Sybex


Group Policy: Fundamentals, Security, and the Managed Desktop, 2nd Edition

ISBN: 978-1-118-28940-2
912 pages
January 2013

The Ultimate Book on Group Policy

Freshly updated to include Windows 7, Windows 8 and Windows Server 2012, Group Policy: Fundamentals, Security, and the Managed Desktop, Second Edition is the book for learning everything you need to know about Group Policy, no matter which version of Windows you use. Microsoft Group Policy MVP Jeremy Moskowitz covers it all—major Group Policy categories, what Windows 8 and Windows Server 2012 bring to the table, and smart ways to tackle tough desktop management problems. Topics include troubleshooting, security, scripting, using Windows PowerShell when necessary, and much more.

Inside this book, you'll learn to:

  • Master all Group Policy functions of Windows, including Windows XP through Windows 8 and Windows Server 2003 through Windows Server 2012
  • Enhance your Group Policy reach with the Group Policy Preferences, ADMX files, and additional add-ons
  • Use every feature of the GPMC and become a top-notch administrator
  • Troubleshoot Group Policy using tools, logs, Resource Kit utilities, Registry hacks, and third-party tools
  • Manage printers, restrict hardware, and configure Internet Explorer
  • Deploy software to your desktops, set up roaming profiles, and configure Offline Files for all your Windows clients—and manage it all with Group Policy settings
  • Secure your desktops and servers with AppLocker, Windows Firewall with Advanced Security, and the Security Configuration Manager

Download bonus chapters and:

  • Script complex GPMC operations with PowerShell, including linking, backup, restore, permissions changes, and more
  • Create a "change management" system with Advanced Group Policy Management (AGPM v4)
  • Understand Windows Intune service and its relationship to Group Policy

Coverage Includes:

  • Updated GPMC
  • New Windows 8 GPMC Features
  • ADMX/ADML Files
  • Group Policy Preferences
  • Item-Level Targeting
  • The Central Store
  • AppLocker
  • Fine-Grained Password Policy
  • Offline Files Updates
  • Inheritance Blocking
  • Prioritization
  • Linking
  • Loopback Policy Processing
  • Security Policy Processing
  • Enforcing
  • WMI Filters
  • Third-Party Tools
  • Cross-Forest Trusts
  • Filters
  • Commenting
  • Searching
  • Advanced Logging and Troubleshooting
  • Advanced Auditing Controls
  • Group Policy and VDI
  • Security Configuration Manager
  • Windows Intune

Introduction xxv

Chapter 1 Group Policy Essentials 1

Getting Ready to Use This Book 2

Getting Started with Group Policy 7

Group Policy Entities and Policy Settings 7

The Categories of Group Policy 9

Active Directory and Local Group Policy 13

Understanding Local Group Policy 14

Group Policy and Active Directory 17

Linking Group Policy Objects 20

Final Thoughts on Local GPOs 25

An Example of Group Policy Application 26

Examining the Resultant Set of Policy 27

At the Site Level 28

At the Domain Level 29

At the OU Level 29

Bringing It All Together 29

Group Policy, Active Directory, and the GPMC 31

Implementing the GPMC on Your Management Station 32

Creating a One-Stop-Shop MMC 36

Group Policy 101 and Active Directory 38

Active Directory Users and Computers vs. GPMC 38

Adjusting the View within the GPMC 39

The GPMC-centric View 41

Our Own Group Policy Examples 43

More about Linking and the Group Policy Objects Container 44

Applying a Group Policy Object to the Site Level 47

Applying Group Policy Objects to the Domain Level 50

Applying Group Policy Objects to the OU Level 52

Testing Your Delegation of Group Policy Management 58

Understanding Group Policy Object Linking Delegation 59

Granting OU Admins Access to Create New Group Policy Objects 61

Creating and Linking Group Policy Objects at the OU Level 61

Creating a New Group Policy Object Affecting Computers in an OU 66

Moving Computers into the Human Resources Computers OU 67

Verifying Your Cumulative Changes 69

Final Thoughts 71

Chapter 2 Managing Group Policy with the GPMC 73

Common Procedures with the GPMC 74

Raising or Lowering the Precedence of Multiple Group Policy Objects 78

Understanding GPMC’s Link Warning 79

Stopping Group Policy Objects from Applying 80

Block Inheritance 87

The Enforced Function 88

Security Filtering and Delegation with the GPMC 90

Filtering the Scope of Group Policy Objects with Security 91

User Permissions on Group Policy Objects 100

Granting Group Policy Object Creation Rights in the Domain 102

Special Group Policy Operation Delegations 103

Who Can Create and Use WMI Filters? 104

Performing RSoP Calculations with the GPMC 106

What’s-Going-On Calculations with Group Policy Results 107

What-If Calculations with Group Policy Modeling 113

Searching and Commenting Group Policy Objects and Policy Settings 116

Searching for GPO Characteristics 116

Filtering Inside a GPO for Policy Settings 118

Comments for GPOs and Policy Settings 129

Starter GPOs 135

Creating a Starter GPO 136

Editing a Starter GPO 136

Leveraging a Starter GPO 137

Delegating Control of Starter GPOs 139

Wrapping Up and Sending Starter GPOs 140

Should You Use Microsoft’s Pre-created Starter GPOs? 141

Back Up and Restore for Group Policy 142

Backing Up Group Policy Objects 143

Restoring Group Policy Objects 146

Backing Up and Restoring Starter GPOs 148

Backing Up and Restoring WMI Filters 148

Backing Up and Restoring IPsec Filters 149

Migrating Group Policy Objects between Domains 150

Basic Interdomain Copy and Import 150

Copy and Import with Migration Tables 157

GPMC At-a-Glance Icon View 160

Final Thoughts 160

Chapter 3 Group Policy Processing Behavior Essentials 163

Group Policy Processing Principles 164

Don’t Get Lost 165

Initial Policy Processing 166

Background Refresh Policy Processing 168

Security Background Refresh Processing 182

Special Case: Moving a User or a Computer Object 187

Windows 8 and Group Policy: Subtle Differences 188

Policy Application via Remote Access, Slow Links, and after Hibernation 189

Windows XP Group Policy over Slow Network Connections 190

Windows 8 Group Policy over Slow Network Connections 190

What Is Processed over a Slow Network Connection? 192

Using Group Policy to Affect Group Policy 197

Affecting the User Settings of Group Policy 197

Affecting the Computer Settings of Group Policy 199

The Missing Group Policy Preferences’ Policy Settings 211

Final Thoughts 212

Chapter 4 Advanced Group Policy Processing 215

WMI Filters: Fine-Tuning When and Where Group Policy Applies 215

Tools (and References) of the WMI Trade 217

WMI Filter Syntax 218

Creating and Using a WMI Filter 219

WMI Performance Impact 220

Group Policy Loopback Processing 221

Reviewing Normal Group Policy Processing 222

Group Policy Loopback—Merge Mode 223

Group Policy Loopback—Replace Mode 223

Group Policy with Cross-Forest Trusts 229

What Happens When Logging onto Different Clients across a Cross-Forest Trust? 229

Disabling Loopback Processing When Using Cross-Forest Trusts 232

Understanding Cross-Forest Trust Permissions 232

Final Thoughts 234

Chapter 5 Group Policy Preferences 235

Powers of the Group Policy Preferences 237

Computer Configuration > Preferences 238

User Configuration > Preferences 249

Group Policy Preferences Concepts 258

Preference vs. Policy 259

The Overlap of Group Policy vs. Group Policy Preferences and Associated Issues 261

The Lines and Circles and the CRUD Action Modes 275

Common Tab 282

Group Policy Preferences Tips, Tricks, and Troubleshooting 294

Quick Copy, Drag and Drop, Cut and Paste, and Sharing of Settings 294

Multiple Preference Items at a Level 296

Temporarily Disabling a Single Preference Item or Extension Root 298

Environment Variables 298

Managing Group Policy Preferences: Hiding Extensions from Use 301

Troubleshooting: Reporting, Logging, and Tracing 302

Final Thoughts 310

Chapter 6 Managing Applications and Settings Using Group Policy 311

Administrative Templates: A History and Policy vs. Preferences 312

Administrative Templates: Then and Now 312

Policy vs. Preference 313

ADM vs. ADMX and ADML Files 318

ADM File Introduction 318

Updated GPMC’s ADMX and ADML Files 318

ADM vs. ADMX Files—At a Glance 320

ADMX and ADML Files: What They Do and the Problems They Solve 321

Problem and Solution 1: Tackling SYSVOL Bloat 321

Problem 2: How Do We Deal with Multiple Languages? 321

Problem 3: How Do We Deal with “Write Overlaps”? 323

Problem 4: How Do We Distribute Updated Definitions to All Our Administrators? 324

The Central Store 325

The Windows ADMX/ADML Central Store 327

Creating and Editing GPOs in a Mixed Environment 331

Scenario 1: Start by Creating and Editing a GPO Using the Older GPMC. Edit Using Another Older GPMC Management Station. 331

Scenario 2: Start by Creating and Editing a GPO with the Older GPMC. Edit Using the Updated GPMC. 332

Scenario 3: Start by Creating and Editing a GPO Using the Updated GPMC. Edit Using Another Updated GPMC Management Station. 334

Scenario 4: Start by Creating and Editing a GPO Using an Updated GPMC Management Station. Edit Using an Older GPMC Management Station. 334

ADM and ADMX Templates from Other Sources 334

Using ADM Templates with the Updated GPMC 335

Using ADMX Templates from Other Sources 337

ADMX Migrator and ADMX Editor Tools 338

ADMX Migrator 339

ADMX Creation and Editor Tools 341

PolicyPak Community Edition and PolicyPak Professional 341

PolicyPak Concepts and Installation 344

PolicyPak Pregame Setup 344

PolicyPak Quick Installation 345

Getting Started Immediately with PolicyPak’s Preconfigured Paks 346

PolicyPak Final Thoughts and Wrap-Up 352

Final Thoughts 353

Chapter 7 Troubleshooting Group Policy 355

Under the Hood of Group Policy 357

Inside Local Group Policy 357

Inside Active Directory Group Policy Objects 360

The Birth, Life, and Death of a GPO 362

How Group Policy Objects Are “Born” 362

How a GPO “Lives” 364

Death of a GPO 391

How Client Systems Get Group Policy Objects 392

The Steps to Group Policy Processing 392

Client-Side Extensions 395

Where Are Administrative Templates Registry Settings Stored? 403

Why Isn’t Group Policy Applying? 405

Reviewing the Basics 406

Advanced Inspection 408

Client-Side Troubleshooting 418

RSoP for Windows Clients 419

Advanced Group Policy Troubleshooting with Log Files 428

Using the Event Viewer 428

Turning On Verbose Logging 429

Group Policy Processing Performance 443

Final Thoughts 444

Chapter 8 Implementing Security with Group Policy 447

The Two Default Group Policy Objects 448

GPOs Linked at the Domain Level 449

Group Policy Objects Linked to the Domain Controllers OU 453

Oops, the “Default Domain Policy” GPO and/or “Default Domain Controllers Policy” GPO Got Screwed Up! 455

The Strange Life of Password Policy 456

What Happens When You Set Password Settings at an OU Level 457

Fine-Grained Password Policy 458

Inside Auditing with and without Group Policy 463

Auditable Events Using Group Policy 464

Auditing File Access 470

Auditing Group Policy Object Changes 470

Advanced Audit Policy Configuration 475

Restricted Groups 480

Strictly Controlling Active Directory Groups 481

Strictly Applying Group Nesting 484

Which Groups Can Go into Which Other Groups via Restricted Groups? 484

Restrict Software: Software Restriction Policy and AppLocker 485

Inside Software Restriction Policies 486

Software Restriction Policies’ “Philosophies” 487

Software Restriction Policies’ Rules 488

Restricting Software Using AppLocker 495

Controlling User Account Control with Group Policy 514

Just Who Will See the UAC Prompts, Anyway? 517

Understanding the Group Policy Controls for UAC 521

UAC Policy Setting Suggestions 530

Wireless (802.11) and Wired Network (802.3) Policies 534

802.11 Wireless Policy for Windows XP 534

802.11 Wireless Policy and 802.3 Wired Policy for Windows 8 536

Configuring Windows Firewall with Group Policy 537

Manipulating the Windows XP Firewall 539

Windows Firewall with Advanced Security (for Windows 8)—WFAS 542

IPsec (Now in Windows Firewall with Advanced Security) 551

How Windows Firewall Rules Are Ultimately Calculated 556

Final Thoughts 560

Chapter 9 Profiles: Local, Roaming, and Mandatory 561

What Is a User Profile? 562

The NTUSER.DAT File 562

Profile Folders for Type 1 Computers (Windows XP and Windows 2003 Server) 563

Profile Folders for Type 2 Computers (Windows Vista and Later) 565

The Default Local User Profile 570

The Default Network User Profile 573

Roaming Profiles 578

Setting Up Roaming Profiles 579

Testing Roaming Profiles 583

Roaming and Nonroaming Folders 586

Managing Roaming Profiles 590

Manipulating Roaming Profiles with Computer Group Policy Settings 592

Manipulating Roaming Profiles with User Group Policy Settings 604

Mandatory Profiles 609

Establishing Mandatory Profiles for Windows XP 610

Establishing Mandatory Profiles for Windows 8 612

Mandatory Profiles—Finishing Touches 612

Forced Mandatory Profiles (Super-Mandatory) 613

Final Thoughts 615

Chapter 10 Implementing a Managed Desktop, Part 1: Redirected Folders, Offline Files, and the Synchronization Manager 617

Overview of Change and Configuration Management 618

Redirected Folders 620

Available Folders to Redirect 620

Redirected Documents/My Documents 621

Redirecting the Start Menu and the Desktop 639

Redirecting the Application Data Folder 641

Group Policy Setting for Folder Redirection 641

Troubleshooting Redirected Folders 644

Offline Files and Synchronization 646

Making Offline Files Available 647

Inside Windows 8 File Synchronization 650

Handling Conflicts 658

Client Configuration of Offline Files 659

Using Folder Redirection and Offline Files over Slow Links 668

Synchronizing over Slow Links with Redirected My Documents 669

Synchronizing over Slow Links with Regular Shares 670

Teaching Windows 7 and Windows 8 How to React to Slow Links 671

Using Group Policy to Configure Offline Files (User and Computer Node) 675

Troubleshooting Sync Center 683

Turning Off Folder Redirection’s Automatic Offline Caching for Desktops 685

Final Thoughts 695

Chapter 11 The Managed Desktop, Part 2: Software Deployment via Group Policy 697

Group Policy Software Installation (GPSI) Overview 697

The Windows Installer Service 699

Understanding .MSI Packages 700

Utilizing an Existing .MSI Package 700

Assigning and Publishing Applications 705

Assigning Applications 705

Publishing Applications 706

Rules of Deployment 707

Package-Targeting Strategy 708

Advanced Published or Assigned 717

The General Tab 717

The Deployment Tab 718

The Upgrades Tab 722

The Categories Tab 724

The Modifications Tab 724

The Security Tab 725

Default Group Policy Software Installation Properties 726

The General Tab 726

The Advanced Tab 727

The File Extensions Tab 728

The Categories Tab 728

Removing Applications 729

Users Can Manually Change or Remove Applications 729

Automatically Removing Assigned or Published .MSI Applications 729

Forcibly Removing Assigned or Published .MSI Applications 730

Using Group Policy Software Installation over Slow Links 732

MSI, the Windows Installer and Group Policy 735

Inside the MSIEXEC Tool 735

Patching a Distribution Point 736

Affecting Windows Installer with Group Policy 738

Deploying Office 2010 and Office 2013 Using Group Policy 741

Steps to Office 2010/2013 Deployment Using Group Policy 742

Result of Your Office Deploying Using Group Policy 751

Systems Center Configuration Manager vs. Group Policy 753

GPSI and Configuration Manager Coexistence 755

Final Thoughts 756

Chapter 12 Finishing Touches with Group Policy: Scripts, Internet Explorer, Hardware Control, and Printer Deployment 757

Scripts: Logon, Logoff, Startup, and Shutdown 757

Non-PowerShell-Based Scripts 758

Deploying PowerShell Scripts to Windows 7 and Later Clients 761

Managing Internet Explorer with Group Policy 762

Internet Explorer Maintenance—Where Is It? 763

Managing Internet Explorer with Group Policy Preferences 765

Internet Explorer’s Group Policy Settings 765

Managing Internet Explorer using the IEAK 766

Restricting Access to Hardware via Group Policy 768

Group Policy Preferences Devices Extension 769

Restricting Driver Access with Policy Settings for Windows Vista and Later 773

Getting a Handle on Classes and IDs 774

Restricting or Allowing Your Hardware via Group Policy 777

Understanding the Remaining Policy Settings for Hardware Restrictions 778

Assigning Printers via Group Policy 780

Zapping Down Printers to Users and Computers (a Refresher) 780

Final Thoughts for This Chapter and for the Book 789

Appendix A Group Policy and VDI 791

Why Is VDI Different? 792

Tuning Your Images for VDI 793

Specific Functions to Turn Off for VDI Machines 794

Group Policy Settings to Set and Avoid for Maximum VDI Performance 795

Group Policy Tweaks for Fast VDI Video 796

Tweaking RDP Using Group Policy for VDI 797

Tweaking RemoteFX using Group Policy for VDI 798

Managing and Locking Down Desktop UI Tweaks 799

Final Thoughts for VDI and Group Policy 801

Appendix B Security Configuration Manager 803

SCM: Installation 805

SCM: Getting Around 806

SCM: Usual Use Case 807

Importing Existing GPOs 814

Comparing and Merging Baselines 814

LocalGPO Tool 816

Installing SCM’s LocalGPO Tool 817

Using SCM’s LocalGPO 817

Final Thoughts on LocalGPO and SCM 823

Appendix C Windows Intune (And What It Means to Group Policy Admins) 825

Getting Started with Windows Intune 826

Using Windows Intune 829

Setting Up Windows Intune Groups 829

Setting Up Policies Using Windows Intune 830

Windows Intune and Group Policy Conflicts 831

Final Thoughts on Windows Intune 832

Index 835


Jeremy Moskowitz, Group Policy MVP, is the founder of GPanswers.com and PolicyPak Software. He is a nationally recognized authority on Windows Server, Active Directory, Group Policy, and other Windows management topics. Jeremy is one of fewer than a dozen Microsoft MVPs in Group Policy. He runs GPanswers.com, ranked by ComputerWorld as a "Top 20 Resource for Microsoft IT Professionals." Jeremy is a sought-after speaker at many industry conferences and, in his training workshops, helps thousands of administrators every year do more with Group Policy. Contact Jeremy by visiting GPanswers.com.

Downloads:

  • Bonus Chapter 1 (3.46 MB)
  • Bonus Chapter 2 (10.43 MB)