Thursday, October 6, 2011

Merging Group Policies with PowerShell

As most environments grow they end up with many group policies enforcing a variety of different settings. At a certain point they become unmanageable and are in need of a cleanup. Merging GPOs is a pain as there isn’t really a good way of doing it – without PowerShell anyway. We faced exactly this scenario recently and, lucky for us, we came across this blog post by Ashley McGlone on TechNet. His script uses the Get-GPRegistryValue cmdlet to capture all of the registry-based settings in the source policy and then copies them into a destination policy with Set-GPRegistryValue.

#--------------------------------------------------------------------
# Copy GPO Registry Settings
# Ashley McGlone, Microsoft PFE
# http://blogs.technet.com/b/ashleymcglone
# January 2011
#
# Parameters:
#   dom       FQDN of the domain where the GPOs reside
#   src       string name of the GPO to copy settings from
#   dest      string name of the GPO to copy settings to
#   newDest   switch to create dest GPO if it does not exist
#   copymode  part of GPO to copy: all, user, computer
#--------------------------------------------------------------------

Param (
    $dom,
    $src,
    $dest,
    [switch]$newDest,
    $copymode
)

# We must continue on errors due to the way we enumerate GPO registry
# paths and values in the function CopyValues.
$ErrorActionPreference = "SilentlyContinue"
$error.PSBase.Clear()

Import-Module ActiveDirectory
Import-Module GroupPolicy

#--------------------------------------------------------------------
# Help
#--------------------------------------------------------------------
if ($dom -eq $null -and `
    $src -eq $null -and `
    $dest -eq $null -and `
    $copymode -eq $null) {
    ""
    "Copy-GPORegistryValue by Ashley McGlone, Microsoft PFE"
    "For more info: http://blogs.technet.com/b/ashleymcglone"
    ""
    "This script copies registry-based GPO settings from one GPO into another."
    "Use this script to copy and/or merge policy settings."
    "NOTE: This version does not copy GPO preferences."
    ""
    "Syntax:"
    ".\Copy-GPRegistryValue.ps1 [-dom DomainFQDN] -src `"Source GPO`""
    "    -dest `"Destination GPO`" [-newDest]"
    "    [-copymode all/user/computer]"
    ""
    "The -dom switch will default to the current domain if blank."
    "The -copymode will default to all if blank."
    "The -newDest switch will create a new destination GPO of the specified"
    "name. If the GPO already exists, then the copy will proceed."
    ""
    Return
}

#--------------------------------------------------------------------
# Validate parameters
#--------------------------------------------------------------------
if ($dom -eq $null) {
    $dom = (Get-ADDomain).DNSRoot
} else {
    $dom = (Get-ADDomain -Identity $dom).DNSRoot
    If ($error.Count -ne 0) {
        "Domain name does not exist. Please specify a valid domain FQDN."
        $error
        Return
    }
}

if ($src -eq $null) {
    "Source GPO name cannot be blank."
    Return
} else {
    $src = Get-GPO -Name $src
    If ($error.Count -ne 0) {
        "Source GPO does not exist. Be sure to use quotes around the name."
        Return
    }
}

if ($dest -eq $null) {
    "Destination GPO name cannot be blank."
    Return
} else {
    if ($newDest -eq $true) {
        $desttemp = $dest
        $dest = New-GPO -Name $desttemp
        If ($error.Count -ne 0) {
            "The new destination GPO already exists."
            "Do you want to merge into this GPO (y/n)?"
            $choice = Read-Host
            if ($choice -eq "y") {
                $dest = Get-GPO -Name $desttemp
            } else {
                Return
            }
        }
    } else {
        $dest = Get-GPO -Name $dest
        If ($error.Count -ne 0) {
            "Destination GPO does not exist. Be sure to use quotes around the name."
            Return
        }
    }
}

if ($copymode -eq $null) {
    $copymode = "all"
} else {
    if ($copymode -ne "all" -and `
        $copymode -ne "user" -and `
        $copymode -ne "computer") {
        "copymode must be one of the following values:"
        "all, user, computer"
        Return
    }
}
#--------------------------------------------------------------------


#--------------------------------------------------------------------
# Echo parameters for this run
#--------------------------------------------------------------------
""
"Domain: $dom"
"Source GPO: $($src.DisplayName)"
"Destination GPO: $($dest.DisplayName)"
"New Destination: $newDest"
"CopyMode: $copymode"
""
#--------------------------------------------------------------------


#--------------------------------------------------------------------
# Copy GPO registry values recursively beginning at a specified root.
#--------------------------------------------------------------------
# THIS IS THE HEART OF THE SCRIPT.
# Essentially this routine does a get from the source and a set on
# the destination. Of course nothing is ever that simple, so we have
# to account for the policystate "delete" which disables a setting;
# this is like a "negative set".
# We recurse down each registry path until we find a value to
# get/set.
# If we try to get a value from a path (non-leaf level), then we get
# an error and continue to dig down the path. If we get a value and
# no error, then we do the set.
# User values have a single root: HKCU\Software.
# Computer values have two roots: HKLM\System & HKLM\Software.
# You can find these roots yourself by analyzing ADM and ADMX files.
# It is normal to see an error in the output, because all of these
# roots are not used in all policies.
#--------------------------------------------------------------------
Function CopyValues ($Key) {
    $Key
    $error.PSBase.Clear()
    $path = Get-GPRegistryValue -GUID $src.ID -Key $Key
    $path
    If ($error.Count -eq 0) {
        ForEach ($keypath in $path) {
            $keypath
            $keypath | ForEach-Object {Write-Host $_}
            If ($keypath.HasValue) {
                $keypath.PolicyState
                $keypath.Valuename
                $keypath.Type
                $keypath.Value
                If ($keypath.PolicyState -eq "Delete") { # PolicyState = "Delete"
                    Set-GPRegistryValue -Disable -Domain $dom -GUID $dest.ID `
                        -Key $keypath.FullKeyPath -ValueName $keypath.Valuename
                } Else { # PolicyState = "Set"
                    $keypath | Set-GPRegistryValue -Domain $dom -GUID $dest.ID
                }
            } Else {
                CopyValues $keypath.FullKeyPath
            }
        }
    } Else {
        $error
    }
}
#--------------------------------------------------------------------


#--------------------------------------------------------------------
# Call the main copy routine for the specified scope of $copymode
#--------------------------------------------------------------------
Function Copy-GPRegistryValue {

    # Copy user settings
    If (($copymode -eq "user") -or ($copymode -eq "all")) {
        CopyValues "HKCU\Software"
    }

    # Copy computer settings
    If (($copymode -eq "computer") -or ($copymode -eq "all")) {
        CopyValues "HKLM\System"
        CopyValues "HKLM\Software"
    }
}
#--------------------------------------------------------------------

# Start the copy
Copy-GPRegistryValue

# ><>
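One thing the copy script above does not do is tell you what it is about to overwrite: when a value already exists in the destination GPO with a different setting or policy state, the set from the source silently wins. The following is an added example (it is not part of the original post or of Ashley McGlone's script) that walks both GPOs with the same Get-GPRegistryValue recursion and reports each source setting as New, Identical or Conflict, so a merge can be reviewed before it is run. It assumes the GroupPolicy module is available, that the GPO names 'Source GPO' and 'Destination GPO' are placeholders for your own, and that the three roots the script uses (HKCU\Software, HKLM\System, HKLM\Software) cover the settings you care about.

```powershell
# Added example: pre-merge comparison of registry-based GPO settings.
# Not part of the original post; assumes the GroupPolicy module.
Import-Module GroupPolicy

# Walk one GPO below each root and index every leaf value by
# "FullKeyPath\ValueName". Sub-keys come back with HasValue = $false
# and are pushed onto the stack to be descended into.
Function Get-GPOSettingTable {
    param($Gpo, [string[]]$Roots)
    $table = @{}
    $stack = New-Object System.Collections.Stack
    foreach ($root in $Roots) { $stack.Push($root) }
    while ($stack.Count -gt 0) {
        $key = $stack.Pop()
        # A root the policy never touches raises an error; skip it quietly.
        $items = Get-GPRegistryValue -Guid $Gpo.Id -Key $key -ErrorAction SilentlyContinue
        foreach ($item in $items) {
            if ($item.HasValue) {
                $table["$($item.FullKeyPath)\$($item.ValueName)"] = $item
            } else {
                $stack.Push($item.FullKeyPath)
            }
        }
    }
    return $table
}

# Emit one object per source setting with its status in the destination.
Function Compare-GPOSettings {
    param([string]$Source, [string]$Destination)
    $roots = 'HKCU\Software', 'HKLM\System', 'HKLM\Software'
    $srcTable = Get-GPOSettingTable -Gpo (Get-GPO -Name $Source) -Roots $roots
    $dstTable = Get-GPOSettingTable -Gpo (Get-GPO -Name $Destination) -Roots $roots
    foreach ($id in ($srcTable.Keys | Sort-Object)) {
        $s = $srcTable[$id]
        $d = $dstTable[$id]          # $null when the destination lacks the setting
        $dState = $null; $dValue = $null
        if ($d -eq $null) {
            $status = 'New'
        } else {
            $dState = $d.PolicyState; $dValue = "$($d.Value)"
            if ($s.PolicyState -eq $dState -and "$($s.Value)" -eq $dValue) {
                $status = 'Identical'
            } else {
                $status = 'Conflict'     # the copy would overwrite a different setting
            }
        }
        New-Object PSObject -Property @{
            Status      = $status
            Setting     = $id
            SourceState = $s.PolicyState
            SourceValue = "$($s.Value)"
            DestState   = $dState
            DestValue   = $dValue
        }
    }
}

# Usage: list only the settings the merge would change in the destination.
Compare-GPOSettings -Source 'Source GPO' -Destination 'Destination GPO' |
    Where-Object { $_.Status -eq 'Conflict' } |
    Format-Table Setting, SourceState, SourceValue, DestState, DestValue -AutoSize
```

Values are compared as strings so that multi-string (REG_MULTI_SZ) values line up with the copy script's behaviour; a "Delete" policy state on one side and "Set" on the other is reported as a conflict even when the raw values happen to match, because the merged policy would flip the setting from disabled to enforced.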

Steve Jobs 1955 - 2011

Like him or not, Steve Jobs was one of the greatest innovators of our time. His creative vision saved Apple from the brink in the late nineties and turned it into a consumer electronics powerhouse. Just look at how the iPod, iPad and iPhone have changed our lives. With his health failing he passed the torch one final time this past August to Tim Cook, now CEO and chairman of the board. It will be interesting to see how Apple fares in the coming years without the innovation and creativity of Jobs. He touched a lot of people and his loss will be felt throughout the world.

"The world rarely sees someone who has had the profound impact Steve has had, the effects of which will be felt for many generations to come. For those of us lucky enough to get to work with him, it’s been an insanely great honor. I will miss Steve immensely."

- Bill Gates

Tuesday, August 23, 2011

An error occurred when loading the task sequence

Recently I ran into a problem where I was unable to open and edit any of my task sequences. It didn’t matter whether I was accessing ConfigMgr from a remote console or locally on one of my site servers – they would fail to open. The error that I was getting:

"An error occurred when loading the task sequence"

I tried rebooting the problem site server but still no luck. According to KB2468097 this is caused by the BDD_* WMI classes no longer being correctly registered under the \root\SMS\site_ namespace in WMI. To fix it:
  • Close all of your remote and local SCCM admin console sessions
  • Log on to your Configuration Manager server and select Start -> All Programs -> Microsoft Deployment Toolkit -> Configure ConfigMgr Integration
  • In the Configure ConfigMgr Integration wizard, select “Remove the ConfigMgr custom action definitions” and then click next to remove all the definitions
  • Re-run Configure ConfigMgr Integration again, and select “Install the ConfigMgr extensions”
I also found that my site server needed to be rebooted after following the steps outlined above before the issue was resolved. This problem occurred on consecutive days a few weeks back but has yet to resurface since.
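A quick way to confirm the repair took, before opening a console again, is to list the BDD_* classes in the site's provider namespace. This is an added example, not part of the original post; it assumes the SMS provider runs on the server you query and uses 'XXX' as a placeholder for your three-character site code.

```powershell
# Added example (not from the original post): check that the MDT BDD_*
# classes are present in root\SMS\site_<SiteCode>. 'XXX' is a placeholder.
Function Test-MdtClassRegistration {
    param([string]$SiteCode = 'XXX', [string]$ComputerName = '.')
    $ns = "root\SMS\site_$SiteCode"
    # -List enumerates class definitions rather than instances.
    $classes = @(Get-WmiObject -ComputerName $ComputerName -Namespace $ns -List -ErrorAction Stop |
                 Where-Object { $_.Name -like 'BDD_*' })
    if ($classes.Count -eq 0) {
        Write-Warning "No BDD_* classes in $ns on $ComputerName; re-run Configure ConfigMgr Integration."
        return $false
    }
    Write-Host ("{0} BDD_* class(es) registered in {1}:" -f $classes.Count, $ns)
    $classes | ForEach-Object { Write-Host ("  " + $_.Name) }
    return $true
}

# Usage: run on the site server after the integration wizard (and reboot).
Test-MdtClassRegistration -SiteCode 'XXX'
```

If the namespace itself cannot be opened the call stops with the WMI error rather than reporting zero classes, which is the more useful failure when the provider is on a different box than the one you are logged on to.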

Friday, July 22, 2011

KB982399 - ConfigMgr site server stops responding while processing status messages


I find that from time to time a ConfigMgr site will stop responding. Some of the first symptoms that are noticed are software distribution will stop, site backups fail and you no longer get site status messages. In the Application event viewer you may notice the following error:

A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SMS_EXECUTIVE service.

Generally restarting the SMS Executive service and the SMS Site Component Manager service, or rebooting your site server, will resolve the issue temporarily. Microsoft has released a hotfix for ConfigMgr SP2 site servers that resolves this issue: http://support.microsoft.com/kb/982399. According to the article the issue is caused by a deadlock in the SMS Executive service. I’ve applied the hotfix to one of my problematic site servers and I have not experienced a recurrence of this issue.
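Until the hotfix is on every site server, the timeout event is worth watching for rather than waiting for someone to notice that distributions have stopped. The following added example (not part of the original post) searches the Application log for the message quoted above and, when it finds one, restarts the two services the post names. It assumes it runs on the site server itself and that the service names are SMS_EXECUTIVE and SMS_SITE_COMPONENT_MANAGER; the event source and ID are not assumed, only the message text.

```powershell
# Added example (not from the original post): detect the SMS_EXECUTIVE
# transaction timeout event and restart the two site services.
Function Find-SmsExecTimeout {
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $since = (Get-Date).AddHours(-$Hours)
    Get-EventLog -ComputerName $ComputerName -LogName Application -After $since |
        Where-Object { $_.Message -like '*timeout*transaction response from the SMS_EXECUTIVE service*' } |
        Select-Object TimeGenerated, Source, EventID, Message
}

Function Invoke-SmsExecRecovery {
    param([int]$Hours = 1)
    $hits = @(Find-SmsExecTimeout -Hours $Hours)
    if ($hits.Count -eq 0) {
        Write-Host "No SMS_EXECUTIVE timeout events in the last $Hours hour(s)."
        return
    }
    $hits | Format-Table TimeGenerated, Source, EventID -AutoSize
    # Restart Site Component Manager first: it is what (re)starts the
    # Executive's threads once the Executive comes back.
    foreach ($name in 'SMS_SITE_COMPONENT_MANAGER', 'SMS_EXECUTIVE') {
        Write-Host "Restarting $name ..."
        Restart-Service -Name $name -Force
    }
    Get-Service -Name 'SMS_EXECUTIVE', 'SMS_SITE_COMPONENT_MANAGER' | Format-Table Name, Status -AutoSize
}

# Usage: run from a scheduled task on the site server, e.g. every hour.
Invoke-SmsExecRecovery -Hours 1
```

Logging the hit before restarting anything keeps a record of how often the deadlock recurs per server, which is the number you want when deciding which servers to patch first.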

Monday, July 18, 2011

Windows XP SP3 - update.exe extended error code 0xf00d

Every once in a while an old Windows XP machine will make its way back onto our network – most of the time it’s an old laptop that has been sitting in someone’s desk or in some storage room. Machines are checked for missing patches or anti-virus DAT updates prior to being added back onto our domain; however, once in a while a machine will be missed. For this reason we are still scanning for pre-Windows XP SP3 machines, and if one is detected SP3 is pushed to it so that the machine can catch up on patches. (We are looking at a quarantine solution for rogue machines but that’s another story.)

The other day a Windows XP SP2 laptop was detected but the SP3 upgrade kept failing. The only sign of a problem in Event Viewer was an entry stating that the update had been cancelled, and when I ran the update interactively, same thing. When I checked the install log (C:\Windows\svcpack.log) it had the following entry:

update.exe extended error code 0xf00d

After some searching I found that if you browse to C:\Windows\System32 and rename spupdsvc.exe to something like spupdsvc.old and then reapply the update, spupdsvc.exe will get recreated and Service Pack 3 will complete successfully.

Wednesday, July 13, 2011

Office File Validation Add-in Causes Excel 2003 Workbooks to open slower over networks


In an enterprise environment this is an understatement - test KB2501584 very carefully. During each patching cycle we roll out patches to about 400 workstations for testing in order to QA the deployment. Shortly after deploying the latest round of Microsoft patches we started to get reports that Excel 2003 would stop responding when trying to open files across the network. Local workbooks were fine. Once the exact symptoms were identified it wasn’t long before I found a Microsoft knowledge base article outlining the same symptoms and referencing the Office File Validation Add-in (OFV) as the culprit.

Office 2007 and 2010 will copy the file locally and then validate it to see if it is safe to open. Office 2003 tries to complete this process across the network. A workbook that normally takes seconds to open was taking upwards of 10 – 15 minutes if the user had Excel 2003. (Keep in mind that this is across a well connected LAN)

Microsoft has published a workaround but as I quickly found out it had little effect. The registry key that is referenced in KB2570623:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\

According to this post, it should be:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0

And then follow the steps outlined below:

1. After you select the key that is specified in step 3, point to New on the Edit menu, and then click Key.
2. Type Excel, and then press ENTER.
3. Select Excel, point to New on the Edit menu, and then click Key.
4. Type Security, and then press ENTER.
5. Select Security, point to New on the Edit menu, and then click Key.
6. Type FileValidation, and then press ENTER.
7. Select FileValidation, point to New on the Edit menu, and then click DWORD Value.
8. Type EnableOnLoad, and then press ENTER. (Note: The default value is 0 which disables the validation)

Once the correct key has been added to the user’s profile, workbooks will open normally using Excel 2003. Long story short upgrade to Office 2010.
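Clicking through Regedit for every affected profile does not scale, so here is the same change as a script. This is an added example and not part of the original post or the KB; it assumes it runs in the affected user's context (HKCU is the user's own hive) and writes to the non-Policies path the post found to work. The second function reads both locations so you can see which one actually holds a value on a given machine.

```powershell
# Added example (not from the original post): create the per-user
# FileValidation key for Excel 2003 and set EnableOnLoad.
Function Set-Excel2003FileValidation {
    param([int]$EnableOnLoad = 0)   # 0 disables validation on load, per the post
    $key = 'HKCU:\SOFTWARE\Microsoft\Office\11.0\Excel\Security\FileValidation'
    if (-not (Test-Path $key)) {
        # -Force also creates the missing Excel and Security parent keys.
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path $key -Name 'EnableOnLoad' -PropertyType DWord `
        -Value $EnableOnLoad -Force | Out-Null
    # Return what is now stored so the caller can verify it.
    (Get-ItemProperty -Path $key -Name 'EnableOnLoad').EnableOnLoad
}

# Report EnableOnLoad under both the path the post uses and the Policies
# path KB2570623 references, so a mismatch is visible.
Function Get-Excel2003FileValidation {
    $paths = 'HKCU:\SOFTWARE\Microsoft\Office\11.0\Excel\Security\FileValidation',
             'HKCU:\SOFTWARE\Policies\Microsoft\Office\11.0\Excel\Security\FileValidation'
    foreach ($p in $paths) {
        $v = $null
        if (Test-Path $p) {
            $v = (Get-ItemProperty -Path $p -Name 'EnableOnLoad' -ErrorAction SilentlyContinue).EnableOnLoad
        }
        New-Object PSObject -Property @{ Path = $p; EnableOnLoad = $v }
    }
}

# Usage: apply the workaround for the current user, then show both locations.
Set-Excel2003FileValidation -EnableOnLoad 0
Get-Excel2003FileValidation | Format-Table EnableOnLoad, Path -AutoSize
```

Because the workaround switches off a check that exists to block malformed binary workbooks, keep it scoped to the Excel 2003 users who actually hit the network slowdown, and track those profiles so the value can be removed once they are upgraded to Office 2010.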

Monday, May 23, 2011

Office 2010 SP1 To Be Released Soon

Microsoft is planning on releasing Office 2010 Service Pack 1 at the end of June 2011. SP1 will be available for all 40 SKU languages of Office. Each product in the suite will have updates included in SP1 and as always they will be cumulative. For a list of some of the highlights check out the Office Sustained Engineering blog.

Update: Microsoft has released Office 2010 SP1 http://www.microsoft.com/download/en/details.aspx?id=26622

Sunday, May 22, 2011

ConfigMgr PXE Certificate Renewal

When I originally set up my ConfigMgr environment, setting up my OSD PXE certificates was kind of a set-and-forget process, so when my deployment team started getting a prompt about an expiring cert I thought "Oh ya I forgot about those."

In order to update your PXE certificate you need to locate the site system that hosts the PXE Service Point where you want to update the certificate, double-click the PSP role, on the Database tab select "Create a self-signed PXE certificate", specify an appropriate date range and then click Apply. As soon as you create your new certificate your old one will be blocked. It's just that simple, but it's one of those tasks that you probably don't do that frequently.

If you are running in Native mode you will have to import your new certificate from your root certificate authority (CA).

Wednesday, April 6, 2011

Installing KB977384 ConfigMgr R3 Client Upgrade in a Task Sequence

R3 is the latest feature pack to be released for ConfigMgr 2007 – it is also the first R3 release in Microsoft’s history. The update includes a server-side component as well as an upgrade for your ConfigMgr clients. Pushing the update out to your clients is one thing, but when it comes to updating your OSD task sequences it gets a little tricky. If you simply attach the update as an Install Software step or call it from a script during your task sequence, the sequence will fail because the R3 update stops the winmgmt service. In order to install the update during a task sequence you must add the correct command line to the installation properties of your ConfigMgr client install step. There are a couple of ways of doing this.

Locate the “Setup Windows and ConfigMgr” step in your task sequence and on the Properties tab under Installation properties add one of the following command lines:

PATCH="%_SMSTSMDataPath%\OSD\Package ID\i386\hotfix\KB977384\SCCM2007AC-SP2-KB977384-x86-enu.msp"

Or you might need to specify a drive letter instead of using the _SMSTSMDataPath variable:

PATCH="C:\_SMSTaskSequence\OSD\Package ID\i386\hotfix\KB977384\sccm2007ac-sp2-kb977384-x86-enu.msp"

However, if you have set the advertisement for your task sequence to access content directly from a distribution point when needed by the running task sequence, then you’ll need to change the _SMSTSMDataPath variable or your local drive reference to the network location of your R3 patch, like this:

PATCH="\\Network Location\ConfigMgr Client Source Files Directory\hotfix\KB977384\sccm2007ac-sp2-kb977384-x86-enu.msp"

Monday, March 28, 2011

System Center Updates Publisher 2011

While at MMS 2011 I attended a session on the new release of SCUP - System Center Updates Publisher 2011. If you are not familiar with SCUP, SCUP is an application that indirectly interfaces with ConfigMgr and allows you to create, manage and publish third party updates by using the WSUS engine. Currently only Adobe, Dell and HP are publishing their update catalogues for use with SCUP but interest is high so hopefully we’ll see more major vendors follow suit. Microsoft has pretty much completely rewritten the product which makes it much more user friendly. Some key features include:


• No database required
• The ability to set automatic publishing rules
• Support for ConfigMgr 2007 & 2012
• Software update cleanup wizard which helps with any unreferenced updates

An important component that is still required by SCUP 2011 is a self-signed certificate. When an update is approved it is made available to WSUS; once the update has been imported into WSUS it can be made available to ConfigMgr clients using your normal software update process. Watch for SCUP 2011 to drop sometime in Q2 of this year.

Friday, March 11, 2011

Unable to Delete Management Object in ConfigMgr

Recently I was having a problem with one of my branch distribution points. I could no longer replicate packages to it, and after some investigation I found that it had two machine records (one was marked obsolete). The problem is that you can't delete the obsolete record until you remove the Distribution Point role from the site system. After I removed the Distribution Point role from the server I was still unable to delete the record, and this time the console gave me this error:

"Failure deleteing management object"

and if I expanded the details I got:

ConfigMgr Error Object:
instance of SMS_ExtendedStatus
{
 CauseInfo = "9";
 Description = "Error deleting discovery data in SQL";
 ErrorCode = 2168655109;
 File = "e:\\nts_sms_fre\\sms\\siteserver\\sdk_provider\\smsprov\\sspresource.cpp";
 Line = 388;
 Operation = "DeleteInstance";
 ParameterInfo = "SMS_R_System.ResourceId=3090";
 ProviderName = "WinMgmt";
 StatusCode = 2147749889;
};

I found the following post on myitforum.com and I ran the four SQL queries that were posted (about half way down the page) in the forum and I was then able to delete the record.

SELECT *
FROM PkgServers
WHERE NALPath='["Display=\\DP Name\"]MSWNET:["SMS_SITE=Site Code"]\\DP Name\'

DELETE
FROM PkgServers
WHERE NALPath='["Display=\\DP Name\"]MSWNET:["SMS_SITE=Site Code"]\\DP Name\'

SELECT *
FROM PkgStatus
WHERE PkgServer='["Display=\\DP Name\"]MSWNET:["SMS_SITE=Site Code"]\\DP Name\'

DELETE
FROM PkgStatus
WHERE PkgServer='["Display=\\DP Name\"]MSWNET:["SMS_SITE=Site Code"]\\DP Name\'
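The awkward part of those queries is the NALPath literal: the DP name appears twice, with different escaping, and a typo means the SELECT quietly returns nothing while the DELETE deletes nothing. The following added example (not from the original post or the myitforum thread) builds the string from the DP name and site code in the format the queries above use and runs the two SELECTs as parameterised COUNT queries, so you can confirm the row counts before running the DELETEs by hand. It assumes integrated Windows authentication to the site database; the SQL instance name and the database name 'SMS_XXX' are placeholders.

```powershell
# Added example (not from the original post): build a DP NALPath and count
# the PkgServers / PkgStatus rows that reference it.
Function Get-DPNalPath {
    param([string]$DPName, [string]$SiteCode)
    # Format copied from the post's queries: ["Display=\\DP\"]MSWNET:["SMS_SITE=XXX"]\\DP\
    # Single quotes keep every backslash and double quote literal.
    return ('["Display=\\{0}\"]MSWNET:["SMS_SITE={1}"]\\{0}\' -f $DPName, $SiteCode)
}

Function Get-DPPackageRows {
    param([string]$SqlServer, [string]$Database = 'SMS_XXX', [string]$DPName, [string]$SiteCode)
    $nal = Get-DPNalPath -DPName $DPName -SiteCode $SiteCode
    $queries = @{
        PkgServers = 'SELECT COUNT(*) FROM PkgServers WHERE NALPath = @nal'
        PkgStatus  = 'SELECT COUNT(*) FROM PkgStatus WHERE PkgServer = @nal'
    }
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$SqlServer;Database=$Database;Integrated Security=SSPI"
    $conn.Open()
    try {
        foreach ($q in $queries.GetEnumerator()) {
            $cmd = $conn.CreateCommand()
            $cmd.CommandText = $q.Value
            # Parameter binding: the NALPath goes in as data, never spliced into the SQL text.
            $cmd.Parameters.AddWithValue('@nal', $nal) | Out-Null
            New-Object PSObject -Property @{ Table = $q.Key; NALPath = $nal; Rows = [int]$cmd.ExecuteScalar() }
        }
    } finally {
        $conn.Close()
    }
}

# Usage: placeholders for the SQL instance, DP name and site code.
Get-DPPackageRows -SqlServer 'SQLSERVER\INSTANCE' -Database 'SMS_XXX' -DPName 'DP Name' -SiteCode 'XXX' |
    Format-Table Table, Rows, NALPath -AutoSize
```

If both counts come back as zero for a DP you know has packages, the NALPath is wrong (usually the site code or a trailing backslash), and it is the query, not the database, that needs fixing before anything is deleted.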

Saturday, March 5, 2011

Windows boot error NTOSKRNL.exe is Missing or Corrupt

If you have ever spent any time supporting Windows boxes this error will be very familiar to you. Every once in a while when you reboot a workstation or server you'll get the famous NTOSKRNL.exe is Missing or Corrupt error:

Windows NT could not start because the following file is missing or corrupt:
         C:\Windows\System32\Ntoskrnl.exe

It's fairly straightforward to resolve this problem. Start by booting your machine from the install media and, when prompted, follow these steps:
- Boot to the recovery console (http://support.microsoft.com/kb/326215)
- Select the Windows installation that you want to recover
- When prompted provide the local administrator password
- Once you are into the recovery console you will probably be sitting at a C:\WINDOWS prompt
- Change the directory to the i386 folder on your CD / DVD drive (if you only have one partition it will most likely be D:\)
- Copy the following files to the C:\ drive
        copy ntldr C:
        copy ntdetect.com C:
- Change your source directory back to C:\Windows
- Next you will need to fix your boot record
        fixboot C:
- Most likely you will also have to fix the boot.ini using the bootcfg command
        bootcfg /rebuild
- Add the required Windows installation to your boot list
- Add the Load Identifier (custom description)
- Add the OS Load Options (/fastdetect)
- Type exit to reboot the machine
Your machine should now be recovered from the "NTOSKRNL.exe is Missing or Corrupt" error. If you are looking for a little more detail here is a pretty good post. Use this information at your own risk.

Tuesday, February 22, 2011

Windows 7 & Server 2008 R2 Service Pack 1 released for public consumption

Today Microsoft made available Service Pack 1 for Windows 7 and Server 2008 R2 via its Windows Update and download center sites. SP1 includes the new RemoteFX feature which delivers Direct3D acceleration and on the server side SP1 includes Dynamic Memory. This essentially allows on-the-fly adjustment of memory allocation for virtual machines being hosted on Hyper-V.

http://windows.microsoft.com/en-CA/windows/downloads/service-packs

Monday, February 21, 2011

Internet Explorer 9 Preview

I’ve been running IE 9 since the early beta versions were released and I must say it's pretty solid. IE 9 offers a cleaned-up interface which by default removes the status bar, favourites bar and many of the command buttons. Microsoft still gives you the option to add these features back on, but I like the fact that they are trying to make the interface as clean as possible. Some of the nicest features include a download bar that allows you to manage your downloads independently from your browsing session, a "new tab" window that now includes a list of your most popular sites and the ability to reopen closed tabs, but I think that the nicest feature is that Microsoft has finally integrated the address bar and the search bar – much like Google’s Chrome. However, if you're still running Windows XP you're out of luck as IE 9 is currently only available for Windows Vista or Windows 7, and it doesn't look like Microsoft is going to change their stance. Try it today…

http://windows.microsoft.com/ie9

Monday, February 14, 2011

Windows Update Error Code 80072F8F

From time to time patch installations will fail during our OS deployment process leaving the workstation not fully patched. Once a machine has finished imaging someone from the deployment group will usually do a spot check and connect to Windows Update just to ensure that the workstation is fully patched. Last week I started to notice that many of the new Windows 7 workstations would not connect to Windows Update and get the following error:

An error occurred while checking for new updates for your computer.
Error(s) found:
Code 80072F8F

Checking online I found a Microsoft article that explained that this error usually results from a time mismatch between your machine and the Windows Update servers. However, these workstations were members of our domain and all of the time settings were correct. I found another post referencing root cert problems and the Windows Update error 80072F8F which reminded me of my post about Windows 7 failing to update its root certificates and causing Windows Live Messenger sign-in to fail. After updating to the latest root certificates (KB931125) Windows Update connected just fine.

Monday, January 31, 2011

Office 2010 and the Dell OMCI client

When I first started to deploy Windows 7 using ConfigMgr our task sequence included Office 2010 Professional Plus. Early on I noticed that during the deployment Office 2010 would never get installed, yet all other applications were. All of my image development is done using Hyper-V (which worked without issue) and this only occurred on physical machines. After going over countless ConfigMgr logs, recreating task sequences and internet searches I found a random post mentioning that the Dell OMCI client changes permissions on two folders:

C:\Windows\System32\winevt
C:\Windows\System32\winevt\Logs

The permission change on these two folders can also prevent Office 2010 from installing. Once I moved the Dell OMCI install to the end of the task sequence so that it installed after Office 2010 I had no issues.
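Reordering the steps works around the problem, but it does not tell you when an agent has altered those ACLs on an already-built machine. The following added example (not part of the original post) snapshots the security descriptor of the two winevt folders as SDDL, saves a baseline, and flags any later change; run the capture before and after a step such as the OMCI install and the difference lands in your task sequence output instead of showing up as an unexplained Office failure. It assumes a writable baseline file under %ProgramData% (path is a placeholder) and local administrator rights to read the ACLs.

```powershell
# Added example (not from the original post): baseline and compare the ACLs
# on the two winevt folders the post names.
$WinevtFolders = "$env:SystemRoot\System32\winevt", "$env:SystemRoot\System32\winevt\Logs"

# One object per folder with its full descriptor in SDDL form, which is
# compact and compares exactly (owner, DACL and inheritance flags included).
Function Get-WinevtAclSnapshot {
    foreach ($folder in $WinevtFolders) {
        New-Object PSObject -Property @{ Path = $folder; Sddl = (Get-Acl -Path $folder).Sddl }
    }
}

Function Save-WinevtAclBaseline {
    param([string]$Path = "$env:ProgramData\winevt-acl-baseline.csv")   # placeholder location
    Get-WinevtAclSnapshot | Export-Csv -Path $Path -NoTypeInformation
}

# Compare the current descriptors against the saved baseline.
Function Compare-WinevtAcl {
    param([string]$Path = "$env:ProgramData\winevt-acl-baseline.csv")
    $baseline = @{}
    Import-Csv -Path $Path | ForEach-Object { $baseline[$_.Path] = $_.Sddl }
    foreach ($now in Get-WinevtAclSnapshot) {
        New-Object PSObject -Property @{
            Path     = $now.Path
            Changed  = ($baseline[$now.Path] -ne $now.Sddl)
            Baseline = $baseline[$now.Path]
            Current  = $now.Sddl
        }
    }
}

# Usage: capture before the suspect install step, compare after it.
Save-WinevtAclBaseline
# ... run the OMCI install (or any other agent) ...
Compare-WinevtAcl | Where-Object { $_.Changed } | Format-List Path, Baseline, Current
```

Comparing SDDL strings is deliberately strict: an agent that merely reorders ACEs shows up as a change too, which is fine for a before/after check around a single install step but would need a per-ACE comparison if you wanted to run it as an ongoing drift monitor.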