My new Group Policy Web site www.grouppolicy.biz

I have just set up a new web site called “Group Policy Center” that you can see at http://www.grouppolicy.biz. This site is now where I am going to post all my tutorials and news articles. I have also migrated all my existing Group Policy articles on this site over to that site so you don’t have to keep coming back to this web site.

However this site is not going away, so please don’t delete it from your favourites as I still plan to use this site for all my non-Group Policy related tech news and information…

If you are interested in Group Policy please add http://feeds.feedburner.com/GroupPolicyCenter to your RSS reader.

Group Policy Setting of the Week 8 – Group Policy refresh interval for computers

This week's (and the first for the year) Group Policy Setting of the Week is a Group Policy setting that configures Group Policy itself. The “Group Policy refresh interval for computers” setting can be found under Computer Configuration > Policies > Administrative Templates > System > Group Policy and is used to control how often the background Group Policy refresh for computers is performed.

By default the refresh happens every 90 minutes, but with a random offset of up to 30 minutes, so a policy refresh could potentially take between 1 and 2 hours to occur. Keep in mind, however, that if you configure the policy refresh to a shorter interval, the new interval will not take effect on all your computers until each of them has completed one more refresh at the previous (longer) interval. Normally this setting is set to a short interval before a major change to Group Policy is made to an SOE, so that any rollback of the change can be applied faster (for an example see How to use Group Policy Preferences to set change Passwords).
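As an added example (not code from the original post), this PowerShell reads the refresh policy the way it lands in the registry and works out the worst-case window you have to wait before a shortened interval is in force everywhere; the registry value names and the GPO name are assumptions.

```powershell
# Added example, not code from the original post. Assumes the policy writes
# GroupPolicyRefreshTime and GroupPolicyRefreshTimeOffset (both in minutes) under
# HKLM:\SOFTWARE\Policies\Microsoft\Windows\System; the GPO name is a placeholder.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

# Effective background refresh window on the local computer. A refresh fires somewhere
# between Interval and Interval+Offset minutes after the previous one.
function Get-GPRefreshWindow {
    param([string]$Key = $PolicyKey)
    $interval = 90; $offset = 30          # Windows defaults when the policy is Not Configured
    if (Test-Path $Key) {
        $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
        if ($p.PSObject.Properties['GroupPolicyRefreshTime'])       { $interval = [int]$p.GroupPolicyRefreshTime }
        if ($p.PSObject.Properties['GroupPolicyRefreshTimeOffset']) { $offset   = [int]$p.GroupPolicyRefreshTimeOffset }
    }
    [pscustomobject]@{
        IntervalMinutes  = $interval
        OffsetMinutes    = $offset
        # A shorter interval you push out now is only guaranteed to be in force on every
        # computer after this many minutes, because each one refreshes on its old schedule first.
        WorstCaseMinutes = $interval + $offset
    }
}

# Put a short interval into a GPO ahead of a risky change. Needs the GroupPolicy
# module (RSAT or a DC). Note that 0 is not "disabled": the policy then refreshes every
# 7 seconds, so it is rejected here.
function Set-GPRefreshInterval {
    param(
        [Parameter(Mandatory=$true)][string]$GpoName,
        [int]$Minutes = 15,
        [int]$OffsetMinutes = 5
    )
    if ($Minutes -lt 1) { throw 'Use 1 minute or more; 0 makes Group Policy refresh every 7 seconds.' }
    Import-Module GroupPolicy
    $key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System'   # Set-GPRegistryValue wants no colon
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName GroupPolicyRefreshTime       -Type DWord -Value $Minutes       | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName GroupPolicyRefreshTimeOffset -Type DWord -Value $OffsetMinutes | Out-Null
}

Get-GPRefreshWindow
# Usage: Set-GPRefreshInterval -GpoName 'PLACEHOLDER-GPO-NAME' -Minutes 15 -OffsetMinutes 5
```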

Group Policy Setting of the Week – 7 Exclude directories in roaming profile

Today on Group Policy Setting of the Week we are going to take a look at “Exclude directories in roaming profile”, which can be found in the deepest darkest regions of User Configuration > Policies > Administrative Templates > System > User Profiles. This setting is useful in organisations that have Roaming Profiles configured but want to make sure that the roaming profile size does not blow out and thus slow down the user's logon and logoff. This option can be used to exclude specific folders of poorly written applications from the roaming profile if they write large amounts of data (e.g. caches) to incorrect locations.

Exclude directories in roaming profile

A classic example of this was when Google Earth was first released: it saved cache files to the user's roaming profile folder, which meant their profile size quickly swelled to over 1 GB. Users then quickly started to complain that it took a long time to log on and log off their computer (go figure). Enabling this option allowed the specific cache folders to be excluded from their roaming profile, so a much smaller roaming profile was copied to and from the server, making their logons and logoffs much quicker. The side effect of this is that any settings saved in the folders you exclude will no longer roam with the user when they log on to a new computer.

Very handy if you want to keep roaming profiles small, which in turn will speed up the user's logon and logoff processes.

This setting works with Windows 2000 or greater, and multiple paths can be listed using a semicolon (;) as the delimiter between the entries.
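An added PowerShell example, not from the original post, that finds the folders inflating a profile and builds a clean value for this setting; it assumes the policy lands in the ExcludeProfileDirs value under HKCU\Software\Policies\Microsoft\Windows\System as a semicolon-separated list of profile-relative paths.

```powershell
# Added example, not code from the original post. Assumes the policy stores its list
# in HKCU:\Software\Policies\Microsoft\Windows\System\ExcludeProfileDirs as a
# semicolon-separated REG_SZ of paths relative to the profile root.
$ExcludeKey = 'HKCU:\Software\Policies\Microsoft\Windows\System'

# Which top-level profile folders are bloating the roaming profile? (Candidates to exclude.)
function Get-LargestProfileFolders {
    param([string]$ProfilePath = $env:USERPROFILE, [int]$Top = 5)
    Get-ChildItem -Path $ProfilePath -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $bytes = (Get-ChildItem -Path $_.FullName -Recurse -Force -ErrorAction SilentlyContinue |
                  Where-Object { -not $_.PSIsContainer } | Measure-Object -Property Length -Sum).Sum
        [pscustomobject]@{ Folder = $_.Name; SizeMB = [math]::Round(($bytes / 1MB), 1) }
    } | Sort-Object SizeMB -Descending | Select-Object -First $Top
}

# Current exclusion list as applied to this user (empty if the policy is not set).
function Get-ExcludeProfileDirs {
    $p = Get-ItemProperty -Path $ExcludeKey -Name ExcludeProfileDirs -ErrorAction SilentlyContinue
    if ($p) { @($p.ExcludeProfileDirs -split ';' | Where-Object { $_.Trim() }) } else { @() }
}

# Build a clean value for the policy: trim entries, strip a leading backslash, drop
# duplicates, and refuse drive-letter or UNC paths because entries must be relative
# to the profile root.
function New-ExcludeProfileDirsValue {
    param([string[]]$RelativePaths)
    $clean = foreach ($path in $RelativePaths) {
        $t = $path.Trim()
        if (-not $t) { continue }
        if ($t -match '^([A-Za-z]:|\\\\)') { throw "Not relative to the profile root: $path" }
        $t.TrimStart('\')
    }
    ($clean | Select-Object -Unique) -join ';'
}

# Constructed usage with a made-up cache folder: keep the existing exclusions and add one.
Get-LargestProfileFolders
$current = Get-ExcludeProfileDirs
New-ExcludeProfileDirsValue -RelativePaths ($current + 'AppData\Local\ExampleApp\Cache')
```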

Group Policy Setting of the Week – 6 Add Logoff to the Start Menu

This week's simple Group Policy Setting of the Week (GPSW) is called “Add Logoff to the Start Menu” and can be found under User Configuration > Policies > Administrative Templates > Start Menu and Taskbar. This option adds “Log Off <username>” to the user's Start Menu and is normally configured to be enabled on Terminal Servers where you don’t want users accidentally shutting down the server.

Now hopefully your normal users don’t have admin access to your Terminal Servers; however, if you are a Server Administrator then you could have admin access, and as such having the shutdown button on a desktop that looks a LOT like your local computer could be very dangerous. So this is one of the few Group Policy settings that should be applied to the server administrators via a Loopback merge setting (we will talk about the Loopback setting another day).

But how do I shut down the server then, I hear you ask? No prob, you can either run the “shutdown.exe” command line (tshutdn.exe on Windows 2003) or press CTRL-ALT-END and then shut down from the secure desktop.

How to configure Group Policy to use Data Recovery Agents with “Bitlocker to Go” drives – Part 2

This article can be seen on its new home at http://www.grouppolicy.biz/tag/bitlocker-to-go/

As I previously mentioned in Part 1 “use Group Policy to save “How to use BitLocker to Go” recovery keys in Active Directory – Part 1”, one of the cool new features in Windows 7 is the ability to encrypt removable storage devices to help prevent the loss of data within an organisation while storing a copy of the decryption key in Active Directory. Another way to encrypt the removable storage devices and still have the ability to recover an encrypted device if the unlock key is lost is to use a Data Recovery Agent digital certificate.

Now before you begin you first need to have deployed a PKI infrastructure in your organisation so that you can issue the data recovery certificate to your nominated recovery agents.

So lets get started…

How to configure Group Policy to use a Data Recovery Agent with “BitLocker to Go” drives

Issuing the EFS Data Recovery Agent

First you need to create/issue at least one account with the Data Recovery Agent certificate that will be used when encrypting all the BitLocker to Go drives.

Step 1. Click Start, and then type certmgr.msc to open the Certificates snap-in.

Step 2. In the console tree, expand Personal, and then click Certificates.

Step 3. Right-click on Certificates, click All Tasks and then Request New Certificate…

Step 4. Click Next on the first page of the Certificate Enrollment wizard, then click Active Directory Enrollment Policy and click Next.

Step 5. Tick the EFS Recovery Agent policy and then click Enroll.

Step 6. Click Finish once your account has enrolled for the EFS Recovery Agent certificate.

You should now see the File Recovery certificate in your Personal certificate store.

Exporting the DRA Certificate

You now need to export the DRA certificate so it can be used in the BitLocker Drive Encryption group policy in a later step.

Step 1. Double-click the BitLockerDRA certificate to display the certificate properties sheet.

Step 2. Click the Details tab

Step 3. Click Copy to File

Step 4. Click Next on the Welcome to the Certificate Export Wizard page

Step 5. Leave the No, do not export the private key selected and then click Next.

Step 6. On the Export File Format page, verify that DER encoded binary x.509 (.CER) is selected, and then click Next.

Step 7. On the File to Export page, click Browse to display the Save as dialog box. In File name, type BitLocker. In Save as type, verify that DER Encoded Binary X.509 (.cer) is selected, and then click Save to return to the File to Export page.

Step 8. The File name box on the wizard page should now display the path to the BitLocker.cer file in your document library. Click Next.

Step 9. On the Completing the Certificate Export Wizard page, verify that the information displayed is correct, and then click Finish.

Step 10. When the certificate has been exported, the Certificate Export Wizard dialog box will be displayed with the message The export was successful. Click Close to close the dialog and the wizard.

Configuring the Bitlocker Data Recovery Agent in Group Policy

In this section we are going to take the Data Recovery Agent certificate we exported above and import it into the Group Policy that applies to the computers that will use the DRA certificate when encrypting BitLocker drives. The screenshots below are from a Windows Server 2008 R2 server with the Group Policy Management Console installed, but if you are on a Windows 7 computer you will need to have the Remote Server Administration Tools installed.

Step 1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

Step 2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

Step 3. In the console tree, under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Public Key Policies, right-click BitLocker Drive Encryption, and then click Add Data Recovery Agent to start the Add Recovery Agent Wizard.

Step 4. Click Next on the Add Recovery Agent Wizard welcome screen

Step 5. On the Select Recovery Agents page, click Browse Folder

Step 6. Browse to the location where you have a copy of the BitLocker.cer file that you exported in the previous procedure, select the certificate and click Open.

Step 7. Click

Note: You can repeat this process as necessary to add multiple data recovery agents. After all data recovery agent certificates you want to use have been specified, click Next.

Note: The example above has USER_UNKNOWN because the DRA file was manually imported.

Step 8. On the Completing the Recovery Agent Wizard page, click Finish to add the data recovery agent

Below is the BitLocker Drive Encryption setup with a DRA installed.

Additional Group Policy Configuration

BitLocker Identification Field

You now need to configure the BitLocker identification field on all the computers you are going to use BitLocker on, as this is what identifies which removable devices belong to your organisation.

Step 1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

Step 2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

Step 3. In the console tree, under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, double-click Provide the unique identifiers for your organization.

Step 4. Enter the specific BitLocker identification name that you use to identify your BitLocker encrypted devices in the BitLocker identification field.

Note: You can add additional Bitlocker identifiers from other trusted organisations in the Allowed BitLocker identification field 

Enable Allow Data Recovery Agent

Continuing on from above, you will need to configure your computers to allow the Data Recovery Agent option.

Step 5. In the console tree, under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives, double-click Choose how BitLocker-protected removable drives can be recovered, click Enabled, tick Allow data recovery agent and then click OK.

Note: You still have the option of configuring the standard AD recovery keys in this window. As far as I can tell, the Allow Data Recovery Agent option has no bearing on the other options.

You have now configured Group Policy so that a Data Recovery Agent certificate is used when encrypting all the “BitLocker to Go” drives in your organisation.

How to unlock a “BitLocker to Go” drive with a Data Recovery Agent

Below are the instructions explaining how to use the Data Recovery Agent to unlock a BitLocker to Go encrypted drive

Step 1. Put the drive into the computer you want to unlock.

Step 2. Right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

Step 3 (optional). If you want to get information on the volume before you unlock it, you can run manage-bde -status E:

Step 4. Now you need to get the “Certificate Thumbprint” of the drive you want to unlock. Type the command manage-bde -protectors -get E: where E: is the volume you are trying to unlock.

Note: Take a note of the Data Recovery Agent (Certificate Based) Certificate Thumbprint (see circled in red).

Tip: You could also mark the thumbprint by using the Edit > Mark option of the command prompt.

Then select the thumbprint by clicking on the first character of the thumbprint and dragging to the last character.

Step 5. To unlock the drive, type the following command: manage-bde -unlock E: -cert -ct 88d07b2874031569e17eedf402e0a098fc0f7b81

You have now successfully unlocked the drive using a Data Recovery Agent.

Note: You will need to have the Data Recovery Agent Certificate (with the private key) installed in the Personal certificate store on the computer you are performing this task.

Step 6 (optional). Try running the following command again to view more information about the drive's encryption: manage-bde -status E:
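The unlock procedure above, scripted as an added PowerShell example that is not part of the original article: it extracts the DRA thumbprint from manage-bde output, checks that the certificate and its private key are in the Personal store (the note above) and only then unlocks; the manage-bde text layout is an assumption and the sample output is constructed.

```powershell
# Added example, not code from the original post. It parses the text output of
# manage-bde (the sample at the bottom is constructed; real layout may differ slightly),
# checks the DRA certificate with its private key is in the Personal store, then unlocks.
function Get-BitLockerDraThumbprints {
    param([string[]]$ProtectorOutput)      # lines from: manage-bde -protectors -get <drive>
    $found = @(); $inDra = $false
    foreach ($line in $ProtectorOutput) {
        if ($line -match '^\s*Data Recovery Agent') { $inDra = $true; continue }
        # Any other "Something:" header starts a new protector block (not the "Certificate Thumbprint:" sub-header)
        if ($line -match '^\s*[A-Za-z][A-Za-z ()-]*:\s*$' -and $line -notmatch 'Thumbprint') { $inDra = $false }
        if ($inDra -and $line -match '\b([0-9A-Fa-f]{40})\b') { $found += $matches[1].ToLower() }
    }
    $found | Select-Object -Unique
}

function Test-DraCertificateAvailable {
    param([string]$Thumbprint)
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My |
            Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() } | Select-Object -First 1
    return ($null -ne $cert -and $cert.HasPrivateKey)   # the post's note: the private key is required
}

function Unlock-BitLockerWithDra {
    param([Parameter(Mandatory=$true)][string]$Drive)   # e.g. 'E:'; run from an elevated prompt
    $lines = & manage-bde -protectors -get $Drive 2>&1 | ForEach-Object { "$_" }
    $thumbs = @(Get-BitLockerDraThumbprints -ProtectorOutput $lines)
    if ($thumbs.Count -eq 0) { throw "No Data Recovery Agent protector found on $Drive" }
    foreach ($t in $thumbs) {
        if (Test-DraCertificateAvailable -Thumbprint $t) {
            & manage-bde -unlock $Drive -cert -ct $t
            return
        }
    }
    throw "No DRA certificate with a private key for $($thumbs -join ', ') in Cert:\CurrentUser\My"
}

# Constructed sample of protector output, using the thumbprint shown in the post.
$sample = @'
Volume E: []

    Data Recovery Agent (Certificate Based):
      ID: {PLACEHOLDER-GUID}
      Certificate Thumbprint:
        88d07b2874031569e17eedf402e0a098fc0f7b81

    Password:
      ID: {PLACEHOLDER-GUID}
'@ -split "`r?`n"
Get-BitLockerDraThumbprints -ProtectorOutput $sample
```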

For more information about BitLocker drive encryption with Data Recovery Agents see the following pages:

Group Policy Setting of the Week – 4. Shared Printer

This week I have selected the “Shared Printer” Group Policy Preference as my Group Policy Setting of the Week (GPSW). This is arguably one of the most wanted Group Policy settings by Group Policy admins that was missing before Group Policy Preferences. It was possible prior to Preferences to map printers natively in Group Policy using the pushprinterconnections.exe option, but like the Star Trek Deep Space Nine episode “Trials and Tribble-ations” we definitely “do not discuss it with outsiders”, as this is just a setting we would rather forget.

The “Shared Printer” option can be found by right-clicking on “User Configuration > Preferences > Control Panel Settings > Printers”. As with most Group Policy Preference settings you also have the option to CRUD (see Group Policy Preferences Colorful and Mysteriously Powerful Just Like Windows 7), which means you can also use this option to remove any printer mappings that people have to printer queues that no longer exist.

new shared printer

Now it has always been fairly straightforward to map printers via a logon script, whether batch, VBScript or even a KiXtart script; however, the real power of this setting is that it can now take advantage of the really powerful targeting options. More commonly you can map a printer via a single security group or IP range, but you can really start to do some advanced targeting when you combine multiple targeting items using Boolean logic. If you want to see some more advanced targeting options for printer mappings then check out my “How to use Group Policy Preference to dynamically map printers when using Roaming Profiles” article.

new shared printer properties

As you can see above, you can also use this option to set the default printer for your users, which can be very handy if people have a habit of always printing to the really expensive A3 colour printer on your floor when you are trying to reduce costs. Just use the default printer option wisely, however, as you could end up annoying your manager who likes to print to their locally attached printer.

Enjoy!