Introduction

Chapter 1: Group Policy Essentials
  Getting Ready to Use This Book
  Getting Started with Group Policy
  Group Policy Entities and Policy Settings
  Active Directory and Local Group Policy
  Understanding Local Group Policy
  Group Policy and Active Directory
  Linking Group Policy Objects
  Final Thoughts on Local GPOs
  An Example of Group Policy Application
  Examining the Resultant Set of Policy
  At the Site Level
  At the Domain Level
  At the OU Level
  Bringing It All Together
  Group Policy, Active Directory, and the GPMC
  Implementing the GPMC on Your Management Station
  Creating a One-Stop-Shop MMC
  Group Policy 101 and Active Directory
  Active Directory Users and Computers vs. GPMC
  Adjusting the View within the GPMC
  The GPMC-centric View
  Our Own Group Policy Examples
  More about Linking and the Group Policy Objects Container
  Applying a Group Policy Object to the Site Level
  Applying Group Policy Objects to the Domain Level
  Applying Group Policy Objects to the OU Level
  Testing Your Delegation of Group Policy Management
  Understanding Group Policy Object Linking Delegation
  Granting OU Admins Access to Create New Group Policy Objects
  Creating and Linking Group Policy Objects at the OU Level
  Creating a New Group Policy Object Affecting Computers in an OU
  Moving Computers into the Human Resources Computers OU
  Verifying Your Cumulative Changes
  Final Thoughts

Chapter 2: Managing Group Policy with the GPMC and via PowerShell
  Common Procedures with the GPMC and PowerShell
  Raising or Lowering the Precedence of Multiple Group Policy Objects
  Understanding GPMC's Link Warning
  Stopping Group Policy Objects from Applying
  Block Inheritance
  The Enforced Function
  Security Filtering and Delegation with the GPMC
  Filtering the Scope of Group Policy Objects with Security
  User Permissions on Group Policy Objects
  Granting Group Policy Object Creation Rights in the Domain
  Special Group Policy Operation Delegations
  Who Can Create and Use WMI Filters?
  Performing RSoP Calculations with the GPMC
  What's-Going-On Calculations with Group Policy Results
  What-If Calculations with Group Policy Modeling
  Searching and Commenting Group Policy Objects and Policy Settings
  Searching for GPO Characteristics
  Filtering Inside a GPO for Policy Settings
  Comments for GPOs and Policy Settings
  Starter GPOs
  Creating a Starter GPO
  Editing a Starter GPO
  Leveraging a Starter GPO
  Delegating Control of Starter GPOs
  Wrapping Up and Sending Starter GPOs
  Should You Use Microsoft's Pre-created Starter GPOs?
  Back Up and Restore for Group Policy
  Backing Up Group Policy Objects
  Restoring Group Policy Objects
  Backing Up and Restoring Starter GPOs
  Backing Up and Restoring WMI Filters
  Backing Up and Restoring IPsec Filters
  Migrating Group Policy Objects between Domains
  Basic Interdomain Copy and Import
  Copy and Import with Migration Tables
  GPMC At-a-Glance Icon View
  Final Thoughts

Chapter 3: Group Policy Processing Behavior Essentials
  Group Policy Processing Principles
  Don't Get Lost
  Initial Policy Processing
  Background Refresh Policy Processing
  Security Background Refresh Processing
  Special Case: Moving a User or a Computer Object
  Windows 8, 8.1, and 10 Group Policy: Subtle Differences
  Policy Application via Remote Access, Slow Links, and after Hibernation
  When and How Does Windows Check for Slow Links?
  What Is Processed over a Slow Network Connection?
  Always Get Group Policy (Even on the Road, through the Internet)
  Using Group Policy to Affect Group Policy
  Affecting the User Settings of Group Policy
  Affecting the Computer Settings of Group Policy
  The Missing Group Policy Preferences Policy Settings
  Final Thoughts

Chapter 4: Advanced Group Policy Processing
  Fine-Tuning When and Where Group Policy Applies
  Using WMI Filters to Filter the Scope of a Group Policy Object (Itself)
  Using PolicyPak Admin Templates Manager to Filter the Scope of a Group Policy Object's Contents
  Group Policy Loopback Processing
  Reviewing Normal Group Policy Processing
  Group Policy Loopback Merge Mode
  Group Policy Loopback Replace Mode
  Loopback without Loopback (Switched Mode with PolicyPak Application Manager and PolicyPak Admin Templates Manager)
  Group Policy with Cross-Forest Trusts
  What Happens When Logging onto Different Clients across a Cross-Forest Trust?
  Disabling Loopback Processing When Using Cross-Forest Trusts
  Understanding Cross-Forest Trust Permissions
  Final Thoughts

Chapter 5: Group Policy Preferences
  Powers of the Group Policy Preferences
  Computer Configuration > Preferences
  User Configuration > Preferences
  Group Policy Preferences Concepts
  Preference vs. Policy
  The Overlap of Group Policy vs. Group Policy Preferences and Associated Issues
  The Lines and Circles and the CRUD Action Modes
  Common Tab
  Group Policy Preferences Tips, Tricks, and Troubleshooting
  Quick Copy, Drag and Drop, Cut and Paste, and Sharing of Settings
  Multiple Preference Items at a Level
  Temporarily Disabling a Single Preference Item or Extension Root
  Environment Variables
  Managing Group Policy Preferences: Hiding Extensions from within the Editor
  Troubleshooting: Reporting, Logging, and Tracing
  Giving Group Policy Preferences a "Boost" (Using PolicyPak Preferences Manager and PolicyPak Cloud)
  Using PolicyPak Preferences Manager to Maintain Group Policy Preferences while Offline
  Using PolicyPak Preferences Manager to Deliver Group Policy Preferences Using "Not Group Policy"
  Delivering Group Policy Preferences over the Internet Using PolicyPak Cloud (to Domain-Joined and Non-Domain-Joined Machines)
  Final Thoughts

Chapter 6: Managing Applications and Settings Using Group Policy
  Understanding Administrative Templates
  Administrative Templates: Then and Now
  Policy vs. Preference
  Exploring ADM vs. ADMX and ADML Files
  Looking Back at ADM Files
  Understanding the Updated GPMC's ADMX and ADML Files
  Comparing ADM vs. ADMX Files
  ADMX and ADML Files: What They Do and the Problems They Solve
  Problem and Solution 1: Tackling SYSVOL Bloat
  Problem 2: How Do We Deal with Multiple Languages?
  Problem 3: How Do We Deal with "Write Overlaps"?
  Problem 4: How Do We Distribute Updated Definitions to All Our Administrators?
  The Central Store
  The Windows ADMX/ADML Central Store
  Creating and Editing GPOs in a Mixed Environment
  Scenario 1: Start by Creating and Editing a GPO Using the Older GPMC; Edit Using Another Older GPMC Management Station
  Scenario 2: Start by Creating and Editing a GPO with the Older GPMC; Edit Using the Updated GPMC
  Scenario 3: Start by Creating and Editing a GPO Using the Updated GPMC; Edit Using Another Updated GPMC Management Station
  Scenario 4: Start by Creating and Editing a GPO Using an Updated GPMC Management Station; Edit Using an Older GPMC Management Station
  Using ADM and ADMX Templates from Other Sources
  Using ADM Templates with the Updated GPMC
  Using ADMX Templates from Other Sources
  ADMX Migrator and ADMX Editor Tools
  ADMX Migrator
  ADMX Creation and Editor Tools
  PolicyPak Application Manager
  PolicyPak Concepts and Installation
  Top PolicyPak Application Manager Pak Examples
  Understanding PolicyPak Superpowers and What Happens When Computers Are Off the Network
  Final Thoughts

Chapter 7: Troubleshooting Group Policy
  Under the Hood of Group Policy
  Inside Local Group Policy
  Inside Active Directory Group Policy Objects
  The Birth, Life, and Death of a GPO
  How Group Policy Objects Are "Born"
  How a GPO "Lives"
  Death of a GPO
  How Client Systems Get Group Policy Objects
  The Steps to Group Policy Processing
  Client-Side Extensions
  Where Are Administrative Templates Registry Settings Stored?
  Why Isn't Group Policy Applying?
  Reviewing the Basics
  Advanced Inspection
  Client-Side Troubleshooting
  RSoP for Windows Clients
  Advanced Group Policy Troubleshooting with the Event Viewer Logs
  Group Policy Processing Performance
  Final Thoughts

Chapter 8: Implementing Security with Group Policy
  The Two Default Group Policy Objects
  GPOs Linked at the Domain Level
  Group Policy Objects Linked to the Domain Controllers OU
  Oops, the "Default Domain Policy" GPO and/or "Default Domain Controllers Policy" GPO Got Screwed Up!
  The Strange Life of Password Policy
  What Happens When You Set Password Settings at an OU Level
  Fine-Grained Password Policy
  Inside Basic and Advanced Auditing
  Basic Auditable Events Using Group Policy
  Auditing File Access
  Auditing Group Policy Object Changes
  Advanced Audit Policy Configuration
  Restricted Groups
  Strictly Controlling Active Directory Groups
  Strictly Applying Group Nesting
  Which Groups Can Go into Which Other Groups via Restricted Groups?
  Restrict Software Using AppLocker
  Inside Software Restriction Policies
  Software Restriction Policies' "Philosophies"
  Software Restriction Policies' Rules
  Restricting Software Using AppLocker
  Controlling User Account Control with Group Policy
  Just Who Will See the UAC Prompts, Anyway?
  Understanding the Group Policy Controls for UAC
  UAC Policy Setting Suggestions
  Wireless (802.11) and Wired Network (802.3) Policies
  802.11 Wireless Policy for Windows XP
  802.11 Wireless Policy and 802.3 Wired Policy for Modern Windows
  Configuring Windows Firewall with Group Policy
  Manipulating the Windows Firewall (the Old Way)
  Windows Firewall with Advanced Security (WFAS)
  IPsec (Now in Windows Firewall with Advanced Security)
  How Windows Firewall Rules Are Ultimately Calculated
  Final Thoughts

Chapter 9: Profiles: Local, Roaming, and Mandatory
  Setting the Stage for Multiple Clients
  What Is a User Profile?
  The NTUSER.DAT File
  Profile Folders for Type 1 Computers (Windows XP and Windows 2003 Server)
  Profile Folders for Type 2-5 Computers (Windows Vista and Later)
  The Default Local User Profile
  The Default Network User Profile
  Roaming Profiles
  Are Roaming Profiles "Evil"? And What Are the Alternatives?
  Setting Up Roaming Profiles
  Testing Roaming Profiles
  Roaming and Nonroaming Folders
  Managing Roaming Profiles
  Manipulating Roaming Profiles with Computer Group Policy Settings
  Manipulating Roaming Profiles with User Group Policy Settings
  Mandatory Profiles
  Establishing Mandatory Profiles for Windows XP
  Establishing Mandatory Profiles for Modern Windows
  Mandatory Profiles Finishing Touches
  Forced Mandatory Profiles (Super-Mandatory)
  Final Thoughts

Chapter 10: The Managed Desktop, Part 1: Redirected Folders, Offline Files, and the Synchronization Manager
  Redirected Folders
  Available Folders to Redirect
  Redirected Documents/My Documents
  Redirecting the Start Menu and the Desktop
  Redirecting the Application Data Folder
  Group Policy Setting for Folder Redirection
  Troubleshooting Redirected Folders
  Offline Files and Synchronization
  Making Offline Files Available
  Inside Windows 10 File Synchronization
  Handling Conflicts
  Client Configuration of Offline Files
  Using Folder Redirection and Offline Files over Slow Links
  Synchronizing over Slow Links with Redirected My Documents
  Synchronizing over Slow Links with Regular Shares
  Teaching Windows 10 How to React to Slow Links
  Using Group Policy to Configure Offline Files (User and Computer Node)
  Troubleshooting Sync Center
  Turning Off Folder Redirection's Automatic Offline Caching for Desktops
  Final Thoughts

Chapter 11: The Managed Desktop, Part 2: Software Deployment via Group Policy
  Group Policy Software Installation (GPSI) Overview
  The Windows Installer Service
  Understanding .MSI Packages
  Utilizing an Existing .MSI Package
  Assigning and Publishing Applications
  Assigning Applications
  Publishing Applications
  Rules of Deployment
  Package-Targeting Strategy
  Advanced Published or Assigned
  The General Tab
  The Deployment Tab
  The Upgrades Tab
  The Categories Tab
  The Modifications Tab
  The Security Tab
  Default Group Policy Software Installation Properties
  The General Tab
  The Advanced Tab
  The File Extensions Tab
  The Categories Tab
  Removing Applications
  Users Can Manually Change or Remove Applications
  Automatically Removing Assigned or Published .MSI Applications
  Forcibly Removing Assigned or Published .MSI Applications
  Using Group Policy Software Installation over Slow Links
  MSI, the Windows Installer, and Group Policy
  Inside the MSIEXEC Tool
  Patching a Distribution Point
  Affecting Windows Installer with Group Policy
  Deploying Office 2010 and Later Using Group Policy (MSI Version)
  Steps to Office 2013 and 2016 Deployment Using Group Policy
  Result of Your Office Deployment Using Group Policy
  Installing Office Using Click-to-Run
  Getting Office Click-to-Run
  Installing Office Click-to-Run by Hand
  Deploying Office Click-to-Run via Group Policy
  System Center Configuration Manager vs. Group Policy (and Alternatives)
  Final Thoughts

Chapter 12: Finishing Touches with Group Policy: Scripts, Internet Explorer, Hardware Control, Printer Deployment, Local Admin Password Control
  Scripts: Logon, Logoff, Startup, and Shutdown
  Non-PowerShell-Based Scripts
  Deploying PowerShell Scripts to Windows 7 and Later Clients
  Managing Internet Explorer with Group Policy
  Managing Internet Explorer with Group Policy Preferences
  Internet Explorer's Group Policy Settings
  Understanding Internet Explorer 11's Enterprise Mode
  Managing Internet Explorer 11 Using PolicyPak Application Manager
  Restricting Access to Hardware via Group Policy
  Group Policy Preferences Devices Extension
  Restricting Driver Access with Policy Settings
  Getting a Handle on Classes and IDs
  Restricting or Allowing Your Hardware via Group Policy
  Understanding the Remaining Policy Settings for Hardware Restrictions
  Assigning Printers via Group Policy
  Zapping Down Printers to Users and Computers (a Refresher)
  Implementing Rotating Local Passwords with LAPS
  What to Install from LAPS
  Extending the Schema and Setting LAPS Permissions
  Using a Group Policy Object to Manage LAPS
  Using LAPS Management Tools: Fat Client and PowerShell
  Final Thoughts for This Chapter and for the Book

Appendix A: Scripting Group Policy Operations with Windows PowerShell
  Using PowerShell to Do More with Group Policy
  Preparing for Your PowerShell Experience
  Getting Started with PowerShell
  Documenting Your Group Policy World with PowerShell
  Setting GPO Permissions
  Manipulating GPOs with PowerShell
  Performing a Remote GPupdate (Invoking GPupdate)
  Replacing Microsoft's GPMC Scripts with PowerShell Equivalents
  Final Thoughts

Appendix B: Group Policy and VDI
  Why Is VDI Different?
  Tuning Your Images for VDI
  Specific Functions to Turn Off for VDI Machines
  Group Policy Settings to Set and Avoid for Maximum VDI Performance
  Group Policy Tweaks for Fast VDI Video
  Tweaking RDP Using Group Policy for VDI
  Tweaking RemoteFX Using Group Policy for VDI
  Managing and Locking Down Desktop UI Tweaks
  Final Thoughts for VDI and Group Policy

Appendix C: Advanced Group Policy Management
  The Challenge of Group Policy Change Management
  Architecture and Installation of AGPM
  AGPM Architecture
  Installing AGPM
  What Happens after AGPM Is Installed?
  GPMC Differences with AGPM Client
  What's With All the Access Denied Errors?
  Does the World Change Right Away?
  Understanding the AGPM Delegation Model
  AGPM Delegation Roles
  AGPM Common Tasks
  Understanding and Working with AGPM's Flow
  Controlling Your Currently Uncontrolled GPOs
  Creating a GPO and Immediately Controlling It
  Check Out a GPO
  Viewing Reports about a Controlled GPO
  Editing a Checked-Out Offline Copy of a GPO
  Performing a Check In of a Changed GPO
  Deploying a GPO into Production
  Making Additional Changes to a GPO and Labeling a GPO
  Using History and Differences to Roll Back a GPO
  Using "Import from Production" to Catch Up a GPO
  Uncontrolling, Restoring, and Destroying a GPO
  Searching for GPOs Using the Search Box
  AGPM Tasks with Multiple Admins
  E-mail Preparations and Configurations for AGPM Requests
  Adding Someone to the AGPM System
  Requesting the Creation of a New Controlled GPO
  Approving or Rejecting a Pending Request
  Editing the GPO Offline via Check Out/Check In
  Requesting Deployment of the GPO
  Analyzing a GPO (as a Reviewer)
  Advanced Configuration and Troubleshooting of AGPM
  Production Delegation
  Auto-Deleting Old GPO Versions
  Export and Import of Controlled GPOs between Forests and/or Domains
  Troubleshooting AGPM Permissions
  Leveraging AGPM Templates
  Changing Permissions on GPO Archives
  Backing Up, Restoring, and Moving the AGPM Server
  Changing the Port That AGPM Uses
  Events from AGPM
  Leveraging the Built-in AGPM ADMX Template
  Final Thoughts

Appendix D: Security Compliance Manager
  SCM: Installation
  SCM: Getting Around
  SCM: Usual Use Case
  Importing Existing GPOs
  Comparing and Merging Baselines
  LocalGPO Tool
  Installing SCM's LocalGPO Tool
  Using SCM's LocalGPO
  Final Thoughts on LocalGPO and SCM

Appendix E: Microsoft Intune and PolicyPak Cloud
  Microsoft Intune
  Getting Started with Microsoft Intune
  Using Microsoft Intune
  Setting Up Microsoft Intune Groups
  Setting Up Policies Using Microsoft Intune
  Microsoft Intune and Group Policy Conflicts
  Final Thoughts on Microsoft Intune
  PolicyPak Cloud
  PolicyPak Cloud 101
  Understanding PolicyPak Cloud Policies
  Creating and Using PolicyPak Cloud Groups
  Joining PolicyPak Cloud
  Final Thoughts on PolicyPak Cloud
  Final Thoughts on Microsoft Intune and PolicyPak Cloud

Index
About the Author

Jeremy Moskowitz is a Group Policy MVP and a nationally recognized authority on Windows Server, Active Directory, Group Policy, and other Windows management topics. One of fewer than a dozen Group Policy MVPs, Jeremy runs GPanswers.com, ranked by ComputerWorld as a "Top 20 Resource for Microsoft IT Professionals." Jeremy is the founder of PolicyPak Software, which enables administrators to manage applications, stay compliant, and deliver settings over the Internet. He is a sought-after speaker at many industry conferences.