A GPO unlike any other

Not sure this is the sort of thing I want to see in an email from Microsoft.

I’ve never seen anything like it in the 13 years I’ve been working with Group Policy

I wasn’t going to elaborate on that statement from Mike Stephens, but I was asked to share the details behind it.  It isn’t an especially interesting story nor is it all that useful of knowledge to share, but I’m not one to disappoint my readers.

Back before Server 2008, I used the free edition of DesktopStandard’s PolicyMaker to set and enforce registry settings and other non-policies on the systems at work.  Microsoft bought DesktopStandard in 2006 and the functionality that was PolicyMaker (PM) re-emerged as Group Policy Preferences (GPP). When we switched over to GPP, I manually transferred some settings from PM to GPP because there were no migration utilities available. It wasn’t until 2009 that Microsoft released the Group Policy Preference Migration utility (GPPMIG) and gave us a tool to transition from PolicyMaker.

A blog post from the Ask the Directory Services Team blog — Migrating from PolicyMaker to Group Policy Preferences with GPPMIG — describes the utility and what it can do, but its main feature is the ability to migrate settings from PM to GPP, either copying them to a new GPO or adding them to the original GPO.  It can also remove PM settings from a GPO.

I discovered the tool in 2010 and downloaded it, but ran into an error related to strong name validation. An updated build (52) that corrected the problem was made available and eventually showed up in my Inbox. Where it sat… for three years. I came across the tool while I was cleaning out some old email. When I went to try out the program, I discovered that the attachment had been stripped out by antivirus software along the way. I emailed the support address (gppmsup@microsoft.com) and asked if GPPMIG was still available, and was shocked to discover that it still was and that there was even a newer build (62) to be had.

I exported the PM settings, mostly to see if there was anything that I missed back when we set up GPP all those years ago, then tried to use it to remove the settings from my GPOs. I figured, “why not clean things up?” only to run into another error. Back to support I went, they asked for some logs, and I was told that they would have a new build for me this week that should solve the error I ran into. Apparently most people don’t use the “remove” option so a bug that was fixed in other functions was missed here.

But that’s when I also read the statement that there was something in one of my GPOs that was something new.  A GPO has two attributes, gPCMachineExtensionNames and gPCUserExtensionNames, which contain Group Policy Extension GUID pairs for computer policy settings and user policy settings, respectively. If you want to know more about GP Extensions, see the MSDN entry for Group Policy Extensions.

These GUID pairs are listed in the verbose logs for the GPPMIG tool. The only problem was the entry for the user policy settings was three-of-a-kind instead of a pair.  From the debug log:

gppmig Verbose: 16 : 2013-04-01T14:27:45 : GPOItem: useExt: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}{D02B1F73-3407-48AE-BA88-E8213C6761F1}]

That list is one GUID too many, and it is something that Mike says he has never seen. It doesn’t seem to cause a problem, at least we’ve never noticed one. He admitted that his not having seen it doesn’t mean that much.  He said that the protocol is somewhat ambiguous, not making it clear whether having multiple snap-in IDs is allowed in that value. That they come in pairs is implied, but never definitively stated.
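
To look for the same oddity in other GPOs, the sketch below splits an extension-names value into its bracketed groups and counts the GUIDs in each. It is an added example, not part of GPPMIG or the original post; the function name Get-GpoExtensionGroup is hypothetical, and it assumes the value is a run of [..] groups of brace-wrapped GUIDs, as in the log line above.

```powershell
# Added example (not from the original post or from GPPMIG).
# Get-GpoExtensionGroup is a hypothetical name chosen for this illustration.
function Get-GpoExtensionGroup {
    param(
        [Parameter(ValueFromPipeline)]
        [string]$Value   # a gPCUserExtensionNames / gPCMachineExtensionNames value
    )
    process {
        # One brace-wrapped GUID, e.g. {35378EAC-683F-11D2-A89A-00C04FBBCFA2}
        $guidPattern = '\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
        # Each [..] section of the value is one group of GUIDs.
        $groups = [regex]::Matches($Value, '\[([^\[\]]*)\]')
        for ($i = 0; $i -lt $groups.Count; $i++) {
            $body  = $groups[$i].Groups[1].Value
            $guids = @(foreach ($m in [regex]::Matches($body, $guidPattern)) { $m.Value })
            # Text left once the GUIDs are removed is something this parser does not recognise.
            $leftover = ($body -replace $guidPattern, '').Trim()
            [pscustomobject]@{
                Group     = $i
                GuidCount = $guids.Count
                IsPair    = ($guids.Count -eq 2 -and $leftover -eq '')
                Guids     = $guids
                Leftover  = $leftover
            }
        }
    }
}

# Value copied from the useExt debug line above: three GUIDs in one group.
$fromLog = '[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}{D02B1F73-3407-48AE-BA88-E8213C6761F1}]'

# Constructed sample: the logged group followed by a two-GUID group built from GUIDs on this page.
$constructed = $fromLog + '[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F73-3407-48AE-BA88-E8213C6761F1}]'

# Group 0 reports GuidCount 3 / IsPair False; group 1 reports GuidCount 2 / IsPair True.
$constructed | Get-GpoExtensionGroup | Format-Table Group, GuidCount, IsPair

# Against a live domain (assumes the RSAT ActiveDirectory module is installed; not run here):
# Get-ADObject -Filter 'objectClass -eq "groupPolicyContainer"' -Properties displayName, gPCUserExtensionNames |
#   ForEach-Object { $n = $_.displayName; $_.gPCUserExtensionNames | Get-GpoExtensionGroup |
#     Where-Object { -not $_.IsPair } | Select-Object @{ n = 'GPO'; e = { $n } }, GuidCount, Guids }
```

A group reported with IsPair False is only a candidate for a closer look; as noted above, it has not caused any visible problem here.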

So what does it all mean? Not much since everything appears to be working. If you actually read the post and made it here to the end, you’ve learned that:

  • I have way too much old mail in my mailbox… really old mail.
  • When you’re short of staff, you often have small projects that slip through the cracks… for three years.
  • Sometimes even small environments like ours can surprise the folks at Microsoft who I’d think have seen it all.

Who knows what secrets or oddities may be hiding in your Active Directory?