Group Policy Fundamentals, Security, and the Managed Desktop

Contents

Introduction xxvii

Chapter 1 Group Policy Essentials 1
    Getting Ready to Use This Book 1
    Getting Started with Group Policy 4
    Group Policy Entities and Policy Settings 4
    The 18 (Original) Categories of Group Policy 6
    Understanding Local Group Policy 11
    Local Group Policy on Pre-Vista Computers 11
    Local Group Policy on Vista and Later 13
    Active Directory-Based Group Policy 17
    Group Policy and Active Directory 18
    Linking Group Policy Objects 20
    An Example of Group Policy Application 21
    Examining the Resultant Set of Policy 23
    At the Site Level 23
    At the Domain Level 24
    At the OU Level 24
    Group Policy, Active Directory, and the GPMC 26
    GPMC Overview 28
    Implementing the GPMC on Your Management Station 29
    Creating a One-Stop-Shop MMC 33
    Group Policy 101 and Active Directory 34
    Active Directory Users and Computers vs. GPMC 35
    Adjusting the View within the GPMC 36
    The GPMC-centric View 38
    Our Own Group Policy Examples 39
    More about Linking and the Group Policy Objects Container 41
    Applying a Group Policy Object to the Site Level 45
    Applying Group Policy Objects to the Domain Level 48
    Applying Group Policy Objects to the OU Level 50
    Testing Your Delegation of Group Policy Management 55
    Understanding Group Policy Object Linking Delegation 57
    Granting OU Admins Access to Create New Group Policy Objects 57
    Creating and Linking Group Policy Objects at the OU Level 59
    Creating a New Group Policy Object Affecting Computers in an OU 62
    Moving Computers into the Human Resources Computers OU 64
    Verifying Your Cumulative Changes 65
    Final Thoughts 67

Chapter 2 Managing Group Policy with the GPMC 69
    Common Procedures with the GPMC 70
    Raising or Lowering the Precedence of Multiple Group Policy Objects 73
    Understanding GPMC's Link Warning 74
    Stopping Group Policy Objects from Applying 75
    Block Inheritance 81
    The Enforced Function 82
    Security Filtering and Delegation with the GPMC 84
    Filtering the Scope of Group Policy Objects with Security 85
    User Permissions upon Group Policy Objects 94
    Granting Group Policy Object Creation Rights in the Domain 96
    Special Group Policy Operation Delegations 97
    Who Can Create and Use WMI Filters? 98
    Performing RSoP Calculations with the GPMC 100
    What's-Going-On Calculations with Group Policy Results 101
    What-If Calculations with Group Policy Modeling 107
    Searching and Commenting Group Policy Objects and Policy Settings 110
    Searching for GPO Characteristics 110
    Filtering Inside a GPO for Policy Settings 111
    Comments for GPOs and Policy Settings 121
    Starter GPOs 127
    Creating a Starter GPO 129
    Editing a Starter GPO 129
    Leveraging a Starter GPO 130
    Delegating Control of Starter GPOs 132
    Wrapping Up and Sending Starter GPOs 132
    Back Up and Restore for Group Policy 135
    Backing Up Group Policy Objects 136
    Restoring Group Policy Objects 138
    Backing Up and Restoring Starter GPOs 140
    Backing Up and Restoring WMI Filters 141
    Backing Up and Restoring IPsec Filters 141
    GPMC At-a-Glance Icon View 142
    The GPMC At-a-Glance Compatibility Table 143
    Final Thoughts 144

Chapter 3 Group Policy Processing Behavior Essentials 147
    Group Policy Processing Principles 147
    Don't Get Lost 150
    Initial Policy Processing 150
    Background Refresh Policy Processing 152
    Security Background Refresh Processing 161
    Special Case: Moving a User or a Computer Object 166
    Policy Application via Remote Access, Slow Links, and after Hibernation 167
    Windows 2000 and Windows XP Group Policy over Slow Network Connections 167
    Windows 7 Group Policy over Slow Network Connections 169
    What Is Processed over a Slow Network Connection? 169
    Using Group Policy to Affect Group Policy 174
    Affecting the User Settings of Group Policy 174
    Affecting the Computer Settings of Group Policy 176
    The Missing Group Policy Policy Settings 184
    Final Thoughts 186

Chapter 4 Advanced Group Policy Processing 189
    WMI Filters: Fine-Tuning When and Where Group Policy Applies 189
    Tools (and References) of the WMI Trade 191
    WMI Filter Syntax 192
    Creating and Using a WMI Filter 193
    Final WMI Filter Thoughts 194
    Group Policy Loopback Processing 196
    Reviewing Normal Group Policy Processing 196
    Group Policy Loopback—Merge Mode 197
    Group Policy Loopback—Replace Mode 197
    Group Policy with Cross-Forest Trusts 204
    What Happens When Logging onto Different Clients across a Cross-Forest Trust? 205
    Disabling Loopback Processing When Using Cross-Forest Trusts 207
    Older Machine Types and Cross-Forest Trusts 208
    Understanding Cross-Forest Trust Permissions 208
    Final Thoughts 209

Chapter 5 Group Policy Preferences 211
    Powers of the Group Policy Preferences 213
    Computer Configuration > Preferences 214
    User Configuration > Preferences 226
    Group Policy Preferences Architecture and Installation Instructions 233
    Installing the Client-Side Extensions on Your Client Machines 234
    Group Policy Preferences Concepts 237
    Preference vs. Policy 238
    The Overlap of Group Policy vs. Group Policy Preferences and Associated Issues 240
    The Lines and Circles and the CRUD Action Modes 255
    Common Tab 262
    Group Policy Preferences Tips, Tricks, and Troubleshooting 273
    Quick Copy, Drag and Drop, Cut and Paste, and Sharing of Settings 273
    Multiple Preference Items at a Level 276
    Temporarily Disabling a Single Preference Item or Extension Root 277
    Environment Variables 278
    Managing Group Policy Preferences: Hiding Extensions from Use 279
    Troubleshooting: Reporting, Logging, and Tracing 282
    Final Thoughts 288

Chapter 6 Managing Applications and Settings Using Group Policy 291
    Administrative Templates: A History and Policy vs. Preferences 292
    Administrative Templates: Then and Now 292
    Policy vs. Preference 293
    ADM vs. ADMX and ADML Files 298
    ADM File Introduction 298
    Updated GPMC's ADMX and ADML Files 300
    ADM vs. ADMX Files—At a Glance 301
    ADMX and ADML Files: What They Do and the Problems They Solve 302
    Problem and Solution 1: Tackling SYSVOL Bloat 302
    Problem 2: How Do We Deal with Multiple Languages? 304
    Problem 3: How Do We Deal with "Write Overlaps"? 305
    Problem 4: How Do We Distribute Updated Definitions to All Our Administrators? 305
    The Central Store 307
    The Windows ADMX/ADML Central Store 308
    Creating and Editing GPOs in a Mixed Environment 312
    Scenario 1: Start Out by Creating and Editing a GPO Using the Older GPMC. Edit Using Another Older GPMC Management Station. 313
    Scenario 2: Start Out by Creating and Editing a GPO with the Older GPMC. Edit Using the Updated GPMC. 314
    Scenario 3: Start Out by Creating and Editing a GPO Using the Updated GPMC. Edit Using Another Updated GPMC Management Station. 316
    Scenario 4: Start Out by Creating and Editing a GPO Using an Updated GPMC Management Station. Edit Using an Older GPMC Management Station. 316
    ADM and ADMX Templates from Other Sources 316
    Leveraging ADM Templates from Your Windows Management Station 317
    Microsoft Office ADM Templates 319
    Using ADMX Templates from Other Sources 323
    ADMX Migrator and ADMX Editor Tools 324
    ADMX Migrator 325
    ADMX Editor 326
    PolicyPak Community Edition 328
    PolicyPak Concepts and Installation 330
    Creating Your First PolicyPak 331
    Final Thoughts 339

Chapter 7 Troubleshooting Group Policy 341
    Under the Hood of Group Policy 343
    Inside Local Group Policy 343
    Inside Active Directory Group Policy Objects 346
    The Birth, Life, and Death of a GPO 349
    How Group Policy Objects Are "Born" 349
    How a GPO "Lives" 351
    Death of a GPO 377
    How Client Systems Get Group Policy Objects 378
    The Steps to Group Policy Processing 379
    Client-Side Extensions 381
    Where Are Administrative Templates Registry Settings Stored? 389
    Why Isn't Group Policy Applying? 391
    Reviewing the Basics 391
    Advanced Inspection 394
    Client-Side Troubleshooting 405
    RSoP for Windows Clients 406
    Advanced Group Policy Troubleshooting with Log Files 418
    Using the Event Viewer 418
    Turning On Verbose Logging 420
    Group Policy Processing Performance 432
    Final Thoughts 434

Chapter 8 Implementing Security with Group Policy 437
    The Two Default Group Policy Objects 438
    GPOs Linked at the Domain Level 439
    Group Policy Objects Linked to the Domain Controllers OU 443
    Oops, the "Default Domain Policy" GPO and/or "Default Domain Controllers Policy" GPO Got Screwed Up! 445
    The Strange Life of Password Policy 446
    What Happens When You Set Password Settings at an OU Level 446
    Fine-Grained Password Policy with Windows Server 2008 448
    Inside Auditing With and Without Group Policy 458
    Auditable Events using Group Policy 459
    Auditing File Access 464
    Auditing Group Policy Object Changes 465
    Advanced Audit Policy Configuration 470
    Restricted Groups 475
    Strictly Controlling Active Directory Groups 476
    Strictly Applying Group Nesting 478
    Which Groups Can Go into Which Other Groups via Restricted Groups? 479
    Restrict Software: Software Restriction Policy and AppLocker 480
    Inside Software Restriction Policies 480
    Software Restriction Policies' "Philosophies" 482
    Software Restriction Policies' Rules 483
    Restricting Software Using AppLocker 489
    Controlling User Account Control (UAC) with Group Policy 506
    Just Who Will See the UAC Prompts, Anyway? 510
    Understanding the Group Policy Controls for UAC 513
    UAC Policy Setting Suggestions 522
    Wireless (802.3) and Wired Network (802.11) Policies 525
    802.11 Wireless Policy for Windows XP 527
    802.11 Wireless Policy and 802.3 Wired Policy for Windows Vista and Later 527
    Configuring Windows Firewall with Group Policy 528
    Manipulating the Windows XP and Windows Server 2003 Firewall 531
    Windows Firewall with Advanced Security (for Windows Vista and Windows Server 2008)—WFAS 534
    IPsec (Now in Windows Firewall with Advanced Security) 542
    How Windows Firewall Rules Are Ultimately Calculated 548
    Final Thoughts 551

Chapter 9 Profiles: Local, Roaming, and Mandatory 553
    What Is a User Profile? 554
    The NTUSER.DAT File 554
    Profile Folders for Type 1 Computers (Windows 2000, Windows 2003, and Windows XP) 555
    Profile Folders for Type 2 Computers (Windows 7, Windows 2008, and Windows Server 2008 R2) 557
    The Default Local User Profile 563
    The Default Domain User Profile 566
    Roaming Profiles 570
    Setting Up Roaming Profiles 572
    Testing Roaming Profiles 578
    Migrating Local Profiles to Roaming Profiles 581
    Roaming and Nonroaming Folders 583
    Managing Roaming Profiles 587
    Manipulating Roaming Profiles with Computer Group Policy Settings 590
    Manipulating Roaming Profiles with User Group Policy Settings 601
    Mandatory Profiles 606
    Establishing Mandatory Profiles from a Local Profile 606
    Mandatory Profiles from an Established Roaming Profile 609
    Forced Mandatory Profiles (Super-Mandatory) 611
    Final Thoughts 612

Chapter 10 Implementing a Managed Desktop, Part 1: Redirected Folders, Offline Files, and the Synchronization Manager 615
    Overview of Change and Configuration Management 616
    Redirected Folders 617
    Available Folders to Redirect 618
    Redirected Documents/My Documents 619
    Redirecting the Start Menu and the Desktop 637
    Redirecting the Application Data 638
    Group Policy Setting for Folder Redirection 639
    Troubleshooting Redirected Folders 640
    Offline Files and Synchronization 643
    Making Offline Files Available 644
    Inside Windows XP Synchronization 648
    Inside Windows 7 File Synchronization 652
    Handling Conflicts 660
    Client Configuration of Offline Files 662
    Using Folder Redirection and Offline Files over Slow Links 680
    Synchronizing over Slow Links with Redirected My Documents 681
    Synchronizing over Slow Links with Regular Shares 683
    Using Group Policy to Configure Offline Files (User and Computer Node) 692
    Using Group Policy to Configure Offline Files (Exclusive to the Computer Node) 703
    Troubleshooting Sync Center 708
    Turning Off Folder Redirection's Automatic Offline Caching for Desktops 710
    Final Thoughts 718

Chapter 11 The Managed Desktop, Part 2: Software Deployment via Group Policy 719
    Group Policy Software Installation (GPSI) Overview 720
    The Windows Installer Service 721
    Understanding .MSI Packages 722
    Utilizing an Existing .MSI Package 723
    Assigning and Publishing Applications 728
    Assigning Applications 728
    Publishing Applications 729
    Rules of Deployment 730
    Package-Targeting Strategy 731
    Understanding .ZAP Files 738
    Testing Publishing Applications to Users 741
    Application Isolation 742
    Advanced Published or Assigned 744
    The General Tab 744
    The Deployment Tab 745
    The Upgrades Tab 750
    The Categories Tab 751
    The Modifications Tab 751
    The Security Tab 755
    Default Group Policy Software Installation Properties 757
    The General Tab 757
    The Advanced Tab 758
    The File Extensions Tab 758
    The Categories Tab 759
    Removing Applications 759
    Users Can Manually Change or Remove Applications 759
    Automatically Removing Assigned or Published MSI Applications 760
    Forcibly Removing Assigned or Published MSI Applications 761
    Removing Published .ZAP Applications 762
    Troubleshooting the Removal of Applications 763
    Using Group Policy Software Installation over Slow Links 764
    Managing .MSI Packages and the Windows Installer 766
    Inside the MSIEXEC Tool 766
    Affecting Windows Installer with Group Policy 769
    Deploying Office 2007 and Office 2010 Using Group Policy 778
    Office 2007 and Group Policy 779
    The "Right" Answer for Office 2007 and Office 2010 Deployment (Using Group Policy) 784
    Do You Need a "Big" Management Tool for Your Environment? 785
    SMS vs. GPOs: A Comparison Rundown 786
    GPSI and SMS Coexistence 789
    Final Thoughts 790

Chapter 12 Finishing Touches with Group Policy: Scripts, Internet Explorer, Hardware Control, Deploying Printers, and Shadow Copies 791
    Scripts: Logon, Logoff, Startup, and Shutdown 792
    Non-PowerShell-Based Scripts 792
    Deploying PowerShell Scripts to Windows 7 Clients 798
    Managing Internet Explorer with Group Policy 799
    Internet Explorer Maintenance (IEM) and Group Policy Preferences Settings 799
    Internet Explorer's Group Policy Settings 804
    Restricting Access to Hardware via Group Policy 807
    Devices Extension 808
    Restricting Driver Access with Policy Settings for Windows 7 812
    Getting a Handle on Classes and IDs 813
    Restricting or Allowing Your Hardware via Group Policy 815
    Understanding the Remaining Policy Settings for Hardware Restrictions 816
    Assigning Printers via Group Policy 818
    Zapping Down Printers to Users and Computers (a Refresher) 819
    Shadow Copies (aka Previous Versions) 827
    Setting Up and Using Shadow Copies for Local Windows 7 Machines 827
    Setting Up Shadow Copies on the Server 827
    Restoring Files with the Shadow Copies Client 830
    Group Policy Settings for Shadow Copies 833
    Final Thoughts for This Chapter and for the Book 834

Appendix A Group Policy Tools 837
    Securing Workstations with Templates 837
    Incremental Security Templates 838
    Other Security Template Sources 839
    Applying Security Templates with Group Policy 840
    The Security Configuration Wizard 841
    Security Configuration Wizard Primer and Installation 842
    A Practical SCW Example 843
    Converting Your SCW Policy to a GPO 849
    SCW Caveats 851
    Migrating Group Policy Objects between Domains 851
    Basic Interdomain Copy and Import 851
    Copy and Import with Migration Tables 855
    Microsoft Tools Roundup 859
    Group Policy Tools from Microsoft 859
    Profile Tools from Microsoft 862
    Utilities and Add-Ons 862
    Third-Party Vendors List 863

Index 867