The GPO Policy Definitions are again not all in either W8 or Windows Server 2012. Here are screenshots from both so you can see the difference:
So this makes it tedious to get your Central Store up to date
Luckily this one has it all, in one place: http://www.microsoft.com/en-us/download/details.aspx?id=36991
Sami
Here’s a link to my presentation with Daniel Pearson at Helsinki Techdays 2013 (in English
I luckily won Techdays’ best session award third year in a row but not with the English one but with this one with Petri Paavola:
This blog post was originally posted at: http://blog.avecto.com/2013/05/migrating-put-admin-rights-in-the-past/
Do you give local administrative rights to all your users? Or maybe it’s just to the executives or laptop users? As companies now have under a year to move away from Windows XP, this is the perfect, once-in-a-decade opportunity to make your environment more secure, raise user productivity and make the lives of your support personnel easier.
It’s not easy to change user permission levels during the lifetime of an operating system but with the introduction of Windows 7 to users the changes can stay hidden behind bigger changes like a new logon screen.
I’ll start off with a short personal story: I was 16 years old when I first got Domain Admin rights to a company that had more than 30,000 workstations. I couldn’t have been more proud of my godly powers that most users did not have, so I was happy to blindly agree when users asked me to install the games on their computers that they couldn’t! “Sami, I heard you can install Solitaire on our NT4 – could you help me out after work?” they would whisper to me, “Yes” I would reply, “I sure can”.
It was only when I moved on to a new training and development role and a new company that I realized the extra work that my administrator rights had elicited. I was sitting at my new desk when a lady ran to me and started yelling: “Infrastructure department!? We have three new employees: install their laptops, make sure they have network connectivity, activate their user accounts and configure their email!” I thought for a moment and replied with a calm voice: “I can’t – I don’t have rights to do that”.
I could say that that moment changed my life: after years of being pestered to abuse my admin rights unnecessarily, I had just figured out that the less user rights I had the less work I had to do that was outside my area of responsibility. This was my first lesson: from then on, I’ve tried my best to only have the user rights I actually need to do my job – no more, no less.
As sure as I was that I didn’t want administrator rights at work, I was initially more relaxed about their use at home. However, not long after, another user installed a bunch of Outlook ‘Smileys’ on my home computer: I was so angry that people didn’t keep that stuff in their own profiles, I removed everyone’s admin rights from the machine. ‘Smileys’ were no more, but a much more significant side effect of this action took almost a year to figure out.
Prior to removing admin rights from the PC, I had been forced to reinstall my Windows (and that of most of my friends!) every 6 – 12 months because of the inevitable slow-down of the Operating System. What happened with this computer was significant: it was 5 years before I had to do a reinstall and, even then, this was due to a hard disk break, not because of the OS being slow! I’d learnt my second lesson about user privilege: it’s not only security that should prompt you to give up admin rights but also the cold-hard fact that Windows just stays cleaner and more operational that way.
Since then, one of my company’s specialties has been educating organizations on how to get rid of admin rights for end users. I show people the dangers of admin rights by demonstrating how to break into computers and how this can be prevented. To this day, with Anti-malware, Firewalls, AppLocker and BitLocker, the most important and first step for making environments more secure is getting rid of end user admin rights.
What’s the easiest way to rid your organization of admin rights when migrating to Windows 7? With Windows 7 and 8 the gap between standard users and administrators is even bigger because of the lack of “Power Users” group. UAC is designed to help, but it is unsuitable for use in an enterprise environment as it continues to place emphasis on the user to make decisions regarding the safety of applications and processes or facilitates a scenario where usability is impacted in an overly locked-down environment.
There’s an effective solution for everyone, but my preference is always to implement software which applies admin rights by process rather than by user or computer. When I get granular control of admin rights, I can remove them and keep them from coming back. I used to say it’s impossible to take admin rights away from two user groups: developers and kids – nowadays, with the right tools, even that is possible.
Windows RT’s both IE versions have built-in support for Adobe Flash but flash objects are only allowed from sites that are on the compatibility list of IE. This list is administered and updated by Microsoft.
If your site is not on the list you can have one site at a time (only one) that bypasses this check. This happened to me while trying to watch a movie from headweb.com.
This instruction can be found on MSDN: http://msdn.microsoft.com/en-us/library/ie/jj193557(v=vs.85).aspx. Here’s a short version:
You need to create a registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Flash\DebugDomain
where DebugDomain is a string value specifying the domain name as its data like the one I used:
Until Jan 31 2013 you can download Media Center for free:
As today is the general availability date on Windows 8 it’s more than convenient that my dearest project Wioski 2.0 is also available to help everyone with their brand new W8 slates and other form factor computers.
Wioski is a free SteadyState replacement that resets a Windows 7 or 8 machine to its original state as fast it normally takes the computer to reboot.
First question I got today morning was: Do Windows 8 Reset or Refresh functions compete with Wioski or even make it obsolete? Well it depends probably on who you ask but I’d say the don’t stand a chance! You can check the result on Wioski’s YouTube channel: http://www.youtube.com/user/AdminizerAndWioski?feature=watch but to sum it up here are the results:
- Windows 8 Reset = 22 minutes
- Windows 8 Refresh = 15 minutes
- Wioski reset = 28 seconds!
How often do we hear that Windows works for some time and then needs to be reinstalled – What if your Windows would reinstall every time it reboots – think about it! It doesn’t take longer than a normal reboot with Wioski 
I would personally like to thank Ronald Beekelaar for giving me a small but stepping on the Moon –type tip for Wioski. Ronald is an MVP in virtualization and I encourage everyone to follow him on Twitter!
“Ronald Beekelaar / Virsoft Solutions / www.virsoft.net / TwitterID @virsoft”
As many of you know what Wioski is here’s a short list of what’s new in 2.0:
- Faster reset
- Support for Windows 8
- One installation media for Windows 7 and 8, for USB and DVD/ISO, and for both x86 and x64
- Ability to enable or disable the automatic reverting on every boot making it ideal for use in classrooms
- A lot of small fixes
Check out videos and download the free tool at http://www.wioski.com/
Many students asked me about how to figure out if you have what it takes to run Client Hyper-V in Windows 8. As I mentioned in an earlier post Coreinfo.exe from Sysinternals tells you but what I didn’t provide was what to look for in the coreinfo output. I believe you can find what you need in this post: http://www.groovypost.com/howto/can-my-windows-8-pc-run-hyper-v-slat/
