Windows Server 2008 Manageability Feature: Group Policy Preferences: Part 3 Local Groups

Another use of Local Users and Group preference extension to enable us to add a specific domain groups or accounts to the local machine group. for this example I’m going to add all manila employees as administrators of local machines, to do this you must navigate from  the GPMC and to the Group Policy editor, editing the GPO that we need to add the preference, like what we did on my first post. Like the second post, navigate to the Computer Configuration, Preferences Control panel settings and right click Local Users and Groups, choose New – Local Group.


On the Group Action I will chose to update this because we already have built-in administrators on local computers, you can now click the add button and type in the member name or navigate with the ellipsis. I will chose to add this new members to the current group and to apply just click ok twice.



A simple yet powerful extension from Group policy preferences for adding / deleting a domain OU to a local machine group.


Windows Server 2008 Manageability Features: Group Policy Preferences, Part 2 The Local Administrator

On my previous post, I had a chance to take on Group Policy Preferences with a very quick very humble description of it. On our part 2 we will demo on "How to manage local administrator accounts on machines" which has been a one of the favorite topics on the web before, even at the Microsoft Philippines Community Forum way back 2007.  Before what we do is create a script to do this and run thru GPO, now with Windows Server 2008 Group Policy Preferences, we can do it in just a few clicks.

To start open your Group Policy Management Console and Create or Edit the GPO you want to use.


On the Computer Configuration, Go to the Preferences, and Expand Control Panel Settings:


Right Click Local users and Groups and Select New Local User.








Chose the action to UPDATE the Built-in Administrator Account.

I also chose that the local built-in administrator cannot change its password and it never expires. You can also chose to disable it if you want to. In order to assign a new password to it, fill up the Password and the Confirm password. Apply or click Okay and there, you have successfully deployed a GPO that updates Built-in Local Administrator and its passwords for all of the machines that this GPO applies to.

If you have not visited my first post, here is a link for more info on Group Policy Preferences.

Windows Server 2008 Manageability Feature: Group Policy Preferences

Group Policy Preference is a new feature to the Windows Server 2008 that enables you to configure other computer or user preferences that are not covered with Group Policy Settings. An example of which is the mapping network drives, which traditionally we use a logon script that is being executed by a Group Policy Settings.

Quick Overview:

Making this overview short, Group Policy Preferences are initial configurations and can be re-configured by the end user , while the Group Policy Settings are strictly enforced to the target object (a user / machine). This makes your environment FLEXIBLE and HUMAN FRIENDLY. Also. flexibility is most exampled in the scenario where you can apply once and do not re-apply again. This also helps with deployment if you are deploying hundreds of machines but with different group initial preferences which can be configured by the end user.

Group Policy Preference Extensions:

The Group Policy Preference can be used thru the Server manager Feature Snap in.


But most administrators, like me, most of us don’t really like going to the server room or going remote desktop, if you are like me (having Vista Enterprise, Business for clients + Server 2008 Forest) you can use the Remote Server Administration Tool, RSAT: A how to is described in this link. I would really recommend this if you are managing a whole forest say with 5 local domain and 1 global domain.

If you still do not have an RSAT you can also download the Group Policy Preference Client Side Extensions for Windows Vista x64 Edition (KB943729)




Quick Note: you must have a Genuine Vista in order to download this update.







Launch the Group Policy Management Console from your Administrative Tools
















I already created my GPO which is called "Preferences" (to create this just right click on the level you want to apply the GP, then either Create a GPO or link an existing GPO) . This sample GPO will be our test bed for our Group Policy Preferences. You can right click it and on the context menu, select edit.





just a quick side by side comparison on the Group Policy with Preferences and Policies group with the local Group Policy. you will notice that there is a new grouping and that’s what separates the Policies and the Preferences. There is this usual Computer and User groups and is being used still even with the introduction of preferences making our configurations more flexible.





For the first preferences that we will configure I have chosen to map a network share thru Group Policy Preference, which otherwise we are going to configure and deploy using a combination of standard GPO and a batch file.

With the Group Policy Preferences, we can now deploy Mapped Network Drives by just going to the User Configuration, navigate to the PREFERENCES, then expand Windows Settings. On the Map Drives icon, right click new and then Click Map Drive.

From there everything is straight forward, you can create, replace, update and delete existing network drive. Put your network location, specify drive letter and thats it.

You can also specify the account that will be used to connect to this drive.


Group Policy References is available on Windows Server 2008,

Group Policy Preferences are initial configurations and can be re-configured by the end user , while the Group Policy Settings are strictly enforced to the target object (a user / machine).

Can be managed using Server Manager Feature snap-in, Vista RSAT or via Group Policy Preference Client Side Extensions for Windows Vista .

This gives more ease of management, rather than thinking if the script we wrote will run at all, we now focus on the business objectives which is far more important.

More information is available about Group Policy preferences here:

PHIWUG Monthly Meeting – March 2009

The Philippine Windows Users Group has just had its Monthly meeting and for March 2009 we had a chance to talk with the GUYS and what can I say more, this would be a busy but exiting month for PHIWUG, there would be alot of community activities and TechNet sessions such as Interoperability of Windows Server 2008 and a tech talk on Windows Server 2008 / Windows 7 Security. I hope this all push thru, including the Windows 7 day install fest day. And We need to update our website!

Also there now 2 mythological things that PHIWUG has formulated, aside from the demo gods, Windows 7 has a spirit that seemingly and magically heals it self 😀 (The story goes that an application launched on W7, it did not worked on the 4th time it did without any of us configuring or even re-installing it, we will demystify this, right Faelmar?)

Hey guys thanks for the Burger moments at burger king in Glorieta 3, see ya all in our planned events!

PHIWUG is @ the Computer World Magazine, get your March 2009 Copy!

Have you already seen the March 2009 copy of the Computer World mag? 


PHIWUG is featured in the Industry Group Column of the Computer World, and its a 3 page article about what really is PHIWUG, why we do this and what is our definition of the word COMMUNITY. Also featured in this article are our events like as the our TechNet Session on Terminal Services and the Hyper-V event.


Community Sharing. As their slogan says, “Where IT pros in the Philippines meet together,” the Philippine Windows Users Group or PHIWUG is a relatively new group that sprang from the desire to have a venue where ideas and useful information can be shared.

Thanks to Computer World for featuring PHIWUG, hope we can do this again.

Makati TechNet Session: Windows Server 2008 Manageability Features


Thank you so much for attending another TechNet session with the Philippine Windows User Group last March 24 2009. The Session about Windows Server 2008 Manageability Features.







In this event we had a very intimate sharing session on how we manage Windows Server 2008 from the basic Server Manager to Monad’s WMI capabilities up to enterprise class management using System Center Operations Manager 2007 and it was a blast!





Elczar Adame on his Microsoft IO slides, as PHIWUG’s initiatives on Infrastructure Optimization.


Its a life, without walls 😀



Installing, configuring and managing! 

A demo on Server Manager.

Any body, for some monad scripts?

Jay Paloma, (fresh from Singapore) gave a quick overview of Windows Deployment and free assessment tools for deploying Server, Clients and Office systems.

The event is recorded, oh my 😛

It was a good attendance which includes of course the PHIWUG members.


The rest of our event photos are here, go check it out 😀




So again and in Behalf of the PHILIPPINE WINDOWS USERS GROUP, thank you so much for attending hope to see you all in another of our TechNet Sessions! There is more where these came from!

Internet Explorer 8 has been launched, ARE YOU READY? (Quick fix on IE8 Compatibility using IIS 7.0 HTTP response Headers)

So IE 8 is out in the Internet, everybody will be using this (including those that are using a public beta of Windows 7, which hey MIILLIIOONSS) is your site ready?

If you cannot re-work your site and you just want to tell the IE8 to just display the site as IE7. You must add a meta http header "X-UA-Compatible: IE=EmulateIE7". That’s per page 😦 well if you use master page this may sound a little less frustrating.




But there is a quick and veeerryy easy fix to do this, thru IIS 7.0 HTTP response headers!

To do this, all you have to do is go to your IIS 7.0 Manager, click the site you are hosting and under IIS group launch HTTP Response Headers, just double click it.








And this window appears




On the Response Headers window, right click then choose add..





  Then this dialog box will come up.

for the name type "X-UA-Compatible" and for the Value type "IE=EmulateIE7"

(No quotes please)




Click OK and its already fixed!

There you have it, fixing and making your IE7 sites be viewed in IE 8 without any code changes thru IIS 7.0 HTTP Response Headers.

Installing and Managing Windows Update Service: Part 4 of 4

Part 4: Synchronize and Manage Updates

We already have WSUS installed, now its time to manage the updates!


What we will do now is we need to install a remote administrator for our WSUS, we don’t want to remote desktop every time we need to approve WSUS, right?

With the same WSUS installer hopefully you have the same architecture of the server, I also have a 64 bit Vista Enterprise, So I right click the installer, and Run as administrator.


And the installation dance begins..

Looks familiar? Dejavou? No not really. Lets click Next > to begin.


For this instance we will just install the Administration Console Only, then click Next >


Lets accept the License Agreement, click Next >

And the install process..


There, Just click finish and you have already the administration console. As i have said before, you can never go wrong with a Wizard!


Here is the new Icon that you need to access, launch the WSUS admin now.



With the Update Services Console open, go to the right hand pane, click Connect to Server…


This dialog box appear, and you have to put in the Server name of our WSUS server. By default it runs on port 80.

There I have allot of updates to approve!


You can now select them all or select a few, then click Approve..

When this dialog box appears, you can have the approval by the drop down before the name. Actually its very intuitive, very nicely done software. So dropdown, install, then click ok.

Ok we haven’t deployed a big service pack for SQL 2005. Could have been a total waste of bandwidth.

I already took extra steps on creating computer groups and viewing reports, I think I can leave you now here, explore the possibilities, see the feature sets that WSUS has to offer that I did not able to show in this post. So there you have it the Windows Server Update Services 3.0 with Server 2008 and Windows Vista!

For more info about WSUS visit TechNet: and the WSUS product team blog here:

Installing and Managing Windows Update Service: Part 3 of 4

Part 3: Client configuration using GPO

We already installed the WSUS Server and we want to use it, right? So we want our client machines to get update to our new and shiny WSUS server.

We can do that thru GPO: So on our domain controller, go to the Server Manager, expand Features, Group Policy Management. Expand our Forest, domains and on the level of organizational unit that you want to apply the new GPO, right click and choose Create a GPO in this domain, and Link it here…


Because I want to do this domain wide, I’m applying the policy in the entire domain. My new GPO will now be called as Windows Update Service Configuration. Its really better to name your GPO verbosely, after a good night sleep you will forget this 😀

Click OK if you are finished.

After creating the GPO, it would appear on the tree. Right click it and from the context menu, chose edit.

Navigate to the Configuration, Policies, and then Administrative Templates, Windows Components and to Windows Update.

You will now see a couple of settings in there, one of the important things in there for this scenario was the Specify intranet Microsoft update service location. Let us now enable it by right clicking it and then click properties.


On this window, specify what is the Update Service URL.

Type it there, and click apply and OK.












Fine tune this GPO according to your enterprise policies, apply it and your clients are now connecting to your WSUS server!

PS. If you are like me that doesn’t want to wait for a GPO to be replicated to the client, you can always do the gpupdate /force on an elevated command prompt. To do that, go to your Start Menu, find the command prompt and right click, run as administrator.

Type-in gpupdate /force then hit enter. After the policies has updated, the clients are now connecting to our WSUS server. (You may need to restart the client for the settings to take effect.