Group Policy Fundamentals, Security, and the Managed Desktop
Third Edition

Jeremy Moskowitz

Senior Acquisitions Editor: Kenyon Brown
Development Editor: Sara Barry
Technical Editor: Alan Burchill
Production Editor: Elizabeth Campbell
Copy Editor: Judy Flynn
Editorial Manager: Mary Beth Wakefield
Production Manager: Kathleen Wisor
Associate Publisher: Jim Minatel
Book Designers: Judy Fung and Bill Gibson
Compositors: Craig Woods and Kate Kaminski, Happenstance Type-O-Rama
Proofreaders: Jenn Bennett, Jen Larsen Word One New York
Indexer: Johnna VanHoose Dinse
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: © Mehmet Hilmi Barcin / iStockPhoto

Copyright © 2015 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-03558-9
ISBN: 9781119035671 (ebk)
ISBN: 9781119035688 (ebk)

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2015946972

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

For L, A, M, J, B, E, J, and E as we journey through life together —Jeremy

Acknowledgments

I want to thank Alan Burchill for the second time in taking on the not-so-glamorous job of technical editor. I’m really glad to have you on my team, helping me clean up the little messes I made during the writing process and taking on a heavy responsibility. Note: If there are still any technical problems with the book, blame me, not him. Alan was awesome.

I want to thank Sara Barry for taking my initial chapters and kneading them from a wad of dough into tasty pizza. And to Elizabeth Campbell, who has worked with me through every major project to completion for almost 15 years now. We joke that she’s “been making Jeremy sound like Jeremy since 2001.” And it’s mostly true. Thank you.

Special thanks to my Sybex and Wiley compatriots: Ken Brown, Mariann Barsolo, Jim Minatel, Mary Beth Wakefield, and everyone else on the Sybex/Wiley team. Once again, your dedication to my book’s success means so much to me. You take everything I create and deal with it so personally, and I really know that. Thank you, very sincerely.

Thanks to Jeff Hicks, PowerShell MVP, who helped me write Appendix A on Group Policy and PowerShell. Jeff, you did a smashing job as usual. Thank you.

Thank you to Microsoft Group Policy team and the Group Policy MVPs who support me directly and indirectly, and help me out whenever they can.

Thank you, Mark Minasi, for being a trusted friend and a great inspiration to me personally and professionally.

A special thanks to my GPanswers.com and PolicyPak Team: You are awesome and it’s great to work with you every day.

Finally, I want to thank you. If you’re holding this book, there’s a good chance you’ve owned a previous edition, or multiple previous editions. Thank you for your trust, and for purchasing and repurchasing each edition of this book I work so hard to bring you each time. When I meet you, the reader of this book, in person, it makes the hours and hours spent on a project like this vaporize away to a distant memory. Thank you for buying the book, for joining me at my live events and at GPAnswers.com, and for using my PolicyPak software. You all make me the best “me” I can be. Thanks.

About the Author

Jeremy Moskowitz, Group Policy MVP, is the founder of GPanswers.com and PolicyPak Software (PolicyPak.com). He is a nationally recognized authority on Windows Server, Active Directory, Group Policy, and Windows management. He is one of fewer than a dozen Microsoft MVPs in Group Policy. His GPanswers.com is ranked by Computerworld as a “Top 20 Resource for Microsoft IT Professionals.” Jeremy is a sought-after speaker and trainer at many industry conferences and, in his training workshops, helps thousands of administrators every year do more with Group Policy. Contact Jeremy by visiting www.GPanswers.com or www.PolicyPak.com.

containers, 49 Control Panel node (GPPrefs) Computer configuration, 263 Data Sources extension, 264 Devices extension, 264 Folder Options extension, 264–265 Local Users and Groups extension, 265–266 Network Options extension, 266 Power Options extension, 267 Printers extension, 267–268 Schedule Tasks extension, 268 Services extension, 269 User configuration Folder Options extension, 271 Internet Settings extension, 272–274 Printers extension, 274 Regional Options extension, 275 Start menu extension, 275–278 copy/paste, 314 cPassword, 254–258 creation rights, 104–105 cross-forest trusts, 242–243 loopback processing disable, 245 multiple clients, 243–244 permissions, 245–246 CRUD method, 300–301 GPPrefs, 293–294 CSEs (Client-Side Extensions), 249, 253 core processing, 419–420 preferences, 424–426 software vendors, 420 values, 426–427 Windows 7, 423 Windows 8, 424 Windows Server 2008, 422–423 Windows Server
2008 R2, 423 Windows Server 2012 and later, 424 Windows Vista, 422–423 Windows XP, 420–422 D DC (Domain Controller), Windows Server as, 4–6 DC01, Default Domain Controllers Policy, 467 Default Domain Policy GPO, 467 modifying directly, 469 default GPOs, 466–467 Default Local User Profile, 591–594 Default Network User Profile, 594–599 desktop See managed desktop redirecting, 666–667 Device Installation Restrictions, 286–288 DeviceGuard, 500–501 versus AppLocker, 511 DFS (distributed file system), DirectAccess See Unified Remote Access disk quotas, 196 DLLs (Dynamic Link Libraries), 249–250 Documents folder, Redirected Folders advanced, 657–661 Settings tab, 651–657 Target tab, 649–651 testing, 661–665 domain-based Group Policy Objects, drag and drop, migrating GPOs, 161 drive maps, 196 DSRM (Directory Services Restore Mode), E Enforced function, 87–90 troubleshooting, 431 en-US, 343 environment variables, GPPrefs, 318–320 event logging, GPPrefs and, 324–325 exporting, XML, GPPrefs, 315–316 F FGPP (Fine-Grained Password Policy), 477–478 PSO, 479–481 filtering, 121–122 Administrative Templates, 122–126 All Settings node, 130 GPPs, 315–316 filters GPOs, scope, 91–92 IPsec, backup and restore, 154 keyword filters, 123–124 options, 128–129 PolicyPak Admin Templates, 230–231 re-applying, 129 requirements, 125–126 results, 127–128 scope, WMI filters, 224–230 settings displayed, 124–125 WMI backup and restore, 153 creating, 227–228 creation rights, 107–108 delegating, 108–109 documentation, 225 performance and, 228–230 scope, 224–230 syntax, 226–227 using, 228 Filters node, 125–127 firewalls, 466 See also Windows firewall Flexera AdminStudio, 731 folders Computers, 49–50 Redirected Folders, 644–645 Documents folder, 645–665 settings, 401–406 user profiles AppData, 588 Windows 2003 Server, 584–586 Windows Vista and later, 586–588 FGPP – GPMC 1009 Windows XP, 584–586 Windows XP holdovers, 589–591 Users, 49–50 FSMO (Flexible Single Master Operations), 32 Full Control 
permissions, 650 full Windows, 12–13

G

Get-GPOReport, 72–73 Get-GPResultantSetOfPolicy cmdlet, 110 Get-SDMgplink, 70–71 GPCs (Group Policy Containers), 387, 388–391 CN (Common Name), 390 display name, 390 DN (Distinguished Name), 390 GPT synchronization, 407–408 Gpotool.exe, 410–412 replication problems, 413–415 Windows 10 GPMC status tab, 412–413 GUID, 390 LDP and, 395–397 versions, 390 GPMC (Group Policy Management Console), 13, 26–27, 118–119 versus Active Directory Users and Computers, 32–33 ADM templates, 359–361 AGPM client and, 906–908 All Settings node, 131 filtering and, 130 comments, 118–119 control, delegating, 50–54 Delegation Tab, 74–75 Details Tab, 71 Filter Options, 122–123 filter settings, 128–129 GPO creation, 13 GPOs, application, 39 icons, 166 link warning, 38, 76–77 management station, deployment, 27–30 Microsoft scripts, replacing, 881–883 OUs, deleting from, 33 Preferences node, 253 RSoP calculations, 109–110 Scope Tab, 70 searches, 118–119 security filtering authenticated users, 97–101 GPO scope, 91–92 Settings Tab, 72 views, adjusting, 33–36 what’s-going-on calculations, 110–116 GPME (Group Policy Management Editor), extensions, hiding, 320–321 Filtering, 121–122 GPOs (Group Policy Objects), 1, 13 See also Local GPOs Active Directory-based, 9, 383–384 AGPM Check In, 923–924 Check Out, 919–923 Controlled, 918–919 Controlled, report, 921 creating, 918–919 deploying, 924–926 difference report, 928–931 editing, 926–927 editing checked out copy, 921–923 History view, 928 Import from Production, 931–932 labeling, 926–927 restoring, 934 rolling back, 927–931 searching for, 934–935 Uncontrolled, 915–918, 932–934 application domain level, 44–46 example, 21–22 GPMC and, 39 OU level, 47–52 preventing, 78–85 site level, 41–43 troubleshooting, 429–441 backups, 146–148 client systems, 416–429 comments, 118–119 inside, 132–134 reading, 134 settings, 134–137 computers OU, 59–61
containers and, 49 creating, 39–41, 386–387 linking, 45 mixed environment and, 355–358 number of, 58–59 default (See default GPOs) deleting, 83–85, 145–146, 415 disabling, 416 half, 79–82 troubleshooting, 379 domain-based, domains and, 384 editing, mixed environment, 355–358 Filtering, 121–122 filtering PolicyPak Admin Templates, 230–231 scope, 224–230 GPCs, 388–391 GPMC and, 13 importing, SCM and, 980 linking, 15–16, 45 delegation, 54–55 disabling, 78–79 domain level, 467–469 OU level, 56–58 PowerShell, 69–70 precedence, 75–76 removing links, 82–85 linking and, 38–41 loopback processing, Replace mode, 237 migrating copying, 154–158 drag and drop, 161 importing, 158–161 tables, 162–165 multiple, 431 nodes, Office deployment, 736–739 OU and, 384–385 domain controller links, 471–473 permissions, 102–104 creation rights, 104–105 object creation, 391–393 PowerShell creating, 870–871 GPupdate, remote, 880–881 linking, 69–70, 878–879 links documentation, 853–865 listing, 846–852 permissions listing, 865–867 permissions settings, 867–869 removing linking, 879–880 reports, 853 settings modification, 871–878 WMI filters, 863–865 precedence, 75–76 changing, 470 highest-link order, 75 lowest-link order, 75 troubleshooting, 379 restoring, 149–152 scope, filtering, 224–230 searches, 118–119 characteristics, 119–120 security, 465 security filters, 89 authenticated users, 97–101 scope, 91–92 Scope tab, 92–97 settings, 89 site level, 385 change verification, 43–44 starters, 137–139 backing up, 143–144, 153 control delegation, 142–143 creating, 139 editing, 139–140 leveraging, 141–142 pre-created, 144–145 restoring, 153 sending, 143–144 status, 89 Gpotool.exe, 410–412 GPPrefs (Group Policy Preferences) ADM/ADMX files, 279–281 Common tab, 301–313 Computer Configuration, Control Panel node, 264–265 Computer configuration Control Panel node, 263–269 Windows node, 258, 259, 262 Windows node, Files extension, 259 Windows node,
Folders extension, 260 Windows node, INI files, 260 Windows node, Registry extension, 260–262 Windows node, Shortcuts extension, 263 Copy/Paste, 314 cPassword, 254–258 CRUD method, 293–294 CSEs, 253 Devices Preference extension, 286–288 disabling items and roots, 317–318 DLLs, 249–250 drag/paste, 314 environment variables, 318–320 exporting XML, 314–315 Files Preference extension, 285 filtering, 315–316 hiding extensions, 320–321 IE (Internet Explorer), 282–283, 803–805 lines and circles, 294–297 Local users and Groups preference extension, 289 ordering, 316–317 PolicyPak Preferences Manager and, 330–332 Power Options Preference extension, 283–285 Preferences node preferences versus policies, 281 overlap, 290–293 Printers extension versus Deployed Printers feature, 281–282 renaming, 317 Services Preference extension, 286 Start menu, 288–289 tabs, multiple, 297–300 troubleshooting, 321–322 event logging, 324–325 reporting, 322–324 tracing, 325–329 User configuration Control Panel, 271–278 Windows Settings, 270 Windows Server 2003, 251–252 Windows Vista, 251–252 Windows XP, 251–252 GPResult command, 110 GPSI (Group Policy Software Installation), 724–725 Advanced tab, 756 Categories tab, 757 File Extensions tab, 757 General tab, 755–756 MSI packages, 726–727 Administrative Installation, 728–731 removing applications automatically, 758–760 manually, 758 preventing new installation, 760 uninstalling, 760 slow links, 761–764 software deployment, 734 Office, 736–739 software distribution, 728 distribution point, 735–736 software packages, targeting, 734–736 Windows Installer Service, 726 GPT (Group Policy Templates), GPCs synchronization Gpotool.exe, 410–412 replication problems, 413–415 Windows 10 GPMC status tab, 412–413 gpt.ini folder, 398–399 GPTs (Group Policy Templates), 387, 398–401 GPC synchronization, 407–408 Group Policy Active Directory and, 13–15 Active Directory-based, 12 inheritance, Block Inheritance, 85–87 Inheritance tab,
109–110 operations, delegating, 105–107 what’s-going-on calculations, 110–116 WIN10, personalization, 37 Group Policy Modeling Wizard, what-if calculations, 116–118 Group Policy Preferences See GPPrefs Group Policy Results Wizard, 110–111

H

hardware, access restriction, 808–809 classes, 815–817 device installation restrictions, 819–820 Devices extension, 809–814 drivers, 814–815 IDs and, 815–817 hash rule, SRPs, 504 HR-OU-Admins group, 49 Human Resources OU, 48–49 moving computers to, 61–64 Hyper-V,

I

icons, GPMC, 166 IE (Internet Explorer) Enterprise Mode, 806–808 GPPrefs and, 282–283, 803–805 Group Policy settings, 805 PolicyPak Application Manager, 808 pop-ups and, 73–74 inheritance Block Inheritance, 85–87 Enforced function, 87–90 troubleshooting, 379, 430 Inheritance tab, 109–110 initial policy processing, 172 Windows 2000, 173 Windows XP, 173–174 IntelliMirror, 644 Interactive Desktop, UAC, 546–547 Intune, 991–992 conflicts, 997–998 downloading, 992–995 groups policies, 996–997 setup, 995–996 IPsec filters, backup and restore, 154

K

keyword filters, 123–124

L

languages, ADM files, 347–349 LAPS (Local Administrator Password Solution), 830–837 LDAP, 395–397 lines and circles (GPPrefs), 294–297 Link Enabled status, 78–82 linking disabling, 78–79 GPMC, warning, 38, 76–77 GPOs, 15–16, 45 delegation, 54–55 deleting links, 82–83 domain level, 467–469 Local GPOs, multiple, 16 Local GPOs, 20–21 application, preventing, 78 file-based, 381–382 multiple, linking, 16 registry-based, 381–382 Local Group Policy, 9, 10 Local Group Policy Editor, 10, 11 Local Profiles, 579 Default Local User Profile, 591–594 logging, Windows, 196 loopback processing, 9, 231–232 cross-forest trusts and, 245 Merge mode, 232, 233 PolicyPak and, 239–241 Replace mode, 232, 233–236 GPO creation, 237 verification, 237–238 troubleshooting, 380

M

\Machine folder, 399 managed desktop, 643–644 assigning applications, 732 GPSI, 724–725 MSI packages, 726–731 software
deployment, 734 software distribution, 728, 735–736 software packages, 734–736 Windows Installer Service, 726 publishing applications, 733 Redirected Folders, 644–645 Application Data Folder, 666–667 automatic offline caching, 712–720 Desktop, 665–666 Documents folder, 645–665 settings, 667–669 slow links, 694–710 Start Menu, 665–666 troubleshooting, 669–671 Synchronization, 676–684 conflicts, 684–686 managed software, 724 Mandatory Profiles, 579, 635 forced, 640–642 modern Windows, 638 Windows XP, 636–637 Mar-Elia, Darren, 70–71 MDOP (Microsoft Desktop Optimization Pack), 898 MIC (Mandatory Integrity Control), 533 Microsoft Intune, 991–992 conflicts, 997–998 downloading, 992–995 groups policies, 996–997 setup, 995–996 \Microsoft\Windows NT\Secedit folder, 400 migrating, GPOs copying, 154–158 drag and drop, 161 importing, 158–161 tables, 162–165 MLGPOs (Multiple Local Group Policies), 9, 381 layers, 17–18 linking, 16 Windows 10 and, 18–20 MMC, 30–32 MSI packages, 726–727 Administrative Installation, 728–731 creating, 731 MSI versions of Office, 725–726 MSIEXEC tool, 764–767

N

nesting, Restricted Groups, 499–500 Network User Profile, default, 594–599 Network Zone Rule, SRPs, 505 networks, security, 466 NLA (Network Location Awareness), 200, 419 troubleshooting, 438 nodes, Computer, policy settings, 7–8 User, NTUSER.DAT file, 583–584

O

Office 2010 deployment, 771–782 installation, Click-to-Run and, 783–792 Offline Files, 672 Administratively Assigned, 687 autocache, 687 availability, 673–676 configuration, clients, 686–687 nothing approach, 687 slow links, 694–702 configuring, 702–710 tweaking, 689–694 OUs (organizational units), 12 Active Directory Users and Computers, 32–33 Admins access, 55–56 clients, moving to, 236–237 GPMC, deleting, 33 GPOs and, 384–385 Human Resources Users, 48–49 password policies, 475–477 overlapping writes, ADM files, 347–349

P

packages, targeting, 734–736 passwords, 465 FGPP, 477–482 policies, OU
level, 475–477 rotating, LAPs and, 830–837 Path Rule, SRPs, 505 PDC emulator, 386 permissions Active Directory, 103 AGPM, 953–955 AGPM multiple admins, 939–942 creation rights, 104–105 cross-forest trusts, 245–246 Full Control, 650 GPOs, 102–104 object creation, 391–393 MSI packages, 730 troubleshooting, 380, 431–432 WMI filter creation, 107–108 policy settings, 7–8 PolicyPak GPPrefs and, 330–332 loopback processing, 239–241 PolicyPak Admin Templates, 230–231 PolicyPak Cloud, 203–204, 998–999 groups, 1001 joining, 1001–1003 policies, 999–1000 PolicyPak Manager ADM/ADMX templates, 365–376 Firefox and, 370–371 Internet Explorer, 371–373 Java and, 370 PolicyPak suite installation, 367–368 offline computers, 373–376 preconfigured paks, 368–369 pop-ups, Windows Server, 73–74 Power Management, 283–285 GPOs, listing, 846–852 PowerShell, 67–68, 839 Block Inheritance, 85–87 cmdlets, 70–71 GPOs creating, 870–871 GPupdate, remote, 880–881 linking, 878–879 links, 69–70 links documentation, 853–862 permissions listing, 865–867 permissions settings, 867–869 removing linking, 879–880 reports, 853 settings modification, 871–878 WMI filters, 863–865 launching, 841 Microsoft GPMC script replacement, 881–883 permissions, Administrator, 69 RSAT, 842–843 Group Policy module, 843–846 preferences See also GPPrefs Registry, 339–340 Preferences node, 253 printers, assigning, 821–830 processing, 170 background refresh, 171, 174–175 exemptions, 177–178 manual forcing, 183–187 manual start, 182–183 special cases, 177–178 Windows, 178–182 Windows Domain Controllers, 176 Windows Members Servers, 175–176 behaviors, 172 caching, 197 computer objects, moving, 171, 193–194 core processing Windows, 417–418 Windows 8 and later, 419 Windows XP, 416–417 disk quotas, 196 drive maps, 196 initial policy processing, 171, 172 Windows 2000, 173 Windows XP, 173–174 logging, Windows, 196 logon scripts, 198–199 loopback, 231–232 cross-forest trusts,
245 Merge mode, 232, 233 PolicyPak and, 239–241 Replace mode, 232–237 verification, 237–238 security, 171, 187–191 background security refresh, 191–192 reapplication for nonsecurity policy, 192–193 slow links, 200–202 users, moving, 171, 193–194 Windows 8.1, 197–198 Group Policy Service on/off, 194–195 Hiberboot, 195–196 logging, 196 Windows Hiberboot, 195–196 Windows RT, Active Directory-based Group Policy, 195 profiles See user profiles PSO (Password Setting Object), 479–481 Published applications, 733 testing, 743–745

R

RDS (Remote Desktop Services), loopback Merge mode, 235–236 Re-Apply Filter option, 129 Redirected Folders, 644–645 Application Data Folder, 666–667 automatic offline caching, 712–720 Desktop, 665–666 Documents folder, 645–649 advanced, 657–661 Settings tab, 651–657 Target tab, 649–651 testing, 661–665 settings, 667–669 slow links, 694–702 configuring, 702–710 Start Menu, 665–666 troubleshooting, 669–671 Registry policies, location, 337–341 preferences, 339–341 settings, location, 427–429 remote access PolicyPak Cloud, 203–204 RDS (Remote Desktop Services), loopback Merge mode, 235–236 Unified Remote Access, 202–203 Remote Group Policy Update, 188 replication, troubleshooting, 380 reporting, GPPrefs, 322–234 requirements filters, 125–126 Restricted Groups, 289, 465, 495–496 Active Directory groups, 497–498 refreshing, 498–499 nesting, 499–500 Roaming Profiles, 579, 599–601 administrator’s security group, 623 advertising ID, 627 background upload, 625–626 cached copies, 618–619 change propagation prevention, 623 Cross-Forest Trusts, 617 deleting old, 619–620 directories, excluding, 634 downloading, 626–627 folders, 610–614 Guest account, 615–616 home folder, 627 merging with Local Profiles, 614–615 myths, 601–604 path, 624–625 policy settings and, 617–618 Registry unload, 624 server and, 608–609 setup, 604–608 size limits, 631–634 slow connections, 620–622 temporary, 622 testing, 608 User Group Policy
settings, 630–631 user primary computer, 628–630 wait time, 625 Windows compatibilities, 580–582 RPC (Remote Procedure Call), 386 RPC (Remote Scheduled Tasks Management), 188 RPD-EPMAP (Remote Scheduled Tasks Management), 188 RSAT (Remote Server Administration Tools), Group Policy module, 843–846 RSoP (Resultant Set of Policy) calculations, 109–110 domain level, 24 OU level, 24 site level, 23–24 troubleshooting, 442–450

S

SCM (Security Compliance Manager), 969–970 baselines comparing, 980–983 exporting, 978 importing from exported GPO, 979 inspecting, 975–977 merging, 980–983 modifications, 977 GPOs, importing, 980 installation, 970–971 LocalGPO, 983–989 installation, 984 navigating, 972–974 scope, filtering, WMI filters, 224–230 scripting, PowerShell, 839 Scriptomatic, 225–226 scripts non-PowerShell logon/logoff, 800 processing defaults, 800–801 shutdown, 799–800 startup, 799–800 PowerShell, Windows 7 and later, 801–802 \Scripts\Shutdown folder, 400 \Scripts\Startup folder, 400 searches, 118–119 characteristics, 119–120 Secure Desktop, UAC, 546–547 security AppLocker, 465, 500–501, 510–512 AppID service, 521–523 auditing, 519–521 Enforcement, 519–521 Explicit deny, 515–519 rules and conditions, 512–515 rules import/export, 529 testing, 523–525 users’ view, 524 whitelisting, 525–529 auditing advanced policy configuration, 491–495 Audit Directory Service Changes, 493–495 auditable events, 482–487 file access, 487–489 GPO changes, 489–491 default GPOs, 465 DeviceGuard, 500–501 Domain Controllers Policy, 471–474 domain level links, 467–469 files, Files Preference extension, 285 GPPrefs, 254–258 password policy, 465 FGPP, 477–482 OU level, 475–477 restricted groups, 465, 495–496 Active Directory groups, 497–499 servers, auditing, 465 software restriction, 465 SRP (Software Restriction Policies), 500–502 philosophies, 502–503 rules, 503–506 testing, 506–507 troubleshooting, 508–510 when
applicable, 507–508 UAC, 466, 531–532 Admin Approval mode, 542, 546 controls, 539–542 filtering and, 537–538 groups affected, 535–536 Interactive Desktop, 546–547 local administrator, 539–542 MIC (Mandatory Integrity Control), 533 prompts, 533, 534–535 rights, 536, 543–546 SE privileges, 536 Secure Desktop, 546–547 setting suggestions, 548–551 split token, 537–538 Standard Users, 533 UIPI (UI Process Isolation), 533 write failures, 547 Windows Firewall Advanced Security (WFAS), 558–567 IPsec, 567–572 rules calculation, 572–576 Windows firewall, 466, 554–556 disabling, 558 Domain Profile, 557–558 Standard Profile, 557–558 wired network policies, 466 802.3, modern Windows, 553 wireless policies, 466, 551–552 802.11, modern Windows, 553 802.11, Windows XP, 552–553 security background refresh processing, 187–191 background security refresh, 191–192 reapplication for nonsecurity policy, 192–193 security_mmc.exe, 74 Server Manager, Add Roles and Features Wizard, 4–5 servers, auditing, 465 slow links, 200–202 GPSI, 761–764 troubleshooting, 380 SmartPackager (Scalable Software), 731 software advertisement, 724 AppLocker, 500–501 deployment, 723 GPSI, 734 Office, 736–739 Office 2010, 771–782 DeviceGuard, 500–501 distribution, GPSI, 728 licensing, 738–739 managed software, 724 restriction, 465 SRP philosophies, 502–503 rules, 503–506 testing, 506–507 troubleshooting, 508–510 when applicable, 507–508 SRP (Software Restriction Policies), 500–502 vendors, CSEs, 420 SOM (Scope of Management), 91–92 SRP (Software Restriction Policies), 500–502 philosophies, 502–503 rules, 503–506 testing, 506–507 troubleshooting advanced logging, 508–509 lockouts, 509–510 Registry, 508 when applicable, 507–508 Start menu, 288–289 Redirecting, 666–667 Starter GPOs, 137–139 backing up, 143–144, 153 control delegation, 142–143 creating, 139 editing, 139–140 leveraging, 141–142 pre-created, 144–145 restoring, 153 sending, 143–144 Sync Center, 710–712 Synchronization, 676–684 conflicts, 684–686 
syntax, WMI filters, 226–227 System Center Configuration Manager, 793–796 System Services, 286 SYSVOL (system volume), bloat, ADM files and, 345–346

T

templates See also Administrative Templates; GPTs (Group Policy Templates) ADM, outside sources, 359–362 ADMX Microsoft Office, 361–362 outside sources, 359–362 Disabled, 63–64 Enabled, 63 Not Configured, 63 PolicyPak Admin Templates, 230–231 Starter GPOs, 137–138 test lab, configuration for, tracing, GPPrefs and, 325–329 troubleshooting AGPM GPO auto-delete, 951 GPO import/export, 951–953 permissions, 953–955 Production Delegation, 950–951 applying Group Policy, 429–441 Block Inheritance, 431 client-side, 441–442 RSoP, Windows clients, 442–450 Enforce, 431 Event Viewer logs, 450–451 Deep Dive, 456–460 Group Policy Operational Log, 455–456 preference extensions, 460–461 Windows System Log, 451–455 GPOs disabled, 379 precedence, 379 GPPrefs, 321–322 event logging, 324–325 reporting, 322–324 tracing, 325–329 infrastructure, 380 inheritance, 379, 430 loopback processing, 380 NLA, 438 permissions, 380, 431–432 processing performance, 462–463 Redirected Folders, 669–671 replication, 380 slow links, 380 Sync Center, 710–712 WMI filters, 379

U

UAC (User Account Control), 466, 531–532 Admin Approval mode, 542 all administrators, 546 controls, 539–542 filtering and, 537–538 groups affected, 535–536 Interactive Desktop, 546–547 local administrator, 539–542 MIC (Mandatory Integrity Control), 533 prompts, 533, 534–535 rights, elevated, 536, 543–546 SE privileges, 536 Secure Desktop, 546–547 setting suggestions, 548–551 split token, 537–538 Standard Users, 533 UIPI (UI Process Isolation), 533 write failures, 547 UIPI (UI Process Isolation), 533 Unified Remote Access, 202–203 \User folder \Applications folder, 401 \Documents and Settings folder, 401 \Microsoft\IEAK folder, 401 \Microsoft\RemoteInstall folder, 401 Registry.pol file, 401 \Scripts\Logoff
folder, 401 \Scripts\Logon folder, 401 User node, Computer node comparison, 8–9 GPPrefs Control Panel settings, 270 Windows settings, 270 settings, 205 ADM file updates, 206–207 disabled object links, 206 GPO default names, 206 PDC emulator, 205 refresh interval, 205 Results tasks, 207 show policies, 206 slow link detection, 205 user profiles folders AppData, 588 Windows 2003 Server, 584–586 Windows Vista and later, 586–588 Windows XP, 584–586 Windows XP holdovers, 589–591 Local, 579 Default, 591–594 Mandatory, 579, 635 forced, 640–642 modern Windows, 638 Windows XP, 636–637 Network, 594–599 NTUSER.DAT file, 583–584 Roaming, 579, 599–601 administrator’s security group, 623 advertising ID, 627 background upload, 625–626 cached copies, 618–619 change propagation prevention, 623 Cross-Forest Trusts, 617 deleting old, 619–620 directory exclusions, 634 downloading, 626–627 folders, 610–614 Guest account, 615–616 home folder, 627 merging with Local Profiles, 614–615 myths, 601–604 path, 624–625 policy settings and, 617–618 Registry unload, 624 server and, 608–609 setup, 604–608 size limits, 631–634 slow connections, 620–622 temporary, 622 testing, 608 User Group Policy settings, 630–631 user primary computer, 628–630 wait time, 625 Windows compatibilities, 579–582 Users folder, 49–50

V

values, CSEs, 426–427 variables, environment variables, GPPrefs, 318–320 VDI (virtual desktop infrastructure), 885 images, 887–891 overview, 886–887 video, 891–894 version numbers, 406 VHD (virtual hard disk), views, GPMC and, 33–36 VMware Workstation,

W

what-if calculations, Group Policy Modeling Wizard, 116–118 WIN10, test lab configuration, Win10, WIN10MANAGEMENT, 2–3 Windows Central Store ADMX/ADML files, 351 creating, 351–353 updating, 353–355 verifying use, 353 full Windows, 12–13 Group Policy Service, on/off, 194–195 Hiberboot, 195–196 logging, 196 Mandatory Profiles, 636–637 Windows 7, CSEs, 423 Windows 8, CSEs, 424 speed, 197–198
Windows 10, as management station, 28–30 MLGPOs, 18–20 Windows 2000, initial policy processing, 173 Windows 2003 Server, user profiles, folders, 584–586 Windows Firewall, 112–113, 466, 555–556 Advanced Security (WFAS), 558–560 rules, 562–567 WFAS properties, 560–561 disabling, 558 Domain Profile, 557–558 IPsec, 567–569 WFAS, 569–570 WFAS rules, 570–572 rules, precedence, 572–576 Standard Profile, 557–558 Windows Installer Service, 726 policy settings computer side, 767–769 user side, 769–770 Windows RT, 12–13 Active Directory-based Group Policy, 195 Windows Server as domain controller, 4–6 GPPrefs, 251–252 pop-ups, 73–74 Windows Server 2008, CSEs, 422–423 Windows Server 2008 R2, CSEs, 423 Windows Server 2012 and later, CSEs, 424 Windows Server 2016, as management station, 29 Windows settings (GPPrefs) Computer configuration, 258 Environment extension, 259 Files extension, 259 Folders extension, 260 INI files, 260 Network Shares extension, 262 Registry extension, 260–262 Shortcuts extension, 263 User configuration Applications extension, 270 Drive Maps extension, 270 Windows Vista CSEs, 422–423 GPPrefs, 251–252 user profiles, folders, 586–588 Windows XP, CSEs, 420–422 fast boot, 432–433 GPPrefs, 251–252 initial policy processing, 173–174 Mandatory Profiles, 636–637 user profiles, folders, 584–586, 589–591 wireless networks, security, 466 WMI filters, backup and restore, 153 creating, 227–228 delegating rights, 107–108 documentation, 225 performance and, 228–230 scope, 224–230 syntax, 226–227 troubleshooting, 379 users, delegating, 108–109 using, 228 WMI CIM Studio, 225 WMI-In (Windows Management Instrumentation), 188 write overlap, ADM files, 347–349

X

XML, exporting, GPPrefs, 315–316

...
on the Road, through the Internet)
Using Group Policy to Affect Group Policy
Affecting the User Settings of Group Policy
Affecting the Computer Settings of Group Policy
The Missing Group Policy...
Linking and the Group Policy Objects Container
Applying a Group Policy Object to the Site Level
Applying Group Policy Objects to the Domain Level
Applying Group Policy Objects to the OU