Group Policy
Fundamentals, Security, and the Managed Desktop
Paperback, English, 2015
Get up to speed on the latest Group Policy tools, features, and best practices

Group Policy, Fundamentals, Security, and the Managed Desktop, 3rd Edition helps you streamline Windows and Windows Server management using the latest Group Policy tools and techniques. This updated edition covers Windows 10 and Windows Server vNext, bringing you up to speed on all the newest settings, features, and best practices. Microsoft Group Policy MVP Jeremy Moskowitz teaches you the major categories of Group Policy, essential troubleshooting techniques, and how to manage your Windows desktops.

This is your complete guide to the latest Group Policy features and functions for all modern Windows clients and servers, helping you manage more efficiently and effectively.

- Perform true desktop and server management with the Group Policy Preferences, ADMX files, and additional add-ons
- Use every feature of the GPMC and become a top-notch administrator
- Troubleshoot Group Policy using tools, enhanced logs, Resource Kit utilities, and third-party tools
- Manage printers, drive maps, restrict hardware, and configure Internet Explorer
- Deploy software to your desktops, set up roaming profiles, and configure Offline Files for all your Windows clients—and manage it all with Group Policy settings
- Secure your desktops and servers with AppLocker, Windows Firewall with Advanced Security, and the Security Configuration Manager

This is your comprehensive resource to staying current, with expert tips, techniques, and insight.
Product information
- Publication date: 2015-08-24
- Dimensions: 188 x 241 x 53 mm
- Weight: 1,338 g
- Format: Paperback
- Language: English
- Number of pages: 1,056
- Edition: 3
- Publisher: John Wiley & Sons Inc
- ISBN: 9781119035589
Jeremy Moskowitz is a Group Policy MVP and a nationally recognized authority on Windows Server, Active Directory, Group Policy, and other Windows management topics. One of fewer than a dozen Group Policy MVPs, Jeremy runs GPanswers.com, ranked by ComputerWorld as a "Top 20 Resource for Microsoft IT Professionals." Jeremy is the founder of PolicyPak Software, which enables administrators to manage applications, stay compliant, and deliver settings over the Internet. He is a sought-after speaker at many industry conferences.
- Introduction
- Chapter 1 Group Policy Essentials
  - Getting Ready to Use This Book
  - Getting Started with Group Policy
  - Group Policy Entities and Policy Settings
  - Active Directory and Local Group Policy
  - Understanding Local Group Policy
  - Group Policy and Active Directory
  - Linking Group Policy Objects
  - Final Thoughts on Local GPOs
  - An Example of Group Policy Application
  - Examining the Resultant Set of Policy
  - At the Site Level
  - At the Domain Level
  - At the OU Level
  - Bringing It All Together
  - Group Policy, Active Directory, and the GPMC
  - Implementing the GPMC on Your Management Station
  - Creating a One-Stop-Shop MMC
  - Group Policy 101 and Active Directory
  - Active Directory Users and Computers vs. GPMC
  - Adjusting the View within the GPMC
  - The GPMC-centric View
  - Our Own Group Policy Examples
  - More about Linking and the Group Policy Objects Container
  - Applying a Group Policy Object to the Site Level
  - Applying Group Policy Objects to the Domain Level
  - Applying Group Policy Objects to the OU Level
  - Testing Your Delegation of Group Policy Management
  - Understanding Group Policy Object Linking Delegation
  - Granting OU Admins Access to Create New Group Policy Objects
  - Creating and Linking Group Policy Objects at the OU Level
  - Creating a New Group Policy Object Affecting Computers in an OU
  - Moving Computers into the Human Resources Computers OU
  - Verifying Your Cumulative Changes
  - Final Thoughts
- Chapter 2 Managing Group Policy with the GPMC and via PowerShell
  - Common Procedures with the GPMC and PowerShell
  - Raising or Lowering the Precedence of Multiple Group Policy Objects
  - Understanding GPMC’s Link Warning
  - Stopping Group Policy Objects from Applying
  - Block Inheritance
  - The Enforced Function
  - Security Filtering and Delegation with the GPMC
  - Filtering the Scope of Group Policy Objects with Security
  - User Permissions on Group Policy Objects
  - Granting Group Policy Object Creation Rights in the Domain
  - Special Group Policy Operation Delegations
  - Who Can Create and Use WMI Filters?
  - Performing RSoP Calculations with the GPMC
  - What’s-Going-On Calculations with Group Policy Results
  - What-If Calculations with Group Policy Modeling
  - Searching and Commenting Group Policy Objects and Policy Settings
  - Searching for GPO Characteristics
  - Filtering Inside a GPO for Policy Settings
  - Comments for GPOs and Policy Settings
  - Starter GPOs
  - Creating a Starter GPO
  - Editing a Starter GPO
  - Leveraging a Starter GPO
  - Delegating Control of Starter GPOs
  - Wrapping Up and Sending Starter GPOs
  - Should You Use Microsoft’s Pre-created Starter GPOs?
  - Back Up and Restore for Group Policy
  - Backing Up Group Policy Objects
  - Restoring Group Policy Objects
  - Backing Up and Restoring Starter GPOs
  - Backing Up and Restoring WMI Filters
  - Backing Up and Restoring IPsec Filters
  - Migrating Group Policy Objects between Domains
  - Basic Interdomain Copy and Import
  - Copy and Import with Migration Tables
  - GPMC At-a-Glance Icon View
  - Final Thoughts
- Chapter 3 Group Policy Processing Behavior Essentials
  - Group Policy Processing Principles
  - Don’t Get Lost
  - Initial Policy Processing
  - Background Refresh Policy Processing
  - Security Background Refresh Processing
  - Special Case: Moving a User or a Computer Object
  - Windows 8, 8.1, and 10 Group Policy: Subtle Differences
  - Policy Application via Remote Access, Slow Links, and after Hibernation
  - When and How Does Windows Check for Slow Links?
  - What Is Processed over a Slow Network Connection?
  - Always Get Group Policy (Even on the Road, through the Internet)
  - Using Group Policy to Affect Group Policy
  - Affecting the User Settings of Group Policy
  - Affecting the Computer Settings of Group Policy
  - The Missing Group Policy Preferences Policy Settings
  - Final Thoughts
- Chapter 4 Advanced Group Policy Processing
  - Fine-Tuning When and Where Group Policy Applies
  - Using WMI Filters to Filter the Scope of a Group Policy Object (Itself)
  - Using PolicyPak Admin Templates Manager to Filter the Scope of a Group Policy Object’s Contents
  - Group Policy Loopback Processing
  - Reviewing Normal Group Policy Processing
  - Group Policy Loopback—Merge Mode
  - Group Policy Loopback—Replace Mode
  - Loopback without Loopback (Switched Mode with PolicyPak Application Manager and PolicyPak Admin Templates Manager)
  - Group Policy with Cross-Forest Trusts
  - What Happens When Logging onto Different Clients across a Cross-Forest Trust?
  - Disabling Loopback Processing When Using Cross-Forest Trusts
  - Understanding Cross-Forest Trust Permissions
  - Final Thoughts
- Chapter 5 Group Policy Preferences
  - Powers of the Group Policy Preferences
  - Computer Configuration ➢ Preferences
  - User Configuration ➢ Preferences
  - Group Policy Preferences Concepts
  - Preference vs. Policy
  - The Overlap of Group Policy vs. Group Policy Preferences and Associated Issues
  - The Lines and Circles and the CRUD Action Modes
  - Common Tab
  - Group Policy Preferences Tips, Tricks, and Troubleshooting
  - Quick Copy, Drag and Drop, Cut and Paste, and Sharing of Settings
  - Multiple Preference Items at a Level
  - Temporarily Disabling a Single Preference Item or Extension Root
  - Environment Variables
  - Managing Group Policy Preferences: Hiding Extensions from within the Editor
  - Troubleshooting: Reporting, Logging, and Tracing
  - Giving Group Policy Preferences a “Boost” (Using PolicyPak Preferences Manager and PolicyPak Cloud)
  - Using PolicyPak Preferences Manager to Maintain Group Policy Preferences while Offline
  - Using PolicyPak Preferences Manager to Deliver Group Policy Preferences Using “Not Group Policy”
  - Delivering Group Policy Preferences over the Internet Using PolicyPak Cloud (to Domain-Joined and Non–Domain-Joined Machines)
  - Final Thoughts
- Chapter 6 Managing Applications and Settings Using Group Policy
  - Understanding Administrative Templates
  - Administrative Templates: Then and Now
  - Policy vs. Preference
  - Exploring ADM vs. ADMX and ADML Files
  - Looking Back at ADM Files
  - Understanding the Updated GPMC’s ADMX and ADML Files
  - Comparing ADM vs. ADMX Files
  - ADMX and ADML Files: What They Do and the Problems They Solve
  - Problem and Solution 1: Tackling SYSVOL Bloat
  - Problem 2: How Do We Deal with Multiple Languages?
  - Problem 3: How Do We Deal with “Write Overlaps”?
  - Problem 4: How Do We Distribute Updated Definitions to All Our Administrators?
  - The Central Store
  - The Windows ADMX/ADML Central Store
  - Creating and Editing GPOs in a Mixed Environment
  - Scenario 1: Start by Creating and Editing a GPO Using the Older GPMC; Edit Using Another Older GPMC Management Station
  - Scenario 2: Start by Creating and Editing a GPO with the Older GPMC; Edit Using the Updated GPMC
  - Scenario 3: Start by Creating and Editing a GPO Using the Updated GPMC; Edit Using Another Updated GPMC Management Station
  - Scenario 4: Start by Creating and Editing a GPO Using an Updated GPMC Management Station; Edit Using an Older GPMC Management Station
  - Using ADM and ADMX Templates from Other Sources
  - Using ADM Templates with the Updated GPMC
  - Using ADMX Templates from Other Sources
  - ADMX Migrator and ADMX Editor Tools
  - ADMX Migrator
  - ADMX Creation and Editor Tools
  - PolicyPak Application Manager
  - PolicyPak Concepts and Installation
  - Top PolicyPak Application Manager Pak Examples
  - Understanding PolicyPak Superpowers and What Happens When Computers Are Off the Network
  - Final Thoughts
- Chapter 7 Troubleshooting Group Policy
  - Under the Hood of Group Policy
  - Inside Local Group Policy
  - Inside Active Directory Group Policy Objects
  - The Birth, Life, and Death of a GPO
  - How Group Policy Objects Are “Born”
  - How a GPO “Lives”
  - Death of a GPO
  - How Client Systems Get Group Policy Objects
  - The Steps to Group Policy Processing
  - Client-Side Extensions
  - Where Are Administrative Templates Registry Settings Stored?
  - Why Isn’t Group Policy Applying?
  - Reviewing the Basics
  - Advanced Inspection
  - Client-Side Troubleshooting
  - RSoP for Windows Clients
  - Advanced Group Policy Troubleshooting with the Event Viewer Logs
  - Group Policy Processing Performance
  - Final Thoughts
- Chapter 8 Implementing Security with Group Policy
  - The Two Default Group Policy Objects
  - GPOs Linked at the Domain Level
  - Group Policy Objects Linked to the Domain Controllers OU
  - Oops, the “Default Domain Policy” GPO and/or “Default Domain Controllers Policy” GPO Got Screwed Up!
  - The Strange Life of Password Policy
  - What Happens When You Set Password Settings at an OU Level
  - Fine-Grained Password Policy
  - Inside Basic and Advanced Auditing
  - Basic Auditable Events Using Group Policy
  - Auditing File Access
  - Auditing Group Policy Object Changes
  - Advanced Audit Policy Configuration
  - Restricted Groups
  - Strictly Controlling Active Directory Groups
  - Strictly Applying Group Nesting
  - Which Groups Can Go into Which Other Groups via Restricted Groups?
  - Restrict Software Using AppLocker
  - Inside Software Restriction Policies
  - Software Restriction Policies’ “Philosophies”
  - Software Restriction Policies’ Rules
  - Restricting Software Using AppLocker
  - Controlling User Account Control with Group Policy
  - Just Who Will See the UAC Prompts, Anyway?
  - Understanding the Group Policy Controls for UAC
  - UAC Policy Setting Suggestions
  - Wireless (802.3) and Wired Network (802.11) Policies
  - 802.11 Wireless Policy for Windows XP
  - 802.11 Wireless Policy and 802.3 Wired Policy for Modern Windows
  - Configuring Windows Firewall with Group Policy
  - Manipulating the Windows Firewall (the Old Way)
  - Windows Firewall with Advanced Security WFAS
  - IPsec (Now in Windows Firewall with Advanced Security)
  - How Windows Firewall Rules Are Ultimately Calculated
  - Final Thoughts
- Chapter 9 Profiles: Local, Roaming, and Mandatory
  - Setting the Stage for Multiple Clients
  - What Is a User Profile?
  - The NTUSER.DAT File
  - Profile Folders for Type 1 Computers (Windows XP and Windows 2003 Server)
  - Profile Folders for Type 2–5 Computers (Windows Vista and Later)
  - The Default Local User Profile
  - The Default Network User Profile
  - Roaming Profiles
  - Are Roaming Profiles “Evil”? And What Are the Alternatives?
  - Setting Up Roaming Profiles
  - Testing Roaming Profiles
  - Roaming and Nonroaming Folders
  - Managing Roaming Profiles
  - Manipulating Roaming Profiles with Computer Group Policy Settings
  - Manipulating Roaming Profiles with User Group Policy Settings
  - Mandatory Profiles
  - Establishing Mandatory Profiles for Windows XP
  - Establishing Mandatory Profiles for Modern Windows
  - Mandatory Profiles—Finishing Touches
  - Forced Mandatory Profiles (Super-Mandatory)
  - Final Thoughts
- Chapter 10 The Managed Desktop, Part 1: Redirected Folders, Offline Files, and the Synchronization Manager
  - Redirected Folders
  - Available Folders to Redirect
  - Redirected Documents/My Documents
  - Redirecting the Start Menu and the Desktop
  - Redirecting the Application Data Folder
  - Group Policy Setting for Folder Redirection
  - Troubleshooting Redirected Folders
  - Offline Files and Synchronization
  - Making Offline Files Available
  - Inside Windows 10 File Synchronization
  - Handling Conflicts
  - Client Configuration of Offline Files
  - Using Folder Redirection and Offline Files over Slow Links
  - Synchronizing over Slow Links with Redirected My Documents
  - Synchronizing over Slow Links with Regular Shares
  - Teaching Windows 10 How to React to Slow Links
  - Using Group Policy to Configure Offline Files (User and Computer Node)
  - Troubleshooting Sync Center
  - Turning Off Folder Redirection’s Automatic Offline Caching for Desktops
  - Final Thoughts
- Chapter 11 The Managed Desktop, Part 2: Software Deployment via Group Policy
  - Group Policy Software Installation (GPSI) Overview
  - The Windows Installer Service
  - Understanding .MSI Packages
  - Utilizing an Existing .MSI Package
  - Assigning and Publishing Applications
  - Assigning Applications
  - Publishing Applications
  - Rules of Deployment
  - Package-Targeting Strategy
  - Advanced Published or Assigned
  - The General Tab
  - The Deployment Tab
  - The Upgrades Tab
  - The Categories Tab
  - The Modifications Tab
  - The Security Tab
  - Default Group Policy Software Installation Properties
  - The General Tab
  - The Advanced Tab
  - The File Extensions Tab
  - The Categories Tab
  - Removing Applications
  - Users Can Manually Change or Remove Applications
  - Automatically Removing Assigned or Published .MSI Applications
  - Forcibly Removing Assigned or Published .MSI Applications
  - Using Group Policy Software Installation over Slow Links
  - MSI, the Windows Installer, and Group Policy
  - Inside the MSIEXEC Tool
  - Patching a Distribution Point
  - Affecting Windows Installer with Group Policy
  - Deploying Office 2010 and Later Using Group Policy (MSI Version)
  - Steps to Office 2013 and 2016 Deployment Using Group Policy
  - Result of Your Office Deployment Using Group Policy
  - Installing Office Using Click-to-Run
  - Getting Office Click-to-Run
  - Installing Office Click-to-Run by Hand
  - Deploying Office Click-to-Run via Group Policy
  - System Center Configuration Manager vs. Group Policy (and Alternatives)
  - Final Thoughts
- Chapter 12 Finishing Touches with Group Policy: Scripts, Internet Explorer, Hardware Control, Printer Deployment, Local Admin Password Control
  - Scripts: Logon, Logoff, Startup, and Shutdown
  - Non-PowerShell-Based Scripts
  - Deploying PowerShell Scripts to Windows 7 and Later Clients
  - Managing Internet Explorer with Group Policy
  - Managing Internet Explorer with Group Policy Preferences
  - Internet Explorer’s Group Policy Settings
  - Understanding Internet Explorer 11’s Enterprise Mode
  - Managing Internet Explorer 11 Using PolicyPak Application Manager
  - Restricting Access to Hardware via Group Policy
  - Group Policy Preferences Devices Extension
  - Restricting Driver Access with Policy Settings
  - Getting a Handle on Classes and IDs
  - Restricting or Allowing Your Hardware via Group Policy
  - Understanding the Remaining Policy Settings for Hardware Restrictions
  - Assigning Printers via Group Policy
  - Zapping Down Printers to Users and Computers (a Refresher)
  - Implementing Rotating Local Passwords with LAPS
  - What to Install from LAPS
  - Extending the Schema and Setting LAPS Permissions
  - Using a Group Policy Object to Manage LAPS
  - Using LAPS Management’s Tools: Fat Client and PowerShell
  - Final Thoughts for This Chapter and for the Book
- Appendix A Scripting Group Policy Operations with Windows PowerShell
  - Using PowerShell to Do More with Group Policy
  - Preparing for Your PowerShell Experience
  - Getting Started with PowerShell
  - Documenting Your Group Policy World with PowerShell
  - Setting GPO Permissions
  - Manipulating GPOs with PowerShell
  - Performing a Remote GPupdate (Invoking GPupdate)
  - Replacing Microsoft’s GPMC Scripts with PowerShell Equivalents
  - Final Thoughts
- Appendix B Group Policy and VDI
  - Why Is VDI Different?
  - Tuning Your Images for VDI
  - Specific Functions to Turn Off for VDI Machines
  - Group Policy Settings to Set and Avoid for Maximum VDI Performance
  - Group Policy Tweaks for Fast VDI Video
  - Tweaking RDP Using Group Policy for VDI
  - Tweaking RemoteFX using Group Policy for VDI
  - Managing and Locking Down Desktop UI Tweaks
  - Final Thoughts for VDI and Group Policy
- Appendix C Advanced Group Policy Management
  - The Challenge of Group Policy Change Management
  - Architecture and Installation of AGPM
  - AGPM Architecture
  - Installing AGPM
  - What Happens after AGPM Is Installed?
  - GPMC Differences with AGPM Client
  - What’s With All the Access Denied Errors?
  - Does the World Change Right Away?
  - Understanding the AGPM Delegation Model
  - AGPM Delegation Roles
  - AGPM Common Tasks
  - Understanding and Working with AGPM’s Flow
  - Controlling Your Currently Uncontrolled GPOs
  - Creating a GPO and Immediately Controlling It
  - Check Out a GPO
  - Viewing Reports about a Controlled GPO
  - Editing a Checked-Out Offline Copy of a GPO
  - Performing a Check In of a Changed GPO
  - Deploying a GPO into Production
  - Making Additional Changes to a GPO and Labeling a GPO
  - Using History and Differences to Roll Back a GPO
  - Using “Import from Production” to Catch Up a GPO
  - Uncontrolling, Restoring, and Destroying a GPO
  - Searching for GPOs Using the Search Box
  - AGPM Tasks with Multiple Admins
  - E-mail Preparations and Configurations for AGPM Requests
  - Adding Someone to the AGPM System
  - Requesting the Creation of New Controlled GPO
  - Approving or Rejecting a Pending Request
  - Editing the GPO Offline via Check Out/Check In
  - Requesting Deployment of the GPO
  - Analyzing a GPO (as a Reviewer)
  - Advanced Configuration and Troubleshooting of AGPM
  - Production Delegation
  - Auto-Deleting Old GPO Versions
  - Export and Import of Controlled GPOs between Forests and/or Domains
  - Troubleshooting AGPM Permissions
  - Leveraging AGPM Templates
  - Changing Permissions on GPO Archives
  - Backing Up, Restoring, and Moving the AGPM Server
  - Changing the Port That AGPM Uses
  - Events from AGPM
  - Leveraging the Built-in AGPM ADMX Template
  - Final Thoughts
- Appendix D Security Compliance Manager
  - SCM: Installation
  - SCM: Getting Around
  - SCM: Usual Use Case
  - Importing Existing GPOs
  - Comparing and Merging Baselines
  - LocalGPO Tool
  - Installing SCM’s LocalGPO Tool
  - Using SCM’s LocalGPO
  - Final Thoughts on LocalGPO and SCM
- Appendix E Microsoft Intune and PolicyPak Cloud
  - Microsoft Intune
  - Getting Started with Microsoft Intune
  - Using Microsoft Intune
  - Setting Up Microsoft Intune Groups
  - Setting Up Policies Using Microsoft Intune
  - Microsoft Intune and Group Policy Conflicts
  - Final Thoughts on Microsoft Intune
  - PolicyPak Cloud
  - PolicyPak Cloud 101
  - Understanding PolicyPak Cloud Policies
  - Creating and Using PolicyPak Cloud Groups
  - Joining PolicyPak Cloud
  - Final Thoughts on PolicyPak Cloud
  - Final Thoughts on Microsoft Intune and PolicyPak Cloud
- Index