You can now download the whole service pack file as a self-extracting executable and simply run it to install, or you can use Windows Update, where it is listed as an Important/High Priority update (rather than critical or security) for you to manually install (after 90 days this will change to an automatic update if your system is configured for that). At the moment my 32 bit install claims this would take 409 MB via Windows Update compared with only 361 MB for the full exe package download.

Even if you only have 1 machine to do, you will save marginally on the file size if you manually download Office 2010 sp1, and then of course you will have the file to use again on any other machines that need it – if like me you are the de facto IT support for family and friends, this can be quite useful.

A few key changes relating to other products are that Outlook 2010 sp1 will fully support the now-released Office 365 online business applications suite, while SharePoint 2010 will support SQL 2011 and has improved support for users of Internet Explorer 9.

So, there’s lots of information about this important update, as well as the downloads themselves, so let’s dive straight in with a load of links to the things you probably want to get hold of straight away.

Office 2010 information and downloads

KB 2460049 Information page for Office 2010 sp1 + links to downloads
MS Support KB 2460049 Office 2010 SP1

Main Downloads Office 2010 sp1
Office 2010 sp1 – for 32-bit editions of Office
Office 2010 sp1 – for 64-bit editions of Office

SharePoint 2010

Since this is 64 bit only, there’s only one service pack download to consider.
SharePoint 2010 sp1 information
SharePoint 2010 service pack 1 download

System Administrator Information

If you manage many machines and don’t intend to deploy this by actually running the exe file on every computer on your network, you can deploy the update using WSUS, or you can extract the MSP files from the package using a command line and deploy the ones you need.
KB 2532118 has details of which MSP files are in which service pack download

You may also want to find out how to patch those other bits and pieces of the Office suite which are not necessarily part of a core installation, such as Access runtime, Visio viewer or the language packs.
KB 2510609 has details of all the different Office 2010 sp1 packages
KB 2532120 has details of the SharePoint 2010 packages

The Office Sustained Engineering blog has a page with direct links to the download pages for all the different packages for Office 2010 and SharePoint in a big long list arranged alphabetically, with columns for the article with information about that patch, and 32 / 64 bit downloads (as applicable).

There are a few “gotchas” with sp1, most notably for people using SharePoint 2010 and Office Web Apps, and regarding SharePoint workflows on new site collections. This support article is likely to be added to as reports come in of any bugs found once this starts being used around the world, so it may be worth revisiting the page again in a few weeks.
Details of known issue with service pack 1 for Office 2010 and SharePoint 2010

Excel Worksheets of Changes

Another very useful resource for IT administrators and interested geeks is a complete Excel Worksheet (.xlsx) of all the changes, issues fixed etc. While the descriptions of each one are pretty short and usually describe the old symptom (issue) rather than the new behaviour, this could be a useful quick check to see if this service pack will finally fix something odd that your users have been complaining about. There are two files, one for Office 2010 and the other for SharePoint 2010 and Office Servers:
Microsoft Office 2010 Service Pack 1 Changes.xlsx
SharePoint 2010 and Office Servers Service Pack 1 Changes.xlsx

Group Policy files updated

When Office 2010 was released to manufacture, the necessary files for managing the suite using Group Policy and the Office Customisation Tool (OCT) were available at the same time, and with the release of sp1 these tools have also been updated to version 2, which is great news, and certainly an improvement over the delays that were common for Office 2007 and the service packs for that.

There are two versions of the admin files to download, depending on whether you wish to target the 32-bit or 64-bit version of Office – the version you use does not depend on the OS of the server or workstation you are using to manage your Group Policies, so you would use the 32-bit version to mange the users that have 32-bit Office 2010 installed, even if your management console is on Windows 7 64 bit or Windows Server 2008 R2.

Updated admin files for Office 2010 sp1 – ADM/ADMX+ADML and OPAX+OPAL

The same page also has a link to the usual Excel workbook of all the Group Policy and OCT settings reference for Office 2010 but this is just the same old file that has been around since the RTM version, so don’t waste time downloading this. (At the time of writing this blog post the file linked from that page has the same MD5 hash as the one which has been available since at least last August).

The admin files download extracts to three folders for ADM / ADMX and Admin (OCT) files, as well as an updated spreadsheet listing all the settings. So, while this is not as detailed as the full settings reference, it does at least seem to have more settings, although I have not yet found any which are particularly interesting to report.

When you export from CRM to Excel the data is derived as XML, saved with an XLS file extension and Excel is invoked to open the temporary file. Unfortunately Excel checks to see if the file being opened is actually of a type which matches the file extension and tries to be helpful. Normally this is to help overcome problems such as a comma-separated variable (CSV) file being saved as an XLS file extension, which ought to mean Excel tries to read the XLS file, fails because the contents are nothing like a real Excel binary file and gives up. Instead, Excel actually looks at the content, spots that it looks very much like a CSV and allows you to open it just as if the file extension was correct in the first place. However, this cleverness is tempered somewhat by the fact that the default setting for this is to ask the user every single time what they want to do.

As always, this is probably intended to be a helpful warning and prevent people opening files which might have insecure content, but it fails to do so because most users do not understand the implications and the longwinded message is probably not even read properly anyway. Certainly the 50th time someone sees a dialog like the one below, they just click “yes” without reading and it no longer provides any benefit whatsoever (by the way, I have done nothing to this, it displays in this ridiculously wide, un-resizable window on my machine).

Whenever I have managed people in IT support roles I try to eliminate fixes which involve things like “ignore that error message, just hit OK and it will work fine”. This not only numbs people to the meaning of that particular error message but to these sorts of warnings in general. Too often I have heard users explain why they did not report a problem until it was too late, saying “well, I got an error every day saying something about faulty disk or something but I just clicked OK, like John said we should with that other one…”. Find the root cause, eliminate the error, or suppress the error somehow, don’t teach people that errors don’t matter or they just ignore them. If you went to your doctor and said “it hurts my neck when I lift my arm up” you would not be impressed if she replied “then don’t lift your arms up!”, would you?

Stop Excel asking unhelpful questions when you export records from CRM

Luckily there is a really easy way to control this behaviour across your whole network using Group Policy. You will need to download the appropriate admin files for Office 2007 or Office 2010 and add them to your Group Policy in the usual way* (either to a new policy or an existing one you might already have for applying other Office policy settings). Go to:

User configuration\Administrative templates\Microsoft Excel 2007 (or 2010)\Excel options\Security

Look for the policy setting for “Force file extension to match file type”, enable it and choose one of the three options:

• Allow different (this is the one you need to stop the warning when exporting from CRM)
• Allow different, but warn (this is the default behaviour)
• Always match file type (this stops the warning but prevents mismatched files from being opened)

This is the full explanation text which you can see in that policy setting, or in the spreadsheet of available Group Policy settings for Office:

This policy setting controls how Excel 2007 loads file types that do not match their extension. Excel 2007 can load files with extensions that do not match the files’ type. For example, if a comma-separated values (CSV) file named example.csv is renamed example.xls, Excel can properly load it as a CSV file.

If you enable this policy setting, you can choose from three options for working with files that have non-matching extensions:

• Allow different – Excel 2007 opens the files properly without warning users that the files have non-matching extensions. If users subsequently edit and save the files, Excel preserves both the true, underlying file format and the incorrect file extension.
• Allow different, but warn – Excel opens the files properly, but warns users about the file type mismatch. This option is the default configuration in Excel.
• Always match file type – Excel does not open any files that have non-matching extensions.

If you disable or do not configure this policy setting, if users attempt to open files with the wrong extension, Excel opens the file and displays a warning that the file type is not what Excel expected.

*Adding group policy ADM files to GPMC

Just in case you don’t know how to do this, here’s the quick version:

Download and unzip the ADM files you need to use, and remember where they are. Open Group Policy management Console (GPMC), find the policy you want to change, right click > Edit.

Navigate to Computer or User Configuration as necessary, then right click “Administrative templates” and choose “Add/remove templates”. Click the Add button and navigate to where you saved them. Select the policy template you need (Excel12.adm or Excel14.adm in this case) and click Open – you can use Ctrl-click to select multiple template files before clicking Open, or just double click a file if you only need one. Click Close.

Double click Administrative Templates to expand that branch, and look for your new template as a “folder” – Microsoft Excel 2007 or 2010 as appropriate.

The main (virtual) Office 2010 launch event will include a keynote speech by Stephen Elop, President of the Microsoft Business Division at 11am EDT (that’s 4pm BST for readers in the UK).

System administrators everywhere will also be pleased to find that the associated Office 2010 management tools are available to download already to coincide with the launch, unlike the time lag before they were available for Office 2007, or for the later service packs. This nearly 16MB download is a self extracting exe which will force a UAC prompt on newer OS’s, which can be useful so you can put the files in a folder which needs elevated privileges, and the contents expand to a total of about 123MB.

The extracted files include Group Policy templates in ADM and ADMX formats so you can use these on XP/2003 or Windows Vista/7/2008 to create your policies. The ADMX files give you the usual advantage of a single central store versus ADM files being duplicated for every policy that uses them.

Also in the package is an updated version of the Office Customisation Tool (OCT) and opax files which contain settings for all the different apps. You will also find the now standard Excel file full (in .xls format) of GP and OCT settings for all the applications and general ones for the Office 2010 suite as a whole. You should also download and read the release notes as a Word document for these tools from the same download page, which has some late changes that supercede the spreadsheet. Some of these are fairly trivial and simply reflect changes to the explain text or the URL linked from that text.

The associated ADML and OPAL files also enable you to manage your policies across multiple languages. Included in the package at the moment are 11 language variations including English, French, Spanish, Italian, German, Brazilian Portuguese, Japanese, Korean, Russian, and two Chinese variants (zh-cn for PRC and zh-tw for Taiwan. Technet says there is a Hong Kong language version included but I can’t see it).

There is more information about what you can find in the ADM/ADMX files and how to use the OCT here on Technet, and more in the deployment sections of the Resource Kit.

This Technet page has more information including some important details about making sure to reset some of your policies before replacing the ADM files, as you won’t be able to edit them afterwards:

If you have previously configured any of the Group Policy settings affected by this update, you must set those policy settings to their Not Configured state before you remove the previous 2007 Office system ADM files and load the updated version 3 ADM files. This removes the registry key information for the policy setting from the registry. This is because if an .adm file is removed, the settings that correspond to the .adm file do not appear in Group Policy Object Editor; however, the policy settings that are configured from the .adm file remain in the Registry.pol file and continue to apply to the appropriate target client or user. This also applies to any policy settings that you had previously configured that are listed in “Removed settings” later in this article.

You can download the Administrative Templates and OCT in a self-extracting exe file. Included are ADM, ADMX and ADML files in various languages (English, French, Spanish, German, Italian, Japanese, Korean and a couple of flavours of Chinese).

Also has the OPA files and a settings reference, but this other page claims that this is the definitive version of the Office 2007 GP and settings file. I can’t tell the difference – they are the same size and have the same number of rows on the list pages, and have identical MD5 checksums, so they are the same file.

I suspect this was a newer version than the old version in the old download before the newer version superseded the old version so it is now the current version. Clear as mud?

Anyway, most of the focus of these is on fixing a few broken things and targeting settings relating to Open Document format files (making it the default for saving, or blocking it being used at all, that sort of thing.)

Happy policy making!

Group policy settings for Windows Vista sp1, Windows 7, 2003 sp2 2008, 2008 R2

Group policy settings for Internet Explorer 8 are also available (on a different page).

Note that the latest files are all in Excel 2007 format so if you are not yet using Office 2007 or 2010TP you would need to install the Office compatibility pack to allow you to view these on a previous version of Office, or the Excel 2007 viewer (+ service pack 2 as well) to view them (but not be able to edit or save changes). Both of these downloads are free.

Hat tip to Jeremy Mosokowitz at GPAnswers.com

Download the Group Policy Settings Reference for Server 2008 in Excel 2007 (.xlsx) or older version (.xls) format.

Interestingly, this also includes 9 settings which are only available for Windows Vista service pack 1 (which also RTM’d last week). All of these are to do with controlling security settings for terminal services (RDP) sessions, including a setting I will find particularly useful to control whether a session can be established when the server cannot be authenticated.

This policy setting allows you to specify whether the client will establish a connection to the terminal server when the client cannot authenticate the terminal server. If you enable this policy setting, you must specify one of the following settings:

Always connect, even if authentication fails: The client connects to the terminal server even if the client cannot authenticate the terminal server.

Warn me if authentication fails: The client attempts to authenticate the terminal server. If the terminal server can be authenticated, the client establishes a connection to the terminal server. If the terminal server cannot be authenticated, the user is prompted to choose whether to connect to the terminal server without authenticating the terminal server.

Do not connect if authentication fails: The client establishes a connection to the terminal server only if the terminal server can be authenticated.

If you disable or do not configure this policy setting, the authentication setting that is specified in Remote Desktop Connection or in the .rdp file determines whether the client establishes a connection to the terminal server when the client cannot authenticate the terminal server.

This latest reference describes in detail 2,746 group policy settings, including the full explain text, which ones need a reboot, and to which operating systems they can be applied. This is up from the 2,494 which were available when Vista released to manufacture.

There is also one additional security setting for Vista SP1 and Server 2008 which will “Allow UIAccess applications to prompt for elevation without using the secure desktop”. This is intended for use when (for example) an administrator is providing Remote Assistance and may need to be able to provide credentials for a UAC prompt through their interactive desktop, whereas normally this prompt only appears on the secure desktop and is unavailable to anyone except someone at the keyboard in front of the machine. There are other settings relating to this which help to define which applications can be considered to have UIAccess which were already available in prior versions.

This also has the bonus of including the Office Customisation Tool (OCT) which you can use to create an MSP file to customise a centralised network installation of Office for new installations, upgrades, or reconfiguration. You can find out more about the methods for customising Office 2007 setup files here and specifics about the OCT here. In addition the download extracts an Excel workbook “Office2007GroupPolicyAndOCTSettings.xls” that provides information about the 2007 Office release Group Policy settings and OPA settings, making it clear what can be pre-customised at the point of installation and what can only be set through policies.

You will probably also find the Office 2007 settings reference file useful. This is a comprehensive reference for all the settings in the GUI for Access, Excel, Outlook, PowerPoint and Word 2007. This gives the equivalent UI path in 2003 (where there is one), the default setting, what choices can be made, what policy settings exist and which registry keys those change. A very helpful file for understanding how to customise the user experience, and deciding which parts to do through policies and which settings are better left to users (and perhaps prompting you to educate them about the usefulness of some of these).

Author: Jeremy Moskowitz, MCSE, MCSA, MVP

Publisher: Sybex

Suggested Publisher Price: $49.99 US / $69.95 CDN / £34.99 UK

ISBN: 0-7821-4298-2 Softcover, 536 pages (+TOC / index)

Buy the book direct from the Author (and get it signed!) (Update: this link now goes to a page for the replacement fourth edition of this book)

Everything you need to know about Group Policy in one useful reference…and loads more besides

The Group Policy Management Console (GPMC) is a dramatic step forward in the way Group Policy is administered. This book provides all the instruction and insight you need to take full control of your Active Directory with GPMC and other Group Policy tools. You’ll also learn techniques for implementing Intellimirror, making it possible for users to work securely from any location; and you’ll find intensive troubleshooting advice, insider tips on keeping your network secure, and hundreds of clear examples that will help you accomplish all your administration goals.

Topics covered:

• Create and manage all Group Policy functions within Active Directory
• Understand Group Policy differences in Windows 2000, Windows XP, and Windows 2003 systems
• Troubleshoot Group Policy using Support tools, Resource Kit utilities, log files, registry hacks, and third-party tools
• Create and deploy custom settings for managing client systems
• Manage, secure, and audit client and server systems
• Script complex operations, including linking, back-up, restore, permissions changes, and migrating
• Set up Local, Roaming, and Mandatory profiles
• Set up and manage Intellimirror components with Group Policy
• Use Group Policy Software Installation to perform hands-off installations
• Use Remote Installation Services to automate the installation of new Windows systems
• Ensure the safety of your users’ data with Redirected Folders and Shadow Copies

Review

Introduction

This book contains everything you ever needed to know about Group Policy and related topics, including loads of things you probably didn’t even know you should have been asking!

Jeremy Moskowitz covers in great depth the whole subject of group policy, as well as profiles (including roaming and mandatory), redirected folders, offline files, Shadow Copies, Remote Installation Services (RIS) and even finds time to take a preliminary look at scripting. I thought I already had a good grasp of most of these things, but this book still provided a wealth of little details, tips and tricks, up to date information and proper explanations of how all this really works. It was also an easy way to get up to date on many of the changes made with the introduction of XP and 2003, since these are highlighted.

Overview

When I first started reading this book I was not sure it would suit me. It is written in a very conversational, colloquial style more suited to a Tarantino script than a technical manual, and normally I find this irritating when I want precise answers from a reference work. However, I soon changed this first impression. Through this chatty style the author drew me in, got me intrigued by his passion for the subject and seemed to metaphorically drag me in and say “I just want to show you this other really cool thing you can do…”. I found I could read fluidly through huge chunks of the book and actually take in the information presented along the way as well – quite unusual for a book of this depth.

About 70% of the book is concerned solely with group policy – what policies are, how to create, apply and troubleshoot them, and some tips for more complex scenarios such as multiple-forest environments. It is a little difficult to split it in this way since topics like folder redirection depend on a policy for delivery but involve so much more than a mere setting and are dealt with in a section of their own.

I would guess that many people using group policy have probably dived right in without a thorough knowledge of many of the aspects the author deals with, such as exactly when and how policies are applied “under the hood”, what to do about updating templates (.adm files) for newer settings, and consideration of policies being applied across multiple operating systems. There is a great deal to be gained from the author’s experience here, such as sensible shortcuts to and best practice, as well as common pitfalls to avoid.

One area which does not get much coverage in older books on Windows network administration is the use of software restriction policies. In many cases this is because they were written before XP and 2003 made software restriction available through group policy (rather than older NT-style policies or using appsec.exe). This is one of those complex areas which are not just about ticking a box and everything works automagically, but requires proper attention to planning, design and testing before wholesale rollout. This book devotes a whole chapter to the topic to give it the attention it deserves, and recognises the importance for 2003 Terminal Services / Citrix environments as well as desktop administrators.

The remainder of the book deals with what at first appear to be only a loosely related collection of Windows tools for automating and controlling the user experience. A closer look reveals some deeper insights into things such as user profiles which are often skimmed over and taken for granted. It would be tempting for experienced administrators to skim these chapters on the assumption that they already know what they contain, but to do so would miss much of genuine use. I was pleasantly surprised to find many nuggets of new information as well as proper explanations of when to use these tools as well as how to configure and optimise them. Once more the author’s intimate style and obvious real-world experience came together and it is at times like being shown how to do things by a wiser colleague who can say “I’ve been here before, this is how I would approach it…”

The topics covered in the latter parts of the book include tools for automating installation – Remote Installation Services (RIS) and Group Policy Software Installation (GPSI). Again there is plenty of information here for both first-timers and old hands, and should be read particularly by anyone that has tried and given up on these powerful but troublesome subjects. Coverage is also given to features which were not available in Windows 2000 such as using advanced WMI filters on policies (particularly valuable for GPSI) and this may be enough to justify revisiting this. There is also a brief discussion of how all this fits with more complex tools such as Microsoft Systems Management Server (SMS).

Style, Coverage and Detail

As I said at the start, I was impressed by how well Jeremy Moskowitz has managed to take a potentially dry subject and get across many important details in a relaxed style. This is really important in the many chapters where there is a temptation to skip over things that you “already know”. By keeping the reader engaged it is almost easier to keep reading than to miss sections out.
The author makes good use of screenshots, boxed-off text for extra notes and details and plenty of cross references to other parts of the book and web-based resources. These all help the flow, keeping the important things in the body of the text and leaving you to read the extras which you find particularly relevant. Each chapter has a useful conclusion, bringing together the areas covered, rather like a lesson summary.

The amount of information in the book is a double-edged sword – I expect I will refer back to it frequently as a reference, but I found it occasionally frustrating not being able to get straight to something I knew I had read before, and skim reading large sections was quite hard. The index could have been a little more comprehensive – sometimes you have to know what heading something is under before you can find it. It is easy to get used to being handed things on a plate by search engines these days, so maybe I am being a bit harsh, but at the risk of too much duplication it could be useful if the index were expanded a little. The front and back panels of the book go some way to help using the book as a reference when you first pick it up – one highlights which parts of the book cover different group policy topics and the other lists the areas which are new, which is ideal for people using this as a means to bring old skills up to date.

As an example of the level of detail in this book, it even discusses the subtle differences between the way XP and 2003 handle software restrictions in reality and discusses how XP sp2 may change that (the edition reviewed was published when sp2 was still in Beta; the third edition expected soon will bring this properly up to date). It is this kind of attention to little details which makes this book stand out as a really useful practical reference work for the real-world administrator, especially when it comes to troubleshooting.

When I first saw the book I thought it would be a bit like a “three-in-one” – basically separate topics lumped together with a solid group policy book for padding or publishing convenience. I was not convinced there was enough to be said about profiles, folder redirection and software installation to contribute any real benefit to my bookshelf. This partly highlights how little I thought was involved in some of these topics, but this was largely brought about by many other books giving only a surface-level treatment of such things. Too often I had read other sources which I now realise only described how things appear to work, only with the latest OS in a simple environment, and assuming everything behaves as it should. The real world is a little more complicated than that, a fact which this book easily takes in its stride.

There are a few things which the author acknowledges might be considered missing from this otherwise comprehensive book such as IPSec, PKI and EFS. Clearly there is a limit to fitting in a discussion of every possible policy, and the author does attempt to mitigate these omissions by some useful URLs for relevant MS references. Hopefully some of these might get some space in the third edition as more organisations start to adopt these built-in security features.

Overall, this book covers just about every aspect of delivering, managing and controlling the user environment across your enterprise. It is not intended to cover all aspects of systems security, nor provide a comprehensive manual for writing scripts to automate non-policy events, but it does give both of these a suitable level of attention in the wider context of the whole subject of systems management.

Target Audience

I have read many MS Press, Sybex and other publishers’ titles about Windows servers, active directory design and management and been an administrator and systems architect for several years. I was pleasantly surprised to find so much information that I had not come across before in a single book. Whether you want to consolidate your knowledge for your personal training plan, update your skills from Windows 2000, or have a real issue you are trying to resolve, this is the book for you.

Conclusion

Even if you don’t feel you or your organisation are ready for using group policy extensively (although after reading this you may not be able to resist!), the rest of the book is probably justification for adding a copy of this book to your library.

This is a sound collection of tutorials for anyone who wants to give users a better experience, tighten control of their systems, increase security and do it all without leaving their desk. Rather than being seen solely as a technical reference on a few specific topics, this possibly deserves the broader title of “Managing Windows Systems (using Group Policy and Intellimirror)”.

I would say without hesitation that “Group Policy, Profiles, and Intellimirror” is an essential handbook for any administrator wanting to improve their systems for their users, the business and themselves. This book receives a hard-earned rating of 10/10, and I look forward to the third edition with great anticipation.

This review is © Copyright Adam Vero 2005 and was first published on Security-Forums Dot Com.
It may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.

There were various articles announcing Vista sp1, including one on the official Vista team blog which managed to say lots about all the good stuff and conveniently forget some things like the removal of the very useful GPMC, which is only mentioned in the whitepaper (and later reported on by various bloggers and journalists of varying degrees of credibility).

I have to admit that reading whitepapers can sound pretty dull, particularly when they relate to something I can’t download yet. I tend to think “I’ll read it nearer the time, once I have actually downloaded <whatever> and can apply what I am reading”. On this basis it is easy for people to overlook this announcement amid the other marketing hype.

In my mind there are two key questions here:
Firstly, I know there is supposed to be a new enhanced version of GPMC available at some point, but will it be available in time for the Beta testers? Or even for the final release of sp1? This remains unanswered at the moment, and is crucial. If it is available, it lessens the impact considerably.

Secondly, why take a retrograde step to remove something which is already in there? This second question is the one which most other commentators have addressed.

Jeremy Moskowitz, MVP for Group Policy makes some valid points on a post entitled “Vista + SP1 = Gbye GPMC” in his blog (sorry but I can’t find a way to link to the specific post):

Today, the GPMC is part of Vista. That’s great. One less thing to load.
But what’s also (now) true is that if you install SP1 for Vista (not yet available) the GPMC will be uninstalled. Why?

Because this allows for something that I’ve personally advocated for. That is, when new goodies are ready to be launched in Group Policy land, let’s GET IT OUT THE DOOR. And it used to be this way. The GPMC was a simple download and simple install. When bugs were found in the GPMC, that meant it was a quick fix to jam the fixes in, and re-upload the file for the masses.

But now (today) the GPMC is part of the Longhorn and Vista operating systems. Is this good? Not really, in this one dude’s opinion. Because what if some new whiz bang feature is suddenly available? Then you’ll have to wait until MAYBE an operating system service pack, or at worst a full operating system revision until it’s updated.

Darren Mar-Elia (another GP MVP) wrote a very extensive post about the Vista sp1 release, specifically pointing out lots of errors in one of the many articles about sp1. In it he takes up the same idea as Jeremy:

Back when GPMC first shipped, out-of-band of the OS, I’m sure Microsoft heard complaints that it should be in the OS, since it became such a crucial part of managing GP for many shops. So, they went and did the most logical thing – they put it in the box in Vista.

But to do that resulted in GPMC having to become part of the behemoth that is the Operating System release cycle at MS. This has obvious limitations if you know how glacially things move within MS when it comes to OS revs. Once inside the OS, they could no longer rev the GPMC and make enhancements to it on their own schedule.

However, I can’t see that the GPMC is so tightly integrated to the operating system as to prevent an update independently of the service pack cycle. The GP processing engine, sure (although making that its own process in Vista outside of winlogon should help with any patches that are needed). But the GPMC is an application. It does nothing until invoked by the user. I realise that it can still use shared code, but does it, in fact?

Anyway, if the GPMC so woven into the fabric of the OS that it can’t be independently tested and upgraded, how are they managing to take it out so easily? Surely that is contradictory?

Other OS components installed by default have upgrades made available periodically, the most obvious being Internet Explorer and Media Player. MS have claimed for a long time that both of these are fundamental components of the OS and it would not be possible to ship Windows without them unless it was severely crippled. This has been the basis of its defence in previous anti-competitive practices (antitrust) lawsuits. Microsoft just spent three years appealing a decision by the EU courts that ruled they had to produce a version of Windows XP without Media Player (which they have subsequently done for both XP and Vista)

Darren goes on to say:

But, with GPMC installed on every desktop, any joe user with normal non-administrative rights in the domain can open GPMC and view the settings on any GPO they have read access to! Further, they can also backup all GPOs that they have read permissions on, to, say, their USB keys

Technically true, and echoed by others. However, this overlooks the fact that to run GPMC on Vista in a default configuration the user requires local admin rights on their domain account (the local admin account won’t be able to access the domain policies, only the local ones). So yes, if you have domain users with local admin rights on their machines, they could run GPMC as described and take a copy of your policies. I’ll ignore for a moment the lack of security inherent with that model (because I accept there may be users who have a second account for doing admin things occasionally via a runas or UAC).
My question is this: surely a user sophisticated and malicious enough to do what Darren suggests would also be able to take the trivial step of installing GPMC if it was not already on their machine?

If they don’t have local admin rights they could still take a copy of the files for the policies they have read access to by going directly into the sysvol share. This would then take more effort to interpret than a GPMC report but they could easily restore them into another domain (in a virtual machine, say) in the same way you would have done before GPMC.

As a counter to this, surely we should be advising people to take more care in the creation of their Group Policies? It is very easy to ignore the security filtering for most purposes if you have designed your AD to enable you to target your policy links exactly where you need them. However, it may be prudent to remove “authenticated users” from the security filter (or via the delegation tab) and add back in only those groups who actually need to receive each policy.

You could start by having a security group for all computer accounts and another for users if you are following recommended practice of keeping the two types of settings separated and only enabling one ‘half’ of the policy. This would immediately secure your computer policies against the sort of access that we are concerned with here, including via sysvol. More granular groups would be ideal, but would increase the overhead of managing things.

So, I remain to be convinced that having GPMC pre-installed actually makes anything less secure than it already is. I am also unconvinced that it needs to be removed in order for independent updates to take place, as that would imply it was very tightly integrated in the OS, which would imply it could be quite hard to take out of the codebase, which seems to me a little contradictory.

I’ll just have to live without it, or install the enhanced version as long as it is available soon enough. It just still seems illogical.

Share this post :