Windows® Group Policy Resource Kit: Windows Server® 2008 and Windows Vista®

Book Description

Get the in-depth information you need to use Group Policy to administer Windows Server 2008 and Windows Vista—direct from a leading Group Policy MVP and the Microsoft Group Policy team. With Group Policy and Active Directory directory service, administrators can take advantage of policy-based management to streamline the administration of users and computers throughout the enterprise—from servers running Windows Server 2008, Windows Server 2003 or Windows 2000 Server, to workstations running Windows Vista, Windows XP Professional, or Windows 2000 Professional. This essential resource provides in-depth technical information and expert insights for simplifying and automating administrative tasks, including policy enforcement, system updates, and software installations, as well as how to centralize the management of network resources. The CD provides essential utilities, job aids, and more. It’s everything you need to help increase your efficiency while bolstering user productivity, security services, and system reliability.

For customers who purchase an ebook version of this title, instructions for downloading the CD files can be found in the ebook.

Table of Contents

  1. Windows® Group Policy Resource Kit: Windows Server® 2008 and Windows Vista®
    1. SPECIAL OFFER: Upgrade this ebook with O’Reilly
    2. A Note Regarding Supplemental Files
    3. Acknowledgments
      1. List of Reviewers from the Group Policy Team
    4. Introduction
      1. Overview of the Book
        1. Part I: Introducing Group Policy
        2. Part II: Group Policy Structure
        3. Part III: Administering Group Policy
        4. Part IV: Implementing Security
        5. Part V: Using Registry-Based Policy Settings
        6. Part VI: Group Policy Settings
        7. Part VII: Advanced Topics
        8. Part VIII: Appendices
      2. Document Conventions
        1. Reader Aids
        2. Sidebars
        3. Command-Line Examples
      3. Companion CD
        1. Elevation Tools
        2. Management scripts
        3. eBook
        4. Chapter-Related Materials
      4. Resource Kit Support Policy
    5. I. Introducing Group Policy
      1. 1. Why Group Policy?
        1. The Past, Present, and Future of Group Policy
          1. Group Policy’s Past
          2. Group Policy’s Present
            1. Group Policy Requires Active Directory
            2. Group Policy Includes Security Settings
            3. Group Policy Includes Software Distribution
            4. Group Policy Helps Eliminate Tattooing
            5. Group Policy Can Modify System Settings
            6. Group Policy Is Extensible
            7. Group Policy Is Dynamic
            8. Much, Much More
          3. Group Policy’s Future
            1. Troubleshooting Tools
            2. Enterprise Administration
            3. Disaster Recovery
            4. Reporting
            5. Instant Configuration
            6. Is the Future Already Here?
        2. Benefits of Group Policy
          1. More Efficient Management
          2. More Powerful Management
          3. Reliability
          4. Extensibility
          5. Security
          6. Diversity
          7. Consistency
          8. Stability
          9. Group Policy Negatives
            1. Limited Troubleshooting Tools
            2. Limited Testing Environment and Tools
            3. Limited Inter-Domain and Inter-Forest Support
        3. Summary
        4. Additional Resources
      2. 2. What’s New in Windows Vista and Windows Server 2008
        1. Remember When
        2. New and Now
          1. New Group Policy Features in Windows Vista
            1. Multiple Local GPOs
              1. Local Computer Policy Object
              2. Administrators and Non-Administrators Local GPOs
              3. User-Specific Local GPO
              4. Precedence and Application
            2. Network Location Awareness
            3. ADMX Templates
            4. ADMX Repository
            5. Improved Logging
          2. New Group Policy Features in Windows Server 2008
            1. Filters
            2. Starter GPOs
            3. Commenting
          3. So, What About Those DesktopStandard Products?
            1. Group Policy Preferences
            2. Advanced Group Policy Management (GPOVault)
        3. Summary
        4. Additional Resources
      3. 3. Group Policy Basics
        1. Group Policy Defined
        2. Structural Overview of a GPO
          1. Computer Configuration
          2. User Configuration
        3. Local GPOs
          1. Local Policy Object
          2. Administrators and Non-Administrators Local GPOs
            1. User-Specific Local GPOs
            2. Precedence
          3. Managing the Local GPOs
        4. GPOs in Active Directory
        5. Default GPOs
          1. Default Domain Policy
            1. Account Policies in the Default Domain Policy
            2. Other Policy Settings in the Default Domain Policy
          2. Default Domain Controllers Policy
        6. Creating Additional GPOs
          1. Privileges for Creating New GPOs
          2. Creating GPOs Correctly
        7. Summary
        8. Additional Resources
    6. II. Group Policy Structure
      1. 4. Architecture of Group Policy
        1. Group Policy Dependencies
          1. Active Directory and Group Policy
          2. Domain Name System
          3. Replication
          4. DFS
        2. New Group Policy Service
        3. Domain Controller Selection During GPO Management
          1. Using the PDC Emulator
          2. Selecting the Domain Controller for GPO Editing
        4. Architectural Parts of a GPO
          1. Group Policy Template
          2. Group Policy Container
        5. GPO Replication
          1. Group Policy Template and SYSVOL Replication
          2. Active Directory Replication
        6. Client-Side Extensions
        7. Summary
        8. Additional Resources
      2. 5. Group Policy Processing
        1. Scope of Management
        2. Group Policy Processing
          1. GPO Precedence for GPOs Linked to Different Nodes
          2. GPO Precedence for GPOs Linked to the Same Node
        3. Group Policy Processing Events
          1. Background GPO Policy Processing
          2. Foreground Group Policy Processing
            1. Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
            2. Computer Configuration\Policies\Administrative Templates\Windows Components
            3. Computer Configuration\Policies\Administrative Templates\System
            4. User Configuration\Policies\Administrative Templates\Windows Components
            5. User Configuration\Policies\Administrative Templates\System
          3. Asynchronous vs. Synchronous Policy Processing
        4. Using GPUpdate
        5. Version Checking During Updates
          1. GPO Version Numbers on the Client
          2. GPO Version Numbers on the Domain Controller
        6. NLA Refresh in Windows Vista and Windows Server 2008
        7. Altering Default GPO Processing and Inheritance
          1. Block Policy Inheritance
          2. Enforce
          3. Security Filtering
          4. WMI Filters
          5. Group Policy Preferences
        8. Summary
        9. Additional Resources
    7. III. Administering Group Policy
      1. 6. Using the GPMC
        1. Getting Around in the GPMC
          1. Launching the GPMC from Windows Server 2008
          2. Launching the GPMC from Windows Vista
          3. Domain Views in the GPMC
          4. Forest Views in the GPMC
          5. Site Views in the GPMC
          6. GPMC Management Limitations
          7. Selecting Domain Controllers for Administration of GPOs
        2. Administering GPOs
          1. Creating GPOs
          2. Linking GPOs
          3. Managing GPO Configurations
            1. Enabling and Disabling GPOs
            2. Renaming GPOs
            3. Enabling and Disabling a GPO Link
          4. Managing GPO Backups
            1. Backing Up GPOs
            2. Restoring GPOs
              1. Restoring an Existing GPO
              2. Restoring a Deleted GPO
              3. Viewing the GPO Settings of a Backed-Up GPO
          5. Starter GPOs
            1. Creating Starter GPOs
            2. Editing Starter GPOs
            3. Backing Up Starter GPOs
            4. Working with Starter GPO Cabinet Files
        3. Summary
        4. Additional Resources
      2. 7. Advanced GPMC Management
        1. Working with GPOs
          1. Searching GPOs
          2. Filtering Administrative Templates in the GPME
            1. Filter Options
            2. Filter Option Operators
          3. Reporting on GPOs
          4. Group Policy Results
            1. Results Pane for Group Policy Results
              1. Summary
              2. Settings
              3. Policy Events
            2. Controlling Results of Group Policy Reports
              1. Advanced View
              2. Rerun Query
              3. Save Report
          5. Group Policy Modeling
            1. Results Pane for Group Policy Modeling
              1. Summary
              2. Settings
              3. Query
            2. Controlling Results of Group Policy Modeling Post Query
              1. Advanced View
              2. Rerun Query
              3. Create New Query From This One
              4. Save Report
            3. Resultant Set of Policy Provider
          6. Comments
            1. Starter GPO Comments
            2. Production GPO Comments
            3. Comments for Administrative Template Settings
        2. Migrating GPOs
          1. Reasons for Migrating GPOs
          2. Requirements for Migrating GPOs Between Domains
          3. Settings in a GPO That Require Translation
          4. Migrating GPOs Across Domains
            1. Migrating a GPO Using Copy and Paste
            2. Migrating a GPO Using Backup and Import
        3. Migration Tables
        4. Summary
        5. Additional Resources
      3. 8. Controlling GPOs with Scripts and Automation
        1. GPMC Scripts
          1. Backing Up and Restoring GPOs
            1. BackupGPO.wsf
              1. Syntax
              2. Example & Output
            2. BackupAllGPOs.wsf
              1. Syntax
              2. Example & Output
            3. RestoreGPO.wsf
              1. Syntax
              2. Example & Output
            4. RestoreAllGPOs.wsf
              1. Syntax
              2. Example & Output
            5. QueryBackupLocation.wsf
              1. Syntax
              2. Example #1 & Output
              3. Example #2 & Output
          2. Copying and Importing GPOs
            1. CopyGPO.wsf
              1. Syntax
              2. Example
            2. ImportGPO.wsf
              1. Syntax
              2. Example
            3. ImportAllGPO.wsf
              1. Syntax
              2. Example
          3. Creating GPOs and Other GPMC Objects
            1. CreateGPO.wsf
              1. Syntax
              2. Example & Output
            2. CreateXMLFromEnvironment.wsf
              1. Syntax
              2. Example & Output
            3. CreateEnvironmentFromXML.wsf
              1. Syntax
              2. Example & Output
            4. CreateMigrationTable.wsf
              1. Syntax
              2. Example & Output
          4. Deleting GPOs
            1. DeleteGPO.wsf
              1. Syntax
              2. Example & Output
          5. GPO Reporting
            1. DumpGPOInfo.wsf
              1. Syntax
              2. Example & Output
            2. DumpSOMInfo.wsf
              1. Syntax
              2. Example & Output
            3. GetReportsForAllGPOs.wsf
              1. Syntax
              2. Example & Output
            4. GetReportsForGPO.wsf
              1. Syntax
              2. Example & Output
            5. ListAllGPOs.wsf
              1. Syntax
              2. Example & Output
              3. Example #2 & Output
            6. ListSOMPolicyTree.wsf
              1. Syntax
              2. Example & Output
          6. Finding GPOs Based on Parameters
            1. FindDisabledGPOs.wsf
              1. Syntax
              2. Example & Output
            2. FindDuplicateNamedGPOs.wsf
              1. Syntax
              2. Example & Output
            3. FindGPOsByPolicyExtension.wsf
              1. Syntax
              2. Example & Output
            4. FindGPOsBySecurityGroup.wsf
              1. Syntax
              2. Example & Output
            5. FindGPOsWithNoSecurityFiltering.wsf
              1. Syntax
              2. Example & Output
            6. FindOrphanedGPOsInSysvol.wsf
              1. Syntax
              2. Example
            7. FindSOMsWithExternalGPOLinks.wsf
              1. Syntax
            8. FindUnlinkedGPOs.wsf
              1. Syntax
              2. Example & Output
          7. GPO Security
            1. GrantPermissionOnAllGPOs.wsf
              1. Syntax
              2. Example & Output
            2. SetGPOCreationPermissions.wsf
              1. Syntax
              2. Example & Output
            3. SetGPOPermissions.wsf
              1. Syntax
              2. Example & Output
            4. SetGPOPermissionsBySOM.wsf
              1. Syntax
              2. Example & Output
            5. SetSOMPermissions.wsf
              1. Syntax
              2. Example #1 & Output
              3. Example #2 & Output
        2. VBScript Scripting
        3. Windows PowerShell
        4. Summary
        5. Additional Resources
    8. IV. Implementing Security
      1. 9. Security Delegation for Administration of GPOs
        1. Default Security Environment
          1. Default Security of the GPMC
          2. Default Security of AGPM
        2. Group Policy Management Console Delegation
          1. Creating GPOs
          2. Linking GPOs
          3. Managing GPOs
          4. Editing GPOs
          5. Modeling GPOs
          6. RSoP of GPOs
        3. Advanced Group Policy Management Delegation
          1. Full Control
          2. Editing
          3. Approving
          4. Reviewing
        4. Best Practices
          1. Creating GPOs
            1. Creating GPOs without AGPM
            2. Creating GPOs with AGPM
            3. Segregation of Group Policy Creation from Other Duties without AGPM
          2. Editing GPOs
            1. Editing GPOs without AGPM
            2. Editing GPOs with AGPM
          3. Linking GPOs
          4. Testing GPOs
            1. Testing GPOs without AGPM with a Production Organizational Unit
            2. Testing GPOs without AGPM with a Test Domain
            3. Testing GPOs with AGPM with a Production Organizational Unit
        5. Summary
        6. Additional Resources
    9. V. Using Registry-Based Policy Settings
      1. 10. ADM Templates, ADMX Files, and the ADMX Central Store
        1. Administrative (.adm) Templates
          1. Default .adm Templates
          2. Working with .adm Templates
          3. Default Installed .adm Templates
          4. Importing .adm Templates
          5. Adding .adm Templates
          6. Removing .adm Templates
          7. Managing .adm Templates
            1. Controlling Updated Versions of .adm Templates
              1. Turn Off Automatic Updates Of ADM Files
              2. Always Use Local ADM Files For Group Policy Editor
            2. Tips for Working with .adm Templates
            3. Operating System and Service Pack Release Issues
          8. Policies vs. Preferences
        2. ADMX Files
        3. Default ADMX Files
        4. Using Both .adm Templates and ADMX Files
          1. Scenario 1: Administration of GPO with Windows Vista
          2. Scenario 2: Administration of GPO with a Windows Server 2008 Domain Controller
          3. Scenario 3: Administration of GPO from a Windows XP Workstation
        5. Migrating .adm Templates to ADMX Files
          1. File Syntax Conversion for .adm Template to ADMX Files
          2. ADMX Migrator
        6. Creating and Using the ADMX Central Store
          1. Creating the Central Store
          2. Copying ADMX and ADML Files to the Central Store
        7. Summary
        8. Additional Resources
      2. 11. Customizing ADM Templates and ADMX Files
        1. Creating Custom .adm Templates
          1. A Simple .adm Template
        2. Using .adm Template Language
          1. Structure of an .adm Template
          2. #if version
          3. Syntax for Updating the Registry
            1. CLASS
            2. KEYNAME
            3. VALUENAME
            4. VALUEOFF/VALUEON
          4. Syntax for Updating the GPME Interface
            1. STRINGS
            2. CATEGORY
            3. POLICY
            4. PART
              1. CHECKBOX
              2. CLIENTTEXT
              3. COMBOBOX
              4. DROPDOWNLIST
              5. EDITTEXT
              6. LISTBOX
              7. NUMERIC
              8. TEXT
            5. ACTIONLIST
          5. Additional Statements in the .adm Template
            1. Comments
            2. REQUIRED
            3. MAXLEN
            4. EXPLAIN
            5. SUPPORTED
          6. String and Tab Limits for .adm Templates
        3. Best Practices for .adm Templates
        4. Creating Custom ADMX and ADML Files
          1. ADMX Schema
          2. ADMX File Structure
          3. ADML File Structure
          4. Core ADMX File Concepts
            1. Referencing the Windows Base ADMX File
            2. Referencing Category Elements from the Windows Base ADMX File
            3. Referencing Category Elements from the Windows Base ADMX File
          5. Tying the ADMX and ADML Files Together
          6. Using ADMX File Language
        5. Summary
        6. Additional Resources
    10. VI. Group Policy Settings
      1. 12. Group Policy Preferences
        1. Benefits of Group Policy Preferences
          1. User-Friendly Interface
          2. Thousands More Settings
          3. Practical and Valuable Settings
          4. Reduced Desktop Images
          5. Reduced Need for Log-on Scripts
          6. Working with Any Organizational Unit Design
        2. Preferences vs. Policies
        3. Management and Support of Group Policy Preferences
          1. Managing Group Policy Preferences Using the GPME
            1. Windows Server 2008
            2. Windows Vista
          2. Deploying the Group Policy Preferences CSEs
            1. Windows Server 2008
            2. Windows Vista, Windows Server 2003 SP1, and Windows XP SP2
        4. Group Policy Preferences Settings
          1. Group Policy Preferences: Windows Settings
            1. Applications
            2. Drive Maps
            3. Environment
            4. Files
            5. Folders
            6. Ini Files
            7. Network Shares
            8. Registry
            9. Shortcuts
          2. Group Policy Preferences: Control Panel Settings
            1. Data Sources
            2. Devices
            3. Folder Options
            4. Internet Settings
            5. Local Users and Groups
            6. Network Options
            7. Power Options
            8. Printers
            9. Regional Options
            10. Scheduled Tasks
            11. Services
            12. Start Menu
        5. Advanced Group Policy Preferences Settings
          1. Action Modes
          2. Common Tab
          3. Item-Level Targeting
            1. Item-Level Targeting Items
              1. Battery Present
              2. Computer Name
              3. CPU Speed
              4. Date Match
              5. Dial-Up Connection
              6. Disk Space
              7. Domain
              8. Environment Variable
              9. File Match
              10. IP Address Range
              11. Language
              12. LDAP Query
              13. MAC Address Range
              14. MSI Query
              15. Operating System
              16. Organizational Unit
              17. PCMCIA Present
              18. Portable Computer
              19. Processing Mode
              20. RAM
              21. Registry Match
              22. Security Group
              23. Site
              24. Terminal Session
              25. Time Range
              26. User
              27. WMI Query
            2. Item-Level Targeting Controls
            3. Common Item-Level Targeting Scenarios
              1. Desktop vs. Laptop
              2. Computer Performance
              3. Operating System Targeting
              4. Drive Mapping Security
        6. Process Variables
        7. Group Policy Preferences in Settings Reports
        8. Software Development Kit for Group Policy Preferences
        9. Summary
        10. Additional Resources
      2. 13. Settings Breakdown for Windows Server 2008 and Windows Vista
        1. Overall GPO Structure
        2. Policies
          1. Software Settings
          2. Windows Settings
            1. Remote Installation Services (User Configuration Only)
            2. Scripts
            3. Security Settings
              1. Account Policies (Computer Configuration Only)
              2. Local Policies (Computer Configuration Only)
              3. Restricted Groups (Computer Configuration Only)
              4. System Services (Computer Configuration Only)
              5. Registry (Computer Configuration Only)
              6. File System (Computer Configuration Only)
              7. Wired Network (IEEE 802.3) Policies (Computer Configuration Only)
              8. Windows Firewall with Advanced Security (Computer Configuration Only)
              9. Wireless Network (IEEE 802.11) Policies (Computer Configuration Only)
              10. Public Key Policies
              11. Software Restriction Policies
              12. Network Access Protection (Computer Configuration Only)
              13. IP Security Policies on Active Directory (Computer Configuration Only)
              14. Folder Redirection (User Configuration Only)
              15. Policy-Based QoS
              16. Internet Explorer Maintenance (User Configuration Only)
          3. Administrative Templates
        3. Preferences
          1. Terminal Services
          2. User Account Control
          3. Log-on Scripts
          4. Servers
          5. Hardware Components
          6. Network Security
        4. Summary
        5. Additional Resources
    11. VII. Advanced Topics
      1. 14. Advanced Group Policy Management
        1. Architecture of AGPM
          1. Operating System Support
          2. GPMC Requirements
          3. Server Installation
          4. Client Installation
        2. Offline Editing of GPOs
        3. Change Management
          1. When the Changes Were Made
          2. Who Made the Changes
          3. What Changes Were Made
        4. Workflow
          1. E-Mail Configuration
          2. Pending Tab
          3. Creating GPOs
            1. Creating a GPO (with Create Permissions)
            2. Creating a GPO (without Create Permissions)
            3. Withdrawing a GPO That Is Pending Creation
            4. Approving or Rejecting a Pending GPO
          4. Deploying GPOs
            1. Deploying a GPO That Was Created Offline (with Deploy Permissions)
            2. Deploying a GPO That Was Created Offline (without Deploy Permissions)
            3. Deploying a GPO from the Archive (with Deploy Permissions)
            4. Deploying a GPO from the Archive (without Deploy Permissions)
        5. Rolling Back and Rolling Forward
        6. Reporting
          1. Settings Reports
          2. Difference Reports
            1. Difference Report between Two Versions of the Same GPO
            2. Difference Report between Two GPOs
            3. Difference Report between a GPO and an AGPM Template
        7. Using Templates
        8. Recycle Bin
        9. Restoring GPOs and GPO Links
        10. Summary
        11. Additional Resources
      2. 15. Troubleshooting GPOs
        1. Group Policy Troubleshooting Essentials
          1. Common Problems with GPOs
            1. DNS-Related Problems
            2. Asynchronous Group Policy Processing
          2. Foreground-Only GPO Settings
          3. Network Connection
          4. GPO Function after WMI Filter Deletion
          5. Time Synchronization
          6. Unavailable PDC Emulator
        2. Using Event Logging for Troubleshooting
          1. Group Policy Operational Log
          2. Event Viewer Troubleshooting Procedure
            1. Evaluate the System Event Log
            2. Evaluate the Group Policy Operational Log: Determine the ActivityID of Group Policy Processing
            3. Evaluate the Group Policy Operational Log: Create a Custom View of a Group Policy Instance
            4. Divide the Custom View of the Log into Three Phases: Preprocessing
              1. Start Policy Processing
              2. Retrieve Account Information
              3. Domain Controller Discovery
              4. Computer Role Discovery
              5. Security Principal Discovery
              6. Loopback Processing Mode Discovery
              7. GPO Discovery
              8. Slow Link Detection
              9. Nonsystem GP Extension Discovery
            5. Divide the Custom View of the Log into Three Phases: Processing
            6. Divide the Custom View of the Log into Three Phases: Postprocessing
            7. Associate All Starting Events with the Correct Ending Event
            8. Investigate All Errors, Warnings, and Failures
            9. Isolate the Event Causing the Problem
            10. Run GPUpdate on the Computer with the Group Policy Problem
          3. Summary of Group Policy Event IDs
        3. Common GPO Troubleshooting Tools
          1. GPLogView
            1. Export All Group Policy Events
            2. Export Group Policy Events with a Specific ActivityID
            3. Run in Monitor Mode
            4. Use an External Event Log for Input
          2. GPMC
          3. Dcgpofix.exe
          4. GPMonitor.exe
          5. GPResult
          6. GPUpdate
          7. GPOTool
        4. Summary
        5. Additional Resources
    12. VIII. Appendices
      1. A. Third-Party Group Policy Tools
        1. BeyondTrust: Privilege Manager
        2. FullArmor: Workflow Studio
        3. Moskowitz, Inc.
          1. PolicyPak for Applications
          2. PolicyPak Group Policy Design Studio
        4. NetIQ
          1. Group Policy Administrator
          2. Change Guardian
        5. Quest Software: Group Policy Manager
        6. SDM Software
          1. GPExpert Troubleshooting Pak
          2. GPExpert™ Scripting Toolkit for PowerShell
          3. GPExpert™ Backup Manager for Group Policy
          4. GPMC PowerShell Cmdlets
        7. Special Operations Software
          1. Specops Deploy
          2. Specops Inventory
          3. Specops Command
          4. Specops Password Policy
          5. Specops Gpupdate
        8. Sysprosoft
          1. PolMan
          2. ADM Template Editor
          3. Policy Reporter
        9. TeamGPExpert
        10. Summary
        11. Additional Resources
      2. B. Additional Resources
        1. Group Policy Wiki
        2. Microsoft Group Policy Web Site
        3. Windows Server 2003 Web Site
        4. Microsoft Group Policy Team Blog
        5. Group Policy Webcast Web Site
        6. Group Policy Script Repository
        7. Microsoft TechNet
        8. TeamGPExpert.com
        9. BrainCore.net
        10. GPOGuy.com
        11. GPAnswers.com
        12. Summary
    13. C. About the Author
    14. D. System Requirements
    15. E. Windows Server 2008—Resources for Administrators
      1. Additional Resources for IT Professionals
    16. F. Windows Server 2008 Resource Kit—Your Definitive Resource!
      1. Also available as single volumes
    17. Index
    18. SPECIAL OFFER: Upgrade this ebook with O’Reilly