Group Policy: Fundamentals, Security, and the Managed Desktop

Contents

Introduction xxvii

Chapter 1 Group Policy Essentials 1
Getting Ready to Use This Book 1
Getting Started with Group Policy 4
Group Policy Entities and Policy Settings 4
The 18 (Original) Categories of Group Policy 6
Understanding Local Group Policy 11
Local Group Policy on Pre-Vista Computers 11
Local Group Policy on Vista and Later 13
Active Directory-Based Group Policy 17
Group Policy and Active Directory 18
Linking Group Policy Objects 20
An Example of Group Policy Application 21
Examining the Resultant Set of Policy 23
At the Site Level 23
At the Domain Level 24
At the OU Level 24
Group Policy, Active Directory, and the GPMC 26
GPMC Overview 28
Implementing the GPMC on Your Management Station 29
Creating a One-Stop-Shop MMC 33
Group Policy 101 and Active Directory 34
Active Directory Users and Computers vs. GPMC 35
Adjusting the View within the GPMC 36
The GPMC-centric View 38
Our Own Group Policy Examples 39
More about Linking and the Group Policy Objects Container 41
Applying a Group Policy Object to the Site Level 45
Applying Group Policy Objects to the Domain Level 48
Applying Group Policy Objects to the OU Level 50
Testing Your Delegation of Group Policy Management 55
Understanding Group Policy Object Linking Delegation 57
Granting OU Admins Access to Create New Group Policy Objects 57
Creating and Linking Group Policy Objects at the OU Level 59
Creating a New Group Policy Object Affecting Computers in an OU 62
Moving Computers into the Human Resources Computers OU 64
Verifying Your Cumulative Changes 65
Final Thoughts 67
Chapter 2 Managing Group Policy with the GPMC 69
Common Procedures with the GPMC 70
Raising or Lowering the Precedence of Multiple Group Policy Objects 73
Understanding GPMC's Link Warning 74
Stopping Group Policy Objects from Applying 75
Block Inheritance 81
The Enforced Function 82
Security Filtering and Delegation with the GPMC 84
Filtering the Scope of Group Policy Objects with Security 85
User Permissions upon Group Policy Objects 94
Granting Group Policy Object Creation Rights in the Domain 96
Special Group Policy Operation Delegations 97
Who Can Create and Use WMI Filters? 98
Performing RSoP Calculations with the GPMC 100
What's-Going-On Calculations with Group Policy Results 101
What-If Calculations with Group Policy Modeling 107
Searching and Commenting Group Policy Objects and Policy Settings 110
Searching for GPO Characteristics 110
Filtering Inside a GPO for Policy Settings 111
Comments for GPOs and Policy Settings 121
Starter GPOs 127
Creating a Starter GPO 129
Editing a Starter GPO 129
Leveraging a Starter GPO 130
Delegating Control of Starter GPOs 132
Wrapping Up and Sending Starter GPOs 132
Back Up and Restore for Group Policy 135
Backing Up Group Policy Objects 136
Restoring Group Policy Objects 138
Backing Up and Restoring Starter GPOs 140
Backing Up and Restoring WMI Filters 141
Backing Up and Restoring IPsec Filters 141
GPMC At-a-Glance Icon View 142
The GPMC At-a-Glance Compatibility Table 143
Final Thoughts 144
Chapter 3 Group Policy Processing Behavior Essentials 147
Group Policy Processing Principles 147
Don't Get Lost 150
Initial Policy Processing 150
Background Refresh Policy Processing 152
Security Background Refresh Processing 161
Special Case: Moving a User or a Computer Object 166
Policy Application via Remote Access, Slow Links, and after Hibernation 167
Windows 2000 and Windows XP Group Policy over Slow Network Connections 167
Windows 7 Group Policy over Slow Network Connections 169
What Is Processed over a Slow Network Connection? 169
Using Group Policy to Affect Group Policy 174
Affecting the User Settings of Group Policy 174
Affecting the Computer Settings of Group Policy 176
The Missing Group Policy Policy Settings 184
Final Thoughts 186
Chapter 4 Advanced Group Policy Processing 189
WMI Filters: Fine-Tuning When and Where Group Policy Applies 189
Tools (and References) of the WMI Trade 191
WMI Filter Syntax 192
Creating and Using a WMI Filter 193
Final WMI Filter Thoughts 194
Group Policy Loopback Processing 196
Reviewing Normal Group Policy Processing 196
Group Policy Loopback—Merge Mode 197
Group Policy Loopback—Replace Mode 197
Group Policy with Cross-Forest Trusts 204
What Happens When Logging onto Different Clients across a Cross-Forest Trust? 205
Disabling Loopback Processing When Using Cross-Forest Trusts 207
Older Machine Types and Cross-Forest Trusts 208
Understanding Cross-Forest Trust Permissions 208
Final Thoughts 209
Chapter 5 Group Policy Preferences 211
Powers of the Group Policy Preferences 213
Computer Configuration > Preferences 214
User Configuration > Preferences 226
Group Policy Preferences Architecture and Installation Instructions 233
Installing the Client-Side Extensions on Your Client Machines 234
Group Policy Preferences Concepts 237
Preference vs. Policy 238
The Overlap of Group Policy vs. Group Policy Preferences and Associated Issues 240
The Lines and Circles and the CRUD Action Modes 255
Common Tab 262
Group Policy Preferences Tips, Tricks, and Troubleshooting 273
Quick Copy, Drag and Drop, Cut and Paste, and Sharing of Settings 273
Multiple Preference Items at a Level 276
Temporarily Disabling a Single Preference Item or Extension Root 277
Environment Variables 278
Managing Group Policy Preferences: Hiding Extensions from Use 279
Troubleshooting: Reporting, Logging, and Tracing 282
Final Thoughts 288
Chapter 6 Managing Applications and Settings Using Group Policy 291
Administrative Templates: A History and Policy vs. Preferences 292
Administrative Templates: Then and Now 292
Policy vs. Preference 293
ADM vs. ADMX and ADML Files 298
ADM File Introduction 298
Updated GPMC's ADMX and ADML Files 300
ADM vs. ADMX Files—At a Glance 301
ADMX and ADML Files: What They Do and the Problems They Solve 302
Problem and Solution 1: Tackling SYSVOL Bloat 302
Problem 2: How Do We Deal with Multiple Languages? 304
Problem 3: How Do We Deal with "Write Overlaps"? 305
Problem 4: How Do We Distribute Updated Definitions to All Our Administrators? 305
The Central Store 307
The Windows ADMX/ADML Central Store 308
Creating and Editing GPOs in a Mixed Environment 312
Scenario 1: Start Out by Creating and Editing a GPO Using the Older GPMC. Edit Using Another Older GPMC Management Station. 313
Scenario 2: Start Out by Creating and Editing a GPO with the Older GPMC. Edit Using the Updated GPMC. 314
Scenario 3: Start Out by Creating and Editing a GPO Using the Updated GPMC. Edit Using Another Updated GPMC Management Station. 316
Scenario 4: Start Out by Creating and Editing a GPO Using an Updated GPMC Management Station. Edit Using an Older GPMC Management Station. 316
ADM and ADMX Templates from Other Sources 316
Leveraging ADM Templates from Your Windows Management Station 317
Microsoft Office ADM Templates 319
Using ADMX Templates from Other Sources 323
ADMX Migrator and ADMX Editor Tools 324
ADMX Migrator 325
ADMX Editor 326
PolicyPak Community Edition 328
PolicyPak Concepts and Installation 330
Creating Your First PolicyPak 331
Final Thoughts 339
Chapter 7 Troubleshooting Group Policy 341
Under the Hood of Group Policy 343
Inside Local Group Policy 343
Inside Active Directory Group Policy Objects 346
The Birth, Life, and Death of a GPO 349
How Group Policy Objects Are "Born" 349
How a GPO "Lives" 351
Death of a GPO 377
How Client Systems Get Group Policy Objects 378
The Steps to Group Policy Processing 379
Client-Side Extensions 381
Where Are Administrative Templates Registry Settings Stored? 389
Why Isn't Group Policy Applying? 391
Reviewing the Basics 391
Advanced Inspection 394
Client-Side Troubleshooting 405
RSoP for Windows Clients 406
Advanced Group Policy Troubleshooting with Log Files 418
Using the Event Viewer 418
Turning On Verbose Logging 420
Group Policy Processing Performance 432
Final Thoughts 434
Chapter 8 Implementing Security with Group Policy 437
The Two Default Group Policy Objects 438
GPOs Linked at the Domain Level 439
Group Policy Objects Linked to the Domain Controllers OU 443
Oops, the "Default Domain Policy" GPO and/or "Default Domain Controllers Policy" GPO Got Screwed Up! 445
The Strange Life of Password Policy 446
What Happens When You Set Password Settings at an OU Level 446
Fine-Grained Password Policy with Windows Server 2008 448
Inside Auditing With and Without Group Policy 458
Auditable Events using Group Policy 459
Auditing File Access 464
Auditing Group Policy Object Changes 465
Advanced Audit Policy Configuration 470
Restricted Groups 475
Strictly Controlling Active Directory Groups 476
Strictly Applying Group Nesting 478
Which Groups Can Go into Which Other Groups via Restricted Groups? 479
Restrict Software: Software Restriction Policy and AppLocker 480
Inside Software Restriction Policies 480
Software Restriction Policies' "Philosophies" 482
Software Restriction Policies' Rules 483
Restricting Software Using AppLocker 489
Controlling User Account Control (UAC) with Group Policy 506
Just Who Will See the UAC Prompts, Anyway? 510
Understanding the Group Policy Controls for UAC 513
UAC Policy Setting Suggestions 522
Wireless (802.11) and Wired Network (802.3) Policies 525
802.11 Wireless Policy for Windows XP 527
802.11 Wireless Policy and 802.3 Wired Policy for Windows Vista and Later 527
Configuring Windows Firewall with Group Policy 528
Manipulating the Windows XP and Windows Server 2003 Firewall 531
Windows Firewall with Advanced Security (for Windows Vista and Windows Server 2008)—WFAS 534
IPsec (Now in Windows Firewall with Advanced Security) 542
How Windows Firewall Rules Are Ultimately Calculated 548
Final Thoughts 551
Chapter 9 Profiles: Local, Roaming, and Mandatory 553
What Is a User Profile? 554
The NTUSER.DAT File 554
Profile Folders for Type 1 Computers (Windows 2000, Windows 2003, and Windows XP) 555
Profile Folders for Type 2 Computers (Windows 7, Windows 2008, and Windows Server 2008 R2) 557
The Default Local User Profile 563
The Default Domain User Profile 566
Roaming Profiles 570
Setting Up Roaming Profiles 572
Testing Roaming Profiles 578
Migrating Local Profiles to Roaming Profiles 581
Roaming and Nonroaming Folders 583
Managing Roaming Profiles 587
Manipulating Roaming Profiles with Computer Group Policy Settings 590
Manipulating Roaming Profiles with User Group Policy Settings 601
Mandatory Profiles 606
Establishing Mandatory Profiles from a Local Profile 606
Mandatory Profiles from an Established Roaming Profile 609
Forced Mandatory Profiles (Super-Mandatory) 611
Final Thoughts 612
Chapter 10 Implementing a Managed Desktop, Part 1: Redirected Folders, Offline Files, and the Synchronization Manager 615
Overview of Change and Configuration Management 616
Redirected Folders 617
Available Folders to Redirect 618
Redirected Documents/My Documents 619
Redirecting the Start Menu and the Desktop 637
Redirecting the Application Data 638
Group Policy Setting for Folder Redirection 639
Troubleshooting Redirected Folders 640
Offline Files and Synchronization 643
Making Offline Files Available 644
Inside Windows XP Synchronization 648
Inside Windows 7 File Synchronization 652
Handling Conflicts 660
Client Configuration of Offline Files 662
Using Folder Redirection and Offline Files over Slow Links 680
Synchronizing over Slow Links with Redirected My Documents 681
Synchronizing over Slow Links with Regular Shares 683
Using Group Policy to Configure Offline Files (User and Computer Node) 692
Using Group Policy to Configure Offline Files (Exclusive to the Computer Node) 703
Troubleshooting Sync Center 708
Turning Off Folder Redirection's Automatic Offline Caching for Desktops 710
Final Thoughts 718
Chapter 11 The Managed Desktop, Part 2: Software Deployment via Group Policy 719
Group Policy Software Installation (GPSI) Overview 720
The Windows Installer Service 721
Understanding .MSI Packages 722
Utilizing an Existing .MSI Package 723
Assigning and Publishing Applications 728
Assigning Applications 728
Publishing Applications 729
Rules of Deployment 730
Package-Targeting Strategy 731
Understanding .ZAP Files 738
Testing Publishing Applications to Users 741
Application Isolation 742
Advanced Published or Assigned 744
The General Tab 744
The Deployment Tab 745
The Upgrades Tab 750
The Categories Tab 751
The Modifications Tab 751
The Security Tab 755
Default Group Policy Software Installation Properties 757
The General Tab 757
The Advanced Tab 758
The File Extensions Tab 758
The Categories Tab 759
Removing Applications 759
Users Can Manually Change or Remove Applications 759
Automatically Removing Assigned or Published MSI Applications 760
Forcibly Removing Assigned or Published MSI Applications 761
Removing Published .ZAP Applications 762
Troubleshooting the Removal of Applications 763
Using Group Policy Software Installation over Slow Links 764
Managing .MSI Packages and the Windows Installer 766
Inside the MSIEXEC Tool 766
Affecting Windows Installer with Group Policy 769
Deploying Office 2007 and Office 2010 Using Group Policy 778
Office 2007 and Group Policy 779
The "Right" Answer for Office 2007 and Office 2010 Deployment (Using Group Policy) 784
Do You Need a "Big" Management Tool for Your Environment? 785
SMS vs. GPOs: A Comparison Rundown 786
GPSI and SMS Coexistence 789
Final Thoughts 790
Chapter 12 Finishing Touches with Group Policy: Scripts, Internet Explorer, Hardware Control, Deploying Printers, and Shadow Copies 791
Scripts: Logon, Logoff, Startup, and Shutdown 792
Non-PowerShell-Based Scripts 792
Deploying PowerShell Scripts to Windows 7 Clients 798
Managing Internet Explorer with Group Policy 799
Internet Explorer Maintenance (IEM) and Group Policy Preferences Settings 799
Internet Explorer's Group Policy Settings 804
Restricting Access to Hardware via Group Policy 807
Devices Extension 808
Restricting Driver Access with Policy Settings for Windows 7 812
Getting a Handle on Classes and IDs 813
Restricting or Allowing Your Hardware via Group Policy 815
Understanding the Remaining Policy Settings for Hardware Restrictions 816
Assigning Printers via Group Policy 818
Zapping Down Printers to Users and Computers (a Refresher) 819
Shadow Copies (aka Previous Versions) 827
Setting Up and Using Shadow Copies for Local Windows 7 Machines 827
Setting Up Shadow Copies on the Server 827
Restoring Files with the Shadow Copies Client 830
Group Policy Settings for Shadow Copies 833
Final Thoughts for This Chapter and for the Book 834
Appendix A Group Policy Tools 837
Securing Workstations with Templates 837
Incremental Security Templates 838
Other Security Template Sources 839
Applying Security Templates with Group Policy 840
The Security Configuration Wizard 841
Security Configuration Wizard Primer and Installation 842
A Practical SCW Example 843
Converting Your SCW Policy to a GPO 849
SCW Caveats 851
Migrating Group Policy Objects between Domains 851
Basic Interdomain Copy and Import 851
Copy and Import with Migration Tables 855
Microsoft Tools Roundup 859
Group Policy Tools from Microsoft 859
Profile Tools from Microsoft 862
Utilities and Add-Ons 862
Third-Party Vendors List 863
Index ^67