5 GPO MDM Mistakes

In this week’s episode, Stephen talks to Jeremy Moskowitz about the top 5 mistakes IT Pros make when transferring Group Policy to MDM.

Thanks to this episode’s sponsor: PowerApps911


Transcript

Hey everyone, welcome to Unplug IT. I’m your host, Stephen Rose. Thanks for joining. You know, when I think of different experts, there are different topics that there are just some people who are absolutely, you know, the person to go to. Like when I think of Tech Tips, I think of Jeremy Chapman in the Mechanics series. IPv6, Ed Horley. Deployment, Michael Niehaus. But when I think of GPOs, I think of Jeremy Moskowitz. Now I’ve known Jeremy for years. He’s written a bunch of books, but he is the guy. In fact, I even wrote an intro to one of his books at one point because he really nails it and he really knows this stuff. So I am so excited to have Jeremy Moskowitz join us today.

Hey, Jeremy, how are you? – Thank you so much. I just, I love the show idea. I like the topic. I just, I really think you’ve hit it on the head here. So I’m super excited. – I appreciate it. Thank you. – You have been around for a long time. You’ve been doing this longer than I was at Microsoft and even doing stuff before that. We met many, many years ago, but take a moment and kind of talk about your background as the sort of GPO/MDM demystifier. – Sure. –

So let’s do it. – Yeah, I mean, it started off where I, you know, I used to be a consultant a hundred billion years ago, doing, don’t say it out loud or I should explode into flames, SMS. – Yeah. – Which I, which it was a good idea, but totally, you know, it was terrible. And then it got better. And I was like, wait, this Active Directory thing, it’s pretty nifty. And it’s got a built-in way to manage the heck out of your desktops. I love that thing. And I just fell in love with it. I wrote a book in 2001. I kept updating it. I know you’ve got a copy of the big green group policy book that’s on desks of admins everywhere. And then you wrote the intro, the foreword for the MDM book, which is, you know, the modern way of doing things. But the idea is that I think we all know not everybody’s there yet.

We have to be able to speak both things. We have to be able to still deal with this on-prem GPO stuff while we’ve got a foot in cloud. Eventually we’ll have some more toes in cloud and then finally two feet. So we have to be able to do both. So it’s not like we can just like throw our hands up in the air and pretend our old infrastructure doesn’t exist or pretend our new infrastructure doesn’t exist. – Right. – We need to be able to speak both things. And I’m happy to be able to generally be able to speak both things. – Awesome. So you owned PolicyPak for a long time. You guys have sold that. Take a, just walk us through that. – For folks who know you as the PolicyPak person. – Fair enough. Yeah. So PolicyPak is a way to hook into group, both group policy and MDM. And if you’ve got nothing at all, I’ve got a PolicyPak cloud service to make admins just like you more bad-ass and to enhance things that the Microsoft team can’t or won’t do. So the idea is that if you want to manage the heck out of your applications, your browsers, overcome UAC prompts or transition on-prem GPOs to the cloud, we can help you do that. We’ll talk about a little bit of those things.

Yeah. So we were acquired by Netwrix in 2001. And I’m still on board as the founder, CTO, and general manager and still kicking butt and taking names and making that product even more awesome every day.

– Love it. Now, before we get started, I, you know, it’s probably a good thing to remind people: before you go ahead and mess with your GPOs, while it’s very important, you do want to be careful. Cause if you hit something wrong, do something wrong, all of a sudden, everybody has permission to everything or nothing, which is even worse. So what should folks kind of keep in mind before they start digging into these policies and playing with it?

– Well, I cannot tell you how many times people have said to me, “No, no, no, Jeremy, I don’t need to do group policy backups. No, no, no, of course I have that covered,” they say, with a full bore, you know, backup ability of my Active Directory. I’m like, “I don’t think you do, okay? Have you tried it? Have you tried to actually restore one single GPO from that backup?” And even then, I have seen where people have had it work and not work. For me, there is exactly one way to go, which is when you can right click over the GPO node or the Group Policy Objects node, right click and Back Up All, it will dump that, those two pieces of group policy. One part is in Active Directory and one part is in SYSVOL.

So kind of like a metadata and also like the real data and it smashes them into a file format that’s really, you can make portable and put on a USB stick and put in a safe somewhere. If you can’t physically touch those files, I would say you don’t have the backup. And you can also do that automatically with PowerShell, but the idea is that you should definitely be making raw GPO backups using the API. I don’t feel like customers are fully protected unless they do that. Like I said, I’ve seen people were like, “Oh my gosh, I made this problem, but I thought I had an AD backup.”

Can’t get it back from the dead. So that’s my first piece of advice. – No, absolutely, I’m with all backups. You should actually test it to a full recovery occasionally, don’t just assume that everything is backing up correctly or just cause it’s in the cloud, you’re good. You really do need to make sure that this stuff works. All right, before we jump into our first tip, I do wanna take a moment and thank our sponsors. – Thanks, Stephen. Just a reminder to all of you, if you have Office 365, you have the Power Platform. Power Platform is a low code, no code platform that lets you build your own apps, workflows, reports, all without writing you that hard code. If you wanna learn more about it, you can go to training.powerapps911.com. We’ve got on-demand training, we’ve got live training, we’ve got private training, we even have a whole immersive university program, or heck, we’ll even do the project for you if you don’t wanna get your hands too dirty. All right, back over to Stephen. – All right, we’re back.

Number five. – Now we have to do that in the cool radio voice. – That wasn’t, I already do that, and that was pretty bad. – Pardon, it’s using loopback merge mode. – Yeah, so tip number five is, remember these are– – Or actually we get to say, in a world, right, in a world where children are hunted for sports, no.

And remember, these are tips, these are mistakes that people make, okay, right? – Right, exactly, sorry, yes, very good clarification. So number five mistake to not make. – Go to not make, okay, right. So here we are, this is a screenshot for the Microsoft documentation. I can’t tell you how many times I’ve seen customers trip over this, which is they want, they’ve got this idea where they know they’ve got user-side stuff, and they want to apply it to computer-side, and they can’t figure out, because I’d like to say the users can only use user-side settings, and computers can only use computer-side settings. So how do you take a user-side thing and smash it into a computer?

Well, admins will discover this idea of merge mode. So the problem, however, is that merge mode, and I’ve highlighted the key problem set here, is that merge mode, when you log on, will of course get all the user-side stuff, and then literally do a second function, and log you in again, basically, calling again the computer-side location in Active Directory, the list of GPOs for the computer is then added to the list of GPOs for the user. This causes the computer’s GPOs to have higher precedence, and basically what happens is that you log on twice. So let me say that again. You are doubling your log-on time, because you had to have this concern, okay? Now, you might say, “How do you get away from this concern?” Well, there’s of course third-party solutions. I’ve heard of some that might help with this, but we’re not gonna talk much about that. But the idea is that this is a hard problem to solve. I just want you to know, even if you can’t get out of it, why your log-ons are slower when you’re using loopback merge mode, because you’re literally logging on two times.

– Now, what is the advantage of loopback merge mode? Why would somebody in the beginning even say, “I wanna go ahead and do this”? What is the appropriate situation to consider this? – Yeah, so I generally see this when people have a flattened OU structure or they refuse to move computers and users into where God intended them to be. Users over here, computers over here, different computers over here, different users. And they just have this big flat structure. I had seen this back in the day a lot when we were connecting Active Directory to our HR system and HR was dumb and it would just add computers and users to one big flat OU. We just had to kind of live that way. I’m sure some HR systems are still like that. And then you have this problem where you wanna get user side things to computers. What do you wanna do?

This is the only thing. Well, if you don’t have something that can help you out with that, like a PolicyPak to help you with that, that will reduce your log-on times, well, this is what you’re stuck with. And there’s not really a great workaround, but at least you know why you’re slower. And I just wanted to, like people don’t even know, like I get, how do I make things go faster? The number one thing I could say to help you make things go faster is to get out of loopback merge mode if you’re already in it. – Perfect. All right, let’s take a look at number four.

Number four. So this is again, one of the, you know, remember, these are tips for people that are, things that people are doing wrong. So what are we doing wrong? This is just kind of a, a little bit of a tongue in cheek one, which is just about gpupdate /force versus not force. So I get people who, you know, I’ll do tons of demos and I’ll just run gpupdate and like, oh no, Jeremy, you made a mistake. You forgot to put a /force on the end. – Right. – No, I didn’t. What do you mean, no you didn’t? You need a /force. No, yes you do. No, you don’t. So I have to explain what is, and this is, I just, I thought this would be a fun one to just chat about. What’s the difference between gpupdate with and without the force? And the answer is that the group policy client on the endpoint generally knows the name of the game. It knows the last time it connected to group policy. It knows the last GPOs that it saw. It knows that the last GPOs that it saw were the same ones as before, and there were no changes. It does this thing through this internal thing called the version number.

That’s cool. So the idea is that if you make a change in group policy land and you do a gpupdate, it automatically looks for changes. So what, what’s the difference? What the heck does force do? Force says, regardless of the changes, regardless of the internal version number, just go ahead and freaking download everything as if I’ve never seen it before. Right. So the upshot is gpupdate will take less time, way less time to perform its operation and get you back to work, as opposed to gpupdate /force, which basically says, pretend I’ve never seen group policy before, go ahead and freaking download everything as if I’ve never seen it, thus taking the longest time it would ever take.

Well, because we all got taught to do when you do a DNS to go ahead and do force and flush and all that. And that’s the force that can happen. So it starts to become this sort of, oh, well that’s what I’m supposed to do. So you just assume if you have to do it for things like DNS or DHCP, you have to do it everywhere else. And there’s no downside, honestly. I mean, if you add another 30 seconds or 10 seconds to your day, because it makes you feel better, that’s fine. There is, of course, there is one special little bonus plan for actually using force that most people don’t know about, which I’m going to reveal here on your podcast as one of the extra secrets that almost nobody knows. There is an excellent time to use the force, which is if you move a computer from say sales– – I’m sorry, hang on, hang on. You just said there’s a good time to use the force.

– I did, I did. You caught me on it, that’s correct. – I wouldn’t have my Star Wars shirt and not my Space Invaders one if I would have known. I’m sorry. So there is a good time– – Yes, there is a good time to use the force. Yes, you correctly use the force when if you move a computer or a user from sales to marketing or something, and you just want a gpupdate, the Group Policy Engine doesn’t know to check to see if a user or computer has been moved, but a /force will give it an extra goose and say, let me double check to see if that user or computer has been moved from sales to marketing, and thus also reapply our Group Policy. So that is an excellent time to use the force. – I love it, and we got to– I think that that’s like your next t-shirt that you should be using.

– Use the gpupdate /force. Yes, exactly, use the, and then just /force. I think that would be perfect. – There you go, excellent.

All right, number three. – Number three. Okay, so I do this thing called a Group Policy Health Check. It’s a paid consulting service if somebody needs for me to take a look and help them unwind what they’re doing, help them get to the bottom of all the bad things they really are doing. I write like a 30-page report or more, depending on what they’re looking at. This is like one of those things that I think we can all be doing better, one of those things that constantly comes up on my Group Policy Health Check reports, which is that you are not an island, my friend. Okay, you work with other people, and other people have come before you, and I’m sure other people will come after you. The least we can do is have a nice clean house about explaining and expressing what the heck we’re trying to do in Group Policy Land. So here are a couple of ways that you can help the next guy or even help yourself. You ever find five bucks in a shirt pocket somewhere, like, woo-hoo, past Stephen helped me.

This is the same idea. Help yourself out, help your future self or help your next, your successor out. And what are we talking about? These are inbox documentation notations that you can leave yourself. On any given Group Policy object, you can right-click over the main node here, it’s called new, whatever. You just right-click, go to properties in that right-hand column there. You can see it says, use comments to help future you, okay? – I’ve never noticed that. – Yeah, you can put some stuff in there. And then the result is in the details report. You don’t have to go into the GPO to see that. You could just click on the GPO itself, click on the details report, and boom, out pops the comment.

And you can say, we created this for ticket ID 12345. You know, Stephen, my boss told me to do that, whatever it is, you put it here, and you’ve got some commentary about what the heck you’ve done. So this is part one, and there’s a part two, I think, which is on the next slide. Oh, no, oh, oh, there is, I thought there was another slide there. You know what, what the, we’ll go back. I’ll just finish the file, I’ll just finish the file, which is okay. So there’s another location that you can do this at, which is inside a Group Policy preference item. Any given Group Policy preferences item, there’s a comment field. So why are we making this drive map? Why are we creating the shortcut? Why are we doing this ODBC connection? Whatever the thing is, there’s a comment field, and that will also show up in the settings report as well. So you can literally look at the settings report, and inside there will dictate what you said about why you were doing that. So there’s at least two places that you can do documentation.

– And create standardization when you do this. I’ve done this when I’ve done Active Directory designs and things like this. So creating a standardization by not calling it, you know, sales or sales team or changing it up and saying, hey, this is to allow our sales, you know, senior sales people to do this, et cetera. It’s really important you use that standardization. So that way when you, sorry, when you search, you could actually find all the ones that match up to it and not have to try 12 different terms to find all the ones that are there. Because you can also search by this too, which is great. And that will help to make things easier as well. – Yeah, the more normalization you can do, the better. But yeah, this is a great location for you to put your comments to future you or your successor or anything like that. And that’s it, this is one of those things that, you know, if you’ve got a hundred GPOs or a thousand GPOs or even 10 GPOs, explaining why you’re doing a thing is absolutely going to help the next guy. Especially because group policy can, you know, you can see here at any given GPO, you can have 80 billion things. – Right. – You can’t comment on each of those 80 billion things, but maybe you can tell me what you’re thinking and that will help me help the next guy. – Love it. All right, so now, now we can move to number two. – No. – And then I know the demo’s coming up in a minute.

– Yes, yes, yes. Okay, so number two, in fact, I’m going to kind of, here we go, great. Oh, there we go, this is it. This is the number three, the slide, the slide should have, this is, oh, it’s called– – I messed up, all right, I messed up. – That’s it, you’re fired. Okay, this is it though. Anyway, the point is, this is right here, here in double click speed, you can see, I’ve added a description here to this group policy preferences registry item. And if you had 3000 registry items, you can explain why. Anyway, this is what I was driving at. It’s okay, we’ll call this the sequel. – All right, fair enough. All right, so then we have– – There we go. – Now this is the real number two.

– The real number two. – All the group policy object settings. – That’s right, yes. So look, as you know, you can see, I’m a big fan of both group policy and MDM, but we have to be realistic. Not every setting in the universe is there for Intune or your non-Intune MDM, okay? – Sure, because let’s say MobileIron, et cetera. – Precisely, okay, there’s going to be, let’s think about how it’s architected. Intune and MobileIron or VMware Workspace ONE or any of those guys, honestly, they’re all pushing the same buttons, under the hood. The operating system can do these things and Intune and those things are just pushing buttons and those buttons are received. That’s it, so it’s a nice overlay, okay? It’s not a big secret, I’m not beating up on Intune. They’re all, you know, they all have the same buttons they’re pushing, okay, fine. So now what we’re saying is some of these MDM services have this interesting ability to push some buttons that are group policy related. So the question is, are the things you’re trying to do in group policy convertible over to MDM land? Now, Intune has a special guest star called Group Policy Analytics. Its job is to let you take a GPO’s backup report, not the GPO backup, like we talked about at the beginning of our show. – Right.

– One file in the GPO backup, this thing that’s called the report and it’ll consume it here in Intune and analyze it. It’ll look for it. And you can see in that column that says MDM support, you can see I’ve got a variety pack of items that I’ve uploaded and man, some are really good, a hundred percent, wow, okay, that’s great. Oh gosh, others are 47, oh 84, that’s good. Oh, now back to 26. Okay, so you can see it’s a little all over the place depending on what you’re trying to do. Some of these things may be, you know, things that are supported and in there and other things are not so much. So the idea is that this is a good baseline to help you know if any given GPO has the characteristics that can be uploaded into it. But you’re not gonna get to a hundred percent generally. And I can prove it because none percent of the Group Policy preferences like drive maps or shortcuts or ODBC connections or any of these other things that you might’ve come to rely upon are in Intune at all.

So you’re gonna need some way to convert those important Group Policy, ADM, ADMX, Group Policy preferences and other kinds of settings up to Intune or your MDM service and that is what my demo is all about.

All right, well then let’s go, let’s take a break and let’s go to the demo. – All right, here we are in my test lab and this is a GPO that’s got a bunch of stuff you might be familiar with. You might have some security settings in it like rename the guest account. You might have some admin templates like control panel, show only specified control panel items like sound, date and time, programs and features. You might have some Group Policy preferences, shortcut items, okay? So what I’m gonna do here is show you how PolicyPak can take these items, okay? This is the commercial part of the message, sorry, no good man, this is how it works. So we’re gonna take some of these, yeah, we’re gonna take some of these items like let’s take a look at policies, like I said, windows settings. Let’s just look at these in real time again. So security settings and take a look at local policy, security options and hey look, rename the guest account. I’ve renamed to PP Guest or if I go to preferences down here and I take a look at my shortcut items, I think is what I said earlier, a windows, I can never find that thing, here we go, shortcut items. Yep, there’s a shortcut item that I want and I’ve got a bunch of admin templates that I might want to manipulate policies, admin templates and find a control panel, specify control panel.

Okay, so I’ve got all these things that I wanna convert over to an Intune or any other MDM land. What are we gonna do? Well, the good news is we make this drop dead simple for you. So the idea is that you can see here, this GPO and all GPOs are now gonna have the PolicyPak nodes in them here. You’ve got this GPO reduction and transition pack where you can transition to cloud, our cloud service or an MDM service. Let’s go to the GPO export manager and start exporting stuff you just saw. So if we want to export admin templates, okay, the idea is that you just saw that I had the control panel, you know, limiter thing here. Let’s go ahead and click on next.

There it is, show only specify control panel items. You can see sound, date and time and program and features. Next, next, next. And we’re just gonna drop this to XML. So I’ll put this on the desktop to keep it simple. I’ll call this Steven Juan, right? You’re a PH, right? – I am. – Yeah, Steven Juan. – I’m just kidding. – Yeah, okay, there we go. So we’ll call this PPATM1. So I’ve taken those settings, I’ve exported those puppies right there. That’s the first one. Then the second thing I wanna do is I want to export my preferences items. I can just click on next and take that shortcut item and go ahead and export that puppy and put that in the same folder. Excuse me. Go back to desktop here and find Steven Juan. Next, next, next. And the last thing we said was a security item. So we wanted to find that security item. That was on the computer side. So we’ll go over here, go back to GPO reduction here and export that puppy too. So we’re taking all these important group policy settings that you need to transition properly. You’ve already done your check.

You see that you can’t do 100%. So we’re taking these items and we’re chucking them in and dropping them into XML as we call this PP sec one. So now that we’ve got them as raw XMLs, let’s take a look at those raw XMLs and see what we can do here, Steven Juan. Okay, take these guys. And now we’re ready to get them into Intune. Oh wait, Intune doesn’t know what to do with them. Intune doesn’t have a brain for our XML file. Okay, fine. So what we can do instead is use this thing called the PolicyPak Exporter Tool, there it is. And the exporter tool will let you consume these XML files into an MSI. So I’m gonna create a new MSI file, add these existing files, go to the desktop, go to Steven Juan, consume those puppies, and I’m done. And as you know, Intune and every other piece of software on the planet knows how to deploy MSI. So we’ll call this outline.msign. And that’s all there is to it. So let’s see the result. I’m not gonna go into Intune.

I’m not gonna spend any time there. It takes too freaking long. So we’ll just jump right to the S. So here is my example station. So if I were to go to control panel here, take a look at control panel, you see, there’s no changes yet. You can see there’s all the icons of the, it’s no change. If I were to run gpedit.msc here, no changes yet. Go over to Windows settings and take a look at security settings and take a look at local policies, security options. No changes yet, and I don’t have that shortcut. So we’re gonna play pretend for a second. I’ve got the same MSI that I just created over there, just over here to make it a little simpler. And you can see I’m connected to Intuland, and I’m just pretending I’m using Intune to do this. Don’t blink. This wouldn’t normally happen in real life. That’s just the Intune getting it deployed simulation. Now, if we just wait a minute, we’re gonna look for that shortcut that didn’t exist, that there’s no way to really do that in Intuland. There we go, that’s it. We just got it deployed using Intune. When we take a look at control panel, they go ahead and close out and return to control panel. We’ll see that guy go to control panel. Go back to control panel here.

We said we didn’t wanna see all the things in control panel, we wanted to limit our access and ability to control panel. There we go. – And there it is. – And the last thing we said was, was make sure we get that important security setting, which is going to be in Windows settings, security, and take a look at local policies. And lastly, there we go. We’ve renamed the guest account. So we’ve taken these important group policy settings that we know we need to fill the gap in Intune and MDM land. We can export, wrap them up, ship them out, and we’re off to the races.

– Right, and these are things that either you can’t do or just are so time consuming that leveraging a third party product can really make things considerably easier for you. And that’s one of the things that we encourage is to find those tools and share tools with the rest of the industry that have really helped you to make it. – We can also do targeting in a way that Intune and all those products can’t do, because we can literally use the group policy preferences, item level targeting that you know and love. So on any given setting, if you wanted to target it for, let’s see, go back to, where was I? So go back to preferences land and go to shortcut item.

If your shortcut is targeted for only when they’re on the network or whatever new shortcut item, only when they’re on the network, you can do that. And this is built right into the product and we just kind of steal it. So we use item level targeting and say, hey, anytime you’re on this IP range in the network, do this and not on the network, do that. If you’re in this security group, do this. If you’re in this computer name, do that. So you can do all these things because the group policy preferences and PolicyPak support item level targeting.

That’s awesome. Can you also do things like geofencing and stuff along that line at this point? – No, it’s, I mean, just basically IP address ranges typically where people land on that. – Got it. All right, which you could do if you have unique ones for different locations or something along that line. – Yeah, that’s probably so. There may be a way to do it if like your Windows device knows where it is based on WMI and you could do a WMI query and say, if you’re in this geo, do this. If you’re out of this geo, do that. So that might be a way to do it. There we go. – Right. – Thus ends number four or yeah, number two. Number two.

– Yes, let’s go back to our slides here. So let’s see, that takes us now on to tip number one. – Number one, number one. So most people don’t know that there’s a new LAPS in town. There’s this thing called LAPS 2. It’s not its real name, it’s just called LAPS and then Legacy LAPS, but I’m gonna call it LAPS 2 and LAPS 1. So LAPS, of course, is this idea where you can use this tools and tooling from Microsoft to rotate all of your workstations’ passwords. Because of course, Stephen, I know that you use like a 1Password or a LastPass or something like that on your machine so that if your Citibank account gets compromised, that your Bank of America account can’t be recycled the same password. Well, of course you wanna do that on all your endpoints. If you’ve got a thousand or 30,000 endpoints, you wouldn’t wanna have the same exact local password on all of them because if I know one, I know the one. But if only there was some password manager to make that easier, man, that would be amazing. So the number one thing I think people should be doing but probably aren’t doing is using LAPS or now they should start converting from LAPS 1 to LAPS 2. And the best part about LAPS 2 is that it’s kind of built into the operating system. There’s a couple of jiggery-pokery to make it work but if you go to the next slide, you’ll see the result of it working. Which as you can see, there’s now a LAPS tab on any given computer and you can see the user that has the password and the password itself and it works perfectly. So it’s a password manager for your local LAPS 2.

But the number one thing that I think people do wrong with LAPS 2 is that they give this password to the user to overcome UAC problems and to get out of UAC channel and to do what they should do. So let me ask you a question, Stephen. Do you wanna give me your local password on your machine for even five minutes? Is that a good idea to give me your password? – Yeah, probably not the best idea. – No, not the best idea. And any user could do what if you give them this password? Uninstall software, turn off the virus, remove protection, install, you don’t know what they’re gonna– – Install a remote access client, et cetera, yeah. – All sorts of things. So the number one thing I think people do wrong with LAPS is that they break LAPS in case of emergency, hand over the sticky note to the user and say, use it for five minutes and I’ll reset the password on the backend. – Right. – Terrible idea.

So with that in mind, let’s talk about how to, what the right way to deal with these things. – All right, well, let’s take a look at the demo then. So again, what we’re trying to do is make sure that you don’t just give the keys away to the castle when some problem that a user needs occurs. And the kinds of things that you might encounter are all sorts of things. Like you’ve got a developer that needs to run a developer tool, but oh, you can’t do that without full-bore local admin rights. So you can see UAC prompt here, where a standard user needs to upgrade their pet software from time to time. I’m using Skype as that example here, but it could be some bank branch app or iTunes or some specialty app that they need to, you don’t wanna repackage in, you know, SCCM land or Intune land, you just want them to go on their merry way. Or you’ve got somebody out in the field that’s got some need to go to Device Manager and update their camera, change their IP address, add a printer, those kinds of things.

When you get to those, what happens is that you get, for a little bit different, you get a look, but you can’t, how does message from Windows? Windows, hey, you logged out as a skitter, but I can’t do anything like that, I need to do, so you try to write, I can’t, okay, can’t do a thing. So what we’re gonna do here is use PolicyPak to increase the depth of coverage of what you can do with regards to UAC prompts and overview of those puppies. So, don’t run with local admin rights, go ahead. Go ahead, so I thought you were asking, okay, so don’t run with local admin rights, create a GPO or use in, or use PolicyPak Cloud to do PPLPM overcome UAC, all right. So right click and click edit here. Get inside the group policy object, and you can do this either on the user or the computer side. I’m gonna do it on the computer side to keep it simple. You can see we’ve got the policy for admin, that’s a privilege, or no, the Least Privilege Manager for PolicyPak is now touched on this node, just a little bit of a marketing thing, but also a better together story thing. But now I can create some policies to overcome those.

Let’s kind of do it one by one. A new executable policy, so we’re gonna make a match, I’m gonna pick Procmon, I’ll make a simple rule that says, hey man, anytime I see Procmon, I’m gonna use hash, or I can say if it’s by signature, by file path, and I use hash to keep it simple. And if I were to leverage that version of Procmon, which I happen to have here, anytime I see that puppy, they run it with elevated privileges, bing, bang, boom, and you can target it if you want to, like we talked about earlier, and so on. That’s it, rule number one, done. Rule number two, let’s create a Control Panel policy to overcome, for just these users, the idea of say going into Device, whoops, going into Device Manager. Anytime we would have had a Device Manager UAC prompt kind of thing, let’s just overcome it, run it with elevated privileges, and we’re done. The last one, let’s do a little bit slower, a little bit different, it’s a Windows Installer policy for that Skype install. Let’s create a combo rule, because we wanna let the user install it, but not have to come back to us again and again. So we’ll see it’s signed by the Skype guys. Let’s go ahead and do that, signed by the Skype guys. Let’s take a look there, there we go. But only let the user install it if it’s a particular version and later.

I don’t want them to fall backward and go back in time. I only want them to go this version and later, because that’s the supported version in our environment. And run the installer with elevated privileges. So now that I’ve got these locked and loaded, we’ll go back over here, we’ll just run a quick gpupdate, no /force required, run a quick gpupdate here, get the latest, greatest Group Policy settings. Again, you could do this, I’m using Group Policy, you could export and wrap it up like I showed you in the previous demo and use your, yeah, whatever it was, like Intune.

And if you’ve got nothing at all, you can use our PolicyPak Cloud service for your non-domain-joined or even your domain-joined machines. It’s all the same thing. So now the result here is Procmon, which 10 seconds ago required admin credentials on a sticky note to make it work. But now I don’t give them a sticky note, I don’t have to use LAPS to break the glass in an emergency to do this thing. It just keeps on working the way you would expect. Skype Setup, instead of having to give them the sticky note with an admin password that they could do any number of millions of things with, I’m endorsing just this operation, not every, just this operation, letting them go ahead on their merry way, doing the Skype install. Skype itself isn’t running with all of that, it’s just the Skype install.

Or take a look at Device Manager. And Device Manager before had a look-but-you-can’t-touch message. Now with that in mind, you can get into Device Manager and take your camera driver and update that, add a printer, change the IP addresses and any number of things that you may need to do. Before, only if you had full admin rights, but we’re bypassing that, right, dictating, slicing and dicing the least privilege that is required to do your job. And that is Least Privilege Manager in a nutshell.

This is all really good stuff. I wanna kind of go back here, and you could do some of this through AppLocker. And the thing is, you can do some of this manually, it’s just gonna take you a lot of time, and using tools like PolicyPak, using tools like Specops are really going to reduce the amount of time that you have to spend doing these time-consuming things that are eating at your day. And the goal of IT, and I’ve said this all the time, is to get away from being reactive and get to a point where you’re proactive, where you’re able to do these things more quickly so you can focus in on the things like, hey, I wanna make sure I can restore a backup. I wanna take a look at where we’re going, I wanna be able to take a look at how much bandwidth we’re using and fix switches and take a look at these sorts of things that help you create a better environment, not getting bogged down with these things that just take forever and really can slow you down. I mean, how often have you had, and I know you’ve had it a lot, but what are the two or three really important bits of advice that you give to an IT pro admin on how they move from being reactive to proactive? –

Well, before I get to that, I just wanna say that AppLocker doesn’t do this thing. AppLocker doesn’t help with UAC prompts or overcoming and changing the– – But it will allow you to pick versions of the apps and which ones can be installed or not, but it’s not gonna get you past those things. – The UAC prompts, that’s right, great. Just making sure we’re on the same page. Yeah. – Out-on-the-shelf things along that line. – The number one thing that I think is important for, well, it’s a good life skill and very important for IT admins in general, is to be as organized as humanly possible. What I like to say is, do you know where your scissors are right now? There you go. If you know where your scissors are, you’re generally an organized person. If you don’t know where your scissors are– – Well, I’m not an organized person, but I use my scissors a lot. – It’s just a, right? And so the– – No, I get it. No, you’re right. And so what does it mean? And are you consistent about how you file things away? How you document stuff? Are you setting it and forgetting it and moving on? Are you leaving great problems for the next guy, like we talked about with documentation and setting yourself up for success?

Generally being organized and methodical, walk without running. We all have goals to hit, but I see people just, like a bird, just slam their face into the glass instead of carefully trying things out in a test lab first, making sure things are great, and then moving it on to production. Those are the kinds of skills that I think are good for all IT admins of all stripes. Old fellers like us, young pups coming up, I think being organized and also doing small-scale testing before large-scale testing are going to be the best two skills that you could probably have for the long term. – Absolutely, and at some point, you are gonna move on. You’re gonna take on another job, and when you do, having, being, going to a new role and having someone who’s done that IG is gonna make things much easier, and you’re gonna make it much easier for people not to mess up all the hard work that you did when they get there and take over and continue that, and hopefully someone will have done the same for you. There’s that whole wall of, if nobody knows how to do it but me, then I’m irreplaceable, and I will tell you no one is irreplaceable. No one, nobody, you know, does that. Within six months, you’re forgotten, and people are all focused in on the new person. It’s happened over and over and over again. – You ever have somebody come to you, you ever have like a plumber come to your house or an electrician, and he’s like, “Oh my God, the last guy did it terribly.” Oh, oh my God, every single contractor tells you the last guy did it wrong, and so I think the more you can leave breadcrumbs for the next guy to say, “Here’s why we did it, and here’s why it makes sense,” you’re welcome to rip it out because I don’t live here anymore, but the reason why I did this is, oh man, you’ll have left something there that will have value instead of like some VBScript spaghetti code that’s mapping drives left, right, and sideways.

There’s some understanding about why you did something, and maybe even in its legacy, maybe this is worthwhile keeping, and so you can keep yourself alive at that organization, not by hiding, but by being open. – I used to say whenever I would go into a company to do consulting work, I would walk in, and there would always be somewhere in the corner, like under an admin’s desk, a 386 or a 486 with a turbo button, and I’d go, “What’s that?” And they’re like, “Oh, that runs this really archaic system that we use for transferring POs from one company to another.” I’m like, “Why isn’t it on the server?” Like, “We’re terrified to move it,” and I’m like, “Why?” They go, “Because it’s a custom app that some guy wrote 20 years ago, and we’re terrified if we touch it, it will break, but it’s really important to the business.” I’m like, “Why aren’t you just virtualizing that and sticking it on a virtual server somewhere?” And it goes without saying there’s always that one stuck in a closet or something like that.

So yeah, be kind, think about ways to do that, to modernize, and think first about other people, so that if you step out for a few days, they can come in and not mess up what you’re doing and be able to work, and that you’re showing that kindness to everybody else. One last final tip or trick for admins, or something that they should think about, 20 years plus you’ve been doing this, what’s the one piece of advice you give people over and over and over?

The advice I give people over and over again. I read a variety pack of things that are not necessarily super tech, just to keep my eye on the prize. I read the “Wall Street Journal” every day. I read “Wired” magazine every month. I read retro computing magazines too, because even though it’s old and dusty, it kind of kicks up interesting memories for me. So while of course we’re always learning and always trying to do our craft and trying to do what’s next for us, I also think it’s important as just a life skill to, like I said, my sources, I use the “Wall Street Journal” daily, I use “Wired” as a monthly, and then I also like to go back in time and read stuff from interesting people. Like I recently bought the hard-to-acquire Steve Jobs hardcover book. It’s actually, you can only get it in PDF, but there were like a thousand copies made in print format and I bought it special on eBay, I paid for it, I just had to have it. And so anyway, long story short, it’s like learning from interesting minds from various sources will inform you, inform you in a way for the stuff to come out from here and eventually show out here in a way that you may not know unless you’ve got a variety pack of sources. So that’s–

– And that’s why we do this show. The one bit of advice that I give folks constantly is, no matter what you’re talking about, if you’re talking about the latest stuff, assume your customer is 18 months behind, because most of them are, most of them are just getting to the stuff that we talked about a year, a year and a half ago, they’re now just getting there, and that’s very new to them. And again, just because something got released doesn’t mean it’s GA, doesn’t mean that they’ve tested it and it’s gone in. We have this feeling, especially when I was at Microsoft, that people are on the latest stuff, and the more that I got out, and I felt it was so important that every eight to 10 weeks I was out with the masses, chatting with people, hearing, I realized folks were a year to a year and a half behind. And that’s something really important to remember if you’re a consultant or you’re a speaker or an expert: don’t assume that folks are always on the latest stuff. And that’s why this show, things like GPOs and things like that are still so important for people, because we get so focused on new stuff and automation and Power Platform, which are all great stuff, but it’s important to be able to get back to the old-school stuff and to be able to do it. Jeremy, this was awesome. Where do people go to learn more about you and PolicyPak? – Yeah, sure. So I mentioned a couple of things. If you’re interested in the books, I can get you signed copies of books at gpanswers.com slash book.

And if you’re interested in the Group Policy health check and analysis, that’s also at gpanswers.com. If you’re interested in PolicyPak, you can find me at policypak.com. And of course, because our parent company is Netwrix, you can find me on netwrix.com. I love taking people’s questions. You can always hit me up on LinkedIn or Twitter, I’m pretty active there and happy to help you in just about any way I can within reason. – Yeah, and I will tell you, Jeremy will do that. But the folks that he’s worked with, who I’ve known again for many years and seen at many conferences, just love to dig in and do stuff. So Jeremy, I wanna thank you. I wanna thank all the folks at PolicyPak.

I wanna remind folks to go out and check out your site, because you’ve got demos and things that folks can play with. Folks can do the same at Specops as well, try all the different software, play with it. But thanks so much for being with us and sharing your wealth of experience and knowledge with us all. – Thank you so much for having me, appreciate it. – All right, for this episode of Unplug IT, I wanna thank everybody for joining us and we will see you on our next episode. Take care, have a great day. Talk to you all soon. – Use the force. – Use the force. Love it.