Introduction xxvii
Chapter 1 Group Policy Essentials 1
Getting Ready to Use This Book 1
Getting Started with Group Policy 4
Group Policy Entities and Policy Settings 4
The 18 (Original) Categories of Group Policy 6
Understanding Local Group Policy 11
Local Group Policy on Pre-Vista Computers 11
Local Group Policy on Vista and Later 13
Active Directory–Based Group Policy 17
Group Policy and Active Directory 18
Linking Group Policy Objects 20
An Example of Group Policy Application 21
Examining the Resultant Set of Policy 23
At the Site Level 23
At the Domain Level 24
At the OU Level 24
Group Policy, Active Directory, and the GPMC 26
GPMC Overview 28
Implementing the GPMC on Your Management Station 29
Creating a One-Stop-Shop MMC 33
Group Policy 101 and Active Directory 34
Active Directory Users and Computers vs. GPMC 35
Adjusting the View within the GPMC 36
The GPMC-centric View 38
Our Own Group Policy Examples 39
More about Linking and the Group Policy Objects Container 41
Applying a Group Policy Object to the Site Level 45
Applying Group Policy Objects to the Domain Level 48
Applying Group Policy Objects to the OU Level 50
Testing Your Delegation of Group Policy Management 55
Understanding Group Policy Object Linking Delegation 57
Granting OU Admins Access to Create New Group Policy Objects 57
Creating and Linking Group Policy Objects at the OU Level 59
Creating a New Group Policy Object Affecting Computers in an OU 62
Moving Computers into the Human Resources Computers OU 64
Verifying Your Cumulative Changes 65
Final Thoughts 67
Chapter 2 Managing Group Policy with the GPMC 69
Common Procedures with the GPMC 70
Raising or Lowering the Precedence of Multiple Group Policy Objects 73
Understanding GPMC’s Link Warning 74
Stopping Group Policy Objects from Applying 75
Block Inheritance 81
The Enforced Function 82
Security Filtering and Delegation with the GPMC 84
Filtering the Scope of Group Policy Objects with Security 85
User Permissions upon Group Policy Objects 94
Granting Group Policy Object Creation Rights in the Domain 96
Special Group Policy Operation Delegations 97
Who Can Create and Use WMI Filters? 98
Performing RSoP Calculations with the GPMC 100
What’s-Going-On Calculations with Group Policy Results 101
What-If Calculations with Group Policy Modeling 107
Searching and Commenting Group Policy Objects and Policy Settings 110
Searching for GPO Characteristics 110
Filtering Inside a GPO for Policy Settings 111
Comments for GPOs and Policy Settings 121
Starter GPOs 127
Creating a Starter GPO 129
Editing a Starter GPO 129
Leveraging a Starter GPO 130
Delegating Control of Starter GPOs 132
Wrapping Up and Sending Starter GPOs 132
Back Up and Restore for Group Policy 135
Backing Up Group Policy Objects 136
Restoring Group Policy Objects 138
Backing Up and Restoring Starter GPOs 140
Backing Up and Restoring WMI Filters 141
Backing Up and Restoring IPsec Filters 141
GPMC At-a-Glance Icon View 142
The GPMC At-a-Glance Compatibility Table 143
Final Thoughts 144
Chapter 3 Group Policy Processing Behavior Essentials 147
Group Policy Processing Principles 147
Don’t Get Lost 150
Initial Policy Processing 150
Background Refresh Policy Processing 152
Security Background Refresh Processing 161
Special Case: Moving a User or a Computer Object 166
Policy Application via Remote Access, Slow Links, and after Hibernation 167
Windows 2000 and Windows XP Group Policy over Slow Network Connections 167
Windows 7 Group Policy over Slow Network Connections 169
What Is Processed over a Slow Network Connection? 169
Using Group Policy to Affect Group Policy 174
Affecting the User Settings of Group Policy 174
Affecting the Computer Settings of Group Policy 176
The Missing Group Policy Policy Settings 184
Final Thoughts 186
Chapter 4 Advanced Group Policy Processing 189
WMI Filters: Fine-Tuning When and Where Group Policy Applies 189
Tools (and References) of the WMI Trade 191
WMI Filter Syntax 192
Creating and Using a WMI Filter 193
Final WMI Filter Thoughts 194
Group Policy Loopback Processing 196
Reviewing Normal Group Policy Processing 196
Group Policy Loopback—Merge Mode 197
Group Policy Loopback—Replace Mode 197
Group Policy with Cross-Forest Trusts 204
What Happens When Logging onto Different Clients across a Cross-Forest Trust? 205
Disabling Loopback Processing When Using Cross-Forest Trusts 207
Older Machine Types and Cross-Forest Trusts 208
Understanding Cross-Forest Trust Permissions 208
Final Thoughts 209
Chapter 5 Group Policy Preferences 211
Powers of the Group Policy Preferences 213
Computer Configuration Preferences 214
User Configuration Preferences 226
Group Policy Preferences Architecture and Installation Instructions 233
Installing the Client-Side Extensions on Your Client Machines 234
Group Policy Preferences Concepts 237
Preference vs. Policy 238
The Overlap of Group Policy vs. Group Policy Preferences and Associated Issues 240
The Lines and Circles and the CRUD Action Modes 255
Common Tab 262
Group Policy Preferences Tips, Tricks, and Troubleshooting 273
Quick Copy, Drag and Drop, Cut and Paste, and Sharing of Settings 273
Multiple Preference Items at a Level 276
Temporarily Disabling a Single Preference Item or Extension Root 277
Environment Variables 278
Managing Group Policy Preferences: Hiding Extensions from Use 279
Troubleshooting: Reporting, Logging, and Tracing 282
Final Thoughts 288
Chapter 6 Managing Applications and Settings Using Group Policy 291
Administrative Templates: A History and Policy vs. Preferences 292
Administrative Templates: Then and Now 292
Policy vs. Preference 293
ADM vs. ADMX and ADML Files 298
ADM File Introduction 298
Updated GPMC’s ADMX and ADML Files 300
ADM vs. ADMX Files—At a Glance 301
ADMX and ADML Files: What They Do and the Problems They Solve 302
Problem and Solution 1: Tackling SYSVOL Bloat 302
Problem 2: How Do We Deal with Multiple Languages? 304
Problem 3: How Do We Deal with “Write Overlaps”? 305
Problem 4: How Do We Distribute Updated Definitions to All Our Administrators? 305
The Central Store 307
The Windows ADMX/ADML Central Store 308
Creating and Editing GPOs in a Mixed Environment 312
Scenario 1: Start Out by Creating and Editing a GPO Using the Older GPMC. Edit Using Another Older GPMC Management Station. 313
Scenario 2: Start Out by Creating and Editing a GPO with the Older GPMC. Edit Using the Updated GPMC. 314
Scenario 3: Start Out by Creating and Editing a GPO Using the Updated GPMC. Edit Using Another Updated GPMC Management Station. 316
Scenario 4: Start Out by Creating and Editing a GPO Using an Updated GPMC Management Station. Edit Using an Older GPMC Management Station. 316
ADM and ADMX Templates from Other Sources 316
Leveraging ADM Templates from Your Windows Management Station 317
Microsoft Office ADM Templates 319
Using ADMX Templates from Other Sources 323
ADMX Migrator and ADMX Editor Tools 324
ADMX Migrator 325
ADMX Editor 326
PolicyPak Community Edition 328
PolicyPak Concepts and Installation 330
Creating Your First PolicyPak 331
Final Thoughts 339
Chapter 7 Troubleshooting Group Policy 341
Under the Hood of Group Policy 343
Inside Local Group Policy 343
Inside Active Directory Group Policy Objects 346
The Birth, Life, and Death of a GPO 349
How Group Policy Objects Are “Born” 349
How a GPO “Lives” 351
Death of a GPO 377
How Client Systems Get Group Policy Objects 378
The Steps to Group Policy Processing 379
Client-Side Extensions 381
Where Are Administrative Templates Registry Settings Stored? 389
Why Isn’t Group Policy Applying? 391
Reviewing the Basics 391
Advanced Inspection 394
Client-Side Troubleshooting 405
RSoP for Windows Clients 406
Advanced Group Policy Troubleshooting with Log Files 418
Using the Event Viewer 418
Turning On Verbose Logging 420
Group Policy Processing Performance 432
Final Thoughts 434
Chapter 8 Implementing Security with Group Policy 437
The Two Default Group Policy Objects 438
GPOs Linked at the Domain Level 439
Group Policy Objects Linked to the Domain Controllers OU 443
Oops, the “Default Domain Policy” GPO and/or “Default Domain Controllers Policy” GPO Got Screwed Up! 445
The Strange Life of Password Policy 446
What Happens When You Set Password Settings at an OU Level 446
Fine-Grained Password Policy with Windows Server 2008 448
Inside Auditing With and Without Group Policy 458
Auditable Events Using Group Policy 459
Auditing File Access 464
Auditing Group Policy Object Changes 465
Advanced Audit Policy Configuration 470
Restricted Groups 475
Strictly Controlling Active Directory Groups 476
Strictly Applying Group Nesting 478
Which Groups Can Go into Which Other Groups via Restricted Groups? 479
Restrict Software: Software Restriction Policy and AppLocker 480
Inside Software Restriction Policies 480
Software Restriction Policies’ “Philosophies” 482
Software Restriction Policies’ Rules 483
Restricting Software Using AppLocker 489
Controlling User Account Control (UAC) with Group Policy 506
Just Who Will See the UAC Prompts, Anyway? 510
Understanding the Group Policy Controls for UAC 513
UAC Policy Setting Suggestions 522
Wireless (802.11) and Wired Network (802.3) Policies 525
802.11 Wireless Policy for Windows XP 527
802.11 Wireless Policy and 802.3 Wired Policy for Windows Vista and Later 527
Configuring Windows Firewall with Group Policy 528
Manipulating the Windows XP and Windows Server 2003 Firewall 531
Windows Firewall with Advanced Security (for Windows Vista and Windows Server 2008)—WFAS 534
IPsec (Now in Windows Firewall with Advanced Security) 542
How Windows Firewall Rules Are Ultimately Calculated 548
Final Thoughts 551
Chapter 9 Profiles: Local, Roaming, and Mandatory 553
What Is a User Profile? 554
The NTUSER.DAT File 554
Profile Folders for Type 1 Computers (Windows 2000, Windows 2003, and Windows XP) 555
Profile Folders for Type 2 Computers (Windows 7, Windows 2008, and Windows Server 2008 R2) 557
The Default Local User Profile 563
The Default Domain User Profile 566
Roaming Profiles 570
Setting Up Roaming Profiles 572
Testing Roaming Profiles 578
Migrating Local Profiles to Roaming Profiles 581
Roaming and Nonroaming Folders 583
Managing Roaming Profiles 587
Manipulating Roaming Profiles with Computer Group Policy Settings 590
Manipulating Roaming Profiles with User Group Policy Settings 601
Mandatory Profiles 606
Establishing Mandatory Profiles from a Local Profile 606
Mandatory Profiles from an Established Roaming Profile 609
Forced Mandatory Profiles (Super-Mandatory) 611
Final Thoughts 612
Chapter 10 Implementing a Managed Desktop, Part 1: Redirected Folders, Offline Files, and the Synchronization Manager 615
Overview of Change and Configuration Management 616
Redirected Folders 617
Available Folders to Redirect 618
Redirected Documents/My Documents 619
Redirecting the Start Menu and the Desktop 637
Redirecting the Application Data 638
Group Policy Setting for Folder Redirection 639
Troubleshooting Redirected Folders 640
Offline Files and Synchronization 643
Making Offline Files Available 644
Inside Windows XP Synchronization 648
Inside Windows 7 File Synchronization 652
Handling Conflicts 660
Client Configuration of Offline Files 662
Using Folder Redirection and Offline Files over Slow Links 680
Synchronizing over Slow Links with Redirected My Documents 681
Synchronizing over Slow Links with Regular Shares 683
Using Group Policy to Configure Offline Files (User and Computer Node) 692
Using Group Policy to Configure Offline Files (Exclusive to the Computer Node) 703
Troubleshooting Sync Center 708
Turning Off Folder Redirection’s Automatic Offline Caching for Desktops 710
Final Thoughts 718
Chapter 11 The Managed Desktop, Part 2: Software Deployment via Group Policy 719
Group Policy Software Installation (GPSI) Overview 720
The Windows Installer Service 721
Understanding .MSI Packages 722
Utilizing an Existing .MSI Package 723
Assigning and Publishing Applications 728
Assigning Applications 728
Publishing Applications 729
Rules of Deployment 730
Package-Targeting Strategy 731
Understanding .ZAP Files 738
Testing Publishing Applications to Users 741
Application Isolation 742
Advanced Published or Assigned 744
The General Tab 744
The Deployment Tab 745
The Upgrades Tab 750
The Categories Tab 751
The Modifications Tab 751
The Security Tab 755
Default Group Policy Software Installation Properties 757
The General Tab 757
The Advanced Tab 758
The File Extensions Tab 758
The Categories Tab 759
Removing Applications 759
Users Can Manually Change or Remove Applications 759
Automatically Removing Assigned or Published .MSI Applications 760
Forcibly Removing Assigned or Published .MSI Applications 761
Removing Published .ZAP Applications 762
Troubleshooting the Removal of Applications 763
Using Group Policy Software Installation over Slow Links 764
Managing .MSI Packages and the Windows Installer 766
Inside the MSIEXEC Tool 766
Affecting Windows Installer with Group Policy 769
Deploying Office 2007 and Office 2010 Using Group Policy 778
Office 2007 and Group Policy 779
The “Right” Answer for Office 2007 and Office 2010 Deployment (Using Group Policy) 784
Do You Need a “Big” Management Tool for Your Environment? 785
SMS vs. GPOs: A Comparison Rundown 786
GPSI and SMS Coexistence 789
Final Thoughts 790
Chapter 12 Finishing Touches with Group Policy: Scripts, Internet Explorer, Hardware Control, Deploying Printers, and Shadow Copies 791
Scripts: Logon, Logoff, Startup, and Shutdown 792
Non-PowerShell-Based Scripts 792
Deploying PowerShell Scripts to Windows 7 Clients 798
Managing Internet Explorer with Group Policy 799
Internet Explorer Maintenance (IEM) and Group Policy Preferences Settings 799
Internet Explorer’s Group Policy Settings 804
Restricting Access to Hardware via Group Policy 807
Devices Extension 808
Restricting Driver Access with Policy Settings for Windows 7 812
Getting a Handle on Classes and IDs 813
Restricting or Allowing Your Hardware via Group Policy 815
Understanding the Remaining Policy Settings for Hardware Restrictions 816
Assigning Printers via Group Policy 818
Zapping Down Printers to Users and Computers (a Refresher) 819
Shadow Copies (aka Previous Versions) 827
Setting Up and Using Shadow Copies for Local Windows 7 Machines 827
Setting Up Shadow Copies on the Server 827
Restoring Files with the Shadow Copies Client 830
Group Policy Settings for Shadow Copies 833
Final Thoughts for This Chapter and for the Book 834
Appendix A Group Policy Tools 837
Securing Workstations with Templates 837
Incremental Security Templates 838
Other Security Template Sources 839
Applying Security Templates with Group Policy 840
The Security Configuration Wizard 841
Security Configuration Wizard Primer and Installation 842
A Practical SCW Example 843
Converting Your SCW Policy to a GPO 849
SCW Caveats 851
Migrating Group Policy Objects between Domains 851
Basic Interdomain Copy and Import 851
Copy and Import with Migration Tables 855
Microsoft Tools Roundup 859
Group Policy Tools from Microsoft 859
Profile Tools from Microsoft 862
Utilities and Add-Ons 862
Third-Party Vendors List 863
Index 867