Thursday, July 30, 2009

Group Policy Recommendations

From the mailbag.

Thiago sent me an email via the blog with a question about learning more about group policy. From Thiago's email:

"...I'm planning to buy in Amazon the Active Directory Book made by Brian Desmond MVP DS But I would like to have your suggestion to a book that give me an inside about AD and Group Policy....because I don't wanna keep reading that basic concepts. Want more than "how to create GPO, how GPP works, how to map drives..."

Brian Desmond's book does have a group policy section in it and that is a good place to start. I highly recommend Brian's book to anyone that works with AD. All four books in my recommendation section are great. Brian, Laura, and Kouti's books will help everyone.

There are however some resources I'd recommend for group policy specifically because that is what Thiago asked about.

First thing I'd recommend is to have some sort of lab setup if you can. That can be as simple as a virtual DC and one workstation to start with. As you are reading and learning about group policy it helps to test and play and experiment.


There are a few group policy specific books and both are good. The first one I'd recommend is

Group Policy: Fundamentals, Security, and Troubleshooting by Group Policy MVP Jeremy Moskowitz

That is the 4th edition of Jeremy's group policy book and at close to 800 pages you will learn about group policy.

The next book is Microsoft's Group Policy Resource Kit by Derek Melber

This one I use as a reference and it has a lot of great info too. If money is tight I'd go with Jeremy's book first.

Speaking of money being tight there are a lot of great free resources on the web that can be very helpful.


Microsoft's Official Group Policy Team Blog: Great blog from the group policy team. Anyone wanting to learn group policy should have this in their RSS feeds.

The GPO Guy Blog: Group Policy MVP Darren Mar-Elia's blog. Hands down Darren is one of the top group policy gurus on the planet and his blog is another must read. More to come from Darren later in this post.

Florian's Blog: Florian is a Group Policy MVP from Germany and a friend. His blog deals with group policy and Active Directory. He often thinks of blog entries that no one else does. His Restricted Groups entry is the best blog on the subject on the net.

Group Policy Center: Another great blog, from Group Policy MVP Alan Burchill. A lot of great information, and his blogs contain a lot of screen shots and step by step, which is very helpful when learning about group policy.

Other Great Free Resources

TechNet Virtual Labs: Having a test lab is very important as I mentioned above, but if you don't have one yet there are a bunch of great group policy labs provided by Microsoft. The virtual labs are a great learning tool.

Darren Mar-Elia also has some great free Group Policy Training Videos on his site. Definitely worth checking those out.

Group Policy Mail List: Run by Darren, this is a list that anyone wanting to learn more about group policy should subscribe to. Some really smart group policy folks on that list. You will often see very hard problems being discussed on that list.

So that is my list. I know some may wonder where Jeremy Moskowitz's training classes are. You can find Jeremy's training info here. I've seen good reviews of Jeremy's class but I've never taken it so I can't personally recommend it, but if you or your company has training dollars to spend it is probably going to be worth your time and money.

So what did I miss? Any glaring omissions? Please let me know and I'm sure this will not only answer Thiago's question but it will help others.



Thursday, July 23, 2009

Find Enabled Users in the Domain Admin Group

Sorry I've been out for a while, I'm back now with a quick hitter and more entries coming...well at least I have them planned in my head :)

I often receive requests from the security group to send them all user accounts in the domain admin group. What I've found is that there are often both disabled and enabled accounts. All they want is enabled accounts.

For this quick hitter I'll use my favorite tool, ADFIND by top MVP Joe Richards:

adfind -default -f "name= domain admins" member -list | adfind -bit -f "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:AND:=2)" samaccountname -nodn

There are other ways to do that in adfind but I really love playing with adfind being piped into adfind (great feature by Joe).

Can anyone see another quick hitter coming about how do you do this in PowerShell?...what about nested groups (see previous blog entry)...more to come :)

Update from Shariq via comments

I won't be doing a quick hitter for PowerShell...thanks for the assist Shariq

Get-QADgroupmember "domain admins" | Get-QADuser -enabled

I also highly recommend checking out Shariq's Blog

Thanks Shariq!!
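
The same report as an added example (not part of the original post or Shariq's comment), written against Microsoft's ActiveDirectory PowerShell module and extended to cover the nested-groups case mentioned above. It assumes that module is installed; `Get-EnabledGroupUser` is a hypothetical function name, and the filter spells out the bitwise-AND rule that `adfind -bit` substitutes for `:AND:`.

```powershell
# Added example: requires the ActiveDirectory module (RSAT). Read-only queries.
Import-Module ActiveDirectory

function Get-EnabledGroupUser {
    param(
        [Parameter(Mandatory = $true)]
        [string] $GroupName            # e.g. 'Domain Admins'
    )

    # The chain-matching rule needs the group's full distinguished name.
    $group = Get-ADGroup -Identity $GroupName
    $dn    = $group.DistinguishedName

    # Escape characters that are special inside an LDAP filter value
    # (backslash first, so the escapes themselves are not re-escaped).
    $dnEscaped = $dn.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')

    # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN (walks nested groups)
    # 1.2.840.113556.1.4.803  = LDAP_MATCHING_RULE_BIT_AND
    # userAccountControl bit 2 = ACCOUNTDISABLE; negating the test keeps enabled accounts.
    $filter = '(&(objectCategory=person)(objectClass=user)' +
              "(memberOf:1.2.840.113556.1.4.1941:=$dnEscaped)" +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

    Get-ADUser -LDAPFilter $filter -Properties memberOf |
        Select-Object SamAccountName, DistinguishedName,
            # True when the account is a direct member, False when it arrives via nesting.
            @{ Name = 'Direct'; Expression = { $_.memberOf -contains $dn } }
}

# Report for the security group: enabled accounts only, direct and nested.
Get-EnabledGroupUser -GroupName 'Domain Admins' |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```

The `memberOf` attribute does not include membership held through an account's `primaryGroupID`, so an account whose primary group is the audited group will not appear in this output.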

Wednesday, July 1, 2009

I'm a Microsoft MVP now -- Thank You

I received an email earlier today telling me that I was awarded the MVP for directory services.

This is a really great honor and something I'm very proud of. I really enjoy working in the community and more importantly I enjoy learning from others too. I obviously didn't get to this point alone so I want to take some time to thank some key people that have helped me throughout my career.

Starting back in my Army days I can't say enough and thank those that serve. One of the best things I took away from my time in the Army was some of the good friends I made. So to Daryl, Will, and Todd thank you all. You all were like brothers during my time in and I'm proud to call you friends. Additional thanks to Todd and all those currently serving during this time of war. Hoooaaaahhh!!

I had a few internships that got me in the door but my first real job was supporting a medium size agency in DoD. I really cut my teeth there and have to single out some folks there too.

First and foremost Kevin Buckman for being a great government manager. No way I'd be where I am today without Kevin's support during those early days. Thank you Kevin!! Honorable mention to Terri C. and Jim R.

Richard Guidorizzi -- thank you Richard for the second half of my DoD career at that agency. You really helped me more than you know and always believed in me and I'll never forget what you did. Honorable mention to Leslie Butler, a great senior manager and owner of the company I worked for.

Mark, David R., Garret, and Richard (again) - the discussions that we still have to this day are really great and I learn from each and every one of you. Definitely all friends for life.

A great list of admins and engineers that I worked with at DoD:

Mark, David, Garret, Larry, Greg, Lili, Cesar, Kyle, Louis, Brian T, Stuart, Steve Mc, Alex, Guy, Todd, Steve B, Matt, Jeff H, Kevin D. and last but not least Rusty. I know I missed a lot of people but thanks to everyone there. We made it through a lot there including 9/11. I can still vividly remember watching the Pentagon burn. We will always be bonded by that experience.

Thanks to Keith, TJ, Ryan, Ditter, and John at my next agency. Not the most high speed job but at least I made some good friends. Did we pause the DEN yet haha

At my current job at Unisys there are a few key people that I definitely need to thank. Mark and Eric Jansen are on the top of that list. Really enjoyed the projects I worked on with them. It is so great to work with others that are good and know their stuff. We learned from each other and I think we made a solid and real impact for the agency we supported.

Thanks to the "geek network" Florian, Eric, Mark, Rich, Dave, Brian, and Troy B. We have some good discussions and I've learned a lot from all of you guys.

Thanks to everyone at Experts-Exchange. I hang out in the Active Directory section there and I've learned a lot and hopefully helped a lot of people too. Have to give thanks to some of the other top people over there. Chris Dent, Americom, bluntTony, TigerMatt, Laura Hunter, Brandon Shell, and Brian Desmond.

Thanks to other MVPs that I have learned from for years and years. Top of that list is definitely Joe Richards. Joe is just cool as hell and knowledgeable beyond belief. His tools are a huge part of what I do. I remember the first time I emailed Joe offline and he responded with a very long and thoughtful answer. He didn't blow me off or treat me like I was a peon. Thank you Joe for all your work in the community. I really look forward to meeting you at the MVP summit next year.

Other great MVPs that I'd like to thank. I've met some of you in person. Others I only know via email but Thanks to: Joe, Brian Desmond, Laura Hunter, Florian F., Jorge, Mark Minasi, and Darren Mar-Elia.

Thanks to the Directory Services team at Microsoft. Ned, Rob, and everyone else that writes for the AskDS blog. Really great blogs and thanks for what you all do for the community.

Last but not least my brother Andy...thanks Andy I would not be here without you man.

I know I probably forgot people but again I didn't get here alone and I'll continue with help and support from great people.

Ok now this blog entry is starting to sound like one of those rambling Oscar speeches. The red light came on 5 minutes ago and now I'm getting the hook...I've overstayed my welcome :)