I’m doing a lot of Group Policy work at the moment (who’d have guessed) and I’ve run into an old friend of mine: The 2008R2/Win7 Group Policy Management Console keyboard bug. As Microsoft put it:
- You have a computer that is running Windows 7 or Windows Server 2008 R2.
- You customize a Microsoft Management Console (MMC) that has the Group Policy Management Console (GPMC) snap-in. (As far as I can tell it happens just as often with the provided gpmc.msc)
- You select any Group Policy object (GPO), and then you click the Settings tab in the details pane.
- You select another node in the console tree, and then you use the BACKSPACE or arrow keys to perform some operations.
- In this scenario, the BACKSPACE or arrow keys do not work. You have to use the mouse to perform operations.
Which is extremely annoying, as you might imagine. As with many of their Known Issues, Microsoft have opted not to make a generally available patch for this, probably because it affects such a small proportion of their users. Nonetheless, there is a Hotfix available for it, which can be acquired here: http://support.microsoft.com/kb/2466373
If you do any serious amount of GPO work on a Windows 7 or 2008 R2 box, you will want to install it.
As we all know, there are certain published standards for things like Windows Security and Group Policy that companies can use as baselines for their systems; standards such as the CIS Security Configuration Benchmarks. These standards often mandate the configuration of certain GPO settings that fall under the “MSS” category which do not appear in the Security Configuration Editor or Group Policy Management Editor by default.
In order to add these settings so that you can easily configure them without screwing around in the registry or writing your own ADMX templates, you can download and import them as part of the Microsoft Security Compliance Management Toolkit. Unfortunately, getting access to this toolkit requires the installation of the Management software with its associated requirement of a SQL Express instance, which is ludicrous.
So, I am including below, the WSF script that is required to import these settings into the Group Policy Editor on a given 7/2K8R2 machine (and probably Vista/2K8 as well, but I haven’t tried it). Use
cscript LocalGPO.wsf /ConfigSCE to import the settings, which will then appear under “Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Security Options” in the Group Policy Editor (Or the appropriately reduced path in the Security Configuration Editor).
If you’re dumb enough to download and run a VBScript from an untrusted source without doing the usual safety checks then you probably shouldn’t be using this kind of “hack” in a production environment (in fact, you probably shouldn’t be allowed near a production environment in the first place…).