In the last few posts we’ve looked at moving away from Internet Explorer Maintenance (IEM) within Group Policy, as it has been deprecated from Internet Explorer 10 onwards. There are two clean methods to remove these settings from Group Policy. The first is simply to unlink the GPO that has been configured with these settings. However, if you have configured IEM within your Default Domain Policy or another GPO that you’d like to continue using, you can remove any settings configured with Internet Explorer Maintenance by right clicking it and choosing Reset Browser Settings.
There is often a requirement to maintain and add URLs to the security zones of Internet Explorer. As we discussed in the last couple of posts, Internet Explorer Maintenance (IEM) has been deprecated with Internet Explorer 10. This post will look at two ways to leverage Group Policy to manage the security zones. The first method removes the option for the end user to edit or change the security zones; the second allows the user to add or remove sites.
Site to Zone Assignment List
Create a new Group Policy Object and browse to
User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page. (The same setting also exists under Computer Configuration if you would rather apply it per machine than per user.)
Double click on the Site to Zone Assignment List, select enable and choose show to configure the options.
Note the numbering of the Security Zones. 1 for Intranet Zone, 2 for Trusted Sites, 3 for Internet Zone and 4 for Restricted Sites Zone.
In this example I have added http://intranet.corp.local to the Trusted sites (2).
Using this method greys out the Sites dialog for every zone, meaning the end user cannot add or remove sites in any of the zones. Because the list is written as a policy rather than a preference, the user cannot override it either.
If you would like to be a little more flexible and allow the end users to edit the zones, you will need to use an alternative method: Group Policy Preferences Registry Items. Consider the implications of allowing this: a user can add their own sites to Trusted sites and so reduce the security settings applied to those sites, and anything running as that user can do the same.
Group Policy Preferences Registry Items
This method will allow you to deploy Security Zone sites, whilst allowing the end user to modify the zones by adding or removing sites. If a user removes one of the sites deployed via this method, it will be re-added on the next Group Policy refresh.
I’ve covered deploying registry settings via Group Policy Preferences in a previous post, so you may want to have a quick scan if you’re not familiar.
Create a new Group Policy Object and browse to
User Configuration -> Preferences -> Windows Settings -> Registry. Right click and choose New -> Registry Item. This is where you configure the sites; you will need one registry item per site.
- Hive is HKEY_CURRENT_USER
- Key path format is as follows: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\www (the registered domain is one key and the host name beneath it is a subkey, so intranet.corp.local becomes Domains\corp.local\intranet)
- Value name is the scheme, typically http or https (* covers every scheme)
- Value type is REG_DWORD
- Value data uses the same numbering as Site to Zone Assignment: 1 for Intranet Zone, 2 for Trusted Sites, 3 for Internet Zone and 4 for Restricted Sites Zone.
This is what you will see on the client machine.
If you want to set the “Require server verification (https:) for all sites in this zone” option with this method, you can do so by setting the following.
- Key path format is as follows: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 (again under HKEY_CURRENT_USER; 2 is the Trusted sites zone)
- Value name is Flags
- Value type is REG_DWORD
- Value data is 67 to untick this option and 71 to tick it; make sure the base is set to Decimal. The two differ only in bit 0x4, the https-required flag (67 is 0x43, 71 is 0x47). Flags holds other zone settings as well, so if the zone is not at the default of 67 or 71 read the current value first and only change that one bit.
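The following PowerShell is an added example and not part of the original post. It does by hand, on one client, what the GPP Registry Items above do through Group Policy: it writes a site into the ZoneMap\Domains key, toggles only the https-required bit of the zone Flags value, and then lists what is in effect, including any entries that came from the Site to Zone Assignment List (which lands under the Policies hive as ZoneMapKey). The site names are placeholders; run it as the user whose profile you want to inspect.

```powershell
# Added example (not from the original post). Placeholders: intranet.corp.local.
$ZoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$Inet      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneMap   = "$Inet\ZoneMap\Domains"     # preference-style entries, the user can edit these
$PolicyMap = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
                                         # where Site to Zone Assignment List writes, user cannot edit

function Add-IEZoneSite {
    # Equivalent of one GPP Registry Item: ZoneMap\Domains\<domain>\<host>, value <scheme> = <zone>
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][ValidateRange(1, 4)][int]$Zone
    )
    $uri    = [uri]$Url
    $labels = $uri.Host.Split('.')
    if ($labels.Count -lt 2) { throw "Expected a dotted host name, got '$($uri.Host)'" }
    $key = Join-Path $ZoneMap ($labels[-2..-1] -join '.')              # corp.local
    if ($labels.Count -gt 2) {                                          # intranet (or a.b for deeper names)
        $key = Join-Path $key ($labels[0..($labels.Count - 3)] -join '.')
    }
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $uri.Scheme -Value $Zone -PropertyType DWord -Force | Out-Null
}

function Set-IEZoneRequireHttps {
    # Changes only bit 0x4 of Flags, the "Require server verification (https:)" box:
    # 67 (0x43) is unticked, 71 (0x47) is ticked. Other bits in Flags are left alone.
    param([int]$Zone = 2, [Parameter(Mandatory)][bool]$Require)
    $key   = "$Inet\Zones\$Zone"
    $flags = (Get-ItemProperty -Path $key -Name Flags).Flags
    $new   = if ($Require) { $flags -bor 0x4 } else { $flags -band (-bnot 0x4) }
    Set-ItemProperty -Path $key -Name Flags -Value $new -Type DWord
    return $new
}

function Get-IEZoneSites {
    # Lists both kinds of entry so you can see which ones a user could have changed
    Get-ChildItem -Path $ZoneMap -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $keyItem = $_
        $rel  = $keyItem.Name.Substring($keyItem.Name.IndexOf('Domains\') + 8).Split('\')  # corp.local, intranet
        $site = if ($rel.Count -gt 1) { "$($rel[1]).$($rel[0])" } else { $rel[0] }
        foreach ($scheme in $keyItem.GetValueNames()) {
            if ($scheme -notin 'http', 'https', '*') { continue }
            [pscustomobject]@{ Source = 'ZoneMap (user editable)'; Site = "${scheme}://$site"
                               Zone = $ZoneNames[[int]$keyItem.GetValue($scheme)] }
        }
    }
    if (Test-Path $PolicyMap) {
        $k = Get-Item -Path $PolicyMap
        foreach ($site in $k.GetValueNames()) {      # value name is the URL, data is the zone number
            [pscustomobject]@{ Source = 'Policy ZoneMapKey (locked)'; Site = $site
                               Zone = $ZoneNames[[int]$k.GetValue($site)] }
        }
    }
}

Add-IEZoneSite -Url 'http://intranet.corp.local' -Zone 2
Set-IEZoneRequireHttps -Zone 2 -Require $false      # 71 -> 67, i.e. untick the box as in the post
Get-IEZoneSites | Format-Table -AutoSize
```

Running Get-IEZoneSites on a handful of clients is a quick way to spot what users have added to Trusted sites themselves under the second method, which is the risk the post warns about.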
- Use Site to Zone Assignment to prevent users from editing the Security Zone sites
- Use Group Policy Preferences to allow users to edit the Security Zone sites
With Internet Explorer 11 released a couple of days ago for Windows 7 / Server 2008 R2, and Internet Explorer Maintenance deprecated since IE10, you’re going to want to use one of the alternative methods (Group Policy Preferences, Administrative Templates or the Internet Explorer Administration Kit) to configure Internet Explorer for your organisation. If you’re used to configuring Internet Explorer with Group Policy Preferences, you’ll be thinking “not a problem” and install IE11 onto an administration machine or a server, assuming it will add the option to create a new GPP for Internet Explorer 11. This is what you’ll see if you try that.
Where is the option to add an Internet Explorer 11 Group Policy Preference Internet Settings Policy?
There is no option. The Internet Explorer 10 option actually covers Internet Explorer from version 10 to … 99! That’s right, 99. To prove this and confirm it visually, create a policy using Internet Explorer 10 Internet Settings and find the unique ID of the GPO.
Browse to \\DC\SYSVOL\Domain\Policies\uniqueID\User\Preferences\InternetSettings and open the InternetSettings XML document in Notepad. Note the 5th line, which states the version range 10.0.0.0 -> 99.0.0.0.
If you’re looking to use Group Policy Preferences to configure Internet Explorer 11, using the Internet Explorer 10 Internet Settings option will work for version 11 and future releases of Internet Explorer.
If you’ve used Group Policy Internet Explorer Maintenance (IEM) to configure your organisation’s Internet Explorer settings and are looking to upgrade to IE10 or above, you will find that the settings defined with IEM no longer work. Not only that, but if you try to modify the GPO from a machine running IE10 you will not be able to edit the IEM settings at all.
Settings configured with IEM are not automatically removed when you upgrade from IE9 to IE10; however, any changes made to the IEM GPO will not be reflected on the clients, and any new users logging onto a machine with IE10 will not receive the IEM settings.
- If UserA is logged onto a Windows 7 machine running IE9 and the machine is upgraded to IE10, the settings from IEM will be retained but no longer enforced by Group Policy.
- If UserB logs onto the same Windows 7 machine for the first time after IE10 has been installed, they will not receive any IEM settings.
- If you are deploying or using Windows 8 (which ships with IE10), no settings from IEM will ever apply.
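Before the migration it helps to know which GPOs still carry IEM settings and which GPP Internet Settings items will actually cover IE11. The script below is an added example, not code from the original posts: it walks the Policies folder in SYSVOL, reports any GPO that still has an IEM data folder (IEM stores its files under User\Microsoft\IEAK inside the GPO folder), and reads the version range out of each InternetSettings.xml as described in the IE11 post above. The SYSVOL path is the same placeholder the post uses, and the min/max attribute names are my assumption from the version range shown on the 5th line, so check the output against one GPO you know before trusting it.

```powershell
# Added example (not from the original posts). \\DC\SYSVOL\Domain is a placeholder.
$SysvolPolicies = '\\DC\SYSVOL\Domain\Policies'

function Get-IEGpoAudit {
    param([string]$PoliciesRoot = $SysvolPolicies)
    foreach ($gpo in Get-ChildItem -Path $PoliciesRoot -Directory) {
        # Internet Explorer Maintenance keeps its files here; IE10+ ignores all of it
        $iemPath = Join-Path $gpo.FullName 'User\Microsoft\IEAK'
        if (Test-Path $iemPath) {
            [pscustomobject]@{ Gpo = $gpo.Name; Kind = 'IEM (ignored by IE10+)'; Detail = $iemPath; CoversIE11 = $false }
        }
        # GPP Internet Settings is user-side only, hence User\Preferences
        $xmlPath = Join-Path $gpo.FullName 'User\Preferences\InternetSettings\InternetSettings.xml'
        if (-not (Test-Path $xmlPath)) { continue }
        [xml]$doc = Get-Content -Path $xmlPath
        # Assumption: each IE version item carries min="x.0.0.0" max="y.0.0.0" attributes
        foreach ($node in $doc.SelectNodes('//*[@min and @max]')) {
            $min = [version]$node.min
            $max = [version]$node.max
            [pscustomobject]@{
                Gpo        = $gpo.Name
                Kind       = "GPP $($node.LocalName)"
                Detail     = "$min -> $max"
                CoversIE11 = ($min -le [version]'11.0.0.0' -and $max -ge [version]'11.0.0.0')
            }
        }
    }
}

Get-IEGpoAudit | Sort-Object CoversIE11, Gpo | Format-Table -AutoSize
```

Anything listed with CoversIE11 false is either an IEM leftover or an IE7/8/9 preference item, both of which need moving to the IE10 item (range 10.0.0.0 to 99.0.0.0) or to Administrative Templates. Resolve the GUID folder names with Get-GPO -Guid if you want friendly names.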
IEM has been dropped in favour of Group Policy Preferences, Administrative Templates and the Internet Explorer Administration Kit 10 (IEAK 10). This post will run you through a couple of common settings you may need to migrate across: setting the home page and proxy settings.
Setting Home Page with Group Policy Preferences
Open the Group Policy Management Console and create a new GPO. Browse to User Configuration -> Preferences -> Control Panel Settings -> Internet Settings. Right click and choose New -> Internet Explorer 10.
Enter the URL of the home page you wish to set and select Start with home page. Notice the red dotted underline on the home page entry.
You must press F5 (or F6) to confirm the entry; if you do not, the setting will not be applied. Once you have done so, the underline turns green.
F5 – Enable all settings on the current tab.
F6 – Enable the currently selected setting.
F7 – Disable the currently selected setting.
F8 – Disable all settings on the current tab.
Setting a Proxy with Group Policy Preferences
Create or modify an existing Internet Settings policy as explained above; this time head over to the Connections tab -> LAN Settings.
Specify the proxy; again note the red dots showing that the settings have not been confirmed. Press F5 to confirm.
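Because a red (unconfirmed) entry never reaches the client, it is worth checking the result on a test machine after gpupdate /force rather than trusting the editor. The function below is an added example, not part of the original post: it reads the registry values that GPP Internet Settings writes for the home page and the LAN proxy and compares them with what you expect. The expected home page, proxy and PAC URL are placeholders for your own values.

```powershell
# Added example (not from the original post). Run as the user who received the GPO.
function Test-IEUserSettings {
    param(
        [string]$ExpectedHomePage = 'http://intranet.corp.local/',   # placeholder
        [string]$ExpectedProxy    = 'proxy.corp.local:8080',         # placeholder
        [string]$ExpectedPacUrl   = ''                               # empty if you do not use a PAC file
    )
    $main = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $start = [string](Get-ItemProperty -Path $main -ErrorAction SilentlyContinue).'Start Page'
    $conn  = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
    $pac   = [string]$conn.AutoConfigURL
    [pscustomobject]@{
        HomePage    = $start
        HomePageOk  = ($start.TrimEnd('/') -ieq $ExpectedHomePage.TrimEnd('/'))
        ProxyEnable = $conn.ProxyEnable
        ProxyServer = $conn.ProxyServer
        ProxyOk     = ($conn.ProxyEnable -eq 1 -and $conn.ProxyServer -ieq $ExpectedProxy)
        Bypass      = $conn.ProxyOverride
        PacUrl      = $pac
        # A PAC URL you did not set redirects every request wherever the script says, so flag it
        PacOk       = ($pac -ieq $ExpectedPacUrl)
    }
}

Test-IEUserSettings | Format-List
```

These are all HKCU values, so a user (or anything running as the user) can change them between refreshes; the preference only puts them back at the next Group Policy refresh. If the proxy must not be changed, pair the preference with the Administrative Template that disables the Connections page.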
- Internet Explorer Maintenance will NOT apply to Internet Explorer 10 or above
- You will not be able to modify existing IEM GPOs from machines with IE10 or above installed
- Press F5 to confirm entries made to Group Policy Preferences Internet Settings; basically, make sure you’re green!
Around this time a year ago, I took a look at SolarWinds Server and Application Monitor version 5.2 and came away pretty impressed with the package. Version 6.0 has just been released and introduces some cool new features. Today I’ll take a look at a couple of the new features, namely the Real-time event log viewer and AppInsight for SQL.
For those unfamiliar with the Server and Application Monitor product, please head over to the SolarWinds product page.
SolarWinds 6.0 New Features
- AppInsight for SQL – AppInsight is a new feature, with SQL being the first domain released. AppInsight for SQL provides deep insights into SQL performance to include details on the most expensive queries, index fragmentation, database and transaction log size and much more.
- Baseline threshold calculator – This feature allows admins to calculate thresholds from baseline data for both day and night system performance. Warning and critical thresholds are calculated at 2 and 3 standard deviations from normal performance.
- IT Asset Inventory Dashboard – Administrators can now maintain a view of current hardware and software asset inventory to include server warranty status, driver software, hard drive inventory, and custom properties like PO number and purchase price.
- Real-time Event Log Viewer – This feature allows administrators to view and filter Windows events logged by applications, security events, system failures and DNS events. Customers can filter logs by type, event source and severity.
Bringing up and trialing the 6.0 release candidate was as straight forward as you would hope for and I was able to have a fully functioning installation within 15 minutes or so. The installation has retained its straight forward express or advanced installation methods, with the express method installing a local copy of SQL.
AppInsight for SQL
SAM 6.0 introduces a new concept to the product titled AppInsight, with the view of giving you a greater level of detail and monitoring ability for a given application. The first application to get the AppInsight treatment is Microsoft SQL Server, which is typically at the heart of most businesses and can be fairly complicated and time consuming to monitor correctly.
Discovering MSSQL servers as you’d expect with SAM is very straight forward by either adding an individual node, scanning a subnet, list of IP Addresses or adding directly to AppInsight for SQL:
Once setup, the initial polling takes a little while and the counters begin to populate for that particular server, which takes us nicely onto the default AppInsight dashboard… and boy, has this thing got everything covered! The depth of information on one page is fantastic, essentially putting any performance counter that matters for SQL at your fingertips.
The performance counters can be easily switched between 1 hour, 12 hour and the last 24 hours depending on your requirement. Other information such as SQL Error logs can be configured to show x events from the event log.
Basic information like SQL Server version and product level is available, leading you to the real-time process explorer, event log viewer and service control manager. The top 10 databases by active user connection breaks down the active users by database and displays this via a pie chart and expandable list. Beneath this we have the top 10 expensive queries by CPU time, allowing you to home in on inefficient queries and look at optimising them or scheduling them for off-peak.
AppInsight doesn’t just work at the MS SQL server level, you can also dig into individual databases and access a wealth of information including top 10 indexes by fragmentation, top 10 tables by size, database and transaction file size and white space per database.
Real-time Windows event log viewer
The real-time Windows event log viewer allows you to view, filter and set up monitors directly from the Node details summary within SAM. The interface itself is very similar to the standard Windows MMC, and allows you to choose between the various Windows log types (application, security, system and others depending on the services installed). You then have the ability to dig down into event levels (error, warning, information, security audit success and failure). The interface polls via WMI and refreshes every 20 seconds or so, handy if you’re wanting to keep an eye out for a particular event as it happens.
The real-time event log viewer is positioned next to the real-time process explorer and service control manager which were both added in recent versions. This puts 3 very common troubleshooting and monitoring tools right at your fingertips. The reboot button is also very close, but luckily SolarWinds have added a prompt for you to confirm before rebooting the machine! Having these available from one console reduces the need to fire up a remote session to the server, or launch a custom MMC.
I love AppInsight! Having that level of information readily available really takes the complexity out of troubleshooting and monitoring a given application. For those who don’t have the experience or knowledge to choose the right performance counters, this is a great time saver. It will be interesting to see what application SolarWinds choose next to give the AppInsight treatment to. It’s hard to capture just how much AppInsight displays, I’d recommend installing a trial of the software and having a play around yourself. The real-time event viewer, whilst not being revolutionary is a welcome addition.
Device collections in System Center 2012 Configuration Manager represent a logical container for a grouping of devices. These collections can then be used to perform a number of tasks, such as deploying software, compliance settings or task sequences. I’ve outlined 4 of the most common collection types below.
Device Collection based on OU
1. Browse to Assets and Compliance, right click on Device Collections and select “Create Device Collection”.
2. Give the collection a meaningful name, and set the limiting collection.
3. Add a Query Rule.
4. Edit Query Statement.
5. Head to the criteria tab, and click on the new star item.
6. Click on Select, and set the attribute class to System Resource and the attribute to System OU Name.
7. Operator should be set to “is equal to”; click on Values to choose the desired OU. It should read Domain/OU/ChildOU.
8. Next, Next through the rest of the wizard.
9. The device collection has now been created.
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemOUName = "THESYSADMINS.LOCAL/LONDON/LAPTOPS"
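The same collection can be built from the Configuration Manager PowerShell cmdlets, which is handier than the wizard once you have more than a couple of OUs. The function below is an added example, not code from the original post; it uses the WQL the wizard generates (shown above) with the OU path substituted in. Going slightly beyond the post, the same query works for an AD security group by switching the attribute to SystemGroupName, whose value is DOMAIN\Group with the backslash doubled in WQL. Collection names, the OU path and the group name are placeholders; run it from a console where the ConfigurationManager module is loaded and the current location is your site drive.

```powershell
# Added example (not from the original post). Placeholders: collection names, OU path, group name.
function New-ADBasedDeviceCollection {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value,                 # Domain/OU/ChildOU or DOMAIN\Group
        [ValidateSet('SystemOUName', 'SystemGroupName')][string]$Attribute = 'SystemOUName',
        [string]$LimitingCollection = 'All Systems'
    )
    # WQL string literals need the backslash in a group name escaped
    $literal = if ($Attribute -eq 'SystemGroupName') { $Value.Replace('\', '\\') } else { $Value }
    $wql = @"
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.$Attribute = "$literal"
"@
    $coll = Get-CMDeviceCollection -Name $Name
    if (-not $coll) {
        # Periodic refresh so devices moved between OUs/groups are picked up on the schedule
        $coll = New-CMDeviceCollection -Name $Name -LimitingCollectionName $LimitingCollection -RefreshType Periodic
    }
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $Name -RuleName "$Attribute $Value" -QueryExpression $wql
    return $coll
}

# OU-based, exactly as the wizard steps above produce
New-ADBasedDeviceCollection -Name 'London Laptops' -Value 'THESYSADMINS.LOCAL/LONDON/LAPTOPS'
# Security-group-based variant (goes beyond the post; attribute name from the SMS_R_System class)
New-ADBasedDeviceCollection -Name 'Laptop Pilot' -Value 'THESYSADMINS\Laptop Pilot' -Attribute SystemGroupName
```

Keep the limiting collection as tight as the deployment needs: a collection that will receive a task sequence or software deployment should be limited to the narrowest parent you have, not All Systems, so a mistyped OU path cannot target the whole estate.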
Device Collection based on an Active Directory Security Group
Group Policy Preferences allow you to deploy and modify registry settings quickly and easily. This post will run through a couple of examples to give you a starting point and some guidance for using this in your own environment. As with any Group Policy based changes, use a test Organizational Unit to confirm and test changes before making them live.
You have made some changes to HKEY_LOCAL_MACHINE on a reference machine, and would like to deploy the same registry settings to an OU of computers.
1. Open the Group Policy Management Console
2. Right click Group Policy Objects and select New, and give the GPO a meaningful name. This does not link it to an OU, so it will not affect any computers or users. This is a good practice to get into: if you create the GPO at a live OU level, any changes (and mistakes) will be deployed if you’re unlucky enough for computers or users to perform a Group Policy refresh while you’re still creating the GPO. Always link the GPO later, once you have tested it.
3. Right click the New GPO, and select edit
4. Expand Computer Configuration, Preferences, Windows Settings and head down to Registry. Right click and select New; you will be presented with 3 options.
- Registry Item allows you to manually change single entries of the registry
- A collection simply allows you to organize registry preference items into a folder, this can be useful if you need to set item level targeting over a bunch of registry changes
- Registry Wizard allows you to use the local machine as a reference, or connect to a remote machine, to add multiple entries; this is the method we will use in this example
When using the Registry wizard, the remote computer must have the Remote Registry service enabled, otherwise you will be greeted with the error message “The network path was not found”.
To resolve this, enable the service on the remote machine with the following commands from an elevated prompt:
sc config remoteregistry start= demand
(note the space after the equals sign, sc requires it; this sets the service to Manual, as it’s disabled by default)
net start remoteregistry
Once you have imported what you need, put it back with sc config remoteregistry start= disabled and net stop remoteregistry. Remote Registry is also a convenient remote-enumeration channel for anyone who has obtained credentials on your network, so don’t leave it running any wider than you need.
It will then allow you to select items from HKEY_LOCAL_MACHINE and HKEY_USERS on the remote machine. If you need other areas of the registry, install the Remote Server Administration Tools onto the reference computer and add the Group Policy Preferences console via Programs -> Turn Windows features on or off, then run through the same process from the reference machine’s own console to import the relevant registry items.
In this example we’re okay, as we want to pull settings from the HKEY_LOCAL_MACHINE.
5. Browse to the required location and tick the required keys and values to import into the GPP. Click Finish.
6. Now you can expand the entries imported with the wizard to review them. Common tasks are available as usual with Group Policy Preferences: right click an entry, select Properties, then choose the Common tab. By default the entries are set to Update.
If you ever notice that the hive column isn’t populated after the import, double click on the entry or right click and select properties. Without changing anything click OK, this will then populate the hive entry. I’ve only seen this a couple of times… but if it isn’t populated the settings won’t get deployed, so it’s worth mentioning!
If you want to manually add, remove or change a registry key you can do so using the Registry Item. You can only add one entry at a time with this method.
Example below: it will create new keys if needed, so if you enter HKEY_LOCAL_MACHINE\Software\1\2\3\4\5 it will create the 1, 2, 3, 4 and 5 keys if they are not already present.
The default behaviour when using Group Policy Preferences to modify the registry is Update. Let’s look at the four actions and what they mean.
Create
- Creates the item
- Does nothing if the item already exists
Let me expand on the 2nd point. If there is already a DWORD with the value of 1, and you create a Group Policy Preference with the same DWORD set to 2 with the action of Create, nothing would happen to the DWORD. It would remain at 1.
Update
- If the item already exists, it is updated with the configuration specified in the Group Policy Preference
- If the item does not exist, it is created
It is important to understand that Group Policy Preferences doesn’t lock the registry item; it merely (as its name suggests) uses it as a preference. So if you set a DWORD to 1, depending on the area of the registry a user could go and set it to 0, and that would stick until the next Group Policy refresh, when the item is re-evaluated and set back to 1.
Replace
- Deletes the existing item if it already exists and creates a new one
There aren’t many situations where you would need to delete an item before populating it again; I can’t say I’ve used this to modify registry items before, but there may be a case for you to use it. Be careful with Replace on a key rather than a single value: it removes the whole key, including any subkeys and values you did not specify, before recreating it.
Delete
- Deletes the item
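To see the four actions side by side, the script below is an added example, not part of the original post. It simulates what the Group Policy Preferences client extension does for a single registry value under each action, against a throwaway key under HKCU, and walks through the exact scenario described above: a value that already holds 1, a preference that wants 2, and a user who flips it back between refreshes. The key name and values are placeholders, and it models values only (the whole-key behaviour of Replace is not simulated).

```powershell
# Added example (not from the original post). HKCU:\Software\GppActionDemo is a throwaway key.
$DemoKey = 'HKCU:\Software\GppActionDemo'

function Invoke-GppRegistryAction {
    # Applies one GPP-style action to one DWORD value and returns the value afterwards ($null if absent)
    param(
        [Parameter(Mandatory)][ValidateSet('Create', 'Update', 'Replace', 'Delete')][string]$Action,
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Name,
        [int]$Value
    )
    $current = if (Test-Path $Key) { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name }
    $exists  = $null -ne $current
    switch ($Action) {
        'Create'  {           # only acts when the value is missing; an existing value is left as it is
            if (-not $exists) { New-GppValue -Key $Key -Name $Name -Value $Value }
        }
        'Update'  {           # creates if missing, otherwise overwrites with the preference's data
            New-GppValue -Key $Key -Name $Name -Value $Value
        }
        'Replace' {           # delete first, then create
            if ($exists) { Remove-ItemProperty -Path $Key -Name $Name }
            New-GppValue -Key $Key -Name $Name -Value $Value
        }
        'Delete'  {
            if ($exists) { Remove-ItemProperty -Path $Key -Name $Name }
        }
    }
    if (Test-Path $Key) { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name }
}

function New-GppValue {
    param([string]$Key, [string]$Name, [int]$Value)
    if (-not (Test-Path $Key)) { New-Item -Path $Key | Out-Null }   # parent keys created as needed
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Scenario from the post: the client already has the DWORD set to 1
Remove-Item -Path $DemoKey -Recurse -ErrorAction SilentlyContinue
New-GppValue -Key $DemoKey -Name Setting -Value 1

$afterCreate = Invoke-GppRegistryAction -Action Create -Key $DemoKey -Name Setting -Value 2   # Create leaves the 1 alone
$afterUpdate = Invoke-GppRegistryAction -Action Update -Key $DemoKey -Name Setting -Value 2   # Update overwrites it
Set-ItemProperty -Path $DemoKey -Name Setting -Value 0                                         # user flips it back; nothing stops them
$afterRefresh = Invoke-GppRegistryAction -Action Update -Key $DemoKey -Name Setting -Value 2  # next refresh re-applies the preference
$afterDelete  = Invoke-GppRegistryAction -Action Delete -Key $DemoKey -Name Setting

[pscustomobject]@{ AfterCreate = $afterCreate; AfterUpdate = $afterUpdate; AfterUserChangeAndRefresh = $afterRefresh; AfterDelete = $afterDelete }
Remove-Item -Path $DemoKey -Recurse -ErrorAction SilentlyContinue
```

The gap between the user’s change and the next refresh is the point to remember for anything security-relevant: a preference item is a convenient way to set a value, but if the setting must hold (a hardening value, a disabled feature) it belongs in a policy under the Policies hive, or the key’s ACL has to stop the user writing to it.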
I’d like to thank you for reading and I hope it’s been informative for you!