Group Policy: Fundamentals, Security, and the Managed Desktop

Book description

The ultimate Group Policy guide, now updated for Windows 7 and Server 2008 R2!

IT and network administrators can streamline their Windows Server management tasks by using Group Policy tools to automate or implement rules, processes, or new security across the enterprise. In this comprehensive guide, Microsoft Group Policy MVP Jeremy Moskowitz thoroughly explores Group Policy across all Windows platforms, including the latest on Windows 7 and Server 2008 R2. If you're a Windows network administrator managing scores of users and computers, you need this essential reference on your desk.

  • Covers the fundamentals and beyond of Group Policy, a collection of tools and settings that allow administrators to manage users and computers across a Windows Server enterprise

  • Reflects the very latest Windows Server technologies: Windows Server 2008 R2 and Windows 7

  • Includes essential topics such as Group Policy settings, using the management console, implementing security, maintaining settings as users move from one computer to another, using Windows Steady State, and more

  • Offers expert guidance and advice from renowned Group Policy expert and Microsoft Group Policy MVP Jeremy Moskowitz

  • If you're a Windows Server network or IT administrator, make your life easier with Group Policy and this must-have guide.

Note: CD-ROM/DVD and other supplementary materials are not included as part of the eBook file.

Table of contents

  1. Copyright
  2. Dear Reader,
  3. Acknowledgments
  4. About the Contributors
  5. Introduction
    1. Group Policy Defined
      1. Group Policy vs. Group Policy Objects vs. Group Policy Preferences
      2. Where Group Policy Applies
      3. The "Too Many Operating Systems" Problem
    2. This Book and Beyond
  6. 1. Group Policy Essentials
    1. 1.1. Getting Ready to Use This Book
    2. 1.2. Getting Started with Group Policy
      1. 1.2.1. Group Policy Entities and Policy Settings
      2. 1.2.2. The 18 (Original) Categories of Group Policy
    3. 1.3. Understanding Local Group Policy
      1. 1.3.1. Local Group Policy on Pre-Vista Computers
      2. 1.3.2. Local Group Policy on Vista and Later
        1. Understanding Multiple Local GPOs
        2. Trying Out Multiple Local GPOs on Windows Vista and Later
        3. Local GPOs Final Thoughts
    4. 1.4. Active Directory-Based Group Policy
      1. 1.4.1. Group Policy and Active Directory
      2. 1.4.2. Linking Group Policy Objects
    5. 1.5. An Example of Group Policy Application
    6. 1.6. Examining the Resultant Set of Policy
      1. 1.6.1. At the Site Level
      2. 1.6.2. At the Domain Level
      3. 1.6.3. At the OU Level
        1. Bringing It All Together
    7. 1.7. Group Policy, Active Directory, and the GPMC
      1. 1.7.1. GPMC Overview
        1. About the GPMC
      2. 1.7.2. Implementing the GPMC on Your Management Station
        1. Using a Windows 7 or Windows Server 2008 R2 Management Station
        2. Using a Windows Server 2008 R2 Machine as Your Management Station
        3. Using Windows 7 as Your Management Machine
      3. 1.7.3. Creating a One-Stop-Shop MMC
    8. 1.8. Group Policy 101 and Active Directory
      1. 1.8.1. Active Directory Users and Computers vs. GPMC
      2. 1.8.2. Adjusting the View within the GPMC
      3. 1.8.3. The GPMC-centric View
    9. 1.9. Our Own Group Policy Examples
      1. 1.9.1. More about Linking and the Group Policy Objects Container
        1. Understanding Our Actions
      2. 1.9.2. Applying a Group Policy Object to the Site Level
        1. Verifying Your Changes at the Site Level
      3. 1.9.3. Applying Group Policy Objects to the Domain Level
        1. Verifying Your Changes at the Domain Level
      4. 1.9.4. Applying Group Policy Objects to the OU Level
        1. Preparing to Delegate Control
        2. Delegating Control for Group Policy Management
          1. Performing Your First Delegation
          2. Adding a User to the Server Operators Group (Just for This Book)
      5. 1.9.5. Testing Your Delegation of Group Policy Management
      6. 1.9.6. Understanding Group Policy Object Linking Delegation
      7. 1.9.7. Granting OU Admins Access to Create New Group Policy Objects
      8. 1.9.8. Creating and Linking Group Policy Objects at the OU Level
        1. Verifying Your Changes at the OU Level
      9. 1.9.9. Creating a New Group Policy Object Affecting Computers in an OU
      10. 1.9.10. Moving Computers into the Human Resources Computers OU
      11. 1.9.11. Verifying Your Cumulative Changes
    10. 1.10. Final Thoughts
  7. 2. Managing Group Policy with the GPMC
    1. 2.1. Common Procedures with the GPMC
      1. 2.1.1. Raising or Lowering the Precedence of Multiple Group Policy Objects
      2. 2.1.2. Understanding GPMC's Link Warning
      3. 2.1.3. Stopping Group Policy Objects from Applying
        1. Preventing Local GPOs from Applying
        2. Disabling the Link Enabled Status
        3. Disabling "Half" (or Both Halves) of the Group Policy Object
        4. Deleting and Unlinking Group Policy Objects
        5. Deleting the Link to the Group Policy Object
        6. Truly Deleting the Group Policy Object Itself
      4. 2.1.4. Block Inheritance
      5. 2.1.5. The Enforced Function
    2. 2.2. Security Filtering and Delegation with the GPMC
      1. 2.2.1. Filtering the Scope of Group Policy Objects with Security
        1. Group Policy Object Filtering Approach #1: Leverage the Security Filtering Section of the Scope Tab in GPMC
        2. Testing Your First Filters
        3. What's Going on under the Hood for Filtering
        4. Filtering Approach #2: Identify Those You Do Not Want to Get the Policy
      2. 2.2.2. User Permissions upon Group Policy Objects
      3. 2.2.3. Granting Group Policy Object Creation Rights in the Domain
      4. 2.2.4. Special Group Policy Operation Delegations
      5. 2.2.5. Who Can Create and Use WMI Filters?
        1. Delegating Who Can Create WMI Filters
        2. Delegating Who Can use WMI Filters
    3. 2.3. Performing RSoP Calculations with the GPMC
      1. 2.3.1. What's-Going-On Calculations with Group Policy Results
      2. 2.3.2. What-If Calculations with Group Policy Modeling
    4. 2.4. Searching and Commenting Group Policy Objects and Policy Settings
      1. 2.4.1. Searching for GPO Characteristics
      2. 2.4.2. Filtering Inside a GPO for Policy Settings
        1. Where Did Filtering Come From?
        2. What's Available to Filter
        3. Keyword Filters
        4. Type of Settings to Display
        5. Requirements Filters
        6. Results of Your Filter
        7. Browsing the Results
        8. Filter Options On/Off
        9. The All Settings Node
        10. Using the All Settings Node in Conjunction with Filtering
        11. Using the All Settings Node without the Use of Filtering
      3. 2.4.3. Comments for GPOs and Policy Settings
        1. Comments about a Specific GPO
        2. Leaving a Comment inside a GPO
        3. Reading a Comment about a GPO
        4. Comments about Specific GPO Settings
        5. Leaving a Comment inside a Specific GPO Setting
        6. Reading a Comment inside a Specific GPO Setting
        7. Looking at Comments While Editing the GPO
        8. Looking at All Comments While inside the GPMC
    5. 2.5. Starter GPOs
      1. 2.5.1. Creating a Starter GPO
      2. 2.5.2. Editing a Starter GPO
      3. 2.5.3. Leveraging a Starter GPO
        1. Using the Starter GPOs Node
        2. Creating a New GPO and Selecting a Starter GPO
      4. 2.5.4. Delegating Control of Starter GPOs
      5. 2.5.5. Wrapping Up and Sending Starter GPOs
    6. 2.6. Back Up and Restore for Group Policy
      1. 2.6.1. Backing Up Group Policy Objects
      2. 2.6.2. Restoring Group Policy Objects
      3. 2.6.3. Backing Up and Restoring Starter GPOs
      4. 2.6.4. Backing Up and Restoring WMI Filters
      5. 2.6.5. Backing Up and Restoring IPsec Filters
    7. 2.7. GPMC At-a-Glance Icon View
    8. 2.8. The GPMC At-a-Glance Compatibility Table
    9. 2.9. Final Thoughts
  8. 3. Group Policy Processing Behavior Essentials
    1. 3.1. Group Policy Processing Principles
      1. 3.1.1. Don't Get Lost
      2. 3.1.2. Initial Policy Processing
        1. Windows 2000 (and Windows Server 2003 and Windows Server 2008) Initial Policy Processing
        2. Windows XP and Later Initial Policy Processing
      3. 3.1.3. Background Refresh Policy Processing
        1. Background Refresh Intervals for Windows 2000/2003/2008 Member Servers
        2. Background Refresh Intervals for Windows 2000/2003/2008 Domain Controllers
        3. Background Refresh Exemptions
        4. Windows XP and Later and Background Processing
          1. Windows XP and Later Fast-Boot Results
          2. Windows XP and Later Fast Boot Group Policy Processing Details
          3. Automatically Killing Fast Boot with Special User Account Attributes
          4. Manually Turning Off Windows XP and Later Fast Boot
        5. Forcing Background Policy Processing
      4. 3.1.4. Security Background Refresh Processing
        1. Background Security Refresh Processing
        2. Mandatory Reapplication for Nonsecurity Policy
        3. Manually Forcing Clients to Process GPOs (Revisited)
      5. 3.1.5. Special Case: Moving a User or a Computer Object
    2. 3.2. Policy Application via Remote Access, Slow Links, and after Hibernation
      1. 3.2.1. Windows 2000 and Windows XP Group Policy over Slow Network Connections
      2. 3.2.2. Windows 7 Group Policy over Slow Network Connections
      3. 3.2.3. What Is Processed over a Slow Network Connection?
    3. 3.3. Using Group Policy to Affect Group Policy
      1. 3.3.1. Affecting the User Settings of Group Policy
        1. Group Policy Refresh Interval for Users
        2. Group Policy Slow Link Detection
        3. Group Policy Domain Controller Selection
        4. Create New Group Policy Object Links Disabled by Default
        5. Default Name for Group Policy Objects
        6. Enforce Show Policies Only
        7. Turn Off Automatic Update of ADM Files
        8. Disallow Interactive Users from Generating Resultant Set of Policy Data
      2. 3.3.2. Affecting the Computer Settings of Group Policy
        1. Turn Off Background Refresh of Group Policy
        2. Group Policy Refresh Interval for Computers
        3. Group Policy Refresh Interval for Domain Controllers
        4. User Group Policy Loopback Processing Mode
        5. Allow Cross-Forest User Policy and Roaming User Profiles
        6. Group Policy Slow Link Detection
        7. Turn Off Resultant Set of Policy Logging
        8. Remove Users' Ability to Invoke Machine Policy Refresh
        9. Disallow Interactive Users from Generating Resultant Set of Policy Data
        10. Registry policy Processing (where p in policy is lowercase)
        11. Internet Explorer Maintenance Policy Processing
        12. Software Installation Policy Processing
        13. Folder Redirection Policy Processing
        14. Scripts Policy Processing
        15. Security Policy Processing
        16. IP Security Policy Processing
        17. EFS Recovery Policy Processing
        18. Wireless Policy Processing
        19. Wired Policy Processing
        20. Disk Quota Policy Processing
        21. Always Use Local ADM Files for Group Policy Object Editor
        22. Turn Off Local Group Policy Objects Processing
        23. Startup Policy Processing Wait Time
      3. 3.3.3. The Missing Group Policy Policy Settings
    4. 3.4. Final Thoughts
  9. 4. Advanced Group Policy Processing
    1. 4.1. WMI Filters: Fine-Tuning When and Where Group Policy Applies
      1. 4.1.1. Tools (and References) of the WMI Trade
      2. 4.1.2. WMI Filter Syntax
      3. 4.1.3. Creating and Using a WMI Filter
        1. WMI Filter Creation
        2. WMI Filter Usage
      4. 4.1.4. Final WMI Filter Thoughts
    2. 4.2. Group Policy Loopback Processing
      1. 4.2.1. Reviewing Normal Group Policy Processing
      2. 4.2.2. Group Policy Loopback—Merge Mode
      3. 4.2.3. Group Policy Loopback—Replace Mode
        1. Creating a New OU
        2. Moving a Client into the Public Kiosk OU
        3. Creating a Group Policy Object with Group Policy Loopback—Replace Mode
        4. Verifying That Group Policy Loopback—Replace Mode Is Working
        5. Group Policy Loopback—Replace Mode for Terminal Services
        6. Additional Terminal Services Tips
    3. 4.3. Group Policy with Cross-Forest Trusts
      1. 4.3.1. What Happens When Logging onto Different Clients across a Cross-Forest Trust?
      2. 4.3.2. Disabling Loopback Processing When Using Cross-Forest Trusts
      3. 4.3.3. Older Machine Types and Cross-Forest Trusts
      4. 4.3.4. Understanding Cross-Forest Trust Permissions
    4. 4.4. Final Thoughts
  10. 5. Group Policy Preferences
    1. 5.1. Powers of the Group Policy Preferences
      1. 5.1.1. Computer Configuration Preferences
        1. Computer Configuration Preferences Windows Settings
          1. Environment Extension
          2. Files Extension
          3. Folders Extension
          4. .INI Files Extension
          5. Registry Extension
          6. Network Shares Extension
          7. Shortcuts Extension
        2. Computer Configuration Preferences Control Panel Settings
          1. Data Sources Extension
          2. Devices Extension
          3. Folder Options Extension
          4. Local Users and Groups Extension
          5. Network Options Extension
          6. Power Options Extension
          7. Printers Extension
          8. Scheduled Tasks Extension
          9. Services Extension
      2. 5.1.2. User Configuration Preferences
        1. User Configuration Preferences Windows Settings
          1. Applications Extension
          2. Drive Maps Extension
        2. User Configuration Preferences Control Panel
          1. Folder Options Extension
          2. Internet Settings Extension
          3. Printers Extension
          4. Regional Options Extension
          5. Start Menu Extension
    2. 5.2. Group Policy Preferences Architecture and Installation Instructions
      1. 5.2.1. Installing the Client-Side Extensions on Your Client Machines
        1. The CSEs for Windows 7, Windows Server 2008, Windows Server 2008 R2
        2. The CSEs for Windows Server 2003, Windows XP, and Windows Vista
          1. Installing the Prerequisites and CSEs for Windows Server 2003 and Windows XP by Hand
          2. Installing the CSEs for Windows Vista by Hand
          3. Installing the Prerequisites and CSEs for All Operating Systems Automatically
    3. 5.3. Group Policy Preferences Concepts
      1. 5.3.1. Preference vs. Policy
        1. Why Group Policy Works—a Review
        2. Why ADM/ADMX Files Are and Aren't So Awesome
        3. Group Policy Preferences Are Like ADM/ADMX Files (Mostly)
        4. Group Policy Preferences Advantages over ADM/ADMX Files
      2. 5.3.2. The Overlap of Group Policy vs. Group Policy Preferences and Associated Issues
        1. Classic vs. Group Policy Preferences Overlap Areas
          1. Group Policy Deployed Printers vs. GPPrefs Printers Extension
          2. Group Policy Internet Explorer and Group Policy IE Maintenance Configuration vs. the GPPrefs Internet Settings Extension
          3. Group Policy Power Management vs. GPPrefs Power Options Preference Extension
          4. Group Policy File Security vs. GPPrefs Files Preference Extension
          5. Group Policy System Services vs. GPPrefs Services Preference Extension
          6. Group Policy Device Installation Restrictions vs. GPPrefs Devices Preference Extension
          7. Group Policy Start Menu Policy Settings vs. GPPrefs Start Menu
          8. Group Policy Restricted Groups vs. Local Users and Groups Preference Extension
        2. How Does the Group Policy Engine Deal with Overlaps?
          1. The Short Answer: Policy Wins over Preferences
          2. The Middle-Length Answer: Sometimes Preferences Win over Policy
          3. The Longer Answer: Understanding CSE Timing and Overlap
          4. Other Items That Can Affect Group Policy and GPPrefs Processing
      3. 5.3.3. The Lines and Circles and the CRUD Action Modes
        1. The Lines and the Circles
        2. Warning: Visiting Multiple Tabs Can Be Hazardous to Your Network's Health
        3. The CRUD Method: Create, Replace, Update, or Delete
      4. 5.3.4. Common Tab
        1. "Stop Processing Items in This Extension If an Error Occurs"
        2. "Run In Logged-on User's Security Context (User Policy Option)"
        3. "Remove This Item When It Is No Longer Applied"
          1. Finding a Value to Change with the Registry Extension
          2. Using the Registry Preference Extension to Dictate the Setting to the Human Resources Users OU
          3. Testing the Delivery of Our Settings
          4. Testing the Default Group Policy Preferences Behavior
          5. Resetting for Our Next Test
          6. Turning on "Remove This Item When It Is No Longer Applied"
          7. Testing the Redelivery of Our Settings
          8. Seeing the Result of "Remove This Item When It Is No Longer Applied"
          9. Putting the World Right Again for Sol
          10. Final Thoughts about "Remove This Item When It Is No Longer Applied"
        4. "Apply Once and Do Not Reapply"
        5. Targeting Your Preference Items
          1. The Targeting Editor
          2. Adding Additional Collections
          3. Other Targeting Editor Tricks
          4. Description Field
    4. 5.4. Group Policy Preferences Tips, Tricks, and Troubleshooting
      1. 5.4.1. Quick Copy, Drag and Drop, Cut and Paste, and Sharing of Settings
        1. Quick Copy/Paste
        2. Drag (or Paste) a Group Policy Preference Extension to a File
        3. Sharing Your Wisdom with Others
      2. 5.4.2. Multiple Preference Items at a Level
        1. Filtering Each Preference Item at a Level
        2. Changing the Order of Preference Items at a Level
        3. Renaming Preference Items at a Level
      3. 5.4.3. Temporarily Disabling a Single Preference Item or Extension Root
      4. 5.4.4. Environment Variables
      5. 5.4.5. Managing Group Policy Preferences: Hiding Extensions from Use
      6. 5.4.6. Troubleshooting: Reporting, Logging, and Tracing
        1. Reporting: Settings Tab, GPMC Reporting, and GPresult
          1. The Group Policy Results Reports from the GPMC
          2. Gpresult.exe
        2. Event Logs
        3. Tracing
    5. 5.5. Final Thoughts
  11. 6. Managing Applications and Settings Using Group Policy
    1. 6.1. Administrative Templates: A History and Policy vs. Preferences
      1. 6.1.1. Administrative Templates: Then and Now
      2. 6.1.2. Policy vs. Preference
    2. 6.2. ADM vs. ADMX and ADML Files
      1. 6.2.1. ADM File Introduction
      2. 6.2.2. Updated GPMC's ADMX and ADML Files
      3. 6.2.3. ADM vs. ADMX Files—At a Glance
    3. 6.3. ADMX and ADML Files: What They Do and the Problems They Solve
      1. 6.3.1. Problem and Solution 1: Tackling SYSVOL Bloat
      2. 6.3.2. Problem 2: How Do We Deal with Multiple Languages?
      3. 6.3.3. Problem 3: How Do We Deal with "Write Overlaps"?
      4. 6.3.4. Problem 4: How Do We Distribute Updated Definitions to All Our Administrators?
    4. 6.4. The Central Store
      1. 6.4.1. The Windows ADMX/ADML Central Store
        1. Creating the Central Store
        2. Populating the Central Store
        3. Verifying That You're Using the Central Store
        4. Updating the Central Store
    5. 6.5. Creating and Editing GPOs in a Mixed Environment
      1. 6.5.1. Scenario 1: Start Out by Creating and Editing a GPO Using the Older GPMC. Edit Using Another Older GPMC Management Station.
      2. 6.5.2. Scenario 2: Start Out by Creating and Editing a GPO with the Older GPMC. Edit Using the Updated GPMC.
      3. 6.5.3. Scenario 3: Start Out by Creating and Editing a GPO Using the Updated GPMC. Edit Using Another Updated GPMC Management Station.
      4. 6.5.4. Scenario 4: Start Out by Creating and Editing a GPO Using an Updated GPMC Management Station. Edit Using an Older GPMC Management Station.
    6. 6.6. ADM and ADMX Templates from Other Sources
      1. 6.6.1. Leveraging ADM Templates from Your Windows Management Station
      2. 6.6.2. Microsoft Office ADM Templates
        1. Office 2000, Office XP, Office 2003, and Office 2007 ADM Templates
          1. Implementing a Customized Office Policy
        2. Other Microsoft ADM Templates
          1. Microsoft Software Update Services (SUS) and Windows Server Update Services (WSUS)
          2. Microsoft Corporate Error Reporting
      3. 6.6.3. Using ADMX Templates from Other Sources
        1. ADMX Templates for Office 2007
        2. ADMX Templates from Other Sources
        3. Deciding How to Use ADMX Templates
    7. 6.7. ADMX Migrator and ADMX Editor Tools
      1. 6.7.1. ADMX Migrator
      2. 6.7.2. ADMX Editor
    8. 6.8. PolicyPak Community Edition
      1. 6.8.1. PolicyPak Concepts and Installation
      2. 6.8.2. Creating Your First PolicyPak
        1. The PolicyPak AutoUI Wizard
        2. The PolicyPak Design Studio
          1. Setting Registry Punches Using PolicyPak Design Studio
        3. Compiling Your PolicyPak in Group Policy
        4. Deploying Your First Compiled PolicyPak Extension
        5. Testing Your PolicyPak
    9. 6.9. Final Thoughts
  12. 7. Troubleshooting Group Policy
    1. 7.1. Under the Hood of Group Policy
      1. 7.1.1. Inside Local Group Policy
        1. Where Local Group Policy Lives
        2. Three Use-at-Your-Own-Risk Local Group Policy Tips
      2. 7.1.2. Inside Active Directory Group Policy Objects
        1. Group Policy Objects from a Domain Perspective
        2. Group Policy Objects from an OU Perspective
        3. Group Policy Objects from a Site Perspective
    2. 7.2. The Birth, Life, and Death of a GPO
      1. 7.2.1. How Group Policy Objects Are "Born"
      2. 7.2.2. How a GPO "Lives"
        1. Group Policy Containers (GPCs)
        2. Who Really Has Permissions to Do What?
          1. Who Can Create New Group Policy Objects?
          2. Who Can Manipulate and Edit Existing Group Policy Objects?
        3. Group Policy Templates
        4. Group Policy Settings Storage
        5. Verifying That GPCs and GPTs Are in Sync
          1. Using Gpotool.exe
          2. Using Replmon to See the Version Numbers
          3. Isolating Replication Problems
      3. 7.2.3. Death of a GPO
    3. 7.3. How Client Systems Get Group Policy Objects
      1. 7.3.1. The Steps to Group Policy Processing
        1. Core Processing for XP Machines
        2. Core Processing for Windows 7
          1. Windows 7's Slow Link Detection
      2. 7.3.2. Client-Side Extensions
        1. CSEs for XP Machines
        2. CSEs for Windows Vista and Windows Server 2008 Machines
        3. CSEs for Windows 7 and Windows Server 2008 R2 Machines
        4. Additional CSEs for the Group Policy Preferences
        5. Inside CSE Values
      3. 7.3.3. Where Are Administrative Templates Registry Settings Stored?
    4. 7.4. Why Isn't Group Policy Applying?
      1. 7.4.1. Reviewing the Basics
        1. Is the Group Policy Object or Link Disabled?
        2. Are You Sure about the Inheritance?
        3. Are You Trying to Apply Policy to a Group Inside an OU?
        4. Multiple Group Policy Objects at a Level
        5. Examining Your Block Inheritance Usage
        6. Examining Your "Enforced" Usage
        7. Are Your Permissions Set Correctly?
      2. 7.4.2. Advanced Inspection
        1. Is Windows XP (and Later) Fast Boot On?
        2. Is Asynchronous Processing Turned On in Windows 2000?
        3. Are Both the GPC and GPT Replicated Correctly?
        4. Did You Check the DNS Configuration of the Server and Client?
        5. Are You Really Logged On?
        6. Did Something Recently Move?
        7. Is the Machine Properly Joined to the Domain?
        8. Is Loopback Policy Enabled?
        9. How Are Slow Links Being Defined, and How Are Slow Links Handled?
        10. Troubleshooting NLA in Windows 7
        11. Are the Date and Time Correct on the Client System?
        12. Are Your Active Directory Sites Configured Correctly?
        13. Did You Check the DNS Configuration of the Client?
        14. Are You Trying to Set Password or Account Policy on an OU?
        15. Did Someone Muck with Security behind the Group Policy Engine's Back?
        16. Is the Target Computer in the Correct OU? Is the Target User in the Correct OU?
        17. Is There a Firewall on (or between) Your Domain Controllers?
        18. Did You Disable ICMP (Ping) from Your Clients to Your Domain Controllers? (For XP Machines)
        19. Did Someone Muck with the ACLs of the GPT Part of the GPO in SYSVOL?
    5. 7.5. Client-Side Troubleshooting
      1. 7.5.1. RSoP for Windows Clients
        1. GPResult for Windows 2003, Windows Vista RTM, and Windows XP
        2. GPResult for Windows 7, Windows Vista/SP1, and Windows Server 2008 and R2
        3. Remotely Calculating a Client's RSoP (Using the GPResult from Windows XP and Later)
        4. Remotely Calculating a Client's RSoP (When You've Delegated Permissions to Someone Who's Not a Local Administrator of the Target Machine)
        5. Remotely Calculating a Client's Group Policy Modeling Analysis Data (When You've Delegated Permissions to Someone Who's Not a Local Administrator of the Target Machine)
    6. 7.6. Advanced Group Policy Troubleshooting with Log Files
      1. 7.6.1. Using the Event Viewer
        1. Diagnostic Event Logging (for XP)
        2. Diagnostic Event Logging (Windows 7)
      2. 7.6.2. Turning On Verbose Logging
        1. Verbose Logging (for XP)
        2. Other Types of Verbose Logging
        3. Verbose Logging in Windows 7
        4. Leveraging Windows 7 Admin Logs for Troubleshooting
        5. Leveraging Windows 7 Operational Logs for Troubleshooting
        6. GPLogView
        7. Enabling Tracing for the Group Policy Preference Extensions
      3. 7.6.3. Group Policy Processing Performance
    7. 7.7. Final Thoughts
  13. 8. Implementing Security with Group Policy
    1. 8.1. The Two Default Group Policy Objects
      1. 8.1.1. GPOs Linked at the Domain Level
        1. Special Policy Settings for the Domain Level
        2. Modifying the "Default Domain Policy" GPO Directly
        3. Creating Your Own Group Policy Object Linked to the Domain Level and Changing the Precedence
        4. Which Approach Do You Take?
      2. 8.1.2. Group Policy Objects Linked to the Domain Controllers OU
      3. 8.1.3. Oops, the "Default Domain Policy" GPO and/or "Default Domain Controllers Policy" GPO Got Screwed Up!
        1. Repairing the Defaults for Windows 2003/2008 Domains
        2. Repairing the Defaults for Windows 2000 Domains
    2. 8.2. The Strange Life of Password Policy
      1. 8.2.1. What Happens When You Set Password Settings at an OU Level
      2. 8.2.2. Fine-Grained Password Policy with Windows Server 2008
        1. Getting Ready for Fine-Grained Password Policy
        2. Creating a Password Setting Object (PSO)
          1. Creating a Password Settings Object
        3. Resulting Set of PSOs
          1. The Active Directory Users and Computer Attribute Editor
          2. PSO Precedence
          3. Using Specops Password Policy Basic (Free Edition)
          4. Command-Line PSO Management
        4. More Information on Fine-Grained Password Policy
    3. 8.3. Inside Auditing With and Without Group Policy
      1. 8.3.1. Auditable Events using Group Policy
      2. 8.3.2. Auditing File Access
      3. 8.3.3. Auditing Group Policy Object Changes
        1. Group Policy Auditing Event IDs for Windows Server 2003
        2. Group Policy Auditing Event IDs for Windows Server 2008
      4. 8.3.4. Advanced Audit Policy Configuration
        1. Advanced Auditing Example: Auditing Directory Service Changes
        2. Enabling Advanced Auditing for Windows Server 2008 R2 and Windows 7
        3. Enabling Advanced Auditing for Windows Server 2008 and Windows Vista
        4. Auditing the Specific OU
        5. The Results
    4. 8.4. Restricted Groups
      1. 8.4.1. Strictly Controlling Active Directory Groups
        1. When Restricted Groups Settings Take Effect
        2. When Restricted Groups Settings Get Refreshed
      2. 8.4.2. Strictly Applying Group Nesting
      3. 8.4.3. Which Groups Can Go into Which Other Groups via Restricted Groups?
    5. 8.5. Restrict Software: Software Restriction Policy and AppLocker
      1. 8.5.1. Inside Software Restriction Policies
      2. 8.5.2. Software Restriction Policies' "Philosophies"
      3. 8.5.3. Software Restriction Policies' Rules
        1. Setting Up a Software Restriction Policy with a Rule
        2. Testing Your Software Restriction Policies
        3. Understanding When Software Restriction Policies Apply
        4. Troubleshooting Software Restriction Policies
          1. Inspecting the Software Restriction Policies Location in the Registry
          2. Software Restriction Policies Advanced Logging
        5. Oops, I Locked Myself Out of My Machine with Software Restriction Policies
      4. 8.5.4. Restricting Software Using AppLocker
        1. AppLocker: Rules and Rule Conditions
        2. Leveraging Law 1: Blacklisting Specific Applications with an Explicit Deny
        3. AppLocker Actions: Enforcement or Auditing
        4. AppLocker: The AppID Service
          1. Turning On the AppID Service Manually
          2. Turning On the AppID Service "En Masse" Using Group Policy Preferences
        5. AppLocker: Testing It Out
        6. AppLocker: Modifying What the Client Sees
        7. AppLocker: Wrapping Up Our Tests
        8. Leveraging Laws 2 and 3: Whitelisting Only Known Good Applications
          1. Testing AppLocker's Law #3: Default Deny
          2. Automatically Generating Rules for AppLocker Whitelisting
        9. AppLocker: Importing and Exporting Rules
        10. AppLocker Final Thoughts and Resources
    6. 8.6. Controlling User Account Control (UAC) with Group Policy
      1. 8.6.1. Just Who Will See the UAC Prompts, Anyway?
        1. Which Groups Are Affected by UAC
        2. Elevated Rights and SE Privileges
      2. 8.6.2. Understanding the Group Policy Controls for UAC
        1. User Account Control: Admin Approval Mode for the Built-in Administrator Account
        2. User Account Control: Allow UIAccess Applications to Prompt for Elevation without Using the Secure Desktop
        3. User Account Control: Behavior of the Elevation Prompt for Administrators in Admin Approval Mode
        4. User Account Control: Behavior of the Elevation Prompt for Standard Users
        5. User Account Control: Detect Application Installations and Prompt for Elevation
        6. User Account Control: Only Elevate Executables That Are Signed and Validated
        7. User Account Control: Only Elevate UIAccess Applications That Are Installed in Secure Locations
        8. User Account Control: Run All Administrators in Admin Approval Mode
        9. User Account Control: Switch to the Secure Desktop When Prompting for Elevation
        10. Virtualize File and Registry Write Failures to Per-User Locations
      3. 8.6.3. UAC Policy Setting Suggestions
        1. Case 1: Enterprise Desktop: Standard User (Who Gets Help Remotely When Needed)
        2. Case 2: Enterprise Desktop: Standard User (Who Gets "Over-the-Shoulder Help" When Needed)
        3. Case 3: Enterprise Desktop: Protected Administrator
        4. Case 4: Enterprise Desktop (Running Only Windows Vista "logo'd" Software)
        5. Case 5: Enterprise Desktop: Protected Administrator (All Applications Are Signed)
        6. Case 6: Power User—Style User Who Shares Computers with Standard Users
        7. Case 7: Your Users Request Assistance with Windows Remote Assistance
        8. UAC Final Thoughts and References
    7. 8.7. Wireless (802.3) and Wired Network (802.11) Policies
      1. 8.7.1. 802.11 Wireless Policy for Windows XP
      2. 8.7.2. 802.11 Wireless Policy and 802.3 Wired Policy for Windows Vista and Later
    8. 8.8. Configuring Windows Firewall with Group Policy
      1. 8.8.1. Manipulating the Windows XP and Windows Server 2003 Firewall
        1. Domain vs. Standard Profiles for Windows XP and Windows Server 2003
        2. Killing the Firewall for Windows XP and Windows Server 2003
        3. Opening Specific Ports, Managing Exceptions, and More for Windows XP and Windows Server 2003
      2. 8.8.2. Windows Firewall with Advanced Security (for Windows Vista and Windows Server 2008)—WFAS
        1. Getting Started with WFAS "Properties"
        2. Creating New Inbound and Outbound Rules with the WFAS
        3. Inbound and Outbound Rule Types
        4. Connection Security Rules
        5. Rule Precedence
      3. 8.8.3. IPsec (Now in Windows Firewall with Advanced Security)
        1. IPsec General Resources
        2. Getting Started with IPsec with WFAS
        3. Understanding How WFAS IPsec Rules Work
      4. 8.8.4. How Windows Firewall Rules Are Ultimately Calculated
        1. Precedence Order for Properties
        2. Precedence Order for Rules
    9. 8.9. Final Thoughts
  14. 9. Profiles: Local, Roaming, and Mandatory
    1. 9.1. What Is a User Profile?
      1. 9.1.1. The NTUSER.DAT File
      2. 9.1.2. Profile Folders for Type 1 Computers (Windows 2000, Windows 2003, and Windows XP)
        1. Understanding the Contents of a User's Profile (for Type 1 Computers)
      3. 9.1.3. Profile Folders for Type 2 Computers (Windows 7, Windows 2008, and Windows Server 2008 R2)
        1. Understanding the Contents of a User's Profile (for Type 2 Computers)
        2. Adjusting for Windows XP Holdovers
        3. The Public Profile (for Type 2 Computers)
      4. 9.1.4. The Default Local User Profile
      5. 9.1.5. The Default Domain User Profile
        1. Default Domain User Profiles for Type 1 Computers
        2. Default Domain User Profiles for Type 2 Computers
    2. 9.2. Roaming Profiles
      1. 9.2.1. Setting Up Roaming Profiles
      2. 9.2.2. Testing Roaming Profiles
        1. Roaming from Windows XP to Windows XP
        2. Roaming from Windows 7 to Windows 7
        3. Back on the Server
        4. Upshot of Roaming Profiles in a Mixed Windows 7 and Windows XP World
      3. 9.2.3. Migrating Local Profiles to Roaming Profiles
        1. Automatic Upload of Existing Local Profiles
        2. Manual Upload of Existing Local Profiles
      4. 9.2.4. Roaming and Nonroaming Folders
        1. Roaming and Nonroaming Folders for Type 1 Computers
          1. Type 1 Profile Directories That Do Not Roam
          2. Type 1 Profile Directories That Do Roam
        2. Roaming and Nonroaming Folders for Type 2 Computers
          1. Type 2 Profile Directories That Do Not Roam
          2. Type 2 Profile Directories that Roam
      5. 9.2.5. Managing Roaming Profiles
        1. Merging Local Profile and Roaming Profile
        2. Guest Account Profile
        3. Cross-Forest Trusts
      6. 9.2.6. Manipulating Roaming Profiles with Computer Group Policy Settings
        1. Do Not Check for User Ownership of Roaming Profile Folders
        2. Delete Cached Copies of Roaming Profiles
        3. Delete User Profiles Older Than a Specified Number of Days
        4. Slow Network Connection Timeout for User Profiles
        5. Do Not Detect Slow Network Connections
        6. Wait for Remote User Profile
        7. Prompt User When a Slow Network Connection Is Detected
        8. Timeout for Dialog Boxes
        9. Do Not Log Users on with Temporary Profiles
        10. Maximum Retries to Unload and Update User Profile
        11. Add the Administrators Security Group to Roaming User Profiles
        12. Prevent Roaming Profile Changes from Propagating to the Server
        13. Only Allow Local User Profiles
        14. Leave Windows Installer and Group Policy Software Installation Data
        15. Do Not Forcefully Unload the Users Registry at User Logoff
        16. Set Roaming Profile Path for All Users Logging Onto This Computer
        17. Set Maximum Wait Time for the Network if a User Has a Roaming User Profile or Remote Home Directory
        18. Background Upload of a Roaming User Profile's Registry File While User Is Logged On
        19. One More Policy Setting That You Might Like
      7. 9.2.7. Manipulating Roaming Profiles with User Group Policy Settings
        1. Limit Profile Size
        2. Excluding Directories in Roaming Profile
        3. Connect Home Directory to Root of the Share
    3. 9.3. Mandatory Profiles
      1. 9.3.1. Establishing Mandatory Profiles from a Local Profile
      2. 9.3.2. Mandatory Profiles from an Established Roaming Profile
      3. 9.3.3. Forced Mandatory Profiles (Super-Mandatory)
    4. 9.4. Final Thoughts
  15. 10. Implementing a Managed Desktop, Part 1: Redirected Folders, Offline Files, and the Synchronization Manager
    1. 10.1. Overview of Change and Configuration Management
    2. 10.2. Redirected Folders
      1. 10.2.1. Available Folders to Redirect
      2. 10.2.2. Redirected Documents/My Documents
        1. Basic Redirected Folders
        2. The Target Tab
        3. The Settings Tab
        4. Advanced Redirected Folders
        5. Testing Folder Redirection of Documents/My Documents
      3. 10.2.3. Redirecting the Start Menu and the Desktop
      4. 10.2.4. Redirecting the Application Data
      5. 10.2.5. Group Policy Setting for Folder Redirection
        1. Do Not Automatically Make Redirected Folders Available Offline (User Side Only)
        2. Use Localized Subfolder Names When Redirecting Start and My Documents (Both User and Computer)
      6. 10.2.6. Troubleshooting Redirected Folders
        1. Windows XP (and Later) Fast Boot and Folder Redirection
        2. Permissions Problems
        3. Use GPResult for Verification
        4. Enabling Advanced Folder Redirection Logging
          1. Turning on Advanced Folder Redirection Logging for Pre-Vista
          2. Turning on Advanced Folder Redirection Logging for Windows 7 Machines
    3. 10.3. Offline Files and Synchronization
      1. 10.3.1. Making Offline Files Available
        1. Only the Files and Programs that Users Specify Will Be Available Offline
        2. All Files and Programs that Users Open from the Share Will Be Automatically Available Offline
        3. Files or Programs from the Share Will Not Be Available Offline
        4. Another Option: Optimized for Performance
      2. 10.3.2. Inside Windows XP Synchronization
        1. Inside the Windows XP Offline Files and Synchronization Manager Interface
        2. Understanding Offline Files and Synchronization Manager Interaction
      3. 10.3.3. Inside Windows 7 File Synchronization
        1. Better Handling of Downed Shares
        2. Better Handling of Synchronization
        3. No More Logon/Logoff Syncing Files Dialog Boxes
        4. Better Transfer Technology
        5. Better User Interface Design and Experience
        6. Better Offline Experience (Unified "Namespace" View)
        7. Better Cache Encryption
        8. Other Random New Goodies for Windows 7
      4. 10.3.4. Handling Conflicts
      5. 10.3.5. Client Configuration of Offline Files
        1. The "Do Nothing" Approach
          1. Windows 2000 Reaction to Enabling Caching on Shares
          2. Windows XP Reaction to Enabling Caching on Shares
          3. Windows Vista and Windows 7 Reaction to Enabling Caching on Shares
        2. It's Not Offline Files—It's Explorer!
        3. Running Around to Each Client to Tweak Offline Files and the Synchronization Manager
          1. Manually Tweaking the Offline Files Interface for Pre-Vista Machines
          2. Manually Tweaking the Offline Files Interface for Windows 7 Machines
          3. More to Tweak in Windows 7: Offline Files Sync Schedule
    4. 10.4. Using Folder Redirection and Offline Files over Slow Links
      1. 10.4.1. Synchronizing over Slow Links with Redirected My Documents
      2. 10.4.2. Synchronizing over Slow Links with Regular Shares
        1. Windows 2000 Offline Files over Slow Links
        2. Windows XP Synchronization Manager over Slow Links
        3. Windows Vista's Synchronization Engine over Slow Links
        4. Windows 7's Synchronization Engine over Slow Links
        5. Teaching Windows Vista and Windows 7 How to React to Slow Links
      3. 10.4.3. Using Group Policy to Configure Offline Files (User and Computer Node)
        1. Configure Background Sync
        2. Enable Transparent Caching
        3. Prohibit User Configuration of Offline Files
        4. Synchronize All Offline Files When Logging On
        5. Synchronize All Offline Files Before Logging Off
        6. Synchronize Offline Files Before Suspend
        7. Action on Server Disconnect
        8. Non-default Server Disconnect Actions
        9. Remove 'Make Available Offline'
        10. Prevent Use of Offline Files Folder
        11. Administratively Assigned Offline Files
        12. Turn Off Reminder Balloons
        13. Reminder Balloon Frequency
        14. Initial Reminder Balloon Lifetime
        15. Reminder Balloon Lifetime
        16. Event Logging Level
        17. Prohibit 'Make Available Offline' for These File and Folders
        18. Do Not Automatically Make Redirected Folders Available Offline
      4. 10.4.4. Using Group Policy to Configure Offline Files (Exclusive to the Computer Node)
        1. Allow or Disallow Use of the Offline Files Feature
        2. Default Cache Size
        3. Files Not Cached
        4. Exclude Files from Being Cached
        5. At Logoff, Delete Local Copy of User's Offline Files
        6. Subfolders Always Available Offline
        7. Encrypt the Offline Files Cache
        8. Configure Slow Link Speed
        9. Configure Slow-Link Mode
        10. Turn On Economical Application of Administrative Assigned Offline Files
        11. Limit Disk Space Used by Offline Files
      5. 10.4.5. Troubleshooting Sync Center
        1. Enabling the Offline Files Log
        2. Enabling the Sync Log
      6. 10.4.6. Turning Off Folder Redirection's Automatic Offline Caching for Desktops
        1. Using WMI Filters to Forcibly Apply This Setting Specifically to Desktops
        2. Using Group Policy Preference Extensions to Force the Value (Just for Users on Desktops)
        3. Using PolicyPak to Apply This Setting to Specific Computers
    5. 10.5. Final Thoughts
  16. 11. The Managed Desktop, Part 2: Software Deployment via Group Policy
    1. 11.1. Group Policy Software Installation (GPSI) Overview
      1. 11.1.1. The Windows Installer Service
      2. 11.1.2. Understanding .MSI Packages
      3. 11.1.3. Utilizing an Existing .MSI Package
        1. Setting Up the Software Distribution Share
        2. Setting Up an Administrative Installation (for .MSI Files that Need Them)
    2. 11.2. Assigning and Publishing Applications
      1. 11.2.1. Assigning Applications
        1. What Happens When You Assign Applications to Users
        2. What Happens When You Assign Applications to Computers
      2. 11.2.2. Publishing Applications
      3. 11.2.3. Rules of Deployment
      4. 11.2.4. Package-Targeting Strategy
        1. Creating and Editing the GPO to Deploy Office
        2. Understanding When Applications Will Be Installed
        3. Testing Assigned Applications
      5. 11.2.5. Understanding .ZAP Files
        1. Creating Your Own .ZAP File
        2. Publishing Your Own .ZAP File
        3. Testing Your .ZAP File
      6. 11.2.6. Testing Publishing Applications to Users
      7. 11.2.7. Application Isolation
    3. 11.3. Advanced Published or Assigned
      1. 11.3.1. The General Tab
      2. 11.3.2. The Deployment Tab
        1. The Deployment Type Section
        2. The Deployment Options Section
        3. The Installation User Interface Options Section
        4. The Advanced Button
        5. The Advanced Deployment Options Section
        6. The Advanced Diagnostic Information Section
      3. 11.3.3. The Upgrades Tab
      4. 11.3.4. The Categories Tab
      5. 11.3.5. The Modifications Tab
        1. Using the Office .MST Generation Tool
        2. Applying Your .MST File to the Installation
      6. 11.3.6. The Security Tab
    4. 11.4. Default Group Policy Software Installation Properties
      1. 11.4.1. The General Tab
      2. 11.4.2. The Advanced Tab
      3. 11.4.3. The File Extensions Tab
      4. 11.4.4. The Categories Tab
    5. 11.5. Removing Applications
      1. 11.5.1. Users Can Manually Change or Remove Applications
      2. 11.5.2. Automatically Removing Assigned or Published .MSI Applications
      3. 11.5.3. Forcibly Removing Assigned or Published .MSI Applications
        1. Immediately Uninstall the Software from Users and Computers
        2. Allow Users to Continue to Use the Software, but Prevent New Installations
      4. 11.5.4. Removing Published .ZAP Applications
      5. 11.5.5. Troubleshooting the Removal of Applications
    6. 11.6. Using Group Policy Software Installation over Slow Links
    7. 11.7. Managing .MSI Packages and the Windows Installer
      1. 11.7.1. Inside the MSIEXEC Tool
        1. Using MSIEXEC to Install an Application
        2. Using MSIEXEC to Repair an Application
        3. Using MSIEXEC to Patch a Distribution Point
      2. 11.7.2. Affecting Windows Installer with Group Policy
        1. Computer-Side Policy Settings for Windows Installer
          1. Disable Windows Installer
          2. Always Install with Elevated Privileges
          3. Prohibit Rollback
          4. Remove Browse Dialog Box for New Source
          5. Prohibit Patching
          6. Prohibit Flyweight Patching
          7. Disable IE Security Prompt for Windows Installer Scripts
          8. Enable User Control over Installs
          9. Enable User to Browse for Source While Elevated
          10. Enable User to Use Media Source While Elevated
          11. Enable User to Patch Elevated Products
          12. Allow Admin to Install from Terminal Services Session
          13. Cache Transforms in Secure Location on Workstation
          14. Logging
          15. Prohibit User Installs
          16. Turn off Creation of System Restore Checkpoints
          17. Prohibit Removal of Updates
          18. Enforce Upgrade of Component Rules
          19. Prohibit Nonadministrators from Applying Vendor Signed Updates
          20. Baseline File Cache Maximum Size
          21. Prohibit Use of Restart Manager
          22. Disable Logging via Package Settings
        2. User-Side Policy Settings for Windows Installer
          1. Always Install with Elevated Privileges
          2. Prevent Removable Media Source for Any Install
          3. Prohibit Rollback
          4. Search Order
    8. 11.8. Deploying Office 2007 and Office 2010 Using Group Policy
      1. 11.8.1. Office 2007 and Group Policy
        1. What Happens When You Assign Office 2007 to Users?
        2. What Happens When You Assign Office 2007 to Computers?
        3. Using GPSI and Customizing Office 2007 Deployments
        4. Office 2007 and Office 2010 via Group Policy—Another Way?
      2. 11.8.2. The "Right" Answer for Office 2007 and Office 2010 Deployment (Using Group Policy)
    9. 11.9. Do You Need a "Big" Management Tool for Your Environment?
      1. 11.9.1. SMS vs. GPOs: A Comparison Rundown
        1. Hardware and Software Inventory
        2. Remote Control
        3. Software Metering
        4. Operating System Deployment
        5. Software Deployment
        6. Patch Management
      2. 11.9.2. GPSI and SMS Coexistence
    10. 11.10. Final Thoughts
  17. 12. Finishing Touches with Group Policy: Scripts, Internet Explorer, Hardware Control, Deploying Printers, and Shadow Copies
    1. 12.1. Scripts: Logon, Logoff, Startup, and Shutdown
      1. 12.1.1. Non-PowerShell-Based Scripts
        1. Startup and Shutdown Scripts (Non-PowerShell)
        2. Logon and Logoff Scripts (Non-PowerShell)
        3. Script Processing Defaults (and Changing Them)
        4. Don't Panic: What to Do If Login Scripts with Network Drive Mappings Aren't Working as Expected with Windows Vista
          1. Vista Logon Script Remediation 1
          2. Vista Logon Script Remediation 2
      2. 12.1.2. Deploying PowerShell Scripts to Windows 7 Clients
    2. 12.2. Managing Internet Explorer with Group Policy
      1. 12.2.1. Internet Explorer Maintenance (IEM) and Group Policy Preferences Settings
        1. Making IE Preferences Settings Reapply (or Not)
          1. Reapply/Not Reapply IEM Settings
          2. Reapply/Not Reapply IE Group Policy Preferences Settings
      2. 12.2.2. Internet Explorer's Group Policy Settings
    3. 12.3. Restricting Access to Hardware via Group Policy
      1. 12.3.1. Devices Extension
        1. Deciding to Disable the Device Class or Device Type
        2. What Happens When a Device Is Restricted?
        3. Dealing with Devices That Aren't Listed
        4. Why Is There an Option to Disable and Enable?
      2. 12.3.2. Restricting Driver Access with Policy Settings for Windows 7
      3. 12.3.3. Getting a Handle on Classes and IDs
      4. 12.3.4. Restricting or Allowing Your Hardware via Group Policy
      5. 12.3.5. Understanding the Remaining Policy Settings for Hardware Restrictions
        1. Allow Administrators to Override Device Installation Restrictions
        2. Allow Installation of Devices Using Drivers that Match These Setup Classes
        3. Prevent Installation of Devices Using Drivers that Match These Device Setup Classes
        4. Display a Custom Message When Installation Is Prevented by Policy (Balloon Text) and Display a Custom Message When Installation Is Prevented by Policy (Balloon Title)
        5. Allow Installation of Devices that Match Any of These Device IDs
        6. Prevent Installation of Devices that Match Any of These Device IDs
        7. Prevent Installation of Removable Devices
        8. Prevent Installation of Devices Not Described by Other Policy Settings
        9. Time (in Seconds) to Force Reboot When Required for Policy Changes to Take Effect
    4. 12.4. Assigning Printers via Group Policy
      1. 12.4.1. Zapping Down Printers to Users and Computers (a Refresher)
        1. Trickier: Zapping Down Specific Printers to Users on Specific Machines
        2. Deploying the Same Printer to All Computers in the Zone
        3. Deploying a Shared Printer to Only the Shared Computers in All Zones
    5. 12.5. Shadow Copies (aka Previous Versions)
      1. 12.5.1. Setting Up and Using Shadow Copies for Local Windows 7 Machines
      2. 12.5.2. Setting Up Shadow Copies on the Server
      3. 12.5.3. Restoring Files with the Shadow Copies Client
        1. Reverting to a Previous Version of a File
        2. Restoring a Previous Version of a File
      4. 12.5.4. Group Policy Settings for Shadow Copies
        1. Prevent Restoring Previous Versions from Backups
        2. Hide Previous Versions of Files on Backup Location
        3. Hide Previous Versions List for Local Files
        4. Prevent Restoring Local Previous Versions
        5. Hide Previous Versions List for Remote Files
        6. Prevent Restoring Remote Previous Versions
    6. 12.6. Final Thoughts for This Chapter and for the Book
  18. A. Group Policy Tools
    1. A.1. Securing Workstations with Templates
      1. A.1.1. Incremental Security Templates
        1. A.1.1.1. Domain Controller .INF Template Files
        2. A.1.1.2. XP Professional .INF Template Files
      2. A.1.2. Other Security Template Sources
        1. A.1.2.1. Security Templates from Uncle Bill
        2. A.1.2.2. Security Templates from Uncle Sam
      3. A.1.3. Applying Security Templates with Group Policy
    2. A.2. The Security Configuration Wizard
      1. A.2.1. Security Configuration Wizard Primer and Installation
        1. A.2.1.1. Installing the SCW for Windows Server 2003 (SP1 and later)
        2. A.2.1.2. Installing the SCW for Windows Server 2008
      2. A.2.2. A Practical SCW Example
        1. A.2.2.1. Initial SCW Kickoff
        2. A.2.2.2. Role-Based Configuration Section
        3. A.2.2.3. Network Security Section
        4. A.2.2.4. Registry Settings Section
        5. A.2.2.5. Audit Policy Section
        6. A.2.2.6. Save Security Policy Section
      3. A.2.3. Converting Your SCW Policy to a GPO
        1. A.2.3.1. Viewing and Applying Your Transformed GPO
      4. A.2.4. SCW Caveats
    3. A.3. Migrating Group Policy Objects between Domains
      1. A.3.1. Basic Interdomain Copy and Import
        1. A.3.1.1. The Copy Operation
        2. A.3.1.2. The Import Operation
      2. A.3.2. Copy and Import with Migration Tables
    4. A.4. Microsoft Tools Roundup
      1. A.4.1. Group Policy Tools from Microsoft
        1. A.4.1.1. Active Directory Monitor and GPOTOOL
        2. A.4.1.2. GPMonitor—Group Policy Monitor Tool
        3. A.4.1.3. GPInventory—Group Policy Inventory Tool
        4. A.4.1.4. ADMX Migrator
        5. A.4.1.5. Group Policy Log View (GPLogView)
      2. A.4.2. Profile Tools from Microsoft
      3. A.4.3. Utilities and Add-Ons
    5. A.5. Third-Party Vendors List
  19. 13. Scripting Group Policy Operations with Windows PowerShell
    1. BC1.1. Using PowerShell to Do More with Group Policy
      1. BC1.1.1. Preparing for Your PowerShell Experience
        1. BC1.1.1.1. Installing PowerShell
          1. BC1. Running PowerShell for the First Time
          2. BC1. Preparing to Run Our Scripts
        2. BC1.1.1.2. Optional, but Recommended: Downloading and Installing Free Helper Group Policy Cmdlets
          1. BC1. Finding and Downloading the Helper Cmdlets
          2. BC1. Installing and Verifying the Helper Cmdlets
      2. BC1.1.2. Getting Started with PowerShell in Windows 7 (or Windows Server 2008 R2)
        1. BC1.1.2.1. Windows 7 Remote Server Administration Tools
        2. BC1.1.2.2. Adding the Group Policy Module
      3. BC1.1.3. Documenting Your Group Policy World with PowerShell
        1. BC1.1.3.1. Listing GPOs
          1. BC1. Get-SDMGPO
        2. BC1.1.3.2. Creating GPO Reports
          1. BC1. Using Out-SDMgpsettingsreport
        3. BC1.1.3.3. Documenting GPO Links
          1. BC1. Using Get-SDMgplink
        4. BC1.1.3.4. Documenting WMI Filters and Links
          1. BC1. Using SDM Software Cmdlets
        5. BC1.1.3.5. Listing GPO Permissions
          1. BC1. Using Get-SDMgpoSecurity
      4. BC1.1.4. Setting GPO Permissions
      5. BC1.1.5. Manipulating GPOs with PowerShell
        1. BC1.1.5.1. Creating New GPOs
          1. BC1. Using New-SDMgpo
        2. BC1.1.5.2. Modifying GPO Settings
          1. BC1. Get-GPPrefRegistryValue
          2. BC1. Set-GPPrefRegistryValue
          3. BC1. Get-GPRegistryValue
          4. BC1. Set-GPRegistryValue
        3. BC1.1.5.3. Linking a GPO
        4. BC1.1.5.4. Removing a GPO Link
        5. BC1.1.5.5. Backing Up Group Policy Objects
          1. BC1. Backing Up One or All GPOs
          2. BC1. Using Export-SDMgpo
        6. BC1.1.5.6. Managing GPO Backups
        7. BC1.1.5.7. Restoring a GPO
        8. BC1.1.5.8. Importing GPOs
    2. BC1.2. Making PowerShell Even Easier with Commercial Tools
      1. BC1.2.1. GPExpert Scripting Toolkit for PowerShell
        1. BC1.2.1.1. Install
        2. BC1.2.1.2. Verify the Installation
        3. BC1.2.1.3. Getting Information
          1. BC1. Getting the GPO
          2. BC1. Getting the Section Path
          3. BC1. Processing the Settings
        4. BC1.2.1.4. Setting Group Policy Settings
          1. BC1. Getting the Section Path
          2. BC1. Setting the Proxy Settings
      2. BC1.2.2. Specops Software's Specops Command
    3. BC1.3. Replacing Microsoft's GPMC Scripts with PowerShell Equivalents
    4. BC1.4. Final Thoughts
  20. 14. Advanced Group Policy Management (AGPMv4)
    1. BC2.1. The Challenge of Group Policy Change Management
    2. BC2.2. Architecture and Installation of AGPM
      1. BC2.2.1. AGPM Architecture
      2. BC2.2.2. Installing AGPM
        1. BC2.2.2.1. Installing the AGPM Server Service
        2. BC2.2.2.2. Installing the AGPM Client
    3. BC2.3. What Happens after AGPM is Installed?
      1. BC2.3.1. GPMC Differences with AGPM Client
      2. BC2.3.2. What's With All the Access Denied Errors?
      3. BC2.3.3. Does the World Change Right Away?
    4. BC2.4. Understanding the AGPM Delegation Model
      1. BC2.4.1. AGPM Delegation Roles
        1. BC2.4.1.1. Deeper with AGPM Roles and Rights
    5. BC2.5. AGPM Common Tasks
      1. BC2.5.1. Understanding and Working with AGPM's Flow
      2. BC2.5.2. Controlling Your Currently Uncontrolled GPOs
      3. BC2.5.3. Creating a GPO and Immediately Controlling It
      4. BC2.5.4. Check Out a GPO
      5. BC2.5.5. Viewing Reports about a Controlled GPO
      6. BC2.5.6. Editing a Checked-Out Offline Copy of a GPO
        1. BC2.5.6.1. What's Happening Under the Hood during a Check Out
        2. BC2.5.6.2. What's Not Controlled During a Check Out
        3. BC2.5.6.3. Performing Your Offline Edit
      7. BC2.5.7. Check In of a Changed GPO
      8. BC2.5.8. Deploying a GPO into Production
      9. BC2.5.9. Making Additional Changes to a GPO and Labeling a GPO
      10. BC2.5.10. Using History and Differences to Roll Back a GPO
        1. BC2.5.10.1. Inside the History View
        2. BC2.5.10.2. Performing a Difference Report
        3. BC2.5.10.3. Performing a Rollback Based upon a Difference
      11. BC2.5.11. Using "Import from Production" to Catch Up a GPO
      12. BC2.5.12. Uncontrolling, Restoring, and Destroying a GPO
        1. BC2.5.12.1. Uncontrolling a GPO (Deleting It from the Archive)
        2. BC2.5.12.2. Restoring from the Change Control Recycle Bin
        3. BC2.5.12.3. Permanently Deleting a GPO and Its History
      13. BC2.5.13. Searching for GPOs using the Search Box
    6. BC2.6. AGPM Tasks with Multiple Admins
      1. BC2.6.1. Email Preparations and Configurations for AGPM Requests
      2. BC2.6.2. Adding Someone to the AGPM System
        1. BC2.6.2.1. Setting Permissions within the AGPM System
        2. BC2.6.2.2. Installing the AGPM Client on Management Stations
        3. BC2.6.2.3. Setting Up Mail Accounts for Each AGPM User
      3. BC2.6.3. Requesting the Creation of New Controlled GPO
      4. BC2.6.4. Approving or Rejecting a Pending Request
      5. BC2.6.5. Email Notifications from AGPM
        1. BC2.6.5.1. Tending to the Pending Request
      6. BC2.6.6. Editing the GPO Offline via Check Out/Check In
      7. BC2.6.7. Requesting Deployment of the GPO
      8. BC2.6.8. Analyzing a GPO (as a Reviewer)
      9. BC2.6.9. Deploying a GPO into Production
    7. BC2.7. Advanced Configuration and Troubleshooting of AGPM
      1. BC2.7.1. Production Delegation
      2. BC2.7.2. Auto-Deleting old GPO versions
      3. BC2.7.3. Export and Import of Controlled GPOs between Forests and/or Domains
      4. BC2.7.4. Troubleshooting AGPM Permissions
        1. BC2.7.4.1. Trouble Deploying Controlled GPOs
        2. BC2.7.4.2. Trouble Creating New Controlled GPOs
      5. BC2.7.5. Leveraging AGPM Templates
        1. BC2.7.5.1. Making a GPO into a Template
        2. BC2.7.5.2. Spawning a New Controlled GPO Based upon a Template
        3. BC2.7.5.3. Setting the Default Template
        4. BC2.7.5.4. Editing a Template
        5. BC2.7.5.5. Finding Differences between a Deployed GPO and a Template
      6. BC2.7.6. Changing Permissions on GPO Archives
      7. BC2.7.7. Backing Up, Restoring, and Moving the AGPM Server
        1. BC2.7.7.1. Backing Up the AGPM Server
        2. BC2.7.7.2. Restoring the AGPM Server
        3. BC2.7.7.3. Changing the Location of the Clients to the New Server
      8. BC2.7.8. Changing the Port that AGPM Uses
      9. BC2.7.9. Events from AGPM
      10. BC2.7.10. Leveraging the Built-in AGPM ADMX Template
      11. BC2.7.11. ADMX Template Settings That Tell Your AGPM Client which AGPM Server to Use
        1. BC2.7.11.1. Honing the AGPM Client View
        2. BC2.7.11.2. AGPM: Show Change Control Tab
        3. BC2.7.11.3. AGPM: Show History tab for linked GPOs
        4. BC2.7.11.4. AGPM: Show History Tab for GPOs
      12. BC2.7.12. AGPM Tracing Clients and Servers
    8. BC2.8. Final Thoughts
  21. 15. Full Lockdown with Windows SteadyState
    1. BC3.1. Windows SteadyState Concepts and Installation
      1. BC3.1.1. SteadyState Concepts
        1. BC3.1.1.1. General Machine Shared Computer Use
        2. BC3.1.1.2. Internal Corporate Shared Computer Use
        3. BC3.1.1.3. Why Shared Computing Is Hard
        4. BC3.1.1.4. The SteadyState Mission
      2. BC3.1.2. Preparing for Windows SteadyState
        1. BC3.1.2.1. Preparing a New Clean Machine
      3. BC3.1.3. Installing Windows SteadyState
    2. BC3.2. Configuring Windows SteadyState (for Nondomain-Joined Computers)
      1. BC3.2.1. User Settings
        1. BC3.2.1.1. Creating a Public User
        2. BC3.2.1.2. Setting the User Settings
      2. BC3.2.2. Global Computer Settings
        1. BC3.2.2.1. Set Computer Restrictions
        2. BC3.2.2.2. Schedule Software Updates
          1. BC3. The Schedule Software Updates Options
          2. BC3. The Scheduled Updates Process
          3. BC3. What if WSUS Is Used?
        3. BC3.2.2.3. Protect the Hard Disk
      3. BC3.2.3. Application Installation Strategy (for Nondomain-Joined Windows SteadyState Machines)
        1. BC3.2.3.1. Installing Packages before Turning on Windows Disk Protection
        2. BC3.2.3.2. Installing and Upgrading Packages after Turning on Windows Disk Protection
        3. BC3.2.3.3. Multitier Access Environments
        4. BC3.2.3.4. Setting User Profiles for Multitier Access Environments
        5. BC3.2.3.5. Persistent Storage Space for Your Users
    3. BC3.3. Configuring Windows SteadyState (for Domain-Joined Computers)
      1. BC3.3.1. Joining the Computer to the Domain and Moving It into Its OU
      2. BC3.3.2. Create GPOs That Will Affect All Users Who Use the Computer
        1. BC3.3.2.1. Creating and Linking the GPO and Setting Up Restrictions for SteadyState
        2. BC3.3.2.2. Checking Out the SCTsettings.adm Restrictions
        3. BC3.3.2.3. Creating a Loopback Group Policy Object
      3. BC3.3.3. Testing Your Group Policy
      4. BC3.3.4. Turning On Windows Disk Protection
        1. BC3.3.4.1. Manually Turning On WDP
        2. BC3.3.4.2. Remotely Turning On WDP
          1. BC3. Turn Windows Disk Protection On or Off via the Command Line
          2. BC3. Turn Windows Disk Protection On or Off via Script
      5. BC3.3.5. Deciding When to Clean Up
        1. BC3.3.5.1. Option 1: Set a Scheduled Task to Restart the Machine
        2. BC3.3.5.2. Option 2: Use a Logoff Script to Force a Reboot
        3. BC3.3.5.3. Option 3: The Best of All Worlds—Rebooting and Cleaning Up When No One Is Around
      6. BC3.3.6. Deploying Software When Using Windows SteadyState
        1. BC3.3.6.1. Deploying Software Using GPSI
        2. BC3.3.6.2. Deploying Software Using App-V (Microsoft Application Virtualization)
      7. BC3.3.7. Remotely Updating the Custom Updates Script
    4. BC3.4. Final Thoughts

Product information

  • Title: Group Policy: Fundamentals, Security, and the Managed Desktop
  • Author(s): Jeremy Moskowitz
  • Release date: May 2010
  • Publisher(s): Sybex
  • ISBN: 9780470581858