Introduction xxv
Chapter 1 Group Policy Essentials 1
Getting Ready to Use This Book 2
Getting Started with Group Policy 7
Group Policy Entities and Policy Settings 7
The Categories of Group Policy 9
Active Directory and Local Group Policy 13
Understanding Local Group Policy 14
Group Policy and Active Directory 17
Linking Group Policy Objects 20
Final Thoughts on Local GPOs 25
An Example of Group Policy Application 26
Examining the Resultant Set of Policy 27
At the Site Level 28
At the Domain Level 29
At the OU Level 29
Bringing It All Together 29
Group Policy, Active Directory, and the GPMC 31
Implementing the GPMC on Your Management Station 32
Creating a One-Stop-Shop MMC 36
Group Policy 101 and Active Directory 38
Active Directory Users and Computers vs. GPMC 38
Adjusting the View within the GPMC 39
The GPMC-centric View 41
Our Own Group Policy Examples 43
More about Linking and the Group Policy Objects Container 44
Applying a Group Policy Object to the Site Level 47
Applying Group Policy Objects to the Domain Level 50
Applying Group Policy Objects to the OU Level 52
Testing Your Delegation of Group Policy Management 58
Understanding Group Policy Object Linking Delegation 59
Granting OU Admins Access to Create New Group Policy Objects 61
Creating and Linking Group Policy Objects at the OU Level 61
Creating a New Group Policy Object Affecting Computers in an OU 66
Moving Computers into the Human Resources Computers OU 67
Verifying Your Cumulative Changes 69
Final Thoughts 71
Chapter 2 Managing Group Policy with the GPMC 73
Common Procedures with the GPMC 74
Raising or Lowering the Precedence of Multiple Group Policy Objects 78
Understanding GPMC’s Link Warning 79
Stopping Group Policy Objects from Applying 80
Block Inheritance 87
The Enforced Function 88
Security Filtering and Delegation with the GPMC 90
Filtering the Scope of Group Policy Objects with Security 91
User Permissions on Group Policy Objects 100
Granting Group Policy Object Creation Rights in the Domain 102
Special Group Policy Operation Delegations 103
Who Can Create and Use WMI Filters? 104
Performing RSoP Calculations with the GPMC 106
What’s-Going-On Calculations with Group Policy Results 107
What-If Calculations with Group Policy Modeling 113
Searching and Commenting Group Policy Objects and Policy Settings 116
Searching for GPO Characteristics 116
Filtering Inside a GPO for Policy Settings 118
Comments for GPOs and Policy Settings 129
Starter GPOs 135
Creating a Starter GPO 136
Editing a Starter GPO 136
Leveraging a Starter GPO 137
Delegating Control of Starter GPOs 139
Wrapping Up and Sending Starter GPOs 140
Should You Use Microsoft’s Pre-created Starter GPOs? 141
Back Up and Restore for Group Policy 142
Backing Up Group Policy Objects 143
Restoring Group Policy Objects 146
Backing Up and Restoring Starter GPOs 148
Backing Up and Restoring WMI Filters 148
Backing Up and Restoring IPsec Filters 149
Migrating Group Policy Objects between Domains 150
Basic Interdomain Copy and Import 150
Copy and Import with Migration Tables 157
GPMC At-a-Glance Icon View 160
Final Thoughts 160
Chapter 3 Group Policy Processing Behavior Essentials 163
Group Policy Processing Principles 164
Don’t Get Lost 165
Initial Policy Processing 166
Background Refresh Policy Processing 168
Security Background Refresh Processing 182
Special Case: Moving a User or a Computer Object 187
Windows 8 and Group Policy: Subtle Differences 188
Policy Application via Remote Access, Slow Links, and after Hibernation 189
Windows XP Group Policy over Slow Network Connections 190
Windows 8 Group Policy over Slow Network Connections 190
What Is Processed over a Slow Network Connection? 192
Using Group Policy to Affect Group Policy 197
Affecting the User Settings of Group Policy 197
Affecting the Computer Settings of Group Policy 199
The Missing Group Policy Preferences’ Policy Settings 211
Final Thoughts 212
Chapter 4 Advanced Group Policy Processing 215
WMI Filters: Fine-Tuning When and Where Group Policy Applies 215
Tools (and References) of the WMI Trade 217
WMI Filter Syntax 218
Creating and Using a WMI Filter 219
WMI Performance Impact 220
Group Policy Loopback Processing 221
Reviewing Normal Group Policy Processing 222
Group Policy Loopback: Merge Mode 223
Group Policy Loopback: Replace Mode 223
Group Policy with Cross-Forest Trusts 229
What Happens When Logging onto Different Clients across a Cross-Forest Trust? 229
Disabling Loopback Processing When Using Cross-Forest Trusts 232
Understanding Cross-Forest Trust Permissions 232
Final Thoughts 234
Chapter 5 Group Policy Preferences 235
Powers of the Group Policy Preferences 237
Computer Configuration > Preferences 238
User Configuration > Preferences 249
Group Policy Preferences Concepts 258
Preference vs. Policy 259
The Overlap of Group Policy vs. Group Policy Preferences and Associated Issues 261
The Lines and Circles and the CRUD Action Modes 275
Common Tab 282
Group Policy Preferences Tips, Tricks, and Troubleshooting 294
Quick Copy, Drag and Drop, Cut and Paste, and Sharing of Settings 294
Multiple Preference Items at a Level 296
Temporarily Disabling a Single Preference Item or Extension Root 298
Environment Variables 298
Managing Group Policy Preferences: Hiding Extensions from Use 301
Troubleshooting: Reporting, Logging, and Tracing 302
Final Thoughts 310
Chapter 6 Managing Applications and Settings Using Group Policy 311
Administrative Templates: A History and Policy vs. Preferences 312
Administrative Templates: Then and Now 312
Policy vs. Preference 313
ADM vs. ADMX and ADML Files 318
ADM File Introduction 318
Updated GPMC’s ADMX and ADML Files 318
ADM vs. ADMX Files: At a Glance 320
ADMX and ADML Files: What They Do and the Problems They Solve 321
Problem and Solution 1: Tackling SYSVOL Bloat 321
Problem 2: How Do We Deal with Multiple Languages? 321
Problem 3: How Do We Deal with “Write Overlaps”? 323
Problem 4: How Do We Distribute Updated Definitions to All Our Administrators? 324
The Central Store 325
The Windows ADMX/ADML Central Store 327
Creating and Editing GPOs in a Mixed Environment 331
Scenario 1: Start by Creating and Editing a GPO Using the Older GPMC. Edit Using Another Older GPMC Management Station. 331
Scenario 2: Start by Creating and Editing a GPO with the Older GPMC. Edit Using the Updated GPMC. 332
Scenario 3: Start by Creating and Editing a GPO Using the Updated GPMC. Edit Using Another Updated GPMC Management Station. 334
Scenario 4: Start by Creating and Editing a GPO Using an Updated GPMC Management Station. Edit Using an Older GPMC Management Station. 334
ADM and ADMX Templates from Other Sources 334
Using ADM Templates with the Updated GPMC 335
Using ADMX Templates from Other Sources 337
ADMX Migrator and ADMX Editor Tools 338
ADMX Migrator 339
ADMX Creation and Editor Tools 341
PolicyPak Community Edition and PolicyPak Professional 341
PolicyPak Concepts and Installation 344
PolicyPak Pregame Setup 344
PolicyPak Quick Installation 345
Getting Started Immediately with PolicyPak’s Preconfigured Paks 346
PolicyPak Final Thoughts and Wrap-Up 352
Final Thoughts 353
Chapter 7 Troubleshooting Group Policy 355
Under the Hood of Group Policy 357
Inside Local Group Policy 357
Inside Active Directory Group Policy Objects 360
The Birth, Life, and Death of a GPO 362
How Group Policy Objects Are “Born” 362
How a GPO “Lives” 364
Death of a GPO 391
How Client Systems Get Group Policy Objects 392
The Steps to Group Policy Processing 392
Client-Side Extensions 395
Where Are Administrative Templates Registry Settings Stored? 403
Why Isn’t Group Policy Applying? 405
Reviewing the Basics 406
Advanced Inspection 408
Client-Side Troubleshooting 418
RSoP for Windows Clients 419
Advanced Group Policy Troubleshooting with Log Files 428
Using the Event Viewer 428
Turning On Verbose Logging 429
Group Policy Processing Performance 443
Final Thoughts 444
Chapter 8 Implementing Security with Group Policy 447
The Two Default Group Policy Objects 448
GPOs Linked at the Domain Level 449
Group Policy Objects Linked to the Domain Controllers OU 453
Oops, the “Default Domain Policy” GPO and/or “Default Domain Controllers Policy” GPO Got Screwed Up! 455
The Strange Life of Password Policy 456
What Happens When You Set Password Settings at an OU Level 457
Fine-Grained Password Policy 458
Inside Auditing with and without Group Policy 463
Auditable Events Using Group Policy 464
Auditing File Access 470
Auditing Group Policy Object Changes 470
Advanced Audit Policy Configuration 475
Restricted Groups 480
Strictly Controlling Active Directory Groups 481
Strictly Applying Group Nesting 484
Which Groups Can Go into Which Other Groups via Restricted Groups? 484
Restrict Software: Software Restriction Policy and AppLocker 485
Inside Software Restriction Policies 486
Software Restriction Policies’ “Philosophies” 487
Software Restriction Policies’ Rules 488
Restricting Software Using AppLocker 495
Controlling User Account Control with Group Policy 514
Just Who Will See the UAC Prompts, Anyway? 517
Understanding the Group Policy Controls for UAC 521
UAC Policy Setting Suggestions 530
Wireless (802.11) and Wired Network (802.3) Policies 534
802.11 Wireless Policy for Windows XP 534
802.11 Wireless Policy and 802.3 Wired Policy for Windows 8 536
Configuring Windows Firewall with Group Policy 537
Manipulating the Windows XP Firewall 539
Windows Firewall with Advanced Security (for Windows 8): WFAS 542
IPsec (Now in Windows Firewall with Advanced Security) 551
How Windows Firewall Rules Are Ultimately Calculated 556
Final Thoughts 560
Chapter 9 Profiles: Local, Roaming, and Mandatory 561
What Is a User Profile? 562
The NTUSER.DAT File 562
Profile Folders for Type 1 Computers (Windows XP and Windows 2003 Server) 563
Profile Folders for Type 2 Computers (Windows Vista and Later) 565
The Default Local User Profile 570
The Default Network User Profile 573
Roaming Profiles 578
Setting Up Roaming Profiles 579
Testing Roaming Profiles 583
Roaming and Nonroaming Folders 586
Managing Roaming Profiles 590
Manipulating Roaming Profiles with Computer Group Policy Settings 592
Manipulating Roaming Profiles with User Group Policy Settings 604
Mandatory Profiles 609
Establishing Mandatory Profiles for Windows XP 610
Establishing Mandatory Profiles for Windows 8 612
Mandatory Profiles: Finishing Touches 612
Forced Mandatory Profiles (Super-Mandatory) 613
Final Thoughts 615
Chapter 10 Implementing a Managed Desktop, Part 1: Redirected Folders, Offline Files, and the Synchronization Manager 617
Overview of Change and Configuration Management 618
Redirected Folders 620
Available Folders to Redirect 620
Redirected Documents/My Documents 621
Redirecting the Start Menu and the Desktop 639
Redirecting the Application Data Folder 641
Group Policy Setting for Folder Redirection 641
Troubleshooting Redirected Folders 644
Offline Files and Synchronization 646
Making Offline Files Available 647
Inside Windows 8 File Synchronization 650
Handling Conflicts 658
Client Configuration of Offline Files 659
Using Folder Redirection and Offline Files over Slow Links 668
Synchronizing over Slow Links with Redirected My Documents 669
Synchronizing over Slow Links with Regular Shares 670
Teaching Windows 7 and Windows 8 How to React to Slow Links 671
Using Group Policy to Configure Offline Files (User and Computer Node) 675
Troubleshooting Sync Center 683
Turning Off Folder Redirection’s Automatic Offline Caching for Desktops 685
Final Thoughts 695
Chapter 11 The Managed Desktop, Part 2: Software Deployment via Group Policy 697
Group Policy Software Installation (GPSI) Overview 697
The Windows Installer Service 699
Understanding .MSI Packages 700
Utilizing an Existing .MSI Package 700
Assigning and Publishing Applications 705
Assigning Applications 705
Publishing Applications 706
Rules of Deployment 707
Package-Targeting Strategy 708
Advanced Published or Assigned 717
The General Tab 717
The Deployment Tab 718
The Upgrades Tab 722
The Categories Tab 724
The Modifications Tab 724
The Security Tab 725
Default Group Policy Software Installation Properties 726
The General Tab 726
The Advanced Tab 727
The File Extensions Tab 728
The Categories Tab 728
Removing Applications 729
Users Can Manually Change or Remove Applications 729
Automatically Removing Assigned or Published .MSI Applications 729
Forcibly Removing Assigned or Published .MSI Applications 730
Using Group Policy Software Installation over Slow Links 732
MSI, the Windows Installer and Group Policy 735
Inside the MSIEXEC Tool 735
Patching a Distribution Point 736
Affecting Windows Installer with Group Policy 738
Deploying Office 2010 and Office 2013 Using Group Policy 741
Steps to Office 2010/2013 Deployment Using Group Policy 742
Result of Your Office Deployment Using Group Policy 751
System Center Configuration Manager vs. Group Policy 753
GPSI and Configuration Manager Coexistence 755
Final Thoughts 756
Chapter 12 Finishing Touches with Group Policy: Scripts, Internet Explorer, Hardware Control, and Printer Deployment 757
Scripts: Logon, Logoff, Startup, and Shutdown 757
Non-PowerShell-Based Scripts 758
Deploying PowerShell Scripts to Windows 7 and Later Clients 761
Managing Internet Explorer with Group Policy 762
Internet Explorer Maintenance: Where Is It? 763
Managing Internet Explorer with Group Policy Preferences 765
Internet Explorer’s Group Policy Settings 765
Managing Internet Explorer Using the IEAK 766
Restricting Access to Hardware via Group Policy 768
Group Policy Preferences Devices Extension 769
Restricting Driver Access with Policy Settings for Windows Vista and Later 773
Getting a Handle on Classes and IDs 774
Restricting or Allowing Your Hardware via Group Policy 777
Understanding the Remaining Policy Settings for Hardware Restrictions 778
Assigning Printers via Group Policy 780
Zapping Down Printers to Users and Computers (a Refresher) 780
Final Thoughts for This Chapter and for the Book 789
Appendix A Group Policy and VDI 791
Why Is VDI Different? 792
Tuning Your Images for VDI 793
Specific Functions to Turn Off for VDI Machines 794
Group Policy Settings to Set and Avoid for Maximum VDI Performance 795
Group Policy Tweaks for Fast VDI Video 796
Tweaking RDP Using Group Policy for VDI 797
Tweaking RemoteFX Using Group Policy for VDI 798
Managing and Locking Down Desktop UI Tweaks 799
Final Thoughts for VDI and Group Policy 801
Appendix B Security Configuration Manager 803
SCM: Installation 805
SCM: Getting Around 806
SCM: Usual Use Case 807
Importing Existing GPOs 814
Comparing and Merging Baselines 814
LocalGPO Tool 816
Installing SCM’s LocalGPO Tool 817
Using SCM’s LocalGPO 817
Final Thoughts on LocalGPO and SCM 823
Appendix C Windows Intune (And What It Means to Group Policy Admins) 825
Getting Started with Windows Intune 826
Using Windows Intune 829
Setting Up Windows Intune Groups 829
Setting Up Policies Using Windows Intune 830
Windows Intune and Group Policy Conflicts 831
Final Thoughts on Windows Intune 832
Index 835