Folder redirection can be thought of as a companion to roaming profiles. By specifying an alternate location for these folders on a network share, the user has access to these folders no matter which computer he or she uses to log on. Of the four folders that can be redirected (Application Data, Desktop, My Documents, and Start Menu), setting the My Documents folder for redirection is probably the most advantageous. Not only will the user have his or her data available at any computer, but storing this data on the server allows the data to be easily backed up to tape or other offline storage media. As an administrator, you can also set quotas on server storage, helping to keep the size of the My Documents folder in check. You can also take advantage of the offline folders feature of Windows 2000 and Windows XP to keep the data available to users when they are not on the network.

When setting up folder redirection, you should allow the system to create the folders in the location where the data will be directed. A number of permissions must be set correctly to maintain security on the redirected folders (each user's folder should be accessible to that user and the system only, and no user should be able to browse another user's folder), and your best bet is to let the system handle this part of the process.

Folder redirection settings are located in the User Configuration area of the GPO under Windows Settings. To enable redirection of one of the four folders, follow these steps:

1. Right-click the folder name and select Properties.

2. In the Target tab of the window, you can select the setting to use for redirection, as shown in Figure 17.18. You can select between two options for the location of the redirected folder. The basic option redirects the folder to the same folder path for all users.
For the Application Data and Desktop folders, there are three options for the folder location:

■ Creating a directory for each user in the path specified
■ Redirecting all users to the same location
■ Pointing the folder to the local user profile location

Chapter 17 • Working with Group Policy in an Active Directory Environment

Figure 17.18 Selecting Options for Redirecting My Documents

If you choose to point the folder to the path in the user profile, the folder will point to the default location as if no redirection had been applied. Redirecting the folder to a specific location will create that location either on the network or on a local path, and all users who have this policy applied will point to the same folder. For the Start Menu and Desktop folders, this might be a beneficial setting, as you can centrally control the appearance and contents of those folders in one location, but you need to be aware of the security settings on the folder: every user who receives the policy must be able to read it, and any user who can write to it can change what appears on everyone else's desktop or Start menu, so grant write access only to the administrators who maintain it.

The primary choice for this setting will probably be to create a folder for each user in a location specified, as shown in Figure 17.19. As you can see, when the root path is specified, the dialog box gives you an example of what the folder path will be.

The Start Menu and My Documents folders have slightly different options for redirection. When redirecting the Start Menu, you do not have the option of specifying a unique path for each individual user. Whether setting up basic or advanced redirection of the Start Menu, you can only specify one common location for all users or redirect the folder back to the local user profile. The Start Menu options are simpler than the Application Data and Desktop folder settings, but the My Documents options are more complex.
When redirecting the My Documents folder, there are four location options for storing the folder. As with the Application Data and Desktop folders, you can store the My Documents folder in the local user profile, a common directory for all users, or have the system create a folder for each user in a common location. There is a fourth option, however, for My Documents. That option allows you to redirect the My Documents folder to the user's home folder on the network. This option will not create a My Documents folder in the user's home folder. It will simply point the My Documents folder to the user's home directory on the network.

There are a few items you should pay attention to if you consider implementing this option. First, you must have implemented the home folder settings for all users, and you must have created those folders prior to implementing this option. Second, the security settings on the home folder are neither checked nor changed by the folder redirection policy, so whatever permissions the home folder already carries are what the redirected data gets; review them before you turn this on. Finally, you have the choice of including the My Pictures folder with the redirected My Documents folder, or having the My Pictures folder stored in a different location. This might be advisable if server disk storage is a concern. If you choose this option, the My Pictures item in the My Documents folder will be a shortcut pointing to the correct location for the actual folder.

Figure 17.19 Setting the Folder Location for Redirection

The advanced option allows you to select the folder location based on security group. This is one way to specify a different target location for the folder for different groups of users. You can set multiple security groups to have different target locations within a single GPO in the domain.
Another way to accomplish this, especially if you only have a small set of users whose folders should be redirected, is to set folder redirection GPOs at other locations within the directory and filter access to those GPOs based on security. When selecting the advanced redirection option, you can add the individual security groups for redirection, and have the same choices for folder location as with the basic option. Setting advanced folder redirection is functionally equivalent to setting up multiple GPOs with basic redirection settings and security filtering. The difference is that there is only one GPO to manage instead of several.

Configuring User and Computer Security Settings

When browsing through the Group Policy Object Editor, you might have noticed that there are security settings for both the user configuration and computer configuration. Some of these settings are the same for both configurations, such as the Autoenrollment Settings for certificates discussed earlier. There are many differences between the two options, however, and we cover some of those differences in this section.

Computer Configuration

With these security settings, you can provide additional control and management over the computers to which the policy applies. The settings contained in this area can govern how users authenticate to computers and other resources on the network, can provide additional permissions or restrictions for resources on those computers, can control audit settings, and can enforce the membership of local groups. The settings in this area of group policy are primarily used to specify alternate settings for specific computers on the network. Table 17.2 lists the main option groups under Security Settings in the Computer Configuration in the Group Policy Object Editor, along with a description of the security setting.
Table 17.2 Security Settings for Computer Configuration

Security Setting Collection     Description
Account Policies                Contains setting groups for password policy settings, account lockout settings, and Kerberos policy settings. For domain accounts, only the account policy settings in GPOs linked at the domain level take effect.
Local Policies                  Contains setting groups for auditing policy settings, user rights assignment settings, and security options settings.
Event Log                       Contains settings for the application, system, and security event logs (maximum size, retention, and who may read them).
Restricted Groups               Lets you enforce the membership of security-sensitive groups, such as the local Administrators group; accounts not listed in the policy are removed when the policy is applied.
System Services                 Contains settings for controlling startup mode and permissions for system services.
Registry                        Contains Registry keys and the permissions to apply to them.
File System                     Contains files or folders and the permissions to apply to them.
Wireless Network Policies       Contains policies governing specific wireless network connections.
Public Key Policies             Contains setting groups for Encrypting File System policy settings, Automatic Certificate Request settings, Trusted Root Certification Authorities settings, and Enterprise Trust settings.
Software Restriction Policies   Contains rules that identify, once a policy has been created, which software is allowed or disallowed to run on the computer.

User Configuration

There are fewer options for configuring security settings in the User Configuration area of group policy. The two groups of policies in this area are listed in Table 17.3.

Table 17.3 Security Settings for User Configuration

Security Setting Collection     Description
Public Key Policies             Contains settings for certificate autoenrollment and Enterprise Trust.
Software Restriction Policies   Contains settings that identify, through various means, applications that are authorized to run on a system.
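The exercise that follows points My Documents at \\CORPADFP1\Home and lets each client create its user's folder. Earlier the chapter advised leaving folder creation to the system because the permissions must be right; what you do have to get right yourself is the root. The following PowerShell is an added example, not from the book: it creates the root with the NTFS permissions Microsoft recommends for a folder redirection share, creates the share, and provides a check for a user folder after the client has created it. The local path D:\Home, the share name Home, the group CORP\Information Technology, and the user CORP\jdoe are assumptions for this demo; the share cmdlets require Windows Server 2012 or later.

```powershell
# Added example (not from the book): prepare a folder redirection root on the file
# server. $Root, $ShareName, $UserGroup and the sample user are assumptions.

$Root      = 'D:\Home'                        # local folder behind \\CORPADFP1\Home (assumed)
$ShareName = 'Home'
$UserGroup = 'CORP\Information Technology'    # group whose My Documents is redirected (assumed)

function New-RedirectionRoot {
    param([string]$Path, [string]$Group)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    $acl = Get-Acl -Path $Path
    # Break inheritance from the parent: the inherited "Users: Read" ACE found on most
    # volumes would let every user list every other user's folder name.
    $acl.SetAccessRuleProtection($true, $false)

    # identity, rights, inheritance flags, propagation flags
    $entries = @(
        @('NT AUTHORITY\SYSTEM',    'FullControl',          'ContainerInherit, ObjectInherit', 'None'),        # this folder, subfolders and files
        @('BUILTIN\Administrators', 'FullControl',          'ContainerInherit, ObjectInherit', 'None'),        # manage the root; does not reach folders created with exclusive rights
        @('CREATOR OWNER',          'FullControl',          'ContainerInherit, ObjectInherit', 'InheritOnly'), # subfolders and files only: each user owns what the client creates
        @($Group,                   'ReadData, AppendData', 'None',                            'None')         # this folder only: list the root and create own folder
    )
    foreach ($e in $entries) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($e[0], $e[1], $e[2], $e[3], 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function New-RedirectionShare {
    # Share permissions: no Everyone entry, Full Control for the group and Administrators,
    # offline caching of documents enabled (the offline folders feature mentioned earlier).
    # On Windows Server 2003 set the same thing by hand in the folder's Sharing tab.
    param([string]$Path, [string]$Name, [string]$Group)
    if (-not (Get-Command New-SmbShare -ErrorAction SilentlyContinue)) {
        Write-Warning 'New-SmbShare is not available on this host; set the share permissions by hand.'
        return
    }
    New-SmbShare -Name $Name -Path $Path -FullAccess $Group, 'BUILTIN\Administrators' `
        -FolderEnumerationMode AccessBased -CachingMode Documents | Out-Null
}

function Test-ExclusiveUserFolder {
    # With "Grant the user exclusive rights to My Documents" enabled, the client creates the
    # user's folder with inheritance blocked, owned by the user, with ACEs for the user and
    # SYSTEM only. Returns $true when a folder still looks like that; warns about any other ACE.
    param([string]$Path, [string]$User)
    $acl = Get-Acl -Path $Path
    $expected = @($User, 'NT AUTHORITY\SYSTEM')
    $unexpected = @($acl.Access | Where-Object { $expected -notcontains $_.IdentityReference.Value })
    foreach ($ace in $unexpected) {
        Write-Warning ('{0}: unexpected ACE for {1} ({2})' -f $Path, $ace.IdentityReference, $ace.FileSystemRights)
    }
    return ($acl.AreAccessRulesProtected -and $unexpected.Count -eq 0 -and $acl.Owner -eq $User)
}

New-RedirectionRoot  -Path $Root -Group $UserGroup
New-RedirectionShare -Path $Root -Name $ShareName -Group $UserGroup
(Get-Acl -Path $Root).Access | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize

# After a member of the group has logged on and the client has created the folder:
# Test-ExclusiveUserFolder -Path "$Root\jdoe\My Documents" -User 'CORP\jdoe'
```

The group gets only List Folder and Create Folders on the root itself, which is all the client needs to create the user's folder; CREATOR OWNER turns into Full Control for the user on the folder the client creates. Run Test-ExclusiveUserFolder against a few user folders after the first logons and whenever you suspect someone has been granted access by hand.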
Redirect the My Documents Folder

In this example, we walk through the process of redirecting the My Documents folder for a specific group of users in the directory. We will take the Information Technology group and redirect their folders to a shared location on the network, and use advanced redirection to limit folder redirection only to members of that group. We will have the system create a folder for each user under a common root, using the network's home directory share as that root.

1. Open Active Directory Users and Computers.
2. Right-click the domain container and select Properties.
3. Click the Group Policy tab and click New.
4. Name the policy Folder Redirection Policy and click Edit.
5. Under User Configuration, expand Windows Settings.
6. Expand Folder Redirection.
7. Right-click My Documents and select Properties.
8. In the Setting drop-down menu, select Advanced – Specify locations for various user groups.
9. In the Security Group Membership pane, click Add.
10. In the Security Group Membership pane, enter the name of the security group, or click Browse and find the group in the directory. This example uses the Information Technology group.
11. In the Target Folder Location pane, select Create a folder for each user under the root path from the drop-down menu.
12. Enter the UNC path to the desired folder in the Root Path field, or click Browse to find the desired path. This example uses the path \\CORPADFP1\Home for the root path.
13. Click OK.
14. The My Documents Properties window should now appear as shown in Figure 17.20. Click the Settings tab.
15. Make sure the check boxes for Grant the user exclusive rights to My Documents and Move the contents of My Documents to the new location are enabled.
16. Click the Redirect the folder back to the local user profile location when policy is removed option button.
17.
The Settings tab should appear as shown in Figure 17.21. Click OK.

Figure 17.20 Viewing the Redirection Settings for My Documents

Now when members of the Information Technology group log on, their My Documents folders will be created in the network share, and the data from their existing folders will be moved into the new folders. Because Grant the user exclusive rights is enabled, each new folder is created with permissions for that user and the local system only; administrators who need to look inside a user's folder must take ownership of it first, which changes the owner recorded on the folder. Back up the share with an account in the Backup Operators group, which reads the data through its backup privilege, rather than by granting administrators access to the folders.

Using Software Restriction Policies

One of the relatively new challenges facing system administrators today is the significant increase of malicious code. Not only are more and more individuals writing malicious code, such as viruses, but with the ever-increasing use of e-mail and the Internet, these programs are being spread faster and faster. Some organizations are struggling with the proliferation of other programs, not specifically malicious in nature, but productivity killers nonetheless. Or users might download and install programs that cause conflicts with existing programs, generating additional support calls to your help desk.

Making use of software restriction policies will allow you to place controls on "untrusted" code within your organization. Through a combination of rules, you can identify specific applications or types of applications that are either allowed to run or prevented from running. These rules are powerful and complex, but by themselves cannot provide full protection against malicious code. Use of software restriction policies will augment the protections you might already have in place, but you should not plan to rely solely on these policies to completely protect your environment.

Setting Up Software Restriction Policies

The settings for Software Restriction are located in the Security Settings area of Group Policy. You will have to create software restriction policies before you can make changes, as no policies exist in a new GPO by default: right-click the Software Restriction Policies node and select New Software Restriction Policies.
When software restriction policies have been created, you will find a number of settings in the area. The Enforcement policy determines if the software policies will apply to all files or exclude library (.dll) files. This policy also identifies whether the policies apply to all users of the system or just to non-administrators. If you want to exclude administrators from software restriction policies, this is where you would set that option. Be aware of what each exclusion costs: skipping library files reduces checking overhead but leaves the DLLs a disallowed program depends on unchecked, and excluding local administrators means anyone who obtains local administrator rights is no longer bound by the rules.

Figure 17.21 Configuring the Settings for My Documents Folder Redirection

Another policy you will find here is the Designated file types policy. You can specify which file types, based on file extension, to which software restriction policies should apply. You can add additional file types by adding the file extension to the list in this policy window. A file whose extension is not on this list is never checked, so keep the list current as new script and installer formats appear on your network.

The third policy you will find here is the Trusted Publishers policy. In this policy setting, you can specify which users (end users, local computer administrators, or enterprise administrators) are allowed to enable trust for software publishers, and whether the publisher's and the time stamp's certificates are checked for revocation.

The other area located here is the Additional Rules folder, where the specific rules you will create for your system will be located.

Software Policy Rules

There are four types of rules that you can use to identify applications to which policy should apply: the hash rule, certificate rule, path rule, and Internet zone rule. Each rule type offers a different way to identify the files to which a security level should apply. Within the rule, you set the security level for the matching file or files to either Disallowed or Unrestricted. A Disallowed setting in a rule will prevent the user from running the file or files. An Unrestricted setting will allow the user to run the file or files, subject to the user's normal access rights.
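The four rule types and the precedence rules laid out in the subsections that follow are easier to reason about with a model in hand. The following PowerShell is an added example, not code from the book or from Windows: it implements the matching and precedence rules described below (rule type order, path specificity order, and Disallowed winning an otherwise equal match) over a rule set you construct, so you can predict which rule will decide a given file before you touch the GPO. The sample files, the rule set, and the folder under $env:TEMP are constructed for the demo; the Publisher and Zone parameters stand in for what the real engine reads from a signed file or a downloaded package.

```powershell
# Added example (not from the book): a resolver that applies the SRP precedence
# rules described in this section to a constructed rule set and constructed files.

function Get-SrpFileHash {
    # A hash rule hashes the file's contents (MD5 or SHA-1); name, location and
    # timestamps are not part of it, so a renamed or back-dated copy still matches.
    param([string]$Path, [string]$Algorithm = 'SHA1')
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $hasher.ComputeHash($stream) }
    finally { $stream.Dispose() }
    return (($bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

function Get-SrpPathSpecificity {
    # Higher is more specific, following the book's list:
    # exact file > Folder\*.ext > *.ext > folder (a deeper folder beats a shallower one).
    param([string]$Pattern)
    $p = $Pattern.TrimEnd('\')
    $wild = $p.Contains('*') -or $p.Contains('?')
    if (-not $p.Contains('\'))              { return 200 }   # *.extension
    if ($wild)                              { return 300 }   # Drive:\Folder\*.extension
    if ([System.IO.Path]::HasExtension($p)) { return 400 }   # Drive:\Folder\filename.extension
    return 100 + $p.Split('\').Count                         # Drive:\Folder1\Folder2\
}

function Test-SrpPathMatch {
    param([string]$FilePath, [string]$Pattern)
    $p = [Environment]::ExpandEnvironmentVariables($Pattern)
    if ($p.Contains('*') -or $p.Contains('?')) {
        # "*.ext" is matched against the file name, "C:\Dir\*.ext" against the full path.
        $target = if ($p.Contains('\')) { $FilePath } else { [System.IO.Path]::GetFileName($FilePath) }
        return ($target -like $p)
    }
    if ($FilePath -eq $p) { return $true }          # rule names this exact file
    $folder = $p.TrimEnd('\') + '\'                 # folder rule covers everything beneath it
    return $FilePath.StartsWith($folder, [StringComparison]::OrdinalIgnoreCase)
}

function Resolve-SrpLevel {
    param(
        [string]$FilePath, [object[]]$Rules,
        [string]$DefaultLevel = 'Unrestricted', [string]$Publisher = '', [string]$Zone = ''
    )
    $ext  = [System.IO.Path]::GetExtension($FilePath).ToLower()
    $hash = Get-SrpFileHash -Path $FilePath
    $typeRank = @{ Hash = 4; Certificate = 3; Path = 2; Zone = 1 }   # rule-type precedence
    $hits = foreach ($r in $Rules) {
        $hit = $false
        if     ($r.Type -eq 'Hash')        { $hit = ($r.Hash -eq $hash) }
        elseif ($r.Type -eq 'Certificate') { $hit = ($Publisher -ne '') -and ($r.Publisher -eq $Publisher) -and ($ext -notin '.exe', '.dll') }  # not .exe/.dll by default
        elseif ($r.Type -eq 'Path')        { $hit = Test-SrpPathMatch -FilePath $FilePath -Pattern $r.Path }
        elseif ($r.Type -eq 'Zone')        { $hit = ($ext -eq '.msi') -and ($r.Zone -eq $Zone) }   # Windows Installer packages only
        if (-not $hit) { continue }
        $pathRank = 0
        if ($r.Type -eq 'Path') { $pathRank = Get-SrpPathSpecificity -Pattern $r.Path }
        [pscustomobject]@{
            Rule      = $r
            TypeRank  = $typeRank[$r.Type]
            PathRank  = $pathRank
            LevelRank = [int]($r.Level -eq 'Disallowed')   # on an otherwise equal match, Disallowed wins
        }
    }
    if (-not $hits) { return [pscustomobject]@{ Level = $DefaultLevel; DecidedBy = 'default security level' } }
    $winner = $hits | Sort-Object TypeRank, PathRank, LevelRank -Descending | Select-Object -First 1
    [pscustomobject]@{ Level = $winner.Rule.Level; DecidedBy = "$($winner.Rule.Type) rule '$($winner.Rule.Description)'" }
}

# --- constructed demo: two copies of the same bytes, one renamed and back-dated ---
$demo = Join-Path $env:TEMP 'srp-demo'
New-Item -ItemType Directory -Path "$demo\Tools" -Force | Out-Null
$tool = "$demo\Tools\putty.exe"
$copy = "$demo\renamed.bin"
Set-Content -Path $tool -Value 'constructed stand-in for an executable'
Copy-Item -Path $tool -Destination $copy -Force
(Get-Item $copy).LastWriteTime = (Get-Date).AddYears(-1)
Set-Content -Path "$demo\other.bin" -Value 'different contents'

$rules = @(
    @{ Type = 'Path'; Path = "$demo\Tools"; Level = 'Disallowed';   Description = 'block the Tools folder' },
    @{ Type = 'Path'; Path = $tool;         Level = 'Unrestricted'; Description = 'allow this one file' },
    @{ Type = 'Path'; Path = '*.bin';       Level = 'Unrestricted'; Description = 'allow *.bin' },
    @{ Type = 'Path'; Path = '*.bin';       Level = 'Disallowed';   Description = 'block *.bin' },
    @{ Type = 'Hash'; Hash = (Get-SrpFileHash -Path $tool); Level = 'Disallowed'; Description = 'hash of putty.exe' }
)

Resolve-SrpLevel -FilePath $tool -Rules $rules                                           # hash rule vs. exact-file path rule
Resolve-SrpLevel -FilePath $copy -Rules $rules                                           # same bytes under a new name and date
Resolve-SrpLevel -FilePath $tool -Rules ($rules | Where-Object { $_.Type -ne 'Hash' })   # exact-file path rule vs. folder rule
Resolve-SrpLevel -FilePath "$demo\other.bin" -Rules $rules                               # two equal *.bin rules, one Disallowed
```

The first two calls are decided by the hash rule, the renamed and back-dated copy included, because a hash rule outranks any path rule and looks only at contents. With the hash rule removed, the exact-file path rule outranks the folder rule that contains it. For other.bin the two *.bin rules are equal in every respect except level, and Disallowed wins. Change a single byte in putty.exe and the hash rule no longer matches, which is why hash rules need maintenance every time the software is patched.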
Hash Rule

When you create a hash rule, you identify a specific file to which you want the rule to apply, and the system computes a cryptographic hash (MD5 or SHA-1) of the file's contents and records it in the rule along with the file's size. The file's name, location, and timestamps play no part, so a renamed or moved copy is still caught, while any change to the contents (a patched version, for instance) produces a different hash and escapes the rule. After the policy is in place, the system hashes each file accessed, and if the hash matches the hash in the rule, the rule is applied.

Certificate Rule

When you create a certificate rule, you identify a set of files that are signed by a specific certificate. In creating the rule, you select the specific certificate for the rule. When the system processes a file request, it will check the signature on the file for a match against the certificate in the rule, and will process the rule if there is a match. By default, certificate rules do not apply to .exe and .dll files, but will apply to all other file types listed in the Designated File Types policy. Enforcing them on executables requires enabling the Security Options setting System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies, which adds certificate chain and revocation checks to every program launch.

Path Rule

When you create a path rule, you identify a file or set of files based on their location on disk. The path can identify the path to a folder, a specific file, or a set of files based on a wildcard. When the system processes a file request when path rules are in place, it will compare the file requested to the path rules, and process the rule if there is a match. A path rule is only as strong as the permissions on the path: if users can write to a folder covered by an Unrestricted path rule, they can place any program there and run it.

Internet Zone Rule

When you create an Internet zone rule, you specify settings based on the Internet zones identified in Internet Explorer: Internet, Local Computer, Local Intranet, Restricted Sites, and Trusted Sites. Internet zone rules only apply to Windows Installer packages (.msi). If a user downloads an installer package from a site in one of the zones, the zone settings will determine if the user will be able to execute the installer.

Precedence of Policies

Since several rules can be applied to the same program, there is an established order of precedence that is applied.
A rule based on a higher precedence will override a conflicting rule applied with a lower precedence.

1. Hash rule
2. Certificate rule
3. Path rule
4. Internet zone rule

Based on this order, if a program is unrestricted based on a hash rule but disallowed based on a path rule, the program will run, as the hash rule has precedence over the path rule.

For path rules, there is an additional order of precedence based on the path specified. If there are conflicting path rules, the more specific path rule will apply. The following list identifies the precedence of paths from most specific to least specific.

1. Drive:\Folder1\Folder2\filename.extension
2. Drive:\Folder1\Folder2\*.extension
3. *.extension
4. Drive:\Folder1\Folder2\
5. Drive:\Folder1\

When identical rules are applied, such as two path rules naming the same path, the more restrictive rule applies. For example, if a program is set to Disallowed in one path rule and set to Unrestricted in an otherwise identical path rule, access to the program will be denied, as Disallowed is the more restrictive setting.

Best Practices

The following items include some of the recommendations for implementing software restriction policies.

■ Test, test, test  Never implement software restrictions without testing, especially when applying a Disallowed setting. Placing restrictions on certain types of files can negatively impact the operation of your computer and/or the network environment.
■ Couple software restriction policies with access control restrictions  Using access control in conjunction with software restriction makes a more complete restriction solution; in particular, users should not be able to write to any location that an Unrestricted path rule covers.
■ Use anti-virus software  Software restriction policies are not a sufficient substitute for a solid anti-virus package. The tools used in conjunction can increase the security of the system, but do not plan on using software restriction in place of anti-virus tools.
■ Use Disallowed as the default with great caution  If you take the approach of using Disallowed as the default and identifying specific applications to allow, be sure you test the system thoroughly. Some applications can launch other applications in the normal course of operation, and those helpers need rules of their own. As stated in the first item, test your implementation thoroughly before unleashing it on an unsuspecting audience.

Applying Group Policy Best Practices

If you have been reading straight through this chapter, you've seen that there are a vast number of ways that group policy can be implemented in an Active Directory environment. How should you approach a group policy implementation in your environment? This section covers some of the best practices related to implementing group policy.

■ The fewer, the better  Keep the number of policies defined as small as possible. Since each user policy the user encounters must be processed at logon, you can keep user logon delays to a minimum by reducing the number of user policies. In addition, a smaller number of policy objects means fewer places for you to look for problems or conflicts when troubleshooting group policy issues. Computer policies are processed at boot time, so reducing the number of these will speed the boot process of the computer.
■ Avoid conflicting policies whenever possible  Although you can set up a lower-level policy to override a higher-level one, you should avoid doing this unless necessary. Again, simplicity should be the rule.
■ Filter out unnecessary settings  If you set up a policy object that only contains user policy settings, set the properties on the object so that only the user configuration portion is processed. This will help cut down on unnecessary processing time.
■ Avoid nonstandard group policy processing whenever possible  Even though you can use Block Policy Inheritance, No Override, and loopback processing options, you should only do so for special cases. Because each of these options alters the standard way in which policy is applied, they can cause confusion when attempting to troubleshoot policy problems.
■ Keep policy objects contained within the domain  It is possible to link a container to a GPO that resides in another domain, but it is unwise to do so. Pulling a GPO from a different domain slows the processing of policy settings at logon time.
■ Use WMI filters sparingly  This suggestion relates to processing time. The more WMI filters there are to process, the longer it takes to apply policy at logon.
■ Keep policy object names unique  If you name each policy object to describe its function, this should not be a difficult practice to adopt. Even though the directory can support multiple GPOs with the same name, it could get very, very confusing for you when trying to troubleshoot a policy problem.
■ Link policies to a container only once  You can link the same GPO to a container more than once, but you shouldn't. The system will attempt to process each policy linked to a container, and even if there are different options set on each instance of the policy link, it can still yield unexpected results.

Troubleshooting Group Policy

Even the most experienced system administrator is going to encounter times when he or she has misapplied policy or inadvertently created a policy conflict where it was not expected. Fear not, however, because our good friend Resultant Set of Policy and its sidekick, gpresult.exe, can help us out of these jams. Along with a few guidelines, these tools can help you resolve even the stickiest policy problems.

The first step in troubleshooting policy problems is mapping.
Ideally, when you first start developing a plan for group policy, you will map out policy settings as they apply to your Active Directory environment. Not only will a policy map help you to understand how policy settings will impact the network during planning, but an up-to-date map can help you know where to go looking for problems when they occur. If you do not have a policy map, you should draw one up before you get too far into your troubleshooting process. It might take some extra time up front, but it can save you time and headaches later.

Figure 17.22 shows a sample policy map drawn up based on information used in the examples in this chapter. The diagram was created in Visio, but you can use any diagramming tool (including a pencil and paper) that will help you understand the layout of your policy settings. In the diagram, solid lines indicate a logical connection of Active Directory containers, specifically a domain and its associated OUs. The dashed lines indicate links between containers and GPOs. The policy object is located on the level where it is defined. In Figure 17.22, the Manager Tools policy was created at the domain level, but because the policy was disabled at that level, it is not linked in the diagram.

Let's walk through a couple of quick scenarios. A user whose user object is in the Marketing container will have group policy applied in the following order upon logon: Local Computer policy, Default Domain policy, Folder Redirection policy, and Marketing policy.

Figure 17.22 Viewing a Sample Policy Map (diagram; labels: Corporate domain with Default Domain Policy and Folder Redirection Policy; OUs Accounting, IT, Marketing, and Sales, with Marketing Policy; OUs Accounting Managers, IT Managers, Marketing Managers, and Sales Managers, with Manager Tools Policy and IT Manager Policy)