Microsoft just released a free tool to search for errors in Group Policy configuration - totally new and cool tool in the Best Practice Analyzer (BPA) series.

Download here:
GPDBPA for Windows XP
GPDBPA for Windows XP x64 Edition
GPDBPA for Windows Server 2003
GPDBPA for Windows Server 2003 x64 Edition

Read more here:
Microsoft KB 940122 article: “How to use the Microsoft Group Policy Diagnostic Best Practice Analyzer (GPDBPA) tool to collect and to analyze data”

Quote from KB article:
You can use the Microsoft Group Policy Diagnostic Best Practice Analyzer (GPDBPA) tool to collect data about an environment’s Group Policy configuration. For example, you can use this tool to analyze a Group Policy configuration for the following purposes:

• To search for common configuration errors
• To discover and to diagnose problems
• To collect data for archiving

The account that you use to run the tool must have the appropriate permissions to access both the Active Directory database on an environment’s domain controllers and the SYSVOL file structure that is maintained on those domain controllers. Additionally, the account must have local Administrator permissions on the Group Policy client.

There are two additional prerequisites for using the GPDBPA tool:
•The Microsoft .NET Framework version 1.1 or a later version must be installed on the computer on which the GPDBPA tool is installed.
•The Windows Management Instrumentation (WMI) service must be running on the environment’s domain controllers.

I joined a session “Deep Dive into Microsoft Windows Vista Group Policy Changes and Troubleshooting” with Jeremy Moskowitz here in Orlando - and he was very good. He’s a funny guy and it seemed like everybody in the room just loved him. Thanx for the inspiration Jeremy - you put on a nice show.

After the session I joined him at the SpecOps booth (#914) and spoke to some of the other Group Policy Gurus, like Darren Mar-Elia, J. Peter Bruzzese and the SpecOps employees. SpecOps were really focused on sharing info on their SpecOps Deploy product - so why not help them here ;-)

Tomorrow I hope to catch Derek Melber - a ‘colleague’ from www.windowsecurity.com - he was busy preparing for his upcoming Group Policy sessions so he didn’t show today… I’ll try to get back with a report from those sessions when possible.

I have to mention that it turned out Peter Bruzzese not only mentions me, but also quotes me, in his new book “Tricks of the Microsoft Windows Vista Master” * - as a “Vista Master” - thanx for the honor!

* Book is published by Que Publishing
ISBN-13: 978-0-7897-3689-5
ISBN-10: 0-7897-3689-6
Amazon link here!

I received an interesting question by mail the other day regarding my article about MLGO on Windowsecurity.com. The question was, if it is possible to export a local policy assigned to a specific user to a user on another computer…?

After scratching my head and researching a bit it seemed like nobody had a good answer for this and no GUI tool is apparently available - so I had to come up with something myself… This is the result:

The following undocumented - and probably unsupported - method worked for me:

On “Source Computer”:
1. Create/modify a local policy for the “Source User”
2. Go to “C:\Windows\System32\GroupPolicyUsers\” and locate the last modified policy folder
- the folder should be named with the SID (Security ID) of the “Source User”, e.g. “S-1-5-21-452792215-1268730067-2626448776-1108″
3. Copy the folder and content to the “Target Computer” into the same directory structure

On “Target Computer”:
1. Rename the newly copied folder to the SID of the “Target User” (the user who should receive the “exported” policy)
- how to find the SID of a local user?
2. Set NTFS permissions on the newly renamed folder to:
- SYSTEM = “Full Control”
- Administrators group = “Full Control”
- “Target User” = “Read & Execute”
3. Test a logon as the “Target User”, the policies should be correctly applied.

Done! Well, the procedure is a bid “odd”, but it could be scripted if required.