SCM 2 CTP released (whoops, a month ago)

Hey all, Ned here again. Jeff Sigman let me know that the new pre-beta version of Security Compliance Manager became available last month. It adds the number one feature request you’ve all been demanding: GPO Import. Grab it here: Email them your feedback and bugs at  Remember, this is a CTP release so… Read more

Restrictions for Unauthenticated RPC Clients: The group policy that punches your domain in the face

Hi folks, Ned here again. Around six years ago we released Service Pack 1 for Windows Server 2003. Like Windows XP SP2, it was a security-focused update. It was the first major server update since the Trustworthy Computing initiative began so there were things like a bootstrapping firewall, Data Execution Protection, and the Security Configuration… Read more

AGPM Operations (under the hood part 2: check out)

Sean again, here for Part 2 of the Advanced Group Policy Management (AGPM) blog series, following the lifecycle of a Group Policy Object (GPO) as it transitions through various events. In this installment, we investigate what takes place when you check-out a controlled GPO. Before editing an AGPM controlled GPO, it is checked out. There… Read more

Getting the Effective Audit Policy in Windows 7 and 2008 R2

Ned here again folks. We introduced granular auditing in Windows Vista and a few years later we released Advanced Audit Policy Configuration. Legacy Windows audit policy didn’t go away, of course. To make things interesting, all of this can be configured through domain policy, local policy, multiple-local policy, per-user, or using command-line tools. Like most… Read more

Friday Mail Sack: The Year 3000 Edition

Hello all, Ned here again. Today we talk DCDIAG, DFSN, DFSR, group policy, user profiles, migrations, USMT, and the fuuuuuuturrrrrrrrre. DCDIAG failing RPCSS test Disabling DFS targets via command-line RSOP.MSC errors on Win7 The future of AD MIGAPP.XML compatibility between USMT 3.01 and 4.0 Mixing DFSR versions between OSes Profile conversion from workgroup to domain joined… Read more

AGPM Production GPOs (under the hood)

Hello, Sean here. I’m a Directory Services engineer with Enterprise Platforms Support in Charlotte. Today, I’d like to talk about the inner workings of Advanced Group Policy Management (AGPM). Let’s begin by discovering what occurs behind the scenes when you take control of a Production GPO using AGPM. The term “Production GPO” is used frequently… Read more

Friday Mail Sack: Cluedo Edition

Hello there folks, it’s Ned. I’ve been out of pocket for a few weeks and I am moving to a new role here, plus Scott and Jonathan are busy as #$%#^& too, so that all adds up to the blog suffering a bit and the mail sack being pushed a few times. Never fear, we’re… Read more

Announcing the Group Policy Search service

Hello, Kapil here. I am a Product Quality PM for Windows here in Texas [i.e. someone who falls asleep cuddling his copy of Excel – Ned]. Finding a group policy when starting at the “is there even a setting?” ground zero can be tricky, especially in operating systems older than Vista that do not include filtering…. Read more

Friday Mail Sack – It’s About To Get Real Edition

Hello Terra, it’s Ned here again. Before I get rolling, a big announcement: On May 16th all the MSDN and TechNet blogs are being migrated to a new platform. This will get us back in line with modern blogging software, and include new features, better search, more user customization, and generally remove a lot of… Read more

Group Policy Script Processing Behavior

Hi Everyone, Mike here. Today I am discussing the default processing behavior for Group Policy scripts. Microsoft changed the default behavior of Group Policy startup and logon scripts processing from synchronous to asynchronous starting with Windows Vista and Windows Server 2008. This behavior is the same in Windows 7 and Windows Server 2008 R2. I’ve… Read more