Group Policy Logging on Vista/Windows 7,8,10

At the end of “Our roaming profiles aren’t being saved …”, I wrote that:

For Windows Vista and later, the log information is stored in the Event Log, under Applications and Services Logs\Microsoft\Windows\Group Policy\Operational.  Further information on this can be found in this Microsoft Technet post, Group Policy Logging on Windows Vista.

Well it is in the event log, but there is another .log file.  You can enable the Group Policy Client Service (GPSVC) log file.  It seems to solely provide information about what Group Policy settings are being applied.

GPSVC(1278.1dfc) 15:09:59:476 DebugPrintGPOList2: Options: 2, GPOName: {31B2F340-016D-11D2-945F-4FB98400C0F9} DisplayName: Default Domain Policy
GPSVC(1278.1dfc) 15:09:59:483 PrintGPWMIInfo: WMIInfo: GPOName:{15A0E08F-4917-F60B-8358-8B78E802A8B7}, QueryId:{81430147-9924-9351-456D-2329BF3F317F}, NameSpace:noddyland.inside
GPSVC(1278.1dfc) 15:09:59:483 PrintGPWMIInfo: WMIInfo: bFilterAllowed: TRUE, Rules:1;3;10;108;WQL;root\CIMv2;select * from Win32_OperatingSystem where (Version like "5.1%" or Version like "5.2%") and ProductType = "1";
GPSVC(1278.1dfc) 15:09:59:484 GetFgPolicySettingImpl (bSync: 1)
GPSVC(1278.1dfc) 15:09:59:485 SaveGPOsToLocalCache(Machine): Server SKU runs in sync mode, skip cache operations.
GPSVC(1278.1dfc) 15:09:59:486 GetGPOInfo: Get 5 GPOs to after filtering.
GPSVC(1278.1dfc) 15:09:59:486 DebugPrintGPOList2: Options: 0, GPOName: Local Group Policy DisplayName: Local Group Policy
GPSVC(1278.1dfc) 15:09:59:487 DebugPrintGPOList2: Options: 0, GPOName: {55DD0EE9-4A06-4707-940B-5482CB34C9EF} DisplayName: Domain Policy - Log files
GPSVC(1278.1dfc) 15:09:59:488 DebugPrintGPOList2: Options: 0, GPOName: {02263A92-9FC5-4B95-B9C0-127ECC8A6C32} DisplayName: COMPUTEROBJECT-Desktops-Everyone
GPSVC(1278.1dfc) 15:09:59:493 DebugPrintGPOList2: Options: 0, GPOName: {E1692B3D-D2DA-4DA6-8683-2663C08C6F69} DisplayName: COMPUTERUSER-User Base settings
GPSVC(1278.1dfc) 15:09:59:494 DebugPrintGPOList2: Options: 2, GPOName: {3140B2F3-016D-11D2-945F-00CFB98044F9} DisplayName: Default Domain Policy
GPSVC(1278.1dfc) 15:09:59:494 GetGPOInfo:  Leaving with 1
GPSVC(1278.1dfc) 15:09:59:495 GetGPOInfo:  ********************************
GPSVC(1278.1dfc) 15:09:59:496 ProcessGPOs(Machine): Get 5 GPOs to process.
GPSVC(1278.1dfc) 15:09:59:496 ReadExtStatus: Reading Previous Status for extension {3378E5AC-683F-11D2-A89A-04FBB00CCFA2}
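
As an added example (not part of the original post), the PowerShell below splits gpsvc.log lines like those above into fields and pulls out the GPO list entries. The function name ConvertFrom-GpsvcLine and the field names are assumptions made for this example, as is reading the two values in brackets as process and thread ids; the sample lines are copied from the excerpt above.

```powershell
# Sample input: six lines copied from the excerpt above.
$sample = @'
GPSVC(1278.1dfc) 15:09:59:486 GetGPOInfo: Get 5 GPOs to after filtering.
GPSVC(1278.1dfc) 15:09:59:486 DebugPrintGPOList2: Options: 0, GPOName: Local Group Policy DisplayName: Local Group Policy
GPSVC(1278.1dfc) 15:09:59:487 DebugPrintGPOList2: Options: 0, GPOName: {55DD0EE9-4A06-4707-940B-5482CB34C9EF} DisplayName: Domain Policy - Log files
GPSVC(1278.1dfc) 15:09:59:488 DebugPrintGPOList2: Options: 0, GPOName: {02263A92-9FC5-4B95-B9C0-127ECC8A6C32} DisplayName: COMPUTEROBJECT-Desktops-Everyone
GPSVC(1278.1dfc) 15:09:59:493 DebugPrintGPOList2: Options: 0, GPOName: {E1692B3D-D2DA-4DA6-8683-2663C08C6F69} DisplayName: COMPUTERUSER-User Base settings
GPSVC(1278.1dfc) 15:09:59:494 DebugPrintGPOList2: Options: 2, GPOName: {3140B2F3-016D-11D2-945F-00CFB98044F9} DisplayName: Default Domain Policy
'@ -split '\r?\n'

# Hypothetical helper (name chosen for this example): one object per log line.
function ConvertFrom-GpsvcLine {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        # Prefix layout seen in the excerpt: GPSVC(<id>.<id>) HH:MM:SS:mmm <message>
        $prefix = '^GPSVC\((?<proc>[0-9a-f]+)\.(?<thread>[0-9a-f]+)\)\s+(?<time>\d\d:\d\d:\d\d:\d{3})\s+(?<msg>.*)$'
        if ($Line -notmatch $prefix) { return }   # skip blank or wrapped lines
        $rec = [ordered]@{
            ProcessId = $Matches['proc']; ThreadId = $Matches['thread']   # assumed meaning
            Time      = $Matches['time']; Message  = $Matches['msg']
            Options   = $null; GPOName = $null; DisplayName = $null
        }
        # GPO list entries carry a GUID (or "Local Group Policy") and a display name.
        $gpo = '^DebugPrintGPOList2: Options: (?<opt>\d+), GPOName: (?<name>.+?) DisplayName: (?<display>.+)$'
        if ($rec.Message -match $gpo) {
            $rec.Options     = [int]$Matches['opt']
            $rec.GPOName     = $Matches['name']
            $rec.DisplayName = $Matches['display']
        }
        [pscustomobject]$rec
    }
}

$parsed = $sample | ConvertFrom-GpsvcLine
$gpos   = @($parsed | Where-Object { $_.GPOName })

# In the excerpt, the "Get N GPOs" line is followed by N list entries; compare the two.
$countLine = $parsed | Where-Object { $_.Message -like 'GetGPOInfo: Get * GPOs*' } | Select-Object -First 1
$reported  = [int]($countLine.Message -replace '\D', '')
'{0} GPO entries parsed, log line reports {1}' -f $gpos.Count, $reported

$gpos | Format-Table Time, Options, GPOName, DisplayName -AutoSize
```

To run it against a real log, replace `$sample` with `Get-Content "$env:windir\debug\usermode\gpsvc.log"`.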

To enable the log file:

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
  3. On the Edit menu, point to New, and then click Key.
  4. Type Diagnostics, and then press ENTER.
  5. Right-click the Diagnostics subkey, point to New, and then click DWORD Value.
  6. Type GPSvcDebugLevel, and then press ENTER.
  7. Right-click GPSvcDebugLevel, and then click Modify.
  8. In the Value data box, type 0x30002, and then click OK.
  9. Exit Registry Editor.
  10. At a command prompt, type the following command, and then press ENTER:
    gpupdate /force
  11. View the Gpsvc.log file in the following folder:
    %windir%\debug\usermode

    Note – if the usermode folder does not exist under %WINDIR%\debug\ the gpsvc.log file will not be created. If the usermode folder does not exist, create it under %windir%\debug.
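
The steps above as a PowerShell script, added here as an example and not taken from the original post. It uses only the subkey, value name, value data and folder given in the steps; the function names are assumptions, and Disable-GpsvcLog simply removes the value that the steps add.

```powershell
#Requires -RunAsAdministrator
# Values taken from the numbered steps above.
$diagKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$valueName = 'GPSvcDebugLevel'
$logDir    = Join-Path $env:windir 'debug\usermode'
$logFile   = Join-Path $logDir 'gpsvc.log'

# Hypothetical function name: steps 2 to 11 in one call.
function Enable-GpsvcLog {
    # Steps 3-4: create the Diagnostics subkey if it is not there yet.
    if (-not (Test-Path $diagKey)) {
        New-Item -Path $diagKey -Force | Out-Null
    }
    # Steps 5-8: DWORD value GPSvcDebugLevel = 0x30002.
    New-ItemProperty -Path $diagKey -Name $valueName `
        -PropertyType DWord -Value 0x30002 -Force | Out-Null

    # The note above: without the usermode folder no log file is written,
    # so create it before refreshing policy.
    if (-not (Test-Path $logDir)) {
        New-Item -ItemType Directory -Path $logDir | Out-Null
    }

    # Step 10: refresh policy so the service writes to the log.
    gpupdate /force

    # Step 11: report whether the log file now exists.
    if (Test-Path $logFile) {
        Get-Item $logFile | Select-Object FullName, Length, LastWriteTime
    } else {
        Write-Warning "No gpsvc.log found in $logDir"
    }
}

# Hypothetical function name: undo the registry change made above.
function Disable-GpsvcLog {
    Remove-ItemProperty -Path $diagKey -Name $valueName -ErrorAction SilentlyContinue
}

Enable-GpsvcLog
```

Call `Disable-GpsvcLog` once the troubleshooting is finished, so the value added by the steps is removed again.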

“A referral was returned from the server”

As I finish up version 1 of InstallRunner, I went to set the UAC setting for “Require Administrator Privileges”.  I did that, and got this error:

A referral was returned from the server

Doing some research*, the cause of the error was that I did this:

Application Manifest - uiAccess True

By default, uiAccess is false.  I changed it to true.  I’m not sure why, ignorance perhaps 🙂

What does uiAccess do anyway?

Corporate bozos – Take 2. “You want to do WHAT with Windows Vista???”

Was asked to comment on a Vista upgrade proposal some time ago, as I’ve been around the block once or twice with SOE designs.

Reading through the proposal document, from a Microsoft Gold Partner no less, was this gem:

“We’ll create a ‘Power User’ group on the Vista PCs.”

WTF???

If you have read my previous posts about Power Users, you’d know my response.  For those who have not …

A POWER USER IS A USER WHO HAS NOT GRANTED THEMSELVES ADMIN RIGHTS … YET.

The Corporate Consulting Bozos who wrote the report think it’s a great idea.  It will get around the heartache of re-packaging “legacy” applications.

Even though Vista has technologies built right in to cope with shonky old applications.

There are some other “gems” in the proposal, which will guarantee on-going work for the Consulting Bozos, via the use of proprietary tools.


2 and a bit reasons to wait for Windows 7

If you’re a business customer, thinking about making the upgrade from Windows NT4/2000/XP, I’d be waiting for Windows 7.

By all means, plan and test with Windows Vista, and then take the lessons that you learn and apply them to your Windows 7 rollout.

Here are 2 and a bit reasons why:

Reason 1 – Offline Domain Join.
“Offline domain join is a new process that computers that run Windows 7 or Windows Server 2008 R2 can use to join a domain without contacting a domain controller.  This makes it possible to join a domain in locations where there is no connectivity to a corporate network”
Offline Domain Join Step-by-Step Guide

… locations where there is no connectivity to a corporate network

Such as PC build centres, or virtual machines (Windows 2008 R2 based servers for example)

Microsoft also make the point:

“… If there are any problems with the (normal – online domain join process) domain join, such as network connectivity problems or problems associated with necessary servers that are offline, the problems have to be diagnosed and resolved at that time.”

In other words, your PC deployment process STOPS until you fix the problem.  Offline Domain Join removes one failure point.
The additional words in italics are mine.

Reason 2 – Bitlocker To Go.
USB memory sticks are a data security nightmare.  You put data on them, then lose them, or leave them where people can read them.  So what’s the solution at the moment?

  1. Deploy the same encryption/decryption software, such as Truecrypt, to all computers in your organisation.
    (what do you do if you have a Sales Exec who wants to share their presentation with a customer, at the customer site?
    how do you recover the data, if an employee gets hit by a tram?)
  2. Use the “security” software which comes with the USB memory stick.
    (not standard across your organisation.  requires Administrative Rights to install)
  3. Use a Secure USB memory stick.
    (expensive to buy.  cheaper than data loss, granted, but how many non-IT managers consider that?)

Windows 7 has Bitlocker To Go (BTG).  This Microsoft blog post has more details.
Long story short: Bitlocker encrypts the USB memory stick, places a BTG access program on the drive, and away you go.  You can read BTG files on any Windows Vista (or later) computer.

Reason 3 (the bit reason) – Group Policy Preferences.
Group Policy Preferences are just that, preferences.  And it’s a useful feature.  In a corporate environment, preferences are used every day.  Such as mapping drives as part of a logon script.

Now you can, and should, read the Microsoft whitepaper to see what they think are the benefits, but here are 2:

  1. Mapping drives.
    Don’t need to program this in a scripting language anymore.  No more discussion around “Should we continue to use DOS Batch/Kixtart, or go to VBscript/Powershell”.
  2. INI file updating.
    Based on the user’s location even.  I spent time in previous years writing and maintaining “Localisation” scripting.  Localisation is the process of changing how the computer behaves when you change location.  Simply put, if I travel from Melbourne to Perth for the day, I want to download my updates from the Perth office, not the Melbourne office.
    You can update registry keys as well.

Group Policy Preferences Overview


Upgrading from Windows XP to Vista.

Is really easy with Windows Easy Transfer
(http://www.microsoft.com/windows/windows-vista/features/easy-transfer.aspx)

I’m a fan of the clean operating system install, rather than an operating system upgrade install.
The bad thing about clean installs is that they remove all of your settings, and those of any other users.

You can hear the complaints now “I’ve lost my favourites” whinge whinge whine whine.

Windows Easy Transfer can help here.  It can transfer all your settings, documents and pictures across to the new computer.  EVEN computer encryption certificates (EFS and Internet certificates).  Certificate transfer is a BIG THING, as the other Microsoft product, USMT, couldn’t do this, until recently.

Backing up
Windows Easy Transfer Start Screen

You get three choices on how to transfer the files.  I picked the “CD, DVD or other removable medium” because I had an external hard disk, and was formatting the current computer (aka, a bare metal install).
Windows Easy Transfer  - Install choices

You can password protect your backup file.  It’s a good idea, but don’t forget the password.
Windows Easy Transfer - pick a password

You’ll be asked what you want to transfer.  I picked “All user accounts …” as there were several accounts on this Windows XP computer.
Important point: make sure you have the passwords available for all the user accounts, as you will need them later.
Windows Easy Transfer - choices

Windows Easy Transfer now goes off and checks what can be transferred.  You will see this screen.
Windows Easy Transfer - pick what to transfer

You’ll remember that I selected the “All files … ” option.  When it says “All files … “, Windows Easy Transfer goes out looking for everything, including external hard drives.  I’ve deselected them here, and the transfer file size changed from 497GB –> 17GB.
Windows Easy Transfer - deselected choices

Here are some of the Windows settings which will be transferred.
Windows Easy Transfer - Windows Settings

Clicking next will kick off the transfer file creation process.
Windows Easy Transfer - File transfer process - 1 Windows Easy Transfer - File transfer process - 2

Windows Easy Transfer - Backup process completed
And you’re done with the export of your data files and settings.

Restoring
Windows Easy Transfer - Start of restore process
… shows the start of the restore process.  Remembering how I said, choose which accounts you want to transfer, this is why.  You have to map an old account to a new account.

Windows Easy Transfer - Restore process no choices
Yes, you do get to see what is going to be restored, but you don’t get a choice to unselect.

Windows Easy Transfer - Restore finished
The transfer is complete, and gee, we transferred a lot of files.

Windows Easy Transfer - Restore password request
This is the end of the process.  Windows Easy Transfer will ask for the password of each user you transferred, when they log on.  This is so any encrypted files, and web site security certificates, can be used in Vista.  It’s a great feature, as any other way would see you lose encrypted files and certificates when you backup.

Done!

Things to note:

  1. You need to know the passwords, or have access to them, for the accounts you are backing up.
  2. Only backup those accounts that you need to.  When you are running the restore process, you don’t get a choice of what accounts you are going to restore.
  3. Only backup files and settings you actually need.  That’s because you don’t get to choose what you can restore.
  4. For picky users, screenshot their desktop so you can get the same look and feel in Vista.
  5. While you should not have to, I’d recommend backing up the security certificates for each user you are transferring, separately.
    (here’s one step on instructions http://www.stanford.edu/services/encryption/desktop/windows/efs/backup_xp.html)


How to remember that password on a test system

I have dozens of Virtual PC/VMware images, and can never remember the password for the things.

A cleverer guy than me (Tony Cinanni) suggested this solution:

Windows XP Password Hint

Set a “Password Hint”.  Works with Vista as well.

To set a password hint:

  1. Start the User Accounts Control Panel applet, which you can find in the Start Menu / Control Panel / User Accounts
  2. Select the account for which you want to add a password hint (in the above shot, you can tell it’s LimitedUser)
  3. Click Change the password.
  4. Enter your password in the two locations, type your password hint (in my example above, the hint is the password itself), and click OK.
  5. Done!


On Vista performance, Mark Russinovich and others …

Videocast seen over here.

It was worth an hour of my time.

Some of the highlights:

  • If you’re going to deploy it and expect it to run on four year old hardware, wellll, it’s not going to operate very well.
  • Vista SP1 made a huge difference to performance.
  • Using the latest drivers is key.
  • In the corporate environment, never upgrade. Rebuild the PC instead.
  • Set expectations.  If a PC boot is taking 6 minutes, it’s not a “Vista” problem, your PC has a problem.  You need to get it fixed Mr. End-user, by telling someone.
  • Review your Group Policies.  Do you really need synchronous blocking enabled?
  • 64-bit Vista is best for systems with >4gb memory and the workload to support it.
  • Defragging makes no difference on a SSD drive.
  • Defragging on a normal drive doesn’t make much difference.
  • Xperf toolkit will allow you to trace the entire Vista boot process.
  • Task Manager has a new option, Resource Manager, located in the Performance tab.
    “Hard Faults” are virtual memory faults which result in disk I/O being performed.
  • Start with a clean image.  Vendor OEM images add value, and sometimes decrease performance.
  • Autoruns is a better tool to use than MSconfig.
  • Don’t disable SuperFetch.

The other speakers were Stephen L Rose, Michael Boyd, Doug Miller, David Straydee, Gabe Auld, Ed Bott & Celine Allee.
Apologies to those people whose names I have mangled.
