
Windows 7 Resource Kit - P12 (PDF document)


FIGURE 14-2 The folder structure for the central store where ADMX template files are stored for the domain

Note: For a list of ISO language identifiers, see http://msdn.microsoft.com/en-us/library/dd318691.aspx.

After you create this folder structure for the central store on the PDC Emulator, the FRS will replicate this structure to all domain controllers in the domain. You choose the PDC Emulator as the domain controller on which to create this folder structure manually because the PDC Emulator is the default choice for the focus of the GPMC.

Note: Creating a central store is not a requirement for using Group Policy to manage computers running Windows Vista or later. For example, in the absence of a central store, an administrator can use the GPMC on an RSAT administrative workstation running Windows 7 to create GPOs and then use the GPMC to configure these GPOs. The advantage of configuring a central store is that all GPOs created and edited after the store is configured have access to all of the ADMX files within the store, which makes the central store useful for deploying any custom ADMX files that you want to share with other administrators in your domain.

Adding ADMX Templates to the Store

After you configure the central store, you must populate it using ADMX template files. You can copy these ADMX template files from a computer running Windows 7 by following these steps:

1. Log on to an administrative workstation running Windows 7 using a user account that is a member of the Domain Admins built-in group.
2. Open a command prompt and type the following command.

   xcopy %SystemRoot%\PolicyDefinitions\* %LogonServer%\sysvol\%UserDNSDomain%\policies\PolicyDefinitions /s /y

3. Repeat this process from any administrator workstations running Windows 7 that have different languages installed.

After you copy the ADMX template files to the central store, the central store will be replicated to all domain controllers in the domain as the contents of the SYSVOL share are replicated by the FRS. Whenever you want to update the files or copy a custom ADMX file, you must do this manually.

Direct from the Source: Create and Populate the ADMX Central Store in a Single Step
Judith Herman, Group Policy Programming Writer
Windows Enterprise Management Division UA

As long as the ADMX central store directory exists, the Group Policy Management Editor will ignore the local versions of the ADMX files. It is recommended that as soon as the central store is created, the ADMX (and associated ADML files) are used to populate the central store. If there is an empty central store directory when the Group Policy Management Editor in Windows 7 is started, the ADM nodes will not display any policy settings because the Group Policy Management Editor reads ADM policy settings display information only from the empty central store.

Creating and Managing GPOs

After your central store is configured and you have copied ADMX template files to it, you are ready to create GPOs for managing your environment. Beginning with Windows 7, you can create and manage GPOs in two ways:

- From the graphical user interface (GUI) by using the GPMC. This is the only method available for managing Group Policy on earlier versions of Windows.
- From the command line or via script automation by using the new Windows PowerShell Group Policy cmdlets. This method for managing Group Policy is new in Windows 7 and Windows Server 2008 R2 and is described in the section titled “Creating and Managing GPOs Using Windows PowerShell” later in this chapter.

Obtaining the GPMC

The GPMC is not included in a default Windows 7 install.
Instead, you must download and install the RSAT for Windows 7 to use the GPMC on a Windows 7 computer. To do this, follow these steps:

1. Obtain the appropriate RSAT package (x86 or x64) for your Windows 7 administrative workstation from the Microsoft Download Center at http://www.microsoft.com/downloads/ and install the RSAT .msu package on your computer.
2. Open Programs And Features from Control Panel and select Turn Windows Features On Or Off.
3. In the Windows Features dialog box, expand Remote Server Administration Tools, followed by Feature Administration Tools.
4. Select the check box next to Group Policy Management Tools and click OK.

Alternatively, instead of managing Group Policy by installing RSAT on a computer running Windows 7, you can manage it directly from a computer running Windows Server 2008 R2 by installing the RSAT feature using the Add Features Wizard in Server Manager.

Using Starter GPOs

Starter GPOs, introduced in the GPMC for Windows Server 2008 and Windows Vista SP1 with RSAT, are read-only collections of configured Administrative Template (.admx) policy settings that you can use to create a live GPO. Starter GPOs provide baselines of Group Policy settings designed for specific scenarios. By using Starter GPOs as templates for creating domain-based GPOs, you can deploy Group Policy quickly in different kinds of environments. Note that Starter GPOs can contain only policy settings (ADM settings); they cannot include preference items, security settings, or other types of Group Policy settings.

In Windows Vista SP1 and Windows Server 2008, you had to download Starter GPOs before using them. Now, however, a default set of Starter GPOs is included in RSAT for Windows 7 and in the GPMC feature of Windows Server 2008 R2.

RSAT for Windows 7 includes two different categories of Starter GPOs:

- Enterprise Client (EC): Client computers in this type of environment are members of an AD DS domain and need to communicate only with systems running Windows Server 2003. The client computers in this environment may include a mixture of Windows versions, including Windows 7, Windows Vista, and Windows XP.
- Specialized Security Limited Functionality (SSLF): Client computers in this type of environment are members of an AD DS domain and must be running Windows Vista or later. Concern for security in this environment is a higher priority than functionality and manageability, which means that the majority of enterprise organizations do not use this environment. The types of environments that might use SSLF are military and intelligence agency computers.

In addition to these two categories, the default Starter GPOs in RSAT for Windows 7 can also be categorized by whether they do the following:

- Apply only to clients running Windows XP SP2 or later or Windows Vista SP1 or later.
- Apply to users or to computers.

The result of this categorization is the following eight types of Starter GPOs included in RSAT for Windows 7:

- Windows Vista EC Computer
- Windows Vista EC User
- Windows Vista SSLF Computer
- Windows Vista SSLF User
- Windows XP EC Computer
- Windows XP EC User
- Windows XP SSLF Computer
- Windows XP SSLF User

For more information concerning the default configuration of policy settings in Starter GPOs designed for Windows Vista SP1 or later, see the Windows Vista Security Guide at http://go.microsoft.com/?linkID=5744573. For more information concerning the default configuration of policy settings in Starter GPOs designed for Windows XP SP2 or later, see the Windows XP Security Compliance Management Toolkit at http://go.microsoft.com/fwlink/?LinkId=14839.
Updated information on Starter GPOs should also be available; search for Windows 7 Security Guide on the Microsoft Download Center.

Before you can use Starter GPOs, you must prepare your environment by creating a separate folder for these GPOs in the SYSVOL share on your domain controllers. If your forest has more than one domain, you must create a separate Starter GPOs folder in each domain of your forest. To create the Starter GPOs folder, perform the following steps:

1. Open the GPMC and select the Starter GPOs node in the console tree for the domain.
2. Click the Create Starter GPOs Folder button in the details pane (see Figure 14-3).
3. Repeat for each domain in your forest.

After you create your Starter GPOs folder, you can use the default Starter GPOs as templates when you create new GPOs, as described in the next section. You can also create and manage your own Starter GPOs by right-clicking the Starter GPOs node in the console tree of the GPMC.

FIGURE 14-3 Creating the Starter GPOs folder in SYSVOL for the domain

Creating and Managing GPOs Using the GPMC

To create and configure a GPO using the GPMC, follow these steps:

1. Log on to an administrative workstation running Windows 7 with RSAT using a user account that is a member of the Domain Admins built-in group.
2. Right-click Start and then click Properties. On the Start Menu tab, click Customize. Then in the Customize Start Menu dialog box, scroll down to System Administrative Tools, select Display On The All Programs Menu And The Start Menu, and click OK.
3. Click Start, then Administrative Tools, and then Group Policy Management. (Alternatively, you can type gpmc.msc in the Start Search box and then click gpmc.msc when it appears under Programs in your search results.)
4. Expand the console tree to select the domain or OU to which you will link the new GPO when you create it.
5. Right-click this domain or OU and select Create A GPO In This Domain And Link It Here.
6. Type a descriptive name for your new GPO, such as Seattle Computers GPO, and (optionally) select a Starter GPO as a template for it. Then click OK.
7. Expand the domain or OU to display the GPO link for your new GPO beneath it, as shown in the following image.
8. Right-click the GPO link and then select Edit to open the GPO.
9. Configure policy settings and preference items in the GPO as desired for the computers and/or users targeted by the GPO.

Note: If a domain controller is unavailable when a computer running Windows 7 tries to log on to the network, the computer will log on using cached credentials and will use the local copies of the ADMX template files to surface ADM policy settings in the Local Group Policy Editor. Also, if an administrator uses a computer running Windows 7 with RSAT to start GPMC or the Local Group Policy Editor and no central store is found, local copies of the ADMX template files will be used to surface ADM policy settings in the Local Group Policy Editor.

Creating and Managing GPOs Using Windows PowerShell

Beginning with Windows 7 and Windows Server 2008 R2, you can also use 25 new Windows PowerShell cmdlets to create and manage GPOs from the PowerShell command line or by using PowerShell scripts. This new capability builds upon the earlier Component Object Model (COM)–based Group Policy scripting capabilities found in Windows Vista and Windows Server 2008. This feature enables administrators to manage the full life cycle of GPOs, including creating, deleting, copying, configuring, linking, backing up and restoring, generating Resultant Set of Policy (RSoP) reports, configuring permissions, and migrating (importing and exporting) GPOs across domains and forests and from test to production environments.

This new functionality is implemented using the GPMC application programming interfaces (APIs) and is available as a module that you can import from the Windows PowerShell command line. This means that the GPMC must be installed on the computer from which you run your Windows PowerShell commands. These new cmdlets provide functionality both for performing GPMC operations and for reading and writing registry settings to GPOs (including both policy settings and preference items).

You can also use Group Policy to configure policy settings that specify whether Windows PowerShell scripts can run before non-PowerShell scripts during computer startup and shutdown and during user logon and logoff. By default, Windows PowerShell scripts run after non-PowerShell scripts.

As shown in Table 14-3, the Windows PowerShell cmdlets in Group Policy can be organized into five different categories according to their verb.

TABLE 14-3 Windows PowerShell cmdlets for Group Policy in Windows 7 and Windows Server 2008 R2

VERB      CMDLETS
Get       Get-GPInheritance, Get-GPO, Get-GPOReport, Get-GPPermissions, Get-GPPrefRegistryValue, Get-GPRegistryValue, Get-GPResultantSetofPolicy, Get-GPStarterGPO
New       New-GPLink, New-GPO, New-GPStarterGPO
Set       Set-GPInheritance, Set-GPLink, Set-GPPermissions, Set-GPPrefRegistryValue, Set-GPRegistryValue
Remove    Remove-GPLink, Remove-GPO, Remove-GPPrefRegistryValue, Remove-GPRegistryValue
Misc      Backup-GPO, Copy-GPO, Import-GPO, Rename-GPO, Restore-GPO

As an example of using these new cmdlets, the procedure described here creates a new Seattle Users GPO and links it to the Seattle Users OU beneath the Seattle OU in the contoso.com domain to complement the Seattle Computers GPO created using the GPMC in the previous section.

1. Log on to your domain controller and click the Administrator: Windows PowerShell icon pinned to the taskbar. This opens the Windows PowerShell command-prompt window.
2. Type import-module GroupPolicy to import the Group Policy module into Windows PowerShell. This step is required at the beginning of each Windows PowerShell script or series of PowerShell commands that you execute to manage Group Policy.
3. Type $gpo = New-GPO "Seattle Users GPO" to create a new GPO named Seattle Users GPO and assign the GPO to the Windows PowerShell variable named $gpo.
4. Type Get-GPO $gpo.DisplayName to retrieve the properties of the newly created GPO and verify its creation, as shown here.
5. Type New-GPLink $gpo.DisplayName -target "ou=Seattle Users,ou=Seattle,dc=contoso,dc=com" -order 1 to link the new GPO to the Seattle Users OU beneath the Seattle OU in the contoso.com domain and assign the GPO a link order of 1.

If you refresh the GPMC view, you should now see the newly created GPO linked to the OU you specified.

For more examples on how to use these new Group Policy cmdlets to create and manage Group Policy, see the Windows PowerShell section of the Group Policy Team Blog on Microsoft TechNet at http://blogs.technet.com/grouppolicy/archive/tags/PowerShell/default.aspx. For a general introduction to the Windows PowerShell capabilities of Windows 7, see Chapter 13, “Overview of Management Tools.”

Editing GPOs

After you’ve created a GPO, you can edit the settings that it contains using one of two methods:

- From the GUI by using the Group Policy Management Editor, which can be started from the GPMC. This is the only method available for editing GPOs in earlier versions of Windows. Using this method, you can modify any GPO setting, including policy settings, preference items, and security settings.
- From the command line or via script automation by using the Set-GPRegistryValue, Set-GPPrefRegistryValue, Get-GPRegistryValue, Get-GPPrefRegistryValue, Remove-GPRegistryValue, and Remove-GPPrefRegistryValue cmdlets, which are among the new Windows PowerShell Group Policy cmdlets in Windows 7. Using this method, you can modify either policy settings or Group Policy preferences registry-based preference items (you cannot modify other types of preference items using the cmdlets). You cannot use Windows PowerShell to modify security settings, software installation settings, or any other types of GPO settings.

Configuring Policy Settings

To configure a policy setting in a GPO, follow these steps:

1. Right-click the GPO or its associated GPO link in GPMC and select Edit to open the GPO in the Group Policy Management Editor.
2. Expand the Policies node under either Computer Configuration or User Configuration as desired.
3. Expand the Administrative Templates node under Policy and browse to select the policy you want to configure, as shown here.
4. Double-click the policy setting to open its properties, then enable or disable the setting as desired, and (optionally) type a comment to document your action, as shown here.
5. Click OK to apply the change to the GPO.

After Group Policy is updated for the users or computers targeted by the GPO, the policy setting will be applied. This policy setting, which applies only to Windows 7 and later versions, displays a Search The Internet link above the Start menu button whenever a user types something into the Search box on the Start menu.

In addition to using the Group Policy Management Editor to configure policy settings, you can use Windows PowerShell to do this if you have the GPMC installed on a computer running Windows 7 or Windows Server 2008 R2.
For example, to edit the Seattle Users GPO and enable the Add Search Internet Link To Start Menu policy setting as was done previously, open a Windows PowerShell command-prompt window and follow these steps:

1. Type Import-module GroupPolicy to import the GroupPolicy module into Windows PowerShell.
2. Type $key = "HKCU\Software\Policies\Microsoft\Windows\Explorer" to assign the registry path for the Add Search Internet Link To Start Menu policy setting to the variable named $key.
3. Use the Set-GPRegistryValue cmdlet, as shown in Figure 14-4, to create a new DWORD registry value named AddSearchInternetLinkinStartMenu under the registry key and assign a value of 1 to this registry value.

[...]

... information on how to troubleshoot Group Policy application issues for Windows 7 and Windows Vista SP1, see “Troubleshooting Group Policy Using Event Logs” at http://technet2.microsoft.com/WindowsVista/en/library/7e940882-33b743db-b097-f3752c84f67f1033.mspx?mfr=true

Direct from the Source An...

... running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 and copy the ADMX files from your computers running Windows 7 to this store

- Migrate your custom ADM files to ADMX format using ADMX Migrator. Do not migrate the default ADM files found on previous versions of Windows; Windows 7 does...

GPEDIT(b6c.10c8) 12:10:03:716 PDX parser: Obtained appropriate PDX resource file 'C:\Windows\PolicyDefinitions\en-US\FolderRedirection.adml' for language 'en-US'
GPEDIT(b6c.10c8) 12:10:03:717 PDX parser: Parsing resource file 'C:\Windows\PolicyDefinitions\en-US\FolderRedirection.adml'
GPEDIT(b6c.10c8) 12:10:03:719 PDX parser: Parsing resource file completed successfully
GPEDIT(b6c.10c8) 12:10:03:720 PDX parser:...

... http://technet.microsoft.com/en-us/library/cc709647.aspx
- Deploying Group Policy Using Windows Vista at http://technet.microsoft.com/en-us/library/cc766208.aspx
- “Troubleshooting Group Policy Using Event Logs” at http://technet.microsoft.com/en-us/library/cc749336.aspx
- Windows Group Policy Resource Kit: Windows Server 2008 and Windows Vista (Microsoft Press, 2008)
- Windows Group Policy Administrator’s...

... by AGPM

Additional Resources

These resources contain additional information and tools related to this chapter.

Related Information

- “What’s New in Group Policy” in Windows Server 2008 R2 and Windows 7 at http://technet.microsoft.com/en-us/library/dd367853.aspx
- “Group Policy Frequently Asked Questions (FAQ)” at http://technet.microsoft.com/en-us/windowsserver/grouppolicy/cc817587.aspx
- “Group Policy...

... capabilities of this new format. ADMX Migrator is available from the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=103774 and can be installed on Windows 7, Windows Server 2008 R2, Windows Vista, Windows Server 2008, Windows Server 2003 SP1 or later, and Windows XP SP2 or later, provided that MMC 3.0 and the Microsoft .NET Framework 2.0 are installed.

Important: ADMX Migrator was developed...

... needed if:

- Your clients run Windows Server 2008 or Windows Vista
- Your Windows XP and Windows Server 2003 clients run Internet Explorer 7 and/or the latest service packs

For clients that run Windows Server 2003 and Windows XP operating system versions that support the CSEs, the following list indicates the requirements and where to obtain XMLLite from the Download Center:

- Windows XP SP3: XMLLite is...

Chapter 15 Managing Users and User Data

- Understanding User Profiles in Windows 7
- Understanding Libraries
- Implementing Corporate Roaming
- Working with Offline Files
- Summary
- Additional Resources

... are saved, which changed from the My Documents known folder in Windows XP to the Documents known folder in Windows Vista

Windows 7 does not introduce any significant changes to the underlying structure of user profiles or where they are stored. However, Windows 7 does change the user experience of accessing user profile folders...

... profile namespace. In Windows Vista and later versions of Windows, this namespace is organized in a significantly different manner than in earlier versions of Windows, including Windows XP and Microsoft Windows 2000. Understanding these differences is essential for understanding how RUP works in mixed environments, such as a network that has computers running Windows 7 and computers running Windows XP. Such...
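
The two Windows PowerShell procedures described earlier on this page (creating and linking the Seattle Users GPO, then enabling the Add Search Internet Link To Start Menu setting with Set-GPRegistryValue) can be combined into one rerunnable script that also reads the value back and takes a backup. This is an added example, not code from the book; the OU is the chapter's contoso.com example, and the backup folder C:\GPOBackups is an assumed path.

```powershell
# Added example, not from the book. Run from an elevated Windows PowerShell
# prompt on a computer with the GPMC installed, as a member of Domain Admins.
Import-Module GroupPolicy -ErrorAction Stop

$gpoName   = 'Seattle Users GPO'
$targetOu  = 'ou=Seattle Users,ou=Seattle,dc=contoso,dc=com'  # chapter's example OU
$key       = 'HKCU\Software\Policies\Microsoft\Windows\Explorer'
$valueName = 'AddSearchInternetLinkinStartMenu'
$backupDir = 'C:\GPOBackups'                                   # assumed path

# 1. Create the GPO only if it is missing, so the script can be rerun safely.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Created by script'
}

# 2. Link the GPO to the OU with link order 1 unless it is already linked there
#    (New-GPLink reports an error when the link exists).
$links = (Get-GPInheritance -Target $targetOu).GpoLinks
if (-not ($links | Where-Object { $_.GpoId -eq $gpo.Id })) {
    New-GPLink -Guid $gpo.Id -Target $targetOu -Order 1 | Out-Null
}

# 3. Write the registry-based policy setting into the GPO (DWORD value 1).
Set-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName $valueName `
    -Type DWord -Value 1 | Out-Null

# 4. Read the setting back from the GPO and stop if it is not what was written.
$setting = Get-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName $valueName
if ($setting.Value -ne 1) {
    throw "GPO '$gpoName': $valueName is '$($setting.Value)', expected 1."
}

# 5. Back up the GPO so the change can be reviewed or rolled back with Restore-GPO.
if (-not (Test-Path $backupDir)) {
    New-Item -ItemType Directory -Path $backupDir | Out-Null
}
$backup = Backup-GPO -Guid $gpo.Id -Path $backupDir `
    -Comment "After enabling $valueName"

# Summary line for the operator or a change log.
'{0} ({1}) linked to {2}; {3} = {4}; backup id {5}' -f `
    $gpo.DisplayName, $gpo.Id, $targetOu, $valueName, $setting.Value, $backup.Id
```

Referring to the GPO by its GUID after creation avoids acting on a different GPO that happens to share the display name.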

Date posted: 21/01/2014, 11:20
