Group Policy - download.e-bookshelf.de · Springboard series, Windows IT Pro Magazine, and Redmond...


Group Policy: Fundamentals, Security, and the Managed Desktop, Second Edition


Jeremy Moskowitz


Acquisitions Editor: Mariann Barsolo
Development Editor: Sara Barry
Technical Editor: Alan Burchill
Production Editor: Elizabeth Campbell
Copy Editor: Liz Welch
Editorial Manager: Pete Gaughan
Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Publisher: Neil Edde
Book Designers: Judy Fung and Bill Gibson
Compositor: Craig Woods, Happenstance Type-O-Rama
Proofreader: Sarah Kaikini
Indexer: Nancy Guenther
Project Coordinator, Cover: Katherine Crocker
Cover Designer: Ryan Sneed
Cover Image: © Mehmet Hilmi Barcin / iStockPhoto

Copyright © 2013 by John Wiley & Sons, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-1-118-28940-2

ISBN: 978-1-118-33392-1 (ebk.)

ISBN: 978-1-118-33174-3 (ebk.)

ISBN: 978-1-118-83356-2 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2012950506

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

10 9 8 7 6 5 4 3 2 1


Dear Reader,

Thank you for choosing Group Policy: Fundamentals, Security, and the Managed Desktop. This book is part of a family of premium-quality Sybex books, all of which are written by outstanding authors who combine practical experience with a gift for teaching.

Sybex was founded in 1976. More than 30 years later, we’re still committed to producing consistently exceptional books. With each of our titles, we’re working hard to set a new standard for the industry. From the paper we print on, to the authors we work with, our goal is to bring you the best books available.

I hope you see all that reflected in these pages. I’d be very interested to hear your comments and get your feedback on how we’re doing. Feel free to let me know what you think about this or any other Sybex book by sending me an email at [email protected]. If you think you’ve found a technical error in this book, please visit http://sybex.custhelp.com. Customer feedback is critical to our efforts at Sybex.

Best regards,

Neil Edde
Vice President and Publisher
Sybex, an Imprint of Wiley

To my wife, Laura, who always gives me the support I need.

—Jeremy

Acknowledgments

I want to thank Alan Burchill for taking on the not-so-glamorous job of Technical Editor. I’m really glad to have you on my team, helping me clean up the little messes I made during the writing process and taking on a heavy responsibility. Note: If there are still any technical problems with the book, blame me, not him. Alan was awesome.

I want to thank Sara Barry for taking my initial chapters and kneading them from a wad of dough into tasty pizza. And thanks go to Elizabeth Campbell, who has worked with me through every major project to completion for almost 12 years now. We joke that she’s “been making Jeremy sound like Jeremy since 2001.” And it’s mostly true. Thank you.

Special thanks to my Sybex and Wiley compatriots: Peter Gaughan, Mariann Barsolo, Jay Lessandrini, Connor O’Brien, Rayna Erlick, Rebekah Worthman, and Neil Edde. Once again, your dedication to my book’s success means so much to me. You take everything I create and deal with it so personally, and I really know that. Thank you, very sincerely.

Thanks to Jeff Hicks, PowerShell MVP, who helped me write the downloadable bonus chapter on Group Policy and PowerShell. Jeff, you did a smashing job, thank you.

Thanks to Brad Rudisail, who is a shining light of awesomeness; helping me out with both Group Policy and PolicyPak duties, left and right. Very glad you’re on my team, and thanks for doing all the un-fun jobs you seem to actually find very fun.

Thank you to the Microsoft Group Policy team and the Group Policy MVPs who support me directly and indirectly and help me out whenever they can.

Thank you, Mark Minasi, for being a trusted friend, and a great inspiration to me personally and professionally.

Finally, I want to thank you. If you’re holding this book, there’s a good chance you’ve owned the previous edition or multiple previous editions. Thank you for your trust and for purchasing and repurchasing each edition of this book I work so hard to bring you each time.

When I meet you, the reader of this book, in person, it makes the hours and hours spent on a project like this vaporize away to a distant memory. Thank you for buying the book, joining me at my live events, joining me at GPAnswers.com, and for using my PolicyPak software. You all make me the best “me” I can be. Thanks.

About the Author

Jeremy Moskowitz, Group Policy MVP, is the founder of GPanswers.com and PolicyPak Software (PolicyPak.com). He is a nationally recognized authority on Windows Server, Active Directory, Group Policy, and Windows management. He is one of fewer than a dozen Microsoft MVPs in Group Policy. His GPanswers.com is ranked by Computerworld as a “Top 20 Resource for Microsoft IT Professionals.” Jeremy contributes to the Microsoft Springboard series, Windows IT Pro Magazine, and Redmond Magazine. Jeremy is a sought-after speaker and trainer at many industry conferences, and his training workshops help thousands of administrators every year do more with Group Policy. Contact Jeremy by visiting GPanswers.com or PolicyPak.com.

About the Contributors

Jeffery Hicks (MCSE, MCSA, MCT) is a Microsoft PowerShell MVP with 20 years of diverse IT experience. He works today as an independent author, trainer, and consultant. Jeff is a columnist for MCPMag.com and a regular contributor to the Petri IT KnowledgeBase. His latest books are PowerShell in Depth: An Administrator’s Guide (Manning, 2012) and Learn PowerShell 3 in a Month of Lunches (Manning, 2012). You can follow Jeff at jdhitsolutions.com/blog and twitter.com/jeffhicks.

Alan Burchill works as a Senior Consultant for Avanade based in Brisbane, Australia. He is a Microsoft Valuable Professional in the area of Group Policy and regularly blogs about Group Policy topics at his website called Group Policy Central at www.grouppolicy.biz. You can reach him via Twitter at @alanburchill.


Contents at a Glance

Introduction xxv

Chapter 1 Group Policy Essentials 1

Chapter 2 Managing Group Policy with the GPMC 73

Chapter 3 Group Policy Processing Behavior Essentials 163

Chapter 4 Advanced Group Policy Processing 215

Chapter 5 Group Policy Preferences 235

Chapter 6 Managing Applications and Settings Using Group Policy 311

Chapter 7 Troubleshooting Group Policy 355

Chapter 8 Implementing Security with Group Policy 447

Chapter 9 Profiles: Local, Roaming, and Mandatory 561

Chapter 10 Implementing a Managed Desktop, Part 1: Redirected Folders, Offline Files, and the Synchronization Manager 617

Chapter 11 The Managed Desktop, Part 2: Software Deployment via Group Policy 697

Chapter 12 Finishing Touches with Group Policy: Scripts, Internet Explorer, Hardware Control, and Printer Deployment 757

Appendix A Group Policy and VDI 791

Appendix B Security Configuration Manager 803

Appendix C Windows Intune (And What It Means to Group Policy Admins) 825

Index 835


Contents

Introduction xxv

Chapter 1 Group Policy Essentials 1

Getting Ready to Use This Book 2
Getting Started with Group Policy 7
Group Policy Entities and Policy Settings 7
The Categories of Group Policy 9
Active Directory and Local Group Policy 13
Understanding Local Group Policy 14
Group Policy and Active Directory 17
Linking Group Policy Objects 20
Final Thoughts on Local GPOs 25
An Example of Group Policy Application 26
Examining the Resultant Set of Policy 27
At the Site Level 28
At the Domain Level 29
At the OU Level 29
Bringing It All Together 29
Group Policy, Active Directory, and the GPMC 31
Implementing the GPMC on Your Management Station 32
Creating a One-Stop-Shop MMC 36
Group Policy 101 and Active Directory 38
Active Directory Users and Computers vs. GPMC 38
Adjusting the View within the GPMC 39
The GPMC-centric View 41
Our Own Group Policy Examples 43
More about Linking and the Group Policy Objects Container 44
Applying a Group Policy Object to the Site Level 47
Applying Group Policy Objects to the Domain Level 50
Applying Group Policy Objects to the OU Level 52
Testing Your Delegation of Group Policy Management 58
Understanding Group Policy Object Linking Delegation 59
Granting OU Admins Access to Create New Group Policy Objects 61
Creating and Linking Group Policy Objects at the OU Level 61
Creating a New Group Policy Object Affecting Computers in an OU 66
Moving Computers into the Human Resources Computers OU 67
Verifying Your Cumulative Changes 69
Final Thoughts 71

Chapter 2 Managing Group Policy with the GPMC 73

Common Procedures with the GPMC 74
Raising or Lowering the Precedence of Multiple Group Policy Objects 78
Understanding GPMC’s Link Warning 79
Stopping Group Policy Objects from Applying 80
Block Inheritance 87
The Enforced Function 88
Security Filtering and Delegation with the GPMC 90
Filtering the Scope of Group Policy Objects with Security 91
User Permissions on Group Policy Objects 100
Granting Group Policy Object Creation Rights in the Domain 102
Special Group Policy Operation Delegations 103
Who Can Create and Use WMI Filters? 104
Performing RSoP Calculations with the GPMC 106
What’s-Going-On Calculations with Group Policy Results 107
What-If Calculations with Group Policy Modeling 113
Searching and Commenting Group Policy Objects and Policy Settings 116
Searching for GPO Characteristics 116
Filtering Inside a GPO for Policy Settings 118
Comments for GPOs and Policy Settings 129
Starter GPOs 135
Creating a Starter GPO 136
Editing a Starter GPO 136
Leveraging a Starter GPO 137
Delegating Control of Starter GPOs 139
Wrapping Up and Sending Starter GPOs 140
Should You Use Microsoft’s Pre-created Starter GPOs? 141
Back Up and Restore for Group Policy 142
Backing Up Group Policy Objects 143
Restoring Group Policy Objects 146
Backing Up and Restoring Starter GPOs 148
Backing Up and Restoring WMI Filters 148
Backing Up and Restoring IPsec Filters 149
Migrating Group Policy Objects between Domains 150
Basic Interdomain Copy and Import 150
Copy and Import with Migration Tables 157
GPMC At-a-Glance Icon View 160
Final Thoughts 160

Chapter 3 Group Policy Processing Behavior Essentials 163

Group Policy Processing Principles 164
Don’t Get Lost 165
Initial Policy Processing 166
Background Refresh Policy Processing 168
Security Background Refresh Processing 182
Special Case: Moving a User or a Computer Object 187
Windows 8 and Group Policy: Subtle Differences 188
Policy Application via Remote Access, Slow Links, and after Hibernation 189
Windows XP Group Policy over Slow Network Connections 190
Windows 8 Group Policy over Slow Network Connections 190
What Is Processed over a Slow Network Connection? 192
Using Group Policy to Affect Group Policy 197
Affecting the User Settings of Group Policy 197
Affecting the Computer Settings of Group Policy 199
The Missing Group Policy Preferences’ Policy Settings 211
Final Thoughts 212

Chapter 4 Advanced Group Policy Processing 215

WMI Filters: Fine-Tuning When and Where Group Policy Applies 215
Tools (and References) of the WMI Trade 217
WMI Filter Syntax 218
Creating and Using a WMI Filter 219
WMI Performance Impact 220
Group Policy Loopback Processing 221
Reviewing Normal Group Policy Processing 222
Group Policy Loopback—Merge Mode 223
Group Policy Loopback—Replace Mode 223
Group Policy with Cross-Forest Trusts 229
What Happens When Logging onto Different Clients across a Cross-Forest Trust? 229
Disabling Loopback Processing When Using Cross-Forest Trusts 232
Understanding Cross-Forest Trust Permissions 232
Final Thoughts 234

Chapter 5 Group Policy Preferences 235

Powers of the Group Policy Preferences 237
Computer Configuration ➢ Preferences 238
User Configuration ➢ Preferences 249
Group Policy Preferences Concepts 258
Preference vs. Policy 259
The Overlap of Group Policy vs. Group Policy Preferences and Associated Issues 261
The Lines and Circles and the CRUD Action Modes 275
Common Tab 282
Group Policy Preferences Tips, Tricks, and Troubleshooting 294
Quick Copy, Drag and Drop, Cut and Paste, and Sharing of Settings 294
Multiple Preference Items at a Level 296
Temporarily Disabling a Single Preference Item or Extension Root 298
Environment Variables 298
Managing Group Policy Preferences: Hiding Extensions from Use 301
Troubleshooting: Reporting, Logging, and Tracing 302
Final Thoughts 310

Chapter 6 Managing Applications and Settings Using Group Policy 311

Administrative Templates: A History and Policy vs. Preferences 312
Administrative Templates: Then and Now 312
Policy vs. Preference 313
ADM vs. ADMX and ADML Files 318
ADM File Introduction 318
Updated GPMC’s ADMX and ADML Files 318
ADM vs. ADMX Files—At a Glance 320
ADMX and ADML Files: What They Do and the Problems They Solve 321
Problem and Solution 1: Tackling SYSVOL Bloat 321
Problem 2: How Do We Deal with Multiple Languages? 321
Problem 3: How Do We Deal with “Write Overlaps”? 323
Problem 4: How Do We Distribute Updated Definitions to All Our Administrators? 324
The Central Store 325
The Windows ADMX/ADML Central Store 327
Creating and Editing GPOs in a Mixed Environment 331
Scenario 1: Start by Creating and Editing a GPO Using the Older GPMC. Edit Using Another Older GPMC Management Station. 331
Scenario 2: Start by Creating and Editing a GPO with the Older GPMC. Edit Using the Updated GPMC. 332
Scenario 3: Start by Creating and Editing a GPO Using the Updated GPMC. Edit Using Another Updated GPMC Management Station. 334
Scenario 4: Start by Creating and Editing a GPO Using an Updated GPMC Management Station. Edit Using an Older GPMC Management Station. 334
ADM and ADMX Templates from Other Sources 334
Using ADM Templates with the Updated GPMC 335
Using ADMX Templates from Other Sources 337
ADMX Migrator and ADMX Editor Tools 338
ADMX Migrator 339
ADMX Creation and Editor Tools 341
PolicyPak Community Edition and PolicyPak Professional 341
PolicyPak Concepts and Installation 344
PolicyPak Pregame Setup 344
PolicyPak Quick Installation 345
Getting Started Immediately with PolicyPak’s Preconfigured Paks 346
PolicyPak Final Thoughts and Wrap-Up 352
Final Thoughts 353

Chapter 7 Troubleshooting Group Policy 355

Under the Hood of Group Policy 357
Inside Local Group Policy 357
Inside Active Directory Group Policy Objects 360
The Birth, Life, and Death of a GPO 362
How Group Policy Objects Are “Born” 362
How a GPO “Lives” 364
Death of a GPO 391
How Client Systems Get Group Policy Objects 392
The Steps to Group Policy Processing 392
Client-Side Extensions 395
Where Are Administrative Templates Registry Settings Stored? 403
Why Isn’t Group Policy Applying? 405
Reviewing the Basics 406
Advanced Inspection 408
Client-Side Troubleshooting 418
RSoP for Windows Clients 419
Advanced Group Policy Troubleshooting with Log Files 428
Using the Event Viewer 428
Turning On Verbose Logging 429
Group Policy Processing Performance 443
Final Thoughts 444

Chapter 8 Implementing Security with Group Policy 447

The Two Default Group Policy Objects 448
GPOs Linked at the Domain Level 449
Group Policy Objects Linked to the Domain Controllers OU 453
Oops, the “Default Domain Policy” GPO and/or “Default Domain Controllers Policy” GPO Got Screwed Up! 455
The Strange Life of Password Policy 456
What Happens When You Set Password Settings at an OU Level 457
Fine-Grained Password Policy 458
Inside Auditing with and without Group Policy 463
Auditable Events Using Group Policy 464
Auditing File Access 470
Auditing Group Policy Object Changes 470
Advanced Audit Policy Configuration 475
Restricted Groups 480
Strictly Controlling Active Directory Groups 481
Strictly Applying Group Nesting 484
Which Groups Can Go into Which Other Groups via Restricted Groups? 484
Restrict Software: Software Restriction Policy and AppLocker 485
Inside Software Restriction Policies 486
Software Restriction Policies’ “Philosophies” 487
Software Restriction Policies’ Rules 488
Restricting Software Using AppLocker 495
Controlling User Account Control with Group Policy 514
Just Who Will See the UAC Prompts, Anyway? 517
Understanding the Group Policy Controls for UAC 521
UAC Policy Setting Suggestions 530
Wireless (802.3) and Wired Network (802.11) Policies 534
802.11 Wireless Policy for Windows XP 534
802.11 Wireless Policy and 802.3 Wired Policy for Windows 8 536
Configuring Windows Firewall with Group Policy 537
Manipulating the Windows XP Firewall 539
Windows Firewall with Advanced Security (for Windows 8)—WFAS 542
IPsec (Now in Windows Firewall with Advanced Security) 551
How Windows Firewall Rules Are Ultimately Calculated 556
Final Thoughts 560

Chapter 9 Profiles: Local, Roaming, and Mandatory 561

What Is a User Profile? 562
The NTUSER.DAT File 562
Profile Folders for Type 1 Computers (Windows XP and Windows 2003 Server) 563
Profile Folders for Type 2 Computers (Windows Vista and Later) 565
The Default Local User Profile 570
The Default Network User Profile 573
Roaming Profiles 578
Setting Up Roaming Profiles 579
Testing Roaming Profiles 583
Roaming and Nonroaming Folders 586
Managing Roaming Profiles 590
Manipulating Roaming Profiles with Computer Group Policy Settings 592
Manipulating Roaming Profiles with User Group Policy Settings 604
Mandatory Profiles 609
Establishing Mandatory Profiles for Windows XP 610
Establishing Mandatory Profiles for Windows 8 612
Mandatory Profiles—Finishing Touches 612
Forced Mandatory Profiles (Super-Mandatory) 613
Final Thoughts 615

Chapter 10 Implementing a Managed Desktop, Part 1: Redirected Folders, Offline Files, and the Synchronization Manager 617

Overview of Change and Configuration Management 618
Redirected Folders 620
Available Folders to Redirect 620
Redirected Documents/My Documents 621
Redirecting the Start Menu and the Desktop 639
Redirecting the Application Data Folder 641
Group Policy Setting for Folder Redirection 641
Troubleshooting Redirected Folders 644
Offline Files and Synchronization 646
Making Offline Files Available 647
Inside Windows 8 File Synchronization 650
Handling Conflicts 658
Client Configuration of Offline Files 659
Using Folder Redirection and Offline Files over Slow Links 668
Synchronizing over Slow Links with Redirected My Documents 669
Synchronizing over Slow Links with Regular Shares 670
Teaching Windows 7 and Windows 8 How to React to Slow Links 671
Using Group Policy to Configure Offline Files (User and Computer Node) 675
Troubleshooting Sync Center 683
Turning Off Folder Redirection’s Automatic Offline Caching for Desktops 685
Final Thoughts 695

Chapter 11 The Managed Desktop, Part 2: Software Deployment via Group Policy 697

Group Policy Software Installation (GPSI) Overview 697
The Windows Installer Service 699
Understanding .MSI Packages 700
Utilizing an Existing .MSI Package 700
Assigning and Publishing Applications 705
Assigning Applications 705
Publishing Applications 706
Rules of Deployment 707
Package-Targeting Strategy 708
Advanced Published or Assigned 717
The General Tab 717
The Deployment Tab 718
The Upgrades Tab 722
The Categories Tab 724
The Modifications Tab 724
The Security Tab 725
Default Group Policy Software Installation Properties 726
The General Tab 726
The Advanced Tab 727
The File Extensions Tab 728
The Categories Tab 728
Removing Applications 729
Users Can Manually Change or Remove Applications 729
Automatically Removing Assigned or Published .MSI Applications 729
Forcibly Removing Assigned or Published .MSI Applications 730
Using Group Policy Software Installation over Slow Links 732
MSI, the Windows Installer and Group Policy 735
Inside the MSIEXEC Tool 735
Patching a Distribution Point 736
Affecting Windows Installer with Group Policy 738
Deploying Office 2010 and Office 2013 Using Group Policy 741
Steps to Office 2010/2013 Deployment Using Group Policy 742
Result of Your Office Deploying Using Group Policy 751
Systems Center Configuration Manager vs. Group Policy 753
GPSI and Configuration Manager Coexistence 755
Final Thoughts 756

Chapter 12 Finishing Touches with Group Policy: Scripts, Internet Explorer, Hardware Control, and Printer Deployment 757

Scripts: Logon, Logoff, Startup, and Shutdown 757
Non-PowerShell-Based Scripts 758
Deploying PowerShell Scripts to Windows 7 and Later Clients 761
Managing Internet Explorer with Group Policy 762
Internet Explorer Maintenance—Where Is It? 763
Managing Internet Explorer with Group Policy Preferences 765
Internet Explorer’s Group Policy Settings 765
Managing Internet Explorer using the IEAK 766
Restricting Access to Hardware via Group Policy 768
Group Policy Preferences Devices Extension 769
Restricting Driver Access with Policy Settings for Windows Vista and Later 773
Getting a Handle on Classes and IDs 774
Restricting or Allowing Your Hardware via Group Policy 777
Understanding the Remaining Policy Settings for Hardware Restrictions 778
Assigning Printers via Group Policy 780
Zapping Down Printers to Users and Computers (a Refresher) 780
Final Thoughts for This Chapter and for the Book 789

Appendix A Group Policy and VDI 791

Why Is VDI Different? 792
Tuning Your Images for VDI 793
Specific Functions to Turn Off for VDI Machines 794
Group Policy Settings to Set and Avoid for Maximum VDI Performance 795
Group Policy Tweaks for Fast VDI Video 796
Tweaking RDP Using Group Policy for VDI 797
Tweaking RemoteFX using Group Policy for VDI 798
Managing and Locking Down Desktop UI Tweaks 799
Final Thoughts for VDI and Group Policy 801

Appendix B Security Configuration Manager 803

SCM: Installation 805
SCM: Getting Around 806
SCM: Usual Use Case 807
Importing Existing GPOs 814
Comparing and Merging Baselines 814
LocalGPO Tool 816
Installing SCM’s LocalGPO Tool 817
Using SCM’s LocalGPO 817
Final Thoughts on LocalGPO and SCM 823

Appendix C Windows Intune (And What It Means to Group Policy Admins) 825

Getting Started with Windows Intune 826
Using Windows Intune 829
Setting Up Windows Intune Groups 829
Setting Up Policies Using Windows Intune 830
Windows Intune and Group Policy Conflicts 831
Final Thoughts on Windows Intune 832

Index 835

Introduction

The era of Windows 8 is here. And, here’s the good and bad news (which is the same news): Besides that whole Start Screen/Start Menu business, Windows 8 is not radically different from its Windows 7 sibling.

This awareness is a dual-edged sword. On the one hand, you could say to yourself, “Awesome! If I’m already an expert at Windows 7 and Group Policy, there’s not a huge hill to climb!” And that would be true. On the other hand, it’s also true that because Windows 8 didn’t shake things up too much, there’s no “super killer must-haves” about Windows 8 with regard to Group Policy “guts.”

In a way, I really like the dual-edged sword. I like that there is a variety of new goodies for Windows 8, some interesting updates, but not a radical head-spinning change. I like the fact that what is already working in practice doesn’t change that much. I like knowing that the time already invested in getting smarter in Group Policy isn’t for nothing, and you and I won’t have to re-learn everything we ever knew all over again.

In short, I’m happy with Windows 8’s updates with regard to Group Policy. Group Policy has been around since Windows 2000 and continues on through Windows XP, Windows Vista, all the Windows Server operating systems and now on to Windows 8 Client and Windows Server 2012.

That’s an amazing run for one technology. What other technology has been around for almost 12 years and is still gaining in popularity? Its popularity and widespread use have grown year after year. And the underlying technology—both at its core and what it controls—has received an infusion of new technologies to keep it not only still relevant, but indeed central to any Active Directory administrator’s tool belt of required knowledge.

Group Policy and Active Directory go hand in hand. If you have Active Directory, you get Group Policy.

If you’re new to Group Policy, here’s the inside scoop. Group Policy has one goal: to make your administrative life easier. Instead of running around from machine to machine, tweaking a setting here or installing some software there, you’ll have ultimate control from on high.

Like Zeus himself, controlling the many aspects of the mortal world below, you will have the ability, via Group Policy, to dictate specific settings pertaining to how you want your users and computers to operate. You’ll be able to shape your network’s destiny. You’ll have the power. But you need to know how to tap into this power and what can be powered.

In this introduction and throughout the first several chapters, I’ll describe just what Group Policy is all about and give you an idea of its tremendous power. Then, as your skills grow, chapter by chapter, we’ll build on what you’ve already learned and help you do more with Group Policy, troubleshoot it, and implement some of its most powerful features.


Group Policy Defined

If we take a step back and try to analyze the term Group Policy, it’s easy to become confused. When I first heard the term, I didn’t know what to make of it.

I asked myself, “Are we applying ‘policy’ to ‘groups’? Is this some sort of old-school NT 4 System Policy applied to Active Directory groups?”

Turns out, “Group Policy” as a name isn’t, well, excellent. That’s because, at cocktail parties, I have a hard time telling the person next to me what I teach and write about.

If I said something like “I teach databases,” he would cheerfully go back to his scotch and soda and leave me alone. But because I say, “I teach Group Policy to smart people looking to get smarter,” he (unfortunately) wants to know more. He’ll say something like “What does that mean? I’ve never heard of Group Policy before.” And while I love talking about Group Policy with you, my friendly IT geeks, at a cocktail party full of stuffed shirts, I just want to get another canapé.

So, the name “Group Policy” can be kind of confusing, but it’s also intriguing. Microsoft’s perspective is that the name “Group Policy” is derived from the fact that you are “grouping together policy settings.” I don’t really love the name Group Policy—but it’s the name we have, so that’s what it’s called. As Juliet might say, “What’s in a name? That which we call a rose by any other name would smell as sweet,” (Romeo and Juliet, II, ii, 43–44).

Group Policy is, in essence, rules that are applied and enforced at multiple levels of Active Directory. Policy settings you dictate must be adhered to by your users and computers. This provides great power and efficiency when manipulating client systems.

Instead of running around from machine to machine, you’re in charge (not your users).

When going through the examples in this book, you will play the various parts of the end user, the OU administrator, the domain administrator, and the enterprise administrator. Your mission is to create and define Group Policy using Active Directory and witness it being automatically enforced. What you say goes! With Group Policy, you can set policies that dictate that users quit messing with their machines. You can dictate what software will be deployed. You can determine how much disk space users can use. You can do pretty much whatever you want—it is up to you. With Group Policy, you hold all the power. That’s the good news.

And this magical power only works on Windows 2000 or later machines. That includes Windows 2000, Windows XP, Windows Server 2003 (as a client), Windows Vista, Windows Server 2008 and 2008 R2 (as a client), Windows 7, and of course, Windows 8 and Windows Server 2012.

This shouldn’t be a problem, since you’ve expunged all the Windows 95, Windows 98, or Windows NT workstations or servers. Hey, it is 2013 (or maybe later!), after all!

I’ll likely say this again in multiple places, but I want to get one “big ol’ misconception” out of the way right here, right in the introduction. The Group Policy infrastructure does not care what mode your domain is in. If you have only one type of Domain Controller, or a mixture of Domain Controllers, 100 percent of everything we cover in this book is valid.


Said another way, even if your domain level is the oldest-of-the-old Windows 2000 mixed mode, you’re still 100 percent covered here. Group Policy is all about the client (the target) operating system, and not the Domain Controllers or domain modes.

If the range of control scares you, don’t be afraid! It just means more power to hold over your environment. You’ll quickly learn how to wisely use this newfound power to reign over your subjects, er, users.

Group Policy vs. Group Policy Objects vs. Group Policy Preferences

Before we go headlong into Group Policy theory, let’s get some terminology and vocabulary out of the way:

• Group Policy is the concept that, from on high, you can do all this “stuff” to your client machines.

• A policy setting is just one individual setting that you can use to perform some specific action.

• Group Policy Objects (GPOs) are the “nuts and bolts” contained within Active Directory Domain Controllers, and each can contain anywhere from one to a zillion individual policy settings.

• The Group Policy Preferences is a newer add-on to the existing set of the “original” Group Policy many have come to know and love. Group Policy Preferences (sometimes shortened to GPPrefs, or GPP) don’t act quite the same as their original cousins. We’ll cover the Group Policy Preferences in detail in Chapter 5.

• Preference item is a way to describe one “Group Policy Preferences directive.” It’s like a “policy setting,” but for the Group Policy Preferences.

It’s my goal that after you work through this book, you’ll be able to jump up on your desk one day and use all the vocabulary at once. Like this: “Hey! Group Policy isn’t applying to our client machines! Perhaps a policy setting is misconfigured. Or, maybe one of our Group Policy Objects has gone belly up! Heck, maybe one of the preference items is misconfigured. I’d better read about what’s going on in Chapter 7, ‘Troubleshooting Group Policy.’”

This terminology can be a little confusing—considering that each term includes the word policy. In this text, however, I’ve tried especially hard to use the correct nomenclature for what I’m describing. If you get confused, just come back here to refresh your brain about the definitions.

Note that there is never a time to use the phrase “Group Policies.” Those two words together shouldn’t exist. If you’re talking about “multiple GPOs” or “multiple policy settings” or “policy settings vs. preference items,” these are the preferred phrases to use, and never “Group Policies.”


Where Group Policy Applies

Group Policy can be applied to many machines at once using Active Directory, or it can be applied when you walk up to a specific machine. For the most part, in this book I’ll focus on using Group Policy within an Active Directory environment, where it affects the most machines.

Some of the settings explored and discussed in this book are available to member or stand-alone Windows machines—that is, machines that may or may not participate in an Active Directory environment.

However, the Folder Redirection settings (discussed in Chapter 10) and the Software Distribution settings (discussed in Chapter 11) are not available to stand-alone machines (that is, computers that are not participating in an Active Directory domain). In some cases, I will pay particular attention to non–Active Directory environments. However, most of the book deals with the more common case; that is, we’ll explore the implications of deploying Group Policy in an Active Directory environment.

The “Too Many Operating Systems” Problem

If we line up all the operating systems that you (a savvy IT person) might have in your corporate world, we would likely find one or more of the following (presented here in date-release order):

• Windows 2000 (Workstation and Server), RTM through SP4

• Windows 2003 Server, RTM through SP2

• Windows XP, RTM through SP3

• Windows Vista, RTM through SP2

• Windows Server 2008, RTM (known as SP1, actually) through SP2

• Windows 7 RTM, through SP1

• Windows Server 2008 R2, through SP1

• Windows 8 client, RTM

• Windows Server 2012, RTM

For the love of Pete (whoever Pete is), that’s a lot of potential operating systems. Okay, okay—perhaps you don’t have all of them. You likely don’t have any more Windows 2000 (or maybe you do, tucked in a back room somewhere, quietly processing something or other).

The point, however, is that Group Policy can apply to all of these systems. Under most circumstances, “old stuff” will work correctly on newer machines. That is, generally, something that can affect, say, an XP machine will also (generally) continue to affect a Windows 8 machine.

With that in mind, here’s an example of what I’m not going to do. I’m not going to show you an example of something in the book, then say something like “… and this example is valid for Windows XP, Windows Vista, Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8, and Windows Server 2012.”