Sybex


Group Policy: Fundamentals, Security, and the Managed Desktop, 3rd Edition

ISBN: 978-1-119-03558-9
1056 pages
August 2015

Description

Get up to speed on the latest Group Policy tools, features, and best practices

Group Policy: Fundamentals, Security, and the Managed Desktop, 3rd Edition helps you streamline Windows and Windows Server management using the latest Group Policy tools and techniques. This updated edition covers Windows 10 and Windows Server vNext, bringing you up to speed on the newest settings, features, and best practices. Microsoft Group Policy MVP Jeremy Moskowitz teaches you the major categories of Group Policy, essential troubleshooting techniques, and how to manage your Windows desktops.

This is your complete guide to the latest Group Policy features and functions for all modern Windows clients and servers, helping you manage more efficiently and effectively.

  • Perform true desktop and server management with the Group Policy Preferences, ADMX files, and additional add-ons
  • Use every feature of the GPMC and become a top-notch administrator
  • Troubleshoot Group Policy using tools, enhanced logs, Resource Kit utilities, and third-party tools
  • Manage printers, drive maps, restrict hardware, and configure Internet Explorer
  • Deploy software to your desktops, set up roaming profiles, and configure Offline Files for all your Windows clients—and manage it all with Group Policy settings
  • Secure your desktops and servers with AppLocker, Windows Firewall with Advanced Security, and the Security Compliance Manager

This is your comprehensive resource to staying current, with expert tips, techniques, and insight.


Table of Contents

Introduction xxv

Chapter 1 Group Policy Essentials 1

Getting Ready to Use This Book 2

Getting Started with Group Policy 7

Group Policy Entities and Policy Settings 7

Active Directory and Local Group Policy 9

Understanding Local Group Policy 10

Group Policy and Active Directory 13

Linking Group Policy Objects 15

Final Thoughts on Local GPOs 20

An Example of Group Policy Application 21

Examining the Resultant Set of Policy 23

At the Site Level 23

At the Domain Level 24

At the OU Level 24

Bringing It All Together 25

Group Policy, Active Directory, and the GPMC 26

Implementing the GPMC on Your Management Station 27

Creating a One-Stop-Shop MMC 30

Group Policy 101 and Active Directory 32

Active Directory Users and Computers vs. GPMC 32

Adjusting the View within the GPMC 33

The GPMC-centric View 35

Our Own Group Policy Examples 37

More about Linking and the Group Policy Objects Container 38

Applying a Group Policy Object to the Site Level 41

Applying Group Policy Objects to the Domain Level 44

Applying Group Policy Objects to the OU Level 47

Testing Your Delegation of Group Policy Management 52

Understanding Group Policy Object Linking Delegation 54

Granting OU Admins Access to Create New Group Policy Objects 55

Creating and Linking Group Policy Objects at the OU Level 56

Creating a New Group Policy Object Affecting Computers in an OU 59

Moving Computers into the Human Resources Computers OU 61

Verifying Your Cumulative Changes 62

Final Thoughts 64

Chapter 2 Managing Group Policy with the GPMC and via PowerShell 67

Common Procedures with the GPMC and PowerShell 69

Raising or Lowering the Precedence of Multiple Group Policy Objects 75

Understanding GPMC’s Link Warning 76

Stopping Group Policy Objects from Applying 78

Block Inheritance 85

The Enforced Function 87

Security Filtering and Delegation with the GPMC 90

Filtering the Scope of Group Policy Objects with Security 91

User Permissions on Group Policy Objects 102

Granting Group Policy Object Creation Rights in the Domain 104

Special Group Policy Operation Delegations 105

Who Can Create and Use WMI Filters? 107

Performing RSoP Calculations with the GPMC 109

What’s-Going-On Calculations with Group Policy Results 110

What-If Calculations with Group Policy Modeling 116

Searching and Commenting Group Policy Objects and Policy Settings 118

Searching for GPO Characteristics 119

Filtering Inside a GPO for Policy Settings 121

Comments for GPOs and Policy Settings 132

Starter GPOs 137

Creating a Starter GPO 139

Editing a Starter GPO 139

Leveraging a Starter GPO 141

Delegating Control of Starter GPOs 142

Wrapping Up and Sending Starter GPOs 143

Should You Use Microsoft’s Pre-created Starter GPOs? 144

Back Up and Restore for Group Policy 145

Backing Up Group Policy Objects 146

Restoring Group Policy Objects 148

Backing Up and Restoring Starter GPOs 152

Backing Up and Restoring WMI Filters 153

Backing Up and Restoring IPsec Filters 153

Migrating Group Policy Objects between Domains 154

Basic Interdomain Copy and Import 154

Copy and Import with Migration Tables 162

GPMC At-a-Glance Icon View 166

Final Thoughts 167

Chapter 3 Group Policy Processing Behavior Essentials 169

Group Policy Processing Principles 170

Don’t Get Lost 172

Initial Policy Processing 172

Background Refresh Policy Processing 174

Security Background Refresh Processing 187

Special Case: Moving a User or a Computer Object 193

Windows 8, 8.1, and 10 Group Policy: Subtle Differences 194

Policy Application via Remote Access, Slow Links, and after Hibernation 200

When and How Does Windows Check for Slow Links? 200

What Is Processed over a Slow Network Connection? 201

Always Get Group Policy (Even on the Road, through the Internet) 202

Using Group Policy to Affect Group Policy 205

Affecting the User Settings of Group Policy 205

Affecting the Computer Settings of Group Policy 207

The Missing Group Policy Preferences Policy Settings 219

Final Thoughts 221

Chapter 4 Advanced Group Policy Processing 223

Fine-Tuning When and Where Group Policy Applies 223

Using WMI Filters to Filter the Scope of a Group Policy Object (Itself) 224

Using PolicyPak Admin Templates Manager to Filter the Scope of a Group Policy Object’s Contents 230

Group Policy Loopback Processing 231

Reviewing Normal Group Policy Processing 232

Group Policy Loopback—Merge Mode 233

Group Policy Loopback—Replace Mode 233

Loopback without Loopback (Switched Mode with PolicyPak Application Manager and PolicyPak Admin Templates Manager) 239

Group Policy with Cross-Forest Trusts 242

What Happens When Logging onto Different Clients across a Cross-Forest Trust? 243

Disabling Loopback Processing When Using Cross-Forest Trusts 245

Understanding Cross-Forest Trust Permissions 245

Final Thoughts 247

Chapter 5 Group Policy Preferences 249

Powers of the Group Policy Preferences 252

Computer Configuration ➢ Preferences 258

User Configuration ➢ Preferences 269

Group Policy Preferences Concepts 278

Preference vs. Policy 279

The Overlap of Group Policy vs. Group Policy Preferences and Associated Issues 281

The Lines and Circles and the CRUD Action Modes 293

Common Tab 301

Group Policy Preferences Tips, Tricks, and Troubleshooting 313

Quick Copy, Drag and Drop, Cut and Paste, and Sharing of Settings 313

Multiple Preference Items at a Level 315

Temporarily Disabling a Single Preference Item or Extension Root 317

Environment Variables 318

Managing Group Policy Preferences: Hiding Extensions from within the Editor 320

Troubleshooting: Reporting, Logging, and Tracing 321

Giving Group Policy Preferences a “Boost” (Using PolicyPak Preferences Manager and PolicyPak Cloud) 329

Using PolicyPak Preferences Manager to Maintain Group Policy Preferences while Offline 330

Using PolicyPak Preferences Manager to Deliver Group Policy Preferences Using “Not Group Policy” 330

Delivering Group Policy Preferences over the Internet Using PolicyPak Cloud (to Domain-Joined and Non–Domain-Joined Machines) 331

Final Thoughts 332

Chapter 6 Managing Applications and Settings Using Group Policy 335

Understanding Administrative Templates 336

Administrative Templates: Then and Now 336

Policy vs. Preference 337

Exploring ADM vs. ADMX and ADML Files 342

Looking Back at ADM Files 342

Understanding the Updated GPMC’s ADMX and ADML Files 342

Comparing ADM vs. ADMX Files 344

ADMX and ADML Files: What They Do and the Problems They Solve 345

Problem and Solution 1: Tackling SYSVOL Bloat 345

Problem 2: How Do We Deal with Multiple Languages? 346

Problem 3: How Do We Deal with “Write Overlaps”? 347

Problem 4: How Do We Distribute Updated Definitions to All Our Administrators? 349

The Central Store 349

The Windows ADMX/ADML Central Store 351

Creating and Editing GPOs in a Mixed Environment 355

Scenario 1: Start by Creating and Editing a GPO Using the Older GPMC; Edit Using Another Older GPMC Management Station 355

Scenario 2: Start by Creating and Editing a GPO with the Older GPMC; Edit Using the Updated GPMC 356

Scenario 3: Start by Creating and Editing a GPO Using the Updated GPMC; Edit Using Another Updated GPMC Management Station 358

Scenario 4: Start by Creating and Editing a GPO Using an Updated GPMC Management Station; Edit Using an Older GPMC Management Station 358

Using ADM and ADMX Templates from Other Sources 359

Using ADM Templates with the Updated GPMC 359

Using ADMX Templates from Other Sources 361

ADMX Migrator and ADMX Editor Tools 362

ADMX Migrator 363

ADMX Creation and Editor Tools 365

PolicyPak Application Manager 365

PolicyPak Concepts and Installation 367

Top PolicyPak Application Manager Pak Examples 369

Understanding PolicyPak Superpowers and What Happens When Computers Are Off the Network 373

Final Thoughts 376

Chapter 7 Troubleshooting Group Policy 379

Under the Hood of Group Policy 381

Inside Local Group Policy 381

Inside Active Directory Group Policy Objects 383

The Birth, Life, and Death of a GPO 385

How Group Policy Objects Are “Born” 386

How a GPO “Lives” 387

Death of a GPO 415

How Client Systems Get Group Policy Objects 416

The Steps to Group Policy Processing 416

Client-Side Extensions 419

Where Are Administrative Templates Registry Settings Stored? 427

Why Isn’t Group Policy Applying? 429

Reviewing the Basics 429

Advanced Inspection 432

Client-Side Troubleshooting 441

RSoP for Windows Clients 442

Advanced Group Policy Troubleshooting with the Event Viewer Logs 450

Group Policy Processing Performance 462

Final Thoughts 463

Chapter 8 Implementing Security with Group Policy 465

The Two Default Group Policy Objects 466

GPOs Linked at the Domain Level 467

Group Policy Objects Linked to the Domain Controllers OU 471

Oops, the “Default Domain Policy” GPO and/or “Default Domain Controllers Policy” GPO Got Screwed Up! 473

The Strange Life of Password Policy 475

What Happens When You Set Password Settings at an OU Level 475

Fine-Grained Password Policy 477

Inside Basic and Advanced Auditing 482

Basic Auditable Events Using Group Policy 482

Auditing File Access 487

Auditing Group Policy Object Changes 489

Advanced Audit Policy Configuration 491

Restricted Groups 495

Strictly Controlling Active Directory Groups 497

Strictly Applying Group Nesting 499

Which Groups Can Go into Which Other Groups via Restricted Groups? 500

Restrict Software Using AppLocker 500

Inside Software Restriction Policies 501

Software Restriction Policies’ “Philosophies” 502

Software Restriction Policies’ Rules 503

Restricting Software Using AppLocker 510

Controlling User Account Control with Group Policy 531

Just Who Will See the UAC Prompts, Anyway? 534

Understanding the Group Policy Controls for UAC 539

UAC Policy Setting Suggestions 548

Wireless (802.11) and Wired Network (802.3) Policies 551

802.11 Wireless Policy for Windows XP 552

802.11 Wireless Policy and 802.3 Wired Policy for Modern Windows 553

Configuring Windows Firewall with Group Policy 554

Manipulating the Windows Firewall (the Old Way) 557

Windows Firewall with Advanced Security (WFAS) 558

IPsec (Now in Windows Firewall with Advanced Security) 567

How Windows Firewall Rules Are Ultimately Calculated 572

Final Thoughts 576

Chapter 9 Profiles: Local, Roaming, and Mandatory 579

Setting the Stage for Multiple Clients 579

What Is a User Profile? 583

The NTUSER.DAT File 583

Profile Folders for Type 1 Computers (Windows XP and Windows 2003 Server) 584

Profile Folders for Type 2–5 Computers (Windows Vista and Later) 586

The Default Local User Profile 591

The Default Network User Profile 594

Roaming Profiles 599

Are Roaming Profiles “Evil”? And What Are the Alternatives? 601

Setting Up Roaming Profiles 604

Testing Roaming Profiles 608

Roaming and Nonroaming Folders 610

Managing Roaming Profiles 614

Manipulating Roaming Profiles with Computer Group Policy Settings 617

Manipulating Roaming Profiles with User Group Policy Settings 630

Mandatory Profiles 635

Establishing Mandatory Profiles for Windows XP 636

Establishing Mandatory Profiles for Modern Windows 638

Mandatory Profiles—Finishing Touches 639

Forced Mandatory Profiles (Super-Mandatory) 640

Final Thoughts 642

Chapter 10 The Managed Desktop, Part 1: Redirected Folders, Offline Files, and the Synchronization Manager 643

Redirected Folders 644

Available Folders to Redirect 644

Redirected Documents/My Documents 645

Redirecting the Start Menu and the Desktop 665

Redirecting the Application Data Folder 666

Group Policy Setting for Folder Redirection 667

Troubleshooting Redirected Folders 669

Offline Files and Synchronization 672

Making Offline Files Available 673

Inside Windows 10 File Synchronization 676

Handling Conflicts 684

Client Configuration of Offline Files 686

Using Folder Redirection and Offline Files over Slow Links 694

Synchronizing over Slow Links with Redirected My Documents 695

Synchronizing over Slow Links with Regular Shares 697

Teaching Windows 10 How to React to Slow Links 698

Using Group Policy to Configure Offline Files (User and Computer Node) 702

Troubleshooting Sync Center 710

Turning Off Folder Redirection’s Automatic Offline Caching for Desktops 712

Final Thoughts 720

Chapter 11 The Managed Desktop, Part 2: Software Deployment via Group Policy 723

Group Policy Software Installation (GPSI) Overview 724

The Windows Installer Service 726

Understanding .MSI Packages 726

Utilizing an Existing .MSI Package 727

Assigning and Publishing Applications 732

Assigning Applications 732

Publishing Applications 733

Rules of Deployment 734

Package-Targeting Strategy 734

Advanced Published or Assigned 745

The General Tab 746

The Deployment Tab 746

The Upgrades Tab 750

The Categories Tab 752

The Modifications Tab 752

The Security Tab 754

Default Group Policy Software Installation Properties 755

The General Tab 755

The Advanced Tab 756

The File Extensions Tab 757

The Categories Tab 757

Removing Applications 757

Users Can Manually Change or Remove Applications 758

Automatically Removing Assigned or Published .MSI Applications 758

Forcibly Removing Assigned or Published .MSI Applications 759

Using Group Policy Software Installation over Slow Links 761

MSI, the Windows Installer, and Group Policy 764

Inside the MSIEXEC Tool 764

Patching a Distribution Point 765

Affecting Windows Installer with Group Policy 767

Deploying Office 2010 and Later Using Group Policy (MSI Version) 771

Steps to Office 2013 and 2016 Deployment Using Group Policy 772

Result of Your Office Deployment Using Group Policy 782

Installing Office Using Click-to-Run 783

Getting Office Click-to-Run 784

Installing Office Click-to-Run by Hand 784

Deploying Office Click-to-Run via Group Policy 786

System Center Configuration Manager vs. Group Policy (and Alternatives) 793

Final Thoughts 796

Chapter 12 Finishing Touches with Group Policy: Scripts, Internet Explorer, Hardware Control, Printer Deployment, Local Admin Password Control 797

Scripts: Logon, Logoff, Startup, and Shutdown 798

Non-PowerShell-Based Scripts 798

Deploying PowerShell Scripts to Windows 7 and Later Clients 801

Managing Internet Explorer with Group Policy 802

Managing Internet Explorer with Group Policy Preferences 803

Internet Explorer’s Group Policy Settings 805

Understanding Internet Explorer 11’s Enterprise Mode 806

Managing Internet Explorer 11 Using PolicyPak Application Manager 808

Restricting Access to Hardware via Group Policy 808

Group Policy Preferences Devices Extension 809

Restricting Driver Access with Policy Settings 814

Getting a Handle on Classes and IDs 815

Restricting or Allowing Your Hardware via Group Policy 817

Understanding the Remaining Policy Settings for Hardware Restrictions 819

Assigning Printers via Group Policy 821

Zapping Down Printers to Users and Computers (a Refresher) 821

Implementing Rotating Local Passwords with LAPS 830

What to Install from LAPS 831

Extending the Schema and Setting LAPS Permissions 832

Using a Group Policy Object to Manage LAPS 835

Using LAPS Management’s Tools: Fat Client and PowerShell 836

Final Thoughts for This Chapter and for the Book 838

Appendix A Scripting Group Policy Operations with Windows PowerShell 839

Using PowerShell to Do More with Group Policy 840

Preparing for Your PowerShell Experience 841

Getting Started with PowerShell 842

Documenting Your Group Policy World with PowerShell 846

Setting GPO Permissions 867

Manipulating GPOs with PowerShell 870

Performing a Remote GPupdate (Invoking GPupdate) 880

Replacing Microsoft’s GPMC Scripts with PowerShell Equivalents 881

Final Thoughts 883

Appendix B Group Policy and VDI 885

Why Is VDI Different? 886

Tuning Your Images for VDI 887

Specific Functions to Turn Off for VDI Machines 888

Group Policy Settings to Set and Avoid for Maximum VDI Performance 889

Group Policy Tweaks for Fast VDI Video 891

Tweaking RDP Using Group Policy for VDI 891

Tweaking RemoteFX using Group Policy for VDI 892

Managing and Locking Down Desktop UI Tweaks 893

Final Thoughts for VDI and Group Policy 894

Appendix C Advanced Group Policy Management 897

The Challenge of Group Policy Change Management 898

Architecture and Installation of AGPM 899

AGPM Architecture 899

Installing AGPM 900

What Happens after AGPM Is Installed? 906

GPMC Differences with AGPM Client 906

What’s With All the Access Denied Errors? 908

Does the World Change Right Away? 908

Understanding the AGPM Delegation Model 908

AGPM Delegation Roles 909

AGPM Common Tasks 912

Understanding and Working with AGPM’s Flow 914

Controlling Your Currently Uncontrolled GPOs 915

Creating a GPO and Immediately Controlling It 918

Check Out a GPO 919

Viewing Reports about a Controlled GPO 921

Editing a Checked-Out Offline Copy of a GPO 921

Performing a Check In of a Changed GPO 923

Deploying a GPO into Production 924

Making Additional Changes to a GPO and Labeling a GPO 926

Using History and Differences to Roll Back a GPO 927

Using “Import from Production” to Catch Up a GPO 931

Uncontrolling, Restoring, and Destroying a GPO 932

Searching for GPOs Using the Search Box 934

AGPM Tasks with Multiple Admins 935

E‑mail Preparations and Configurations for AGPM Requests 936

Adding Someone to the AGPM System 939

Requesting the Creation of New Controlled GPO 943

Approving or Rejecting a Pending Request 944

Editing the GPO Offline via Check Out/Check In 946

Requesting Deployment of the GPO 946

Analyzing a GPO (as a Reviewer) 948

Advanced Configuration and Troubleshooting of AGPM 950

Production Delegation 950

Auto-Deleting Old GPO Versions 951

Export and Import of Controlled GPOs between Forests and/or Domains 951

Troubleshooting AGPM Permissions 953

Leveraging AGPM Templates 955

Changing Permissions on GPO Archives 958

Backing Up, Restoring, and Moving the AGPM Server 959

Changing the Port That AGPM Uses 962

Events from AGPM 963

Leveraging the Built-in AGPM ADMX Template 963

Final Thoughts 968

Appendix D Security Compliance Manager 969

SCM: Installation 970

SCM: Getting Around 972

SCM: Usual Use Case 974

Importing Existing GPOs 980

Comparing and Merging Baselines 980

LocalGPO Tool 983

Installing SCM’s LocalGPO Tool 984

Using SCM’s LocalGPO 985

Final Thoughts on LocalGPO and SCM 989

Appendix E Microsoft Intune and PolicyPak Cloud 991

Microsoft Intune 991

Getting Started with Microsoft Intune 992

Using Microsoft Intune 995

Setting Up Microsoft Intune Groups 995

Setting Up Policies Using Microsoft Intune 996

Microsoft Intune and Group Policy Conflicts 997

Final Thoughts on Microsoft Intune 998

PolicyPak Cloud 998

PolicyPak Cloud 101 999

Understanding PolicyPak Cloud Policies 999

Creating and Using PolicyPak Cloud Groups 1001

Joining PolicyPak Cloud 1001

Final Thoughts on PolicyPak Cloud 1003

Final Thoughts on Microsoft Intune and PolicyPak Cloud 1003

Index 1005


Author Information

Jeremy Moskowitz is a Group Policy MVP and a nationally recognized authority on Windows Server, Active Directory, Group Policy, and other Windows management topics. One of fewer than a dozen Group Policy MVPs, Jeremy runs GPanswers.com, ranked by ComputerWorld as a "Top 20 Resource for Microsoft IT Professionals." Jeremy is the founder of PolicyPak Software, which enables administrators to manage applications, stay compliant, and deliver settings over the Internet. He is a sought-after speaker at many industry conferences.


Downloads

Get-MyGPLink (8.72 KB)
Get-MyGPLinkBasic (1.64 KB)
