Introduction xxv
Chapter 1 Group Policy Essentials 1
Getting Ready to Use This Book 2
Getting Started with Group Policy 7
Group Policy Entities and Policy Settings 7
Active Directory and Local Group Policy 9
Understanding Local Group Policy 10
Group Policy and Active Directory 13
Linking Group Policy Objects 15
Final Thoughts on Local GPOs 20
An Example of Group Policy Application 21
Examining the Resultant Set of Policy 23
At the Site Level 23
At the Domain Level 24
At the OU Level 24
Bringing It All Together 25
Group Policy, Active Directory, and the GPMC 26
Implementing the GPMC on Your Management Station 27
Creating a One-Stop-Shop MMC 30
Group Policy 101 and Active Directory 32
Active Directory Users and Computers vs. GPMC 32
Adjusting the View within the GPMC 33
The GPMC-centric View 35
Our Own Group Policy Examples 37
More about Linking and the Group Policy Objects Container 38
Applying a Group Policy Object to the Site Level 41
Applying Group Policy Objects to the Domain Level 44
Applying Group Policy Objects to the OU Level 47
Testing Your Delegation of Group Policy Management 52
Understanding Group Policy Object Linking Delegation 54
Granting OU Admins Access to Create New Group Policy Objects 55
Creating and Linking Group Policy Objects at the OU Level 56
Creating a New Group Policy Object Affecting Computers in an OU 59
Moving Computers into the Human Resources
Computers OU 61
Verifying Your Cumulative Changes 62
Final Thoughts 64
Chapter 2 Managing Group Policy with the GPMC and via PowerShell 67
Common Procedures with the GPMC and PowerShell 69
Raising or Lowering the Precedence of Multiple Group Policy Objects 75
Understanding GPMC's Link Warning 76
Stopping Group Policy Objects from Applying 78
Block Inheritance 85
The Enforced Function 87
Security Filtering and Delegation with the GPMC 90
Filtering the Scope of Group Policy Objects with Security 91
User Permissions on Group Policy Objects 102
Granting Group Policy Object Creation Rights in the Domain 104
Special Group Policy Operation Delegations 105
Who Can Create and Use WMI Filters? 107
Performing RSoP Calculations with the GPMC 109
What's-Going-On Calculations with Group Policy Results 110
What-If Calculations with Group Policy Modeling 116
Searching and Commenting Group Policy Objects and Policy Settings 118
Searching for GPO Characteristics 119
Filtering Inside a GPO for Policy Settings 121
Comments for GPOs and Policy Settings 132
Starter GPOs 137
Creating a Starter GPO 139
Editing a Starter GPO 139
Leveraging a Starter GPO 141
Delegating Control of Starter GPOs 142
Wrapping Up and Sending Starter GPOs 143
Should You Use Microsoft's Pre-created Starter GPOs? 144
Back Up and Restore for Group Policy 145
Backing Up Group Policy Objects 146
Restoring Group Policy Objects 148
Backing Up and Restoring Starter GPOs 152
Backing Up and Restoring WMI Filters 153
Backing Up and Restoring IPsec Filters 153
Migrating Group Policy Objects between Domains 154
Basic Interdomain Copy and Import 154
Copy and Import with Migration Tables 162
GPMC At-a-Glance Icon View 166
Final Thoughts 167
Chapter 3 Group Policy Processing Behavior Essentials 169
Group Policy Processing Principles 170
Don't Get Lost 172
Initial Policy Processing 172
Background Refresh Policy Processing 174
Security Background Refresh Processing 187
Special Case: Moving a User or a Computer Object 193
Windows 8, 8.1, and 10 Group Policy: Subtle Differences 194
Policy Application via Remote Access, Slow Links, and after Hibernation 200
When and How Does Windows Check for Slow Links? 200
What Is Processed over a Slow Network Connection? 201
Always Get Group Policy (Even on the Road, through the Internet) 202
Using Group Policy to Affect Group Policy 205
Affecting the User Settings of Group Policy 205
Affecting the Computer Settings of Group Policy 207
The Missing Group Policy Preferences Policy Settings 219
Final Thoughts 221
Chapter 4 Advanced Group Policy Processing 223
Fine-Tuning When and Where Group Policy Applies 223
Using WMI Filters to Filter the Scope of a Group Policy Object (Itself) 224
Using PolicyPak Admin Templates Manager to Filter the Scope of a Group Policy Object's Contents 230
Group Policy Loopback Processing 231
Reviewing Normal Group Policy Processing 232
Group Policy Loopback-Merge Mode 233
Group Policy Loopback-Replace Mode 233
Loopback without Loopback (Switched Mode with PolicyPak Application Manager and PolicyPak Admin Templates Manager) 239
Group Policy with Cross-Forest Trusts 242
What Happens When Logging onto Different Clients across a Cross-Forest Trust? 243
Disabling Loopback Processing When Using Cross-Forest Trusts 245
Understanding Cross-Forest Trust Permissions 245
Final Thoughts 247
Chapter 5 Group Policy Preferences 249
Powers of the Group Policy Preferences 252
Computer Configuration ¿ Preferences 258
User Configuration ¿ Preferences 269
Group Policy Preferences Concepts 278
Preference vs. Policy 279
The Overlap of Group Policy vs. Group Policy Preferences and Associated Issues 281
The Lines and Circles and the CRUD Action Modes 293
Common Tab 301
Group Policy Preferences Tips, Tricks, and Troubleshooting 313
Quick Copy, Drag and Drop, Cut and Paste, and Sharing of Settings 313
Multiple Preference Items at a Level 315
Temporarily Disabling a Single Preference Item or Extension Root 317
Environment Variables 318
Managing Group Policy Preferences: Hiding Extensions from within the Editor 320
Troubleshooting: Reporting, Logging, and Tracing 321
Giving Group Policy Preferences a "Boost" (Using PolicyPak Preferences Manager and PolicyPak Cloud) 329
Using PolicyPak Preferences Manager to Maintain Group Policy Preferences while Offline 330
Using PolicyPak Preferences Manager to Deliver Group Policy Preferences Using "Not Group Policy" 330
Delivering Group Policy Preferences over the Internet Using PolicyPak Cloud (to Domain-Joined and Non-Domain-Joined Machines) 331
Final Thoughts 332
Chapter 6 Managing Applications and Settings Using Group Policy 335
Understanding Administrative Templates 336
Administrative Templates: Then and Now 336
Policy vs. Preference 337
Exploring ADM vs. ADMX and ADML Files 342
Looking Back at ADM Files 342
Understanding the Updated GPMC's ADMX and ADML Files 342
Comparing ADM vs. ADMX Files 344
ADMX and ADML Files: What They Do and the Problems They Solve 345
Problem and Solution 1: Tackling SYSVOL Bloat 345
Problem 2: How Do We Deal with Multiple Languages? 346
Problem 3: How Do We Deal with "Write Overlaps"? 347
Problem 4: How Do We Distribute Updated Definitions to All Our Administrators? 349
The Central Store 349
The Windows ADMX/ADML Central Store 351
Creating and Editing GPOs in a Mixed Environment 355
Scenario 1: Start by Creating and Editing a GPO Using the Older GPMC; Edit Using Another Older GPMC Management Station 355
Scenario 2: Start by Creating and Editing a GPO with the Older GPMC; Edit Using the Updated GPMC 356
Scenario 3: Start by Creating and Editing a GPO Using the Updated GPMC; Edit Using Another Updated GPMC Management Station 358
Scenario 4: Start by Creating and Editing a GPO Using an Updated GPMC Management Station; Edit Using an Older GPMC Management Station 358
Using ADM and ADMX Templates from Other Sources 359
Using ADM Templates with the Updated GPMC 359
Using ADMX Templates from Other Sources 361
ADMX Migrator and ADMX Editor Tools 362
ADMX Migrator 363
ADMX Creation and Editor Tools 365
PolicyPak Application Manager 365
PolicyPak Concepts and Installation 367
Top PolicyPak Application Manager Pak Examples 369
Understanding PolicyPak Superpowers and What Happens When Computers Are Off the Network 373
Final Thoughts 376
Chapter 7 Troubleshooting Group Policy 379
Under the Hood of Group Policy 381
Inside Local Group Policy 381
Inside Active Directory Group Policy Objects 383
The Birth, Life, and Death of a GPO 385
How Group Policy Objects Are "Born" 386
How a GPO "Lives" 387
Death of a GPO 415
How Client Systems Get Group Policy Objects 416
The Steps to Group Policy Processing 416
Client-Side Extensions 419
Where Are Administrative Templates Registry Settings Stored? 427
Why Isn't Group Policy Applying? 429
Reviewing the Basics 429
Advanced Inspection 432
Client-Side Troubleshooting 441
RSoP for Windows Clients 442
Advanced Group Policy Troubleshooting with the Event Viewer Logs 450
Group Policy Processing Performance 462
Final Thoughts 463
Chapter 8 Implementing Security with Group Policy 465
The Two Default Group Policy Objects 466
GPOs Linked at the Domain Level 467
Group Policy Objects Linked to the Domain Controllers OU 471
Oops, the "Default Domain Policy" GPO and/or "Default Domain Controllers Policy" GPO Got Screwed Up! 473
The Strange Life of Password Policy 475
What Happens When You Set Password Settings at an OU Level 475
Fine-Grained Password Policy 477
Inside Basic and Advanced Auditing 482
Basic Auditable Events Using Group Policy 482
Auditing File Access 487
Auditing Group Policy Object Changes 489
Advanced Audit Policy Configuration 491
Restricted Groups 495
Strictly Controlling Active Directory Groups 497
Strictly Applying Group Nesting 499
Which Groups Can Go into Which Other Groups via Restricted Groups? 500
Restrict Software Using AppLocker 500
Inside Software Restriction Policies 501
Software Restriction Policies' "Philosophies" 502
Software Restriction Policies' Rules 503
Restricting Software Using AppLocker 510
Controlling User Account Control with Group Policy 531
Just Who Will See the UAC Prompts, Anyway? 534
Understanding the Group Policy Controls for UAC 539
UAC Policy Setting Suggestions 548
Wireless (802.3) and Wired Network (802.11) Policies 551
802.11 Wireless Policy for Windows XP 552
802.11 Wireless Policy and 802.3 Wired Policy for Modern Windows 553
Configuring Windows Firewall with Group Policy 554
Manipulating the Windows Firewall (the Old Way) 557
Windows Firewall with Advanced Security WFAS 558
IPsec (Now in Windows Firewall with Advanced Security) 567
How Windows Firewall Rules Are Ultimately Calculated 572
Final Thoughts 576
Chapter 9 Profiles: Local, Roaming, and Mandatory 579
Setting the Stage for Multiple Clients 579
What Is a User Profile? 583
The NTUSER.DAT File 583
Profile Folders for Type 1 Computers (Windows XP and Windows 2003 Server) 584
Profile Folders for Type 2-5 Computers (Windows Vista and Later) 586
The Default Local User Profile 591
The Default Network User Profile 594
Roaming Profiles 599
Are Roaming Profiles "Evil"? And What Are the Alternatives? 601
Setting Up Roaming Profiles 604
Testing Roaming Profiles 608
Roaming and Nonroaming Folders 610
Managing Roaming Profiles 614
Manipulating Roaming Profiles with Computer Group Policy Settings 617
Manipulating Roaming Profiles with User Group Policy Settings 630
Mandatory Profiles 635
Establishing Mandatory Profiles for Windows XP 636
Establishing Mandatory Profiles for Modern Windows 638
Mandatory Profiles-Finishing Touches 639
Forced Mandatory Profiles (Super-Mandatory) 640
Final Thoughts 642
Chapter 10 The Managed Desktop, Part 1: Redirected Folders, Offline Files, and the Synchronization Manager 643
Redirected Folders 644
Available Folders to Redirect 644
Redirected Documents/My Documents 645
Redirecting the Start Menu and the Desktop 665
Redirecting the Application Data Folder 666
Group Policy Setting for Folder Redirection 667
Troubleshooting Redirected Folders 669
Offline Files and Synchronization 672
Making Offline Files Available 673
Inside Windows 10 File Synchronization 676
Handling Conflicts 684
Client Configuration of Offline Files 686
Using Folder Redirection and Offline Files over Slow Links 694
Synchronizing over Slow Links with Redirected My Documents 695
Synchronizing over Slow Links with Regular Shares 697
Teaching Windows 10 How to React to Slow Links 698
Using Group Policy to Configure Offline Files (User and Computer Node) 702
Troubleshooting Sync Center 710
Turning Off Folder Redirection's Automatic Offline Caching for Desktops 712
Final Thoughts 720
Chapter 11 The Managed Desktop, Part 2: Software Deployment via Group Policy 723
Group Policy Software Installation (GPSI) Overview 724
The Windows Installer Service 726
Understanding .MSI Packages 726
Utilizing an Existing .MSI Package 727
Assigning and Publishing Applications 732
Assigning Applications 732
Publishing Applications 733
Rules of Deployment 734
Package-Targeting Strategy 734
Advanced Published or Assigned 745
The General Tab 746
The Deployment Tab 746
The Upgrades Tab 750
The Categories Tab 752
The Modifications Tab 752
The Security Tab 754
Default Group Policy Software Installation Properties 755
The General Tab 755
The Advanced Tab 756
The File Extensions Tab 757
The Categories Tab 757
Removing Applications 757
Users Can Manually Change or Remove Applications 758
Automatically Removing Assigned or Published .MSI Applications 758
Forcibly Removing Assigned or Published .MSI Applications 759
Using Group Policy Software Installation over Slow Links 761
MSI, the Windows Installer, and Group Policy 764
Inside the MSIEXEC Tool 764
Patching a Distribution Point 765
Affecting Windows Installer with Group Policy 767
Deploying Office 2010 and Later Using Group Policy (MSI Version) 771
Steps to Office 2013 and 2016 Deployment Using Group Policy 772
Result of Your Office Deployment Using Group Policy 782
Installing Office Using Click-to-Run 783
Getting Office Click-to-Run 784
Installing Office Click-to-Run by Hand 784
Deploying Office Click-to-Run via Group Policy 786
System Center Configuration Manager vs. Group Policy (and Alternatives) 793
Final Thoughts 796
Chapter 12 Finishing Touches with Group Policy: Scripts, Internet Explorer, Hardware Control, Printer Deployment, Local Admin Password Control 797
Scripts: Logon, Logoff, Startup, and Shutdown 798
Non-PowerShell-Based Scripts 798
Deploying PowerShell Scripts to Windows 7 and Later Clients 801
Managing Internet Explorer with Group Policy 802
Managing Internet Explorer with Group Policy Preferences 803
Internet Explorer's Group Policy Settings 805
Understanding Internet Explorer 11's Enterprise Mode 806
Managing Internet Explorer 11 Using PolicyPak Application Manager 808
Restricting Access to Hardware via Group Policy 808
Group Policy Preferences Devices Extension 809
Restricting Driver Access with Policy Settings 814
Getting a Handle on Classes and IDs 815
Restricting or Allowing Your Hardware via Group Policy 817
Understanding the Remaining Policy Settings for Hardware Restrictions 819
Assigning Printers via Group Policy 821
Zapping Down Printers to Users and Computers (a Refresher) 821
Implementing Rotating Local Passwords with LAPS 830
What to Install from LAPS 831
Extending the Schema and Setting LAPS Permissions 832
Using a Group Policy Object to Manage LAPS 835
Using LAPS Management's Tools: Fat Client and PowerShell 836
Final Thoughts for This Chapter and for the Book 838
Appendix A Scripting Group Policy Operations with Windows PowerShell 839
Using PowerShell to Do More with Group Policy 840
Preparing for Your PowerShell Experience 841
Getting Started with PowerShell 842
Documenting Your Group Policy World with PowerShell 846
Setting GPO Permissions 867
Manipulating GPOs with PowerShell 870
Performing a Remote GPupdate (Invoking GPupdate) 880
Replacing Microsoft's GPMC Scripts with PowerShell Equivalents 881
Final Thoughts 883
Appendix B Group Policy and VDI 885
Why Is VDI Different? 886
Tuning Your Images for VDI 887
Specific Functions to Turn Off for VDI Machines 888
Group Policy Settings to Set and Avoid for Maximum VDI Performance 889
Group Policy Tweaks for Fast VDI Video 891
Tweaking RDP Using Group Policy for VDI 891
Tweaking RemoteFX using Group Policy for VDI 892
Managing and Locking Down Desktop UI Tweaks 893
Final Thoughts for VDI and Group Policy 894
Appendix C Advanced Group Policy Management 897
The Challenge of Group Policy Change Management 898
Architecture and Installation of AGPM 899
AGPM Architecture 899
Installing AGPM 900
What Happens after AGPM Is Installed? 906
GPMC Differences with AGPM Client 906
What's With All the Access Denied Errors? 908
Does the World Change Right Away? 908
Understanding the AGPM Delegation Model 908
AGPM Delegation Roles 909
AGPM Common Tasks 912
Understanding and Working with AGPM's Flow 914
Controlling Your Currently Uncontrolled GPOs 915
Creating a GPO and Immediately Controlling It 918
Check Out a GPO 919
Viewing Reports about a Controlled GPO 921
Editing a Checked-Out Offline Copy of a GPO 921
Performing a Check In of a Changed GPO 923
Deploying a GPO into Production 924
Making Additional Changes to a GPO and Labeling a GPO 926
Using History and Differences to Roll Back a GPO 927
Using "Import from Production" to Catch Up a GPO 931
Uncontrolling, Restoring, and Destroying a GPO 932
Searching for GPOs Using the Search Box 934
AGPM Tasks with Multiple Admins 935
E¿mail Preparations and Configurations for AGPM Requests 936
Adding Someone to the AGPM System 939
Requesting the Creation of New Controlled GPO 943
Approving or Rejecting a Pending Request 944
Editing the GPO Offline via Check Out/Check In 946
Requesting Deployment of the GPO 946
Analyzing a GPO (as a Reviewer) 948
Advanced Configuration and Troubleshooting of AGPM 950
Production Delegation 950
Auto-Deleting Old GPO Versions 951
Export and Import of Controlled GPOs between Forests and/or Domains 951
Troubleshooting AGPM Permissions 953
Leveraging AGPM Templates 955
Changing Permissions on GPO Archives 958
Backing Up, Restoring, and Moving the AGPM Server 959
Changing the Port That AGPM Uses 962
Events from AGPM 963
Leveraging the Built-in AGPM ADMX Template 963
Final Thoughts 968
Appendix D Security Compliance Manager 969
SCM: Installation 970
SCM: Getting Around 972
SCM: Usual Use Case 974
Importing Existing GPOs 980
Comparing and Merging Baselines 980
LocalGPO Tool 983
Installing SCM's LocalGPO Tool 984
Using SCM's LocalGPO 985
Final Thoughts on LocalGPO and SCM 989
Appendix E Microsoft Intune and PolicyPak Cloud 991
Microsoft Intune 991
Getting Started with Microsoft Intune 992
Using Microsoft Intune 995
Setting Up Microsoft Intune Groups 995
Setting Up Policies Using Microsoft Intune 996
Microsoft Intune and Group Policy Conflicts 997
Final Thoughts on Microsoft Intune 998
PolicyPak Cloud 998
PolicyPak Cloud 101 999
Understanding PolicyPak Cloud Policies 999
Creating and Using PolicyPak Cloud Groups 1001
Joining PolicyPak Cloud 1001
Final Thoughts on PolicyPak Cloud 1003
Final Thoughts on Microsoft Intune and PolicyPak Cloud 1003
Index 1005
