Get the in-depth information you need to use Group Policy to administer your
enterprise system - direct from industry experts and the Microsoft Group Policy
team. With Group Policy and Active Directory® directory service, administrators
can take advantage of policy-based management to streamline the administration
of users and computers throughout the enterprise - from servers running Windows
Server 2003 or Windows 2000 Server to workstations running Windows XP Professional
or Windows 2000 Professional. This essential resource explains how to simplify
and automate administrative tasks, including policy enforcement, system updates,
and software installations, as well as how to centralize the management of network
resources. The CD provides essential utilities, custom ADMs, GPO spreadsheets,
and more. It's everything you need to help increase your efficiency while bolstering
user productivity, security services, and system reliability.

Table of Contents
Foreword
Introduction
Part I Getting Started with Group Policy
Overview of Group Policy
Understanding Group Policy
What It Does
How It Works
Using and Implementing Group Policy
Using Group Policy in Workgroups and Domains
Working with Group Policy Objects
Getting Started with Group Policy
Understanding Group Policy Settings and Options
Using Group Policy for Administration
Understanding the Required Infrastructure for Group Policy
DNS and Active Directory
Applying Active Directory Structure to Inheritance
Examining GPO Links and Default GPOs
Understanding GPO Links
Working with Linked GPOs and Default Policy
Summary
Working with Group Policy
Navigating Group Policy Objects and Settings
Connecting to and Working with GPOs
Applying Group Policy and Using Resultant Set of Policy
RSoP Walkthrough
Managing Group Policy Objects
Managing Local Group Policy
Managing Active Directory-Based Group Policy
Creating and Linking GPOs
Creating and Linking GPOs for Sites
Creating and Linking GPOs for Domains
Creating and Linking GPOs for OUs
Delegating Privileges for Group Policy Management
Determining and Assigning GPO Creation Rights
Determining Group Policy Management Privileges
Delegating Control for Working with GPOs
Delegating Authority for Managing Links and RSoP
Removing Links and Deleting GPOs
Removing a Link to a GPO
Deleting a GPO Permanently
Summary
Advanced Group Policy Management
Searching and Filtering Group Policy
Filtering Policy Settings
Searching Policy Objects, Links, and Settings
Filtering by Security Group, User, or Computer
Managing Group Policy Inheritance
Changing Link Order and Precedence
Overriding Inheritance
Blocking Inheritance
Enforcing Inheritance
Managing Group Policy Processing and Refresh
Changing the Refresh Interval
Enabling or Disabling GPO Processing
Changing Policy Processing Preferences
Configuring Slow Link Detection
Refreshing Group Policy Manually
Modeling and Maintaining Group Policy
Modeling Group Policy for Planning Purposes
Copying and Importing Policy Objects
Backing Up GPOs
Restoring Policy Objects
Determining the Effective Group Policy Settings and Last Refresh
Summary
Part II Group Policy Implementation and Scenarios
Deploying Group Policy
Group Policy Design Considerations
Active Directory Design Considerations
Physical Design Considerations
Remote Access Connection Design Considerations
GPO Application Design Considerations
Additional GPO Design Considerations
Controlling GPO Processing Performance
Common Performance Issues
Performance Tips
Best Practices for Deploying GPOs
Choosing the Best Level to Link GPOs
Resources Used by GPOs
Software Installation
Designing GPOs Based on GPO Categories
Limit Enforced and Block Policy Inheritance Options
When to Use Security Filtering
When to Use WMI Filters
Network Topology Considerations
Limiting Administrative Privileges
Naming GPOs
Testing GPOs Before Deployment
Migrating GPOs from Test to Production
Migrating GPOs from Production to Production
Using Migration Tables
Summary
Hardening Clients and Servers
Understanding Security Templates
Default Security Templates
Sections of the Security Template
Tools for Accessing, Creating, and Modifying Security Templates
Using the Security Configuration Wizard
Deploying Security Templates
Importing Security Templates into GPOs
Using the Security Configuration and Analysis Tool
Using the Secedit.exe Command-Line Tool
Using the Security Configuration Wizard and the scwcmd Command
General Hardening Techniques
Closing Unnecessary Ports
Disabling Unnecessary Services
Tools Used in Hardening Computers
Server Hardening
Member Servers
Domain Controllers
File and Print Servers
Web Servers
Client Hardening
Ports Required for Clients
Restricted Groups for Clients
Client Computers for IT Staff and Administrators
Client Computers for Help Desk Staff
Troubleshooting
Security Areas and Potential Problems
Tools
Summary
Managing and Maintaining Essential Windows Components
Configuring Application Compatibility Settings
Optimizing Application Compatibility Through Group Policy
Configuring Additional Application Compatibility Settings
Configuring Attachment Manager Settings
Working with Attachment Manager
Configuring Risk Levels and Trust Logic in Group Policy
Configuring Event Viewer Information Requests
Using Event Viewer Information Requests
Customizing Event Details Through Group Policy
Controlling IIS Installation
Configuring Access to and Use of Microsoft Management Console
Blocking Author Mode for MMC
Designating Prohibited and Permitted Snap-Ins
Requiring Explicit Permission for All Snap-Ins
Optimizing NetMeeting Security and Features
Configuring NetMeeting Through Group Policy
Enabling Security Center for Use in Domains
Managing Access to Scheduled Tasks and Task Scheduler
Managing File System, Drive, and Windows Explorer Access Options
Hiding Drives in Windows Explorer and Related Views
Preventing Access to Drives in Windows Explorer and Related Views
Removing CD-Burning and DVD-Burning Features in Windows Explorer and Related Views
Removing the Security Tab in Windows Explorer and Related Views
Limiting the Maximum Size of the Recycle Bin
Optimizing the Windows Installer Configuration
Controlling System Restore Checkpoints for Program Installations
Configuring Baseline File Cache Usage
Controlling Rollback File Creation
Elevating User Privileges for Installation
Controlling Per-User Installation and Program Operation
Preventing Installation from Floppy Disk, CD, DVD, and Other Removable Media
Configuring Windows Installer Logging
Optimizing Automatic Updates with Windows Update
Enabling and Configuring Automatic Updates
Controlling Auto Download and Notify for Install
Blocking Access to Automatic Updates
Designating an Update Server
Summary
Managing User Settings and Data
Understanding User Profiles and Group Policy
Configuring Roaming Profiles
Configuring the Network Share for Roaming Profiles
Configuring User Accounts to Use Roaming Profiles
Optimizing User Profile Configurations
Modifying the Way Local and Roaming Profiles Are Used
Modifying the Way Profile Data Is Updated and Changed
Modifying the Way Profile Data Can Be Accessed
Limiting Profile Size and Included Folders
Redirecting User Profile Folders and Data
Understanding Folder Redirection
Configuring Folder Redirection
Managing Computer and User Scripts
Working with Computer and User Scripts
Configuring Computer Startup and Shutdown Scripts
Configuring User Logon and Logoff Scripts
Controlling Script Visibility
Controlling Script Timeout
Controlling Script Execution and Run Technique
Summary
Maintaining Internet Explorer Configurations
Customizing the Internet Explorer Interface
Customizing the Title Bar Text
Customizing Logos
Customizing Buttons and Toolbars
Customizing URLs, Favorites, and Links
Customizing Home, Search, and Support URLs
Customizing Favorites and Links
Configuring Global Default Programs
Optimizing Connection and Proxy Settings
Deploying Connection Settings Through Group Policy
Deploying Proxy Settings Through Group Policy
Enhancing Internet Explorer Security
Working with Security Zones and Settings
Restricting Security Zone Configuration
Deploying Security Zone Configurations
Importing and Deploying the Security Zone Settings
Configuring Additional Policies for Internet Options
Summary
Deploying and Maintaining Software Through Group Policy
Understanding Group Policy Software Installation
How Software Installation Works
What You Need to Know to Prepare
How to Set Up the Installation Location
What Limitations Apply
Planning the Software Deployment
Creating Software Deployment GPOs
Configuring the Software Deployment
Deploying Software Through Group Policy
Deploying Software with Windows Installer Packages
Deploying Software with Non Windows Installer Packages
Configuring Advanced and Global Software Installation Options
Viewing and Setting General Deployment Properties
Changing the Deployment Type and Installation Options
Defining Application Categories
Adding, Modifying, and Removing Application Categories
Adding an Application to a Category
Performing Upgrades
Customizing the Installation Package with Transforms
Controlling Deployment by Security Group
Setting Global Deployment Defaults
Deploying Microsoft Office and Service Packs
Deploying Office Through Policy
Deploying Windows Service Packs Through Policy
Maintaining Deployed Applications
Removing Deployed Applications
Redeploying Applications
Configuring Software Restriction Policies
Troubleshooting Software Installation Policy
Summary
Managing Microsoft Office Configurations
Introducing Office Configuration Management
Customizing Office Configurations
Downloading and Installing the Tools
Working with the Custom Installation Wizard
Working with the Custom Maintenance Wizard
Preparing the Policy Environment
Deploying Office Administrative Template Files
Creating Office Configuration GPOs
Managing Multiple Office Configuration Versions
Managing Office-Related Policy
Working with Office-Related Policy
Examining Global and Application-Specific Settings
Configuring Office-related Policy Settings
Preventing Users from Changing Office Configurations
Controlling Default File and Folder Locations
Configuring Outlook Security Options
Controlling Office Language Settings
Troubleshooting Office Administrative Template Policy
Summary
Maintaining Secure Network Communications
Understanding IPSec Policy
How IPSec Works
How IPSec Policy Is Deployed
When to Use IPSec and IPSec Policy
Managing and Maintaining IPSec Policy
Activating and Deactivating IPSec Policies
Create Additional IPSec Policies
Monitoring IPSec Policy
Deploying Public Key Policies
How Public Key Certificates Work
How Public Key Policies Are Used
Managing Public Key Policy
Understanding Windows Firewall Policy
How Windows Firewall Works
How Windows Firewall Policy Is Used
Managing Windows Firewall Policy
Configuring IPSec Bypass
Enabling and Disabling Windows Firewall with Group Policy
Managing Firewall Exceptions with Group Policy
Configuring Firewall Notification, Logging, and Response Requests
Summary
Creating Custom Environments
Loopback Processing
Replace Mode
Merge Mode
Troubleshooting Loopback
Terminal Services
Controlling Terminal Services Through Group Policy on an Individual Computer
Controlling Terminal Services Through Group Policy in a Domain
Configuring Order of Precedence
Configuring Terminal Services User Properties
Configuring License Server Using Group Policy Settings
Configuring Terminal Services Connections
Managing Drive, Printer, and Device Mappings for Clients
Controlling Terminal Services Profiles
Group Policy over Slow Links
Default Policy Application over Slow Links
Slow Link Behavior for RAS Connections
Slow Link Detection Group Policy Settings
Additional Slow Link Detection Settings for Client-Side Extensions
Summary
Part III Group Policy Customization
Group Policy Structure and Processing
Navigating Group Policy Logical Structure
Working with Group Policy Containers
Examining Attributes of groupPolicyContainer Objects
Examining the Security of groupPolicyContainer Objects
Examining GPO Creation Permissions
Viewing and Setting Default Security for New GPOs
Navigating Group Policy Physical Structure
Working with Group Policy Templates
Understanding Group Policy Versioning
Understanding Group Policy Template Security
Navigating Group Policy Link Structure
Examining Group Policy Linking
Examining Inheritance Blocking on Links
Understanding Group Policy Security and Links
Understanding Group Policy Processing
Examining Client-Side Extension Processing
Examining Server-Side Extension Processing
Understanding Policy Processing Events
Asynchronous vs. Synchronous Policy Processing
Tracking Policy Application
Tracking Slow Link Detection
Modifying Security Policy Processing
Group Policy History and State Data
Navigating Local GPO Structure
Understanding LGPO Creation and Application
Understanding LGPO Structure
Managing and Maintaining LGPOs
Controlling Access to the LGPO
Summary
Customizing Administrative Templates
What Is an Administrative Template?
Default .adm Files
Working with .adm Files
Default Installed .adm Files
Tips for Importing .adm Files
Adding .adm Files
Removing .adm Files
Managing .adm Files
Policies vs. Preferences
Creating Custom .adm Files
A Simple .adm File
Using .adm File Language
Structure of an .adm File
#if version
Syntax for Updating the Registry
Syntax for Updating the Group Policy Object Editor Interface
Additional Statements in the .adm Template
.adm File String and Tab Limits
Best Practices
Summary
Security Templates
Understanding the Security Template Structure
Account Policies
Local Policies
Event Log
Restricted Groups
System Services
Registry
File System
Where Security Template Settings Overlap with GPO Settings
Working With Security Templates
Security Templates Snap-in
Raw Security Template INF Files
Customizing Security Templates
Copying Templates
Creating New Security Templates
Customizing Security Options
Structure of the Sceregvl.inf File
Customizing the Sceregvl.inf File
Getting the Custom Entry to Show Up
Customizing Services in the Security Templates
Getting the Correct Service to Automatically Display
Acquiring the Service Syntax for the Security Template File
Manually Updating Services in the Security Template File
Microsoft Solutions for Security Settings
Summary
Part IV Group Policy Troubleshooting
Troubleshooting Group Policy
Group Policy Troubleshooting Essentials
Verifying the Core Configuration
Verifying Key Infrastructure Components
Verifying the Scope of Management
Essential Troubleshooting Tools
Working with Resultant Set Of Policy
Viewing RSoP from the Command Line
Verifying Server-Side GPO Health
Managing RSoP Logs Centrally
Group Policy Logging
Navigating the Application Event Logs
Managing Userenv Logging
Managing Logging for Specific CSEs
Summary
Resolving Common Group Policy Problems
Solving GPO Administration Problems
Domain Controller Running the PDC Emulator Is Not Available
Not All Settings Show Up in the Group Policy Editor
Delegation Restrictions Within the GPMC
Group Policy Settings Are Not Being Applied Due to Infrastructure Problems
Domain Controllers Are Not Available
Active Directory Database Is Corrupt
Local Logon vs. Active Directory Logon
SYSVOL Files Are Causing GPO Application Failure
Problems with Replication and Convergence of Active Directory and SYSVOL
DNS Problems Causing GPO Application Problems
Solving Implementation Problems
Tracking Down Incorrect GPO Settings
GPO Links Causing GPO Application Problems
Accounts Are Not Located in the Correct OU
Trying to Apply Group Policy Settings to Groups
Conflicting Settings in Two GPOs
Modifying Default GPO Inheritance
Summary
Part V Appendixes
A Group Policy Reference
Computer Configuration Reference
User Configuration Reference
B New Features in Windows Server 2003 Service Pack 1
Adprep
Administrative Tools
Internet Explorer Feature Control Settings
Managing Feature Control Settings
Configuring Policies and Preferences
Internet Explorer Administration Kit/Internet Explorer Maintenance
Internet Explorer URL Action Security Settings
Changes to Internet Explorer URL Action Security Settings
Resultant Set of Policy
Changes to RSoP in SP1
Administering Remote RSoP with GPMC SP1
Delegating Access to Group Policy Results
Post-Setup Security Updates
Security Configuration Wizard
Windows Firewall
Changes to Windows Firewall
Changes for Audit Logging
Changes for Netsh Helper
Windows Firewall New Group Policy Support
C GPMC Scripting
GPMC Scripting Interface Essentials
Understanding the GPMC Scripting Object Model
Creating the Initial GPM Object
Referencing the Domain to Manage
Creating and Linking GPOs
Automating Group Policy Security Management
Using the GPMC's Prebuilt Scripts
Creating GPOs
Deleting GPOs
Finding Disabled GPOs
Finding GPOs by Security Group
Finding GPOs Without Active Links
Setting GPO Creation Permissions
Setting Other GPO Permissions
Backing Up All GPOs
Backing Up Individual GPOs
Copying GPOs
Importing GPOs
Generating RSoP Reports
Mirroring Your Production Environment
GPMC Prebuilt Script Review
D Office 2003 Administrative Template Highlights
Microsoft Access 2003
Microsoft Excel 2003
Microsoft FrontPage 2003
Microsoft Clip Organizer 2003
Microsoft InfoPath 2003
Microsoft Office 2003
Microsoft OneNote 2003
Microsoft Outlook 2003
Microsoft PowerPoint 2003
Microsoft Project 2003
Microsoft Publisher 2003
Microsoft Visio 2003
Microsoft Word 2003
Index