Index

Note to the reader: Throughout this index boldfaced page numbers indicate primary discussions of a topic. Italicized page numbers indicate illustrations.

Active Directory groups, strict control of, Numbers 476–479 802.3 and Wireless Policy Client-Side Sites and Services tool, 24 Extension, 368 for manual replication, 398 802.3 Wired Policy Active Directory Users and , 27, on slow networks, 172 54, 612 for Vista, 527–528 attribute editor, 455 802.11 Wireless Policy vs. GPMC, 35–36 on slow networks, 171 and , 33 for Vista, 527–528 logon script visibility to user, 795 for Windows XP, 527 to view GPCs and GUIDs, 351, 352 Active X controls, 804 Add or Remove Programs folder, 736 user removal of application with, 743 A Add/Remove Programs , application display on, 746 files, 363, 749 .AAS Add/Remove Snap-in dialog box, 15, 35 account management, auditing, 460 Add/Remove Templates dialog box, 317 Accounts: Administrator account status Add the Administrators Security Group to policy setting, 440, 515 Roaming User profiles policy setting, Accounts: Guest account status policy 596, 606 setting, 441 Add Upgrade Package dialog box, 750, 750 Accounts: Rename administrator account .ADM files, 238–239, 293, 362 policy setting, 440 vs. 
ADMX files, 301–302 Accounts: Rename guest account policy distributing updated definitions to setting, 440 administrators, 305–306 settings available for, 112 for Group Policy Object Editor, 184 ACLs, troubleshooting, 404–405 introduction, 298–299 Action on Disconnect policy SYSVOL for storing, 302–304, 303 setting, 696–697 templates from other sources, 316–324 Active Administrator, 866 leveraging from Windows management Active Directory station, 317–319 Change and Configuration Office, 319–323 Management, 616 .ADM files, turning off automatic and Group Policy, 11, 18–20 update, 175–176 Group Policy Objects (GPOs), 346–349 \Adm folder in GPT, 361–362 network levels, 18 Admin Log, 425 site configuration, 402 for troubleshooting in Windows Active Directory-based Group Policy, 17–21 7, 426–428 Active Directory-based Group Policy viewing event, 427 Objects, 11 administrative credentials, users and, 518 Active Directory Domain Controller, in Administrative Template Policy Client-Side sample test lab, 2 Extension, 365

581858bindex.indd 867 3/22/10 7:07:23 AM 868 Administrative Templates (.adm files) – applications

Administrative Templates (.adm files), 7, 291, Advanced , 157 362. See also .ADM files Advanced Group Policy Management, default, 299 templates, 130 history, 292, 292–293, 293 AdventNet, 864 location of Registry settings, 389–390 advertisement of package, 363, 721, 722 policy settings, 66–67 AGPM (Advanced Group Policy policy vs. preference, 293–298 Management) tool, templates, 128 preventing background refresh, 178 “All Users” profile, 555 for restricting access to hardware, 807 Allow Admin to Install from Terminal on slow networks, 172 Services Session policy setting, 773 for User and nodes, 4 Allow administrators to override device Administratively Assigned Offline Files installation restrictions policy policy setting, 630, 663, 698–699, setting, 817 699, 708 Allow Cross-Forest User Policy and Administrator accounts, 161–162 Roaming User Profiles policy setting, disabling, 440 177, 207, 590 protected, 522–523 Allow installation of devices that match renaming, 440 any of these device IDs policy setting, and scripts, 794 817–818 Administrator security group, adding to Allow installation of devices using drivers Roaming user profiles, 596 that match these setup classes policy administrators setting, 817 distributing updated definitions Allow Only Bitmapped Wallpaper policy to, 305–306 setting, 203 granting access to redirected Allow or Disallow use of the Offline Files folders, 629–631 feature policy setting, 703 AdminStudio (Flexera), 727, 752 allow rules, for WFAS, 542 ADML files, 293, 300–301 “Allowed to Authenticate” right, 210 copying to Central Store, 310 Always Install with elevated privileges policy faAdmxConv.exe tool to create, 325 setting, 770–771, 776–777 ADMX editor, 326–328, 327 Always use local ADM files for Group Policy in ADMX Migrator, 324 Object Editor policy setting, 184, 306 ADMX files, 186, 238–239, 293, Always wait for the network at computer 300, 300–301 startup and logon policy setting, 159, vs. 
ADM files, 301–302 394, 795 copying to Central Store, 310 AND, for item-level targeting, 271 deciding how to use templates, 324 Anderson, Christa, 204 faAdmxConv.exe tool to create, 325 Andersson, Christoffer, 458 templates from other sources, 316–324 AppData folder, 558 ADMX Migrator tool, 324, 325–326, 862 Application Data folder, 555 ADMX schema, 339 redirecting, 638–639 adprep command, 526 for Roaming Profiles, 584 ADSI Edit, for FGPP, 449–454, 451 Application Event Log, 405 Advanced configuration, for folder Application Management, 7, 291 redirection, 619 applications Advanced Deployment Options dialog advanced published or assigned, 744–756 box, 748 assigning, 728–729 Advanced Features, for Password Setting deleting, users and, 743 object, 455 isolation, 742–743

package-targeting strategy, 731–738 Audit object access policy setting, 464 and Policies keys, 296 Audit policies PolicyPak Community Edition advanced configuration, 470, 470–472 limitations, 329 for domain controllers, 443 PolicyPak node to manage, 335 auditing, 458–475 publishing, 729–730 auditable events, 460–464 testing, 741–742 Event IDs for , pulling through network, 720 469–470 Registry for controlling, 294–295 file access, 464–465, 465 removing, 759–763 Group Policy Object changes, 465–470 automatic for Assigned or Published event IDs for Windows Server 2003, .MSI applications, 760 467–469, 468 forcefully removing, 761–762 specific OU, 473–474 immediately uninstalling from Users step-by-step guide on advanced, 474 and Computers, 761–762 using Group Policy, 459–464 published .ZAP applications, 762 Auditpol.exe, 458, 472, 473 user control, 759–760 authenticated bypass rules, for WFAS, 542 rules of deployment, 730–731 Authenticated IP (AuthIP), 547, 548 testing assigned, 737–738 Authenticated Users when they will be installed, 736–737 administrators as members, 86 Applications extension, for User computers as, 87 configuration, 226 removing from GPO, 89 \Applications folder, 363, 364 authentication, forest-wide or Applock modes, in PolicyPak, 336 selective, 209 AppLocker, 480 auto-install, with Windows AppID service, 497–499, 498 Installer, 722 enforcement or auditing, 496–497, 497 Autocache, 663–667 importing and exporting rules, 505 vs. 
administratively assigned Offline modifying message for client, 500 Files, 662–663 for restricting software, 489–491 Explorer and, 657–670 rules and rule conditions, 491 in Vista, 666 testing, 499, 499–500 in , 666, 667 Default deny, 501 in , 664, 664 user option for subverting, 505 in Windows XP, 665, 665–666, 667 Apply Group Policy permission, 393 autolaunching application, at login with “Apply once and do not reapply” setting for GPO, 62–63 Group Policy, 268 automatic state transition, 685 AppMgmtDebugLevel key, 419 Automatically Generate Executable Rules appmgmts.dll, 384 Wizard, 502–504, 503, 504 Appstation, 616 Avecto, 864 assigned applications, 728–729 testing, 737–738 asynchronous processing, 152 of scripts, 794 B in Windows 2000, 395 background BMP, for user at command, 87 logon, 202–203 At logoff, delete local copy of user’s offline background policy processing, files policy setting, 705 forcing, 159–160 Attachmate/NetIQ, 866 Background Refresh cycle, 77

background refresh interval, 152 Block Inheritance, 81, 81–82, 145 computer check for timing in, 169 Enforced function and, 82 for Computer node, 176 icon for, 142 for Windows 2000/2003/2008 domain troubleshooting, 393 controllers, 154 block rules, for WFAS, 542 for Windows 2000/2003/2008 member Blue Exclamation Point (!), 393 servers, 152–153 BMP files, for server identification background refresh policy processing, details, 202 152–160, 186 Browse for a Group Policy Object dialog for domain controllers, 149 box, 16, 16 exemptions, 154–155 Built-in Administrator account policy for member computers, 149 setting, 515 security, 161–166 background security refresh processing, 163–164 background synchronization C policy setting for, 694, 695 CAB file, saving Starter GPOs as, 132, 133 in Windows 7, 654 Cache Transforms in Secure Location on Background upload of a Roaming Workstation policy setting, 773 user profile’s Registry file while Cachemov.exe utility, 585 user is logged on policy setting, caching. See also Offline Files 600, 601 default size, policy setting for, 703–704 backup and Roaming Profiles, 574–575, 592 directory for, 136–137 and security, 711 GPMC vs. 
old interface, 28 transparent, 694–695 for Group Policy, 135–142 turning off automatic offline for GPOs, 136–137 desktops, 710–716 IPsec settings, 141–142 calc.exe, autolaunch at login with Starter GPOs, 140, 141 GPO, 62–63 of test lab, 859 Capture Wizard (PolicyPak), 333 WMI filters, 141 case, and Filter Options search, 115 Backup Operator Properties dialog Central Store, 307–312 box, 477, 477 for ADMX files, 317 Baseline File Cache Maximum Size policy creating, 309–310 setting, 775–776 populating, 310 Basic configuration, for folder updating, 311–312 redirection, 618 verifying use of, 310–311 Basic User credentials, 483 Windows ADMX/ADML, 308–312 .BAT files, 792 Central Store Creator utility, 863 creating, 793, 793 Centralized Group Policy administration, 17 BDT (Bitmap Differential Transfer), 653, Centrify, 864 659–660 CER (Corporate Error Reporting), 323 BeyondTrust Software, 382, 864 Cer2.adm file, 323 BGINFO tool, 203 Certificate rule, for Software BitLocker, 711 Restriction, 484 Bitmap Differential Transfer (BDT), Certificate Services, 551 653, 659–660 change management, overview, 616–617 black list for software, 482 changes, verifying cumulative, 65 Explicit Deny, 492–496, 493 Checkbox Wizard (PolicyPak), 333

classes of devices Folder Options extension, 219 for access restriction, 813–815 Local Users and Groups Microsoft identifiers for, 815 extension, 220 client-side cache, moving, 585 Network Options extension, 220 Client-Side Caching, 679. See also Power Options extension, 221, 221 Offline Files Printers extension, 222 Client-Side Extensions (CSE), 211, 381–389 Scheduled Tasks extension, installing, 234–237 222–224, 223 registrations, 252 Services extension, 224–225 and storage locations, 365–368  Windows Settings, 214–218 timing and overlap, 252–254 .INI files extension, 215 values, 388–389 Environment preference extension, 214 verbose log files for, 424–425 Files preference extension, 215, viewing, 383, 383–384 243–244, 278 for Vista and Windows Server 2008, Folders extension, 215 385–386 Network Shares extension, 217 for Windows 7 and Windows Server Registry preference extension, 2008, 386 216–217 client-side troubleshooting, 405–418 Shortcuts extension, 217–218 RSoP (Resultant Set of Policy), 406–418 Computer half of Group Policy Object, 4 client systems, 147 background refresh interval, 153 checking time and date accuracy, 402 disabling, 62, 76–78, 391, 392 Group Policy Objects applied to, 378–390 Group Policy settings to affect, 176–184 manually forcing processing of Offline Files options, 692–702, 693 GPOs, 165–166 refreshing, 160 Offline Files configuration, 662–687 settings for Window Installer, 769–776 Collection item, for Registry extension, 217 vs. 
User half, 5–6 Commented policy settings, filter to Computer objects, moving, 166–167 display, 116 computer trust, 399 comments computers for GPOs and policy settings, 110, assigning applications to, 729 121–127, 126 Office 2007, 779–781 searching, 115 managing new, 52–53 in specific GPO, 123, 123–124, 124 moving, and reapplying Group Policy, 149 for starter GPO, 129 processing GPOs as user, 198–199 SYSVOL for storing, 127 redirecting default location to OUs, 53 Common Name (CN), of GPC object, 353 Computers folder common shares as container, 52 conflicts in synchronizing, 660–661, purposes, 52–53 661, 662 Conf.adm template, 298, 299, 362 Offline Files for, 643 configuration management, 616–617 compatibility table for GPMC, 143–144 Configure Background Sync policy setting, compatws.inf template, 838–839 688, 694, 695 computer account, moving, troubleshooting Configure slow-link mode policy impact, 398–399 setting, 688 Computer Configuration  Preferences examples, 691–692  Control Panel Settings, 218–225 Configure slow link speed policy Data Sources extension, 218–219 setting, 706 Devices extension, 219 Configure Toolbar Buttons policy setting, 66

Configured policy settings, filter to Create New Group Policy Object Links display, 116 disabled by Default policy setting, 175 Configuresoft, 864 CreateEnvironmentFromXML.vbs config.xml file, for Office 2007 customized script, 859 deployment, 782, 784 CreateXMLFromEnvironment.xml Connect Home Directory to root of the script, 859 share policy setting, 605 Creator owner rights, for WMI filters, 99 connection security rules, for WFAS, 538, “Crimson” Event Log system, 425 540, 541, 542 Cross-Domain Linking, 25, 80, 348 Contacts folder, 558 cross-forest trusts, 204–209, 205, 402 containers, Computers folder and Users disabling loopback processing when folder as, 52 using, 207 Control Panel logging on to different clients  Programs  Turn Windows features on across, 205–207 or off, 32 older machine types and, 208 Add/Remove Programs, application permissions, 208–209, 209 display on, 746 restricted access to user profiles Control Panel Settings across, 207 for Computer configuration, 218–225 and Roaming Profiles, 589–590 Data Sources extension, 218–219 CRUD (Create, Replace, Update, or Delete) Devices extension, 219 method, for GPPrefs action items, Folder Options extension, 219 256, 260–261 Local Users and Groups CSC (Client-Side Caching), 617 extension, 220 CSC Agent, 647 Network Options extension, 220 CSCCMD.EXE command-line tool, 679 Power Options extension, 221, 221 cscobj.dll, 385 Printers extension, 222 CSE. See Client-Side Extensions (CSE) Scheduled Tasks extension, Custom Classes: Deny read access policy 222–224, 223 setting, 813 Services extension, 224–225 Custom Classes: Deny write access policy for User configuration setting, 813 Folder Options extension, 227–228 Custom permissions, 95 Internet Settings extension, 228–229 custom rules for WFAS, 539 Printers extension, 229 Regional Options extension, 230 extension, 230 Cookies folder, 556 D copy and paste, in Group Policy databases, caching and, 704 Management Editor, 274, 274 .DB? 
file extension, caching and, 704 Copy To dialog box (Windows XP), for User DC01, 2 profiles, 582 DCGPOFIX, 445, 445–446 copying, local GPO, 345 DCOM: Machine Access Restrictions core processing of Group Policy, 381 in SDDL syntax policy setting, for Windows 7 machine, 380–381 416, 417–418 for Windows XP, 379–380 DCOM: Machine Launch Restrictions in Corporate Error Reporting (CER), 323 SDDL syntax policy setting, 416, 418 Correlation Activity ID, 429 debugging, 145 locating in Group Policy Event, 429 multiple policy settings per GPO, 61 Create a GPO in this domain and Link it decentralized administration, 12 here command, 49

Default cache size policy setting, 703–704 Deny attribute, filtering with, 91–92, 92, 94 Default Domain Controllers Policy, 438, Deployed Printer Connections category in 439, 476 Group Policy, 9 to enable audit directory service Deployed Printer Connections Client-Side access, 467 Extension, 368 Default Domain Controllers Policy design of security policy, 552 GPO, 444 Desktop folder, 556, 558 default auditing settings in, 459, 459 desktop management. See also restoring defaults, 445–446 managed desktop Default Domain Policy GPO, 439, 439 decentralized, 17 directly modifying, 441 desktop, redirecting, 637, 638 and precedence, 442, 442–443 Desktop Wallpaper policy setting, 203 restoring defaults, 445–446 DesktopStandard, 237 Default Domain User Profile, 566–569, 612 Details tab for GPO in GPMC, 71 for type 1 computers, 566–567 Details view in Explorer, reaction to caching for type 2 computers, 568–569, 570 with offline files, 668 default Group Policy Objects, 438–446 Device Installation Restrictions, vs. GPPrefs Default Local User Profile, 563–566, 612 Devices Preference extension, default location for users and computers, 245–247, 246 redirecting to OUs, 53 , Properties, Details tab, Default Name for Group Policy Objects 814, 814 policy setting, 175 Devices extension, for Computer .DEFAULT profile, 216, 589 configuration, 219 default rules, for AppLocker, 491, 492 Devices: Restrict CD-ROM access to locally default settings, resetting Local Group Policy logged in user only, settings available to, 345 for, 112 .default user profile, 202 DFS (Distributed File Systems) Namespaces, DefaultSecurityDescriptor attribute, on 724–725 groupPolicy Container class, 357 vs. 
shares, 732–733 delegating control diagnostic event logging with GPMC, 84–99 for Windows 7 machine, 419–420, 420 for Group Policy management, 53–55 for Windows XP, 419 preparing for, 51, 51–53 dial-up networking (DUN) connections, 220 special permissions, 97, 97–98 dialog boxes, timeout for Roaming of Starter GPOs, 132 profile, 595 Delegation of Control Wizard, Tasks to digital signatures, and Software Restriction Delegate, 54, 54 Policies, 486 Delegation tab for GPO in GPMC, 72 DirectAccess, for Group Policy, 173 Advanced, 90 DirectControl, 864 Delete Cached Copies of Roaming Profiles directories. See folders policy setting, 591–592, 595 directory service and GPSI, 778 auditing access, 461 Delete User Profiles older than a specific auditing changes, 472–473 number of days policy setting, 592–593 disabilities, persons with, UIAccess deleting for, 517 applications, users and, 743 Disable changing proxy settings policy Group Policy Objects, 78–80, 378 setting, 251–252, 252 Delprof tool, 862 Disable Group Policy (KillPol) Deny access, 393, 394 utility, 862

Disable IE Security Prompt for Windows Do not detect slow network connection Installer Scripts policy setting, 772 policy setting, 592, 594 Disable Logging via Package Settings policy Do not forcefully unload the users Registry setting, 776 at user logoff policy setting, 599 Disable Windows Installer policy Do not log users on with temporary profiles setting, 770 policy setting, 595 disabled GPOs, 341 document invocation, 746 and start-up speed, 76 with Windows Installer, 722 Disabled option for administrative template Document Properties dialog box policy settings, 66 Settings tab, 625–628, 626 Disallow Interactive Users from Generating Target tab, 623, 623–625 Resultant Set of Policy Data policy \Documents and Settings folder, 364 setting, 176, 178 Documents/ folder, 558 Disk Quota Client-Side Extension, 366 limiting size, 601–604 Disk Quota policy processing, 183 as Redirected Folders, 619–637 on slow networks, 171, 400 Roaming Profiles and, 580 disk quotas, 8 Domain Administrators (DAs), 45, 349, 356 as refresh exemption, 155 domain-based Group Policy Objects, 11 restrictions and Roaming Profiles, 604 Domain Controller Event Log settings, 444 disk space, controlling use by Offline Files, domain controllers 672, 674, 708 background refresh policy processing Display a custom message when installation for, 149 is prevented by policy policy setting, 817 Central Store on, 308 Display Name, of GPC object, 353 changing default for GPO initial write, Display Properties dialog box, disabled, 200 371–372 Display Properties dialog box firewall for, 403–404 (Windows XP), 40 Group Policy refresh interval for, Desktop tab, 48 176–177 Screen Saver tab, removing, 47 .INF template files, 838 Distinguished Name (DN), of GPC for modeling server, 108 object, 353 OU, 438 Distributed File Systems (DFS) Namespaces, replicating GPC and GPT to, 370 724–725 selecting, 174 distribution point domain Guest account, renaming, 440 MSIEXEC to patch, 767 domain joined computers, Safe mode for 
storing software, 732 and, 516 DLLs (Dynamic Link Libraries) domain level CSEs as, 382 applying GPO to, 48, 48–50 enabling blocking, 497 GPOs from perspective of, 348 DNS configuration, troubleshooting, 395 GPOs linked at, 439–443 for client, 402 GPOs set at, 19 Do Not Automatically Make Redirected granting GPO creation rights, 96, 96–97 Folders Available Offline policy setting, policy settings for, 440–441 639, 682, 702, 710 RSoP (Resultant Set of Policy) at, 24 Do not check for user ownership of Roaming troubleshooting machine joined to, 399 Profiles Folders policy setting, 591 verifying changes, 50, 50 Do not check for user ownership of Roaming Domain Profile settings, 103–104 Profiles policy setting, 625 Domain Profile, vs. Standard Profile, for firewall, 532

domains Enabled option for administrative template migrating GPOs between, 851–858 settings, 66 copy operation, 852, 853 Encrypt the Offline Files cache policy drag and drop, 856 setting, 705, 706 import operation, 854, 854–855 Encrypted Data Recovery Agents category in with migration tables, 855–858, 857 Group Policy, 8 viewing in GPMC, 37 encryption of Offline Files, 658–659, dot3gpclnt.dll, 385 675–676 downlevel compatible Folder Redirection End-User License Agreement, 725 mode, 627 Enforce Show Policies Only policy downloading setting, 175 GPMC scripts, 29 Enforce Upgrade of Component Rules policy missing Group Policy settings, 286 setting, 775 spreadsheet on policy settings, 122 Enforced function, 82, 84, 145 Windows Server 2008 trial versions, 3 lock icon, 393 Downloads folder, 558 enforcement modes, in PolicyPak, 336 dragging GPPrefs to file, 274, 275 Enforcement rules, in AppLocker, 496 drive mappings, 263 Enterprise Administrators (EAs), 45, Drive Maps extension, for User 343, 356 configuration, 226–227 Enterprise Configuration Manager, 864 drivers Enterprise QoS Policy Client-Side preventing install, 245 Extension, 368 restricting access with Policy settings for environment variables, 278–279 Windows 7, 812, 812–813 for computers in zone, 822, 823, 825 DRSR, migrating SYSVOL replication “Run in logged-on user’s security to, 377 context” (User Policy Option) dskquota.dll, 384 and, 263 DUN (dial-up networking) error messages, trapping on central connections, 220 server, 323 Event IDs Event ID 101, 640, 641 Event ID 112, 640 E Event ID 566, 467 Edit settings, delete, modify security contents, 468–469 permissions, 95 for Windows Server 2003, Group Policy Edit settings permissions, 95 auditing, 467–469, 468 EFS (Encrypting ), 551 Event Logging level policy setting, 701 slow links and, 400 event logs, 284, 284–285 EFS Recovery Policy, 181–182 Event Properties dialog box, 701 on slow networks, 169–170, 172 Enable Active Desktop policy setting, 203 for 
troubleshooting Group Policy, 418, Enable Transparent Caching policy setting, 418–420 694–695 viewing failure event, 428 Enable User Control over Installs policy Exclude files from being cached policy setting, 772 setting, 705 Enable User to Patch Elevated Products exclusive rights to Documents, granting to policy setting, 773 user, 626 Enable User to Use Media Source While Executable rules, for AppLocker, 491 Elevated policy setting, 772 expensive operations, 434

Explicit Deny, to blacklist specific filtering. See also WMI filters applications, 492–496, 493 activity under the hood, 90–91 Explorer.exe, 390, 487 with Deny attribute, 91–92, 92, 94 and Offline Files, 657–670 in GPMC, 87–91 exporting rules to AppLocker, 505 testing, 89–90 and GPMC All Settings node, 120, 121 Group Policy, origins, 112, 113 inside GPO for policy settings, F 111–121, 112 faAdmxConv.exe tool, 325, 326 positive or negative, 93–94 failure event, viewing in Event preference items at a level, 276 Viewer, 428 Find command, for workstation, 64 Fast Boot, 156 Find command, to find workstation, 64 and Assigned application changes, 760 Find Users, Contacts, and Groups dialog and assigning applications to box, 64 users, 737 Fine-Grained Password Policy (FGPP), 552 automatically killing, 157–158 with Windows Server 2008, 448–458 manually turning off, 158–159 getting ready, 449 troubleshooting, 394 Password setting object (PSO), fast connectivity for users, changing default 449–454 definition, 174 required attributes, 452–453 Favorites folder, 556, 558 resulting set of PSOs, 454–458 fdeploy.dll, 384, 634 firewall. See also Fdeploy.ini file, 364 for domain controllers, 403–404 FGPP. See Fine-Grained Password and Group Policy Results Wizard, 102 Policy (FGPP) rules calculation, 548–550 file access, auditing, 464–465, 465 precedence order for File and Registry Virtualization, 521 properties, 549 File Hash Rule Condition, for precedence order for AppLocker, 491 rules, 549–550 File Hash Rules, for AppLocker, 505 WFAS vs. Windows XP, 530–531 (FRS), 377 Windows XP and Windows Server 2003, for Group Policy Templates, 361 manipulating, 531–534 File Security, vs. 
GPPrefs Files Preference Flexera AdminStudio, 727, 752 extension, 243–244 Folder Options dialog box, Offline Files File Server Migration Toolkit (FSMT), 733 tab, 649 File.html, 407 Folder Options extension Files not cached policy setting, 704 for Computer configuration, 219 Files Preference extension, 215, 278 for User configuration, 227–228 vs. Group Policy File Security, 243–244 Folder Redirection Client-Side Filter Options dialog box Extension, 365 browsing results, 117, 119 log file for, 425 keyword filters, 114–115 Folder Redirection policy, 8, 180 on/off, 118–119, 119 on slow networks, 171, 400, 680–716 opening, 113, 114 with redirected My Documents, Requirements Filters, 116–117 681–683 results, 117, 118 turning off automatic offline caching for type of settings to display, 115–116 desktops, 710–716 filtered token, 510 Group Policy Preference Extensions to force, 714, 715

PolicyPak to apply, 716, 717 GPLogView tool, 430–432, 431, 862 WMI filters to forcibly apply to GPMC. See Group Policy Management desktops, 713–714 Console (GPMC) in Windows 2000, 157 GPMC-centric view, 38–39, 39 Folder Redirection policy processing policy GPME. See Group Policy Management setting, 681–682 Editor (GPME) folders. See also Redirected Folders GPMonitor command, 104, 860, 860 for backups, 136–137 GPO links, 46 excluding in Roaming Profile, 605 attributes set at, 145 roaming and nonroaming, 583–586 backup and, 136 for Roaming Profiles, 572 GPMC and, 83 Force classic Start Menu policy setting, 66 new disabled by default, 175 forced mandatory profiles, 611, 612 restoring GPOs and, 139–140 forest trust. See cross-forest trusts GPO Migration, 138 forest-wide authentication, vs. GPO Status, changing entry, 78 selective, 209 GPOAccelerator tool, 134, 840 forests, viewing in GPMC, 37 GPOAdmin, 866 FRS (File Replication Service), 377 Gpotool.exe, 373, 373–375, 374, 405 for Group Policy Templates, 361 /checkacl switch, 375 Full Control permission, 624 gpprefcl.dll, 387–388 Full control rights, for WMI filters, 99 gpprnext.dll, 385 “Full Lockdown” approach, 482 GPresult.exe tool, 104, 284, 406 Full Sync, 651 for Redirected folders verification, FullArmor Corporation, 324, 864 641–642, 642 fully qualified domain name, for DNS results with no arguments, 409–412 resolution, 402 setting to control use, 176 function keys, for enabling and disabling /v switch, 412–413 settings, 257, 257–258 GPSI Viewer, 862 funnel icon, 118 gpsvc service, 380 GPT (Group Policy Templates), 136, 361–364 replication, troubleshooting, 395 G verifying synchronization with GPCs, ghosting, 657, 658 370–376 GPanswers.com, 834 gptext.dll, 384, 385, 386 gPCFileSysPath attribute, for GPOs, 358 gpt.ini file, 346, 361, 369 gpCMachineExtensionNames attribute, for GptTmpl.inf file, 363 GPOs, 358 gpupdate command, 160 GPCs. 
See Group Policy Containers (GPCs) /force option, 160–161, 166, 268 gPCUserExtensionNames attribute, for GPOs, and move recognition, 399 359 user access to, 177–178 GPEDIT.MSC, 11, 14, 343 Group Policy and lockout with Software Restriction and Active Directory, 18–20 Policy, 489 Active Directory-based, 17–21 GPExpert Backup Manager for Group to affect Group Policy, 174–186 Policy, 866 User settings, 174–176 GPInventory (Group Policy Inventory tool), application example, 21–23, 22 861, 861 Resultant Set of Policy (RSoP), 23–26 gPLink attribute, 360–361 back up and restore, 135–142

basics, 238 Advanced Deployment Options, 748–749 client request for, 148 All Settings node, 120–121, 121 delegating control for managing, 53–55 and filtering, 120 testing, 55–56, 56 sorting Comment column, 126 Details tab, to view version number, 369 common procedures, 70–82 getting started, 4–11 compatibility table, 143–144 vs. Group Policy Preferences, 240–255 Delegation tab, Advanced, 90 Inheritance tab, 101 editing GPOs from older, 633–634 levels, 341, 343–349 icon view, 142 Local Group Policy, 343–346 implementing on management missing policy settings, 184–186 station, 29–32 normal processing, 196 link warning, 41, 74, 74–75 for Offline Files configuration, overview, 28–29 692–702, 693 preferences display in, 297 old-style interface, 28 risk in deleting OU, 36 original 18 categories, 6–11 RSoP (Resultant Set of Policy) scripts use with, 792 calculations, 100–108 strategy, number of GPOs, 60–62 Scope tab troubleshooting Filtering section, 87–91 with log files, 418–434 listing for use of links, 80 progression for, 405 Security Filtering section, 93 turning off Fast Boot and, 159 scripting interface, 29, 144 viewing failure event, 428 security filtering and when it applies, 252–254 delegation, 84–99 Windows versions and, 1 to set permissions, 356 Group Policy Administrator, 866 for troubleshooting Group Policy Group Policy Anywhere, 864 results, 101 Group Policy Auditor for SCOM, 866 updated for management station, 307 Group Policy Client Service, 380 Vista Extra Registry settings in older Group Policy Containers (GPCs), 136, GPMC, 315 350, 351–354 Windows versions and, 26, 30, 69 attributes, 353 XP version, GPSI and, 724 replication, troubleshooting, 395 Group Policy Management verifying synchronization with Editor (GPME) GPTs, 370–376 copy and paste in, 274, 274 Group Policy Creator Owners security displaying, 72 group, 58, 349, 356 and folder redirection, 622, 622 Group Policy Domain Controller Selection opening, 43 policy setting, 372 searching within, 112 
Group Policy Editor Settings tab, and Central Store, 312 Preferences node, 212 Group Policy Modeling, 98 user interface, old vs. new, 40, 40 what-if scenarios with, 107–108 various versions, 6 Group Policy Modeling Analysis, remote Group Policy Guardian, 866 calculation when permissions are Group Policy Management Console delegated, 417–418 (GPMC), 6, 83 Group Policy Modeling Wizard vs. Active Directory Users and summary screen, 109 Computers, 35–36 Welcome screen, 108 adjusting view within, 36–38 what to expect, 109

Group Policy Object Editor deleting, 378 Classic Administrative Templates (ADM) deleting and unlinking, 78–80 node, 318, 319 Details tab, 71 loading, 15–16 with comments, 125 local ADM files for, 184 determining number needed, 60–62 Group Policy Objects container, 347 disabled, 341 Delegation tab, 96 disabling half, 62, 76–78, 78 linking and, 41–42 from domain, 348 Group Policy Objects folder, 39 editing from older GPMC, 633–634 creating GPO in, 42 filtering inside for policy settings, Group Policy Objects (GPOs), 18, 851. See 111–121, 112 also starter GPOs origins, 112, 113 Active Directory, 346–349 what’s available for, 112–117 affecting users in multiple domains, 25 filtering scope of, 85–93 applying to client systems, 378–390 for folder redirection, 618 applying to domain level, 48, 48–50 GMPC tabs for, 71 applying to OU level, 50–55 granting creation rights in domain, applying to site level, 45–48 96, 96–97 attributes, 358–361 granting OU Admins access to create auditing changes, 465–470 new, 57–58 backing up, 136–137 inheritance for, 25 birth of, 349–350 linking, 20–21 comments about specific, 123, at domain level, 439–443 123–124, 124 multiple at same level, 73 comments about specific settings, linking delegation, 57, 58 124–127, 126 manually forcing clients to process, comments for, 121–127 165–166 converting SCW policy to, 849–850 migrating between domains, 851–858 creating copy operation, 852, 853 to affect computers in OU, 62–63 drag and drop, 856 with Group Policy loopback - replace import operation, 854, 854–855 mode, 200, 201 with migration tables, 855–858, 857 linked at domain level, 441–442 multiple at level, troubleshooting, 392 and linking at OU level, 59–60 names for, 87–88 selecting Starter GPO for, order of precedence, raising or lowering 131–132, 132 for multiple, 73–74 who has permission for, 355–356 owner of, 358 for Word 2003 Settings, 322 query to view attributes, 359 creating and editing in mixed reasons not applied, 411–412 environment, 
312–316 reasons to disable, 77 with older GPMC, 313–314 removing Authenticated Users from, 89 with older GPMC, editing with restoring, 138–140 updated GPMC, 314, 314–315 searching for characteristics, with updated GPMC, 316 110–111, 111 creating and editing to deploy Office, stopping from applying, 75–80 733–736, 734 synchronous processing, 151 death, 377–378 vs. System Management Server (SMS), default, 438–446 786–789 default names, 175 User half and Computer half, 4

581858bindex.indd 879 3/22/10 7:07:26 AM 880 Group Policy Operational Log – Group Policy processing

user permissions, 94–96, 95 Files preference extension, 215, 278 version numbers, 165 vs. Group Policy File Security, what’s-going-on calculations, 101–106 243–244 who can manipulate and edit existing, importing, 282 357, 357–358 settings, 801 Group Policy Operational Log, Internet Settings extension, vs. Group 425–426, 426 Policy Internet Explorer, Group Policy Preference Extensions 241–242, 242 (GPPrefs), 10, 211 Local Users and Groups extension, vs. Devices extension, 807, 808, Group Policy Restricted Groups, 808–812, 810 247–248 unlisted devices, 811 locations, 231–232 disabling, 280 managing, hiding extensions, 279–280 dragging or pasting to file, 274 multiple items at a level, 276–277 enabling tracing for, 432, 433 Power Options extension, vs. Group hiding, 279–280, 281 Policy Power Management, 242–243, passwords inside, 225–226 243, 244 on slow networks, 172 powers, 213–232 variables, 278 Printers extension, vs. Group Policy Group Policy Preferences deployed printers, 241 action items, 255 quick copy/paste, 274, 274 complications from multiple tabs, Services Preference extension, vs. Group 259–260 Policy System Services, 244–245 CRUD method, 256, 260–261 Start menu, vs. 
Group Policy Start Menu lines and circles, 256–258, 258 policy settings, 247 architecture and installation instructions, temporarily disabling a single item or 233–237 extension root, 277–278 basics, 211–212 testing default behavior, 266 Common tab, 262, 262–272 tips, tricks, and troubleshooting, 273–288 “Apply once and do not reapply”, 268 troubleshooting, 282–288 Description field, 272, 273 with event logs, 284, 284–285 item-level targeting (ILT), 269, with GPresult.exe tool, 284 269–272 with Group Policy Results report, “Remove this item when it is no longer 282–283, 283 applied “option on Common tab, with tracing, 285–288, 287, 288 262, 262, 263–268 turning on AppID Service “Run in logged-on user’s security using, 498–499 context (User Policy verifying install, 237 Option), 263 Group Policy Preferences Registry “Stop processing item in this extension extension, 329 if an error occurs”, 263 Group Policy Preferences Tracing concepts, 237–272 Logs, 282 overlaps of policy and preferences, Group Policy processing, 379–381 248–255 background refresh policy processing, preference vs. policy, 238–240 152–160 CSEs for, 386–388 behavior variation, 150 Devices Preference extension, vs. initial policy processing, 150–152 Group Policy Device Installation performance, 432–434 Restrictions, 245–247, 246 principles, 147–167

Group Policy Refresh Interval for Computers GUID (globally unique identifier) policy setting, 176 of Client-Side Extensions, and order of Group Policy Refresh Interval for Domain processing, 252, 253 Controllers policy setting, 176–177 of GPC object, 353 Group Policy Results report, 255, for GPOs, 350 282–283, 283 for Group Policy Preference Extensions, Policy Events tab, 106, 107 387–388 Settings tab, 105, 106 for pre- machines, Summary tab, 105 384–385 Group Policy Results tool, 405 Group Policy Results Wizard, 102 Group Policy settings, storage, 364–368 Group Policy Slow Link Detection policy H setting, 174, 400 hardware for domain controllers, 177 GPOs vs. SMS, 786 Group Policy snap-in, manually loading, 13 restricting access, 807–819 Group Policy Software Installation (GPSI), 7 restricting or allowing with Group Policy, clean-up after, 778 815–818, 816 and customizing Office 2007 Hash rule, for Software Restriction, 484 deployments, 781–783, 784 Heidelberg, Jakob H., 379, 450, 488, 565 default properties, 757, 757–759 Heitbrink, Mark, 282 and licensing, 735 help text for policy settings, 71, 114–115 .MSI packages, 722–723 hex editor, 484 utilizing existing, 723–726 hidden files, displaying in Explorer over slow links, 764, 764–766 window, 555 overview, 720–728 Hide previous versions list for local files rules constraining use, 730–731 policy setting, 833 software distribution share setup, Hide Previous Versions list for remote files 724–725 policy setting, 834 when applications will be installed, Hide previous versions of files on backup 736–737 location policy setting, 833 Windows Installer service, 721–722 Hide Screen Saver Tab policy setting, 42, 59 Group Policy Template (GPT) hierarchy of policy settings, 4 folder, 350 hisecdc.inf template, 838 Group Policy Templates (GPT), 136, hisecws.inf template, 839 361–364 hive, loading for user profile, 563, 565 replication, troubleshooting, 395 HKEY_CURRENT_USER, 554, 554 verifying synchronization with GPCs, 
HKEY_CURRENT_USER\Control Panel 370–376 \Mouse\DoubleClickSpeed, 264 groupPolicy Container class, deleted value, 267, 267 DefaultSecurityDescriptor HKEY_CURRENT_USER\SOFTWARE attribute on, 357 \Policies\Microsoft\Windows\ groups. See also Restricted Groups NetCache, 711, 714 Active Directory, strict control of, \Policies\Microsoft\Windows\Safer\ 476–479 CodeIdentifiers, 487 restricted, 475–479 HKEY_LOCAL_MACHINE\SOFTWARE Guest account \Microsoft\Windows NT\ disabling, 441 CurrentVersion, 774 profile, 587

\CurrentVersion\\ Install a program from the network, GPExtensions, 164 applications published in, 730 \Winlogon, 421 Install-On-First-Use feature, 363 \Winlogon\GPExtensions, 252 installing for Diagnostics key, 419 applications, with MSIEXEC, 767 HKEY_LOCAL_MACHINE\SOFTWARE, \ Client-Side Extensions (CSE), 234–237 Policies\Microsoft\Windows\Safer\ RSAT (Remote Server CodeIdentifiers, 487, 488 Administration Toolkit), home directory 31–32, 32 connecting to share root, 605 software, as refresh exemption, 155 redirecting to user’s, 623 Integrity Level (IL), 519 %HOMEDRIVE% variable, 605 IntelliMirror, 615, 720. See also %HOMEPATH% variable, 605 managed desktop HTML, for GPResult report, 407 interactive users desktop, 520 Hybrid Users, 510 Internet Explorer action items on multiple tabs, 259 and GPMC, 72 Group Policy for managing, 799–805 I Group Policy settings, 804–805 ICMP, 168, 379 warnings, 805 disabling, 404 Group Policy vs. GPPrefs Internet Settings icons extension, 241–242, 242 for GPMC, 142 inetcorp.adm and inetset.adm templates for pinned file, 646 and, 298 iedkcs32.dll, 384, 386 Maintenance Settings, on slow IKE rules, 546–547 connection, 170 IL (Integrity Level), 519 on slow networks, 400 ILT. 
See item-level targeting (ILT) Internet Explorer 7, blocking for existing Immediately uninstall the Software from Windows XP, 799 Users and Computers policy setting, Internet Explorer Administration Kit 761–762 (IEAK), 806 importing, Group Policy Preferences, 282 Internet Explorer Enhanced Security importing rules, to AppLocker, 505 Configuration policy setting, turning inbound rules for WFAS, 537, 538 off, 72 rule types, 538–540 Internet Explorer hardening, in Windows incremental security templates, 838–839 2003, 804 Inetcorp.adm template, 299 Internet Explorer Machine Accelerators Inetres.adm template, 298, 299, 362 category in Group Policy, 10 Inetset.adm template, 299 Internet Explorer Maintenance and .INF template files, for domain Zonemapping Client-Side controllers, 838 Extension, 366 infrastructure, problems, 342 Internet Explorer Maintenance (IEM), inheritance, 341 799–800, 800, 801 of settings, 19 deploying settings, 802–803 troubleshooting, 392 proxy server setting, 805 initial policy processing, 148, 150–152, 186 Internet Explorer Maintenance policy Initial Reminder balloon lifetime policy processing, 8, 179, 251 setting, 700 Internet Explorer User Accelerators .INS file type, 806 category in Group Policy, 10

Internet Settings extension laptops, technologies for keeping on and preferences vs. policy, 250, 250–252 network, 173 for User configuration, 228–229 Large icons view in Explorer, reaction to IP Security Client-Side Extension, 367 caching with offline files, 668 IP Security Policies on Active Directory last time group policy was applied, for policy setting, 545 GPResult, 411 IPsec (IP Security), 542–547 latency speed of network connection, 687 general resources, 543 latency threshold, 688 getting started, 545–546 launching process, 487 server and domain isolation with, LDAP, 379 543–544 .LDB file extension, caching and, 704 settings LDP, 359 backup and restoring, 141–142 Leave Windows Installer and Group Policy backup for, 136 Software Installation data policy IPsec (IP Security) Policy Processing, 9, setting, 597, 599, 778 181, 182 licensing, GPSI and, 735 on slow networks, 169–170, 172, 400 Likewise Enterprise, 864 isolation of applications, 742–743 Likewise Software, 864 item-level targeting (ILT), 217, 269, Limit disk space used by Offline Files policy 269–272, 823, 824 setting, 708 editor, 272 Limit profile size policy setting, 600–604, Items to Synchronize dialog box, 649, 650 602, 862 Link an Existing GPO command, 49 link enable status, disabling, 75–76, 76 Link GPOs permissions, 97 J link warning, in GPMC, 41, 74, 74–75 Junction Points, 559 linking Group Policy Object delegation, 57, 58 Group Policy Objects (GPOs), 20–21 Links folder, 558 K List view in Explorer, reaction to caching with offline files, 668 Kerberos, 396 local Administrator account, and time accuracy, 402 enabling, 515 Kerberos ticket, 87 Local Computer Policy, directory Kerbtray, 396 for, 17 keying files, 728 Local Computer Policy Editor, 11 keyword filters, 114–115 Local Computer Policy layer, in Vista, 14 KillPol (Disable Group Policy) utility, 862 Local Default User Profile, vs. 
klist.exe, 396–397, 397 mandatory, 611 known good applications, white list for “Local file is incomplete” as file software for, 501–504 status, 666 Local folder, 558 Local Group Policy, 11–17, 343–346 location, 343–345, 344 L pointing toward other computers’, 13 language on pre-Vista computers, 11–13 of ADM files, 301, 304–305 tips, 345–346 and application deployment, 748 turning off, 184 on Vista and later, 13–16

Local Group Policy Objects (LGPOs) logon directories in Windows 7, 344 autolaunch application at, 62–63 rights, 343 to different clients across cross-forest stopping from applying, 75 trust, 205–207 local policies, 6, 11 as refresh exemption, 155 Local Profiles, 553, 612 Roaming Profiles for multiple, 571 establishing mandatory profile from, verifying, 395–397, 396 606–608, 608 logon events, auditing, 460, 461 merging with Roaming, 587 Logon Optimization, 156 migrating to Roaming Profiles, 581–583 logon scripts, 794 Local Service, 588 vs. Group Policy Preferences, 213 Local Settings folder, 556 with network drive mappings, local user account, first as troubleshooting, 795–798, 796 administrator, 515 slow networks and, 172, 400 Local Users and Groups extension, for for users, 364 Computer configuration, 220 using Cachemove.exe in, 585 Local Users and Groups Group Policy logon speed, disabling GPOs and, 76 Preferences, 476 logon time, 148 Local Users and Groups preference LOGONSERVER variable, 396, 396 extension, vs. Group Policy Restricted logs, centralizing collection from domain Groups, 247–248 controllers, 459 LocalLow folder, 558, 559 Loopback policy, enabling, 399 lockout, by Software Restriction loopback processing, 6, 196–204, 342 Policies, 489 disabling, for cross-forest “Log on using dial-up connection”, and trusts, 207 GPO processing, 170 merge mode, 197 Log users off when roaming profile fails replace mode, 197–198 policy setting, 611 for creating GPO, 200, 201 logging for Terminal Services, 202 for .MSI applications, 773–774 verifying working, 200–201, 201 Event Logging level policy setting, 701 files for Group Policy troubleshooting, 418–434 Group Policy Preferences Tracing M Logs, 282 \Machine folder, in Group Policy for Offline Files, 709, 709 Templates, 363 for Redirected folders, 642 managed desktop, 615. 
See also Offline Sync Log, 709–710 Files; Redirected Folders for troubleshooting in Windows 7, creation process, 617 428–430 moving Documents folder contents, Logging and tracing node, 186 626–627 logoff Managed policy settings, vs. Unmanaged, and deleting local copy of Offline filter to display, 115–116 Files, 705 managed software, 721 forcing after exceeding hours ManageEngine ADManager Plus, 864 permitted, 440 management stations Group Policy update requiring, 160 for Group Policy Preferences, 233 as refresh exemption, 155 implementing GPMC on, 29–32 logoff scripts, 364, 794 recommendations, 70

in sample test lab, 2 on UAC, 508 Windows 7 or Windows Server 2008 as, Windows Server 2008 Security 30–32 Guide, 134 Mandatory Integrity Control (MIC), Microsoft Application Virtualization 507, 519 (App-V), 719 Mandatory mode for Internet Explorer Microsoft Corporate Error Reporting, 323 Maintenance, 802–803 \Microsoft\IEAK folder, 364 Mandatory Profiles, 553, 606–611, 613 \Microsoft\RemoteInstall folder, 364 from established Roaming Profile, Microsoft Software Update Services 609–611 (SUS), 323 forced, 611, 612 Microsoft System Center Desktop Error from local profile, 606–608, 608 Monitoring, 323 mapping printers, based on computer being Microsoft Transform Files (.MST) files, 751 used, 821–822 Microsoft Update patch, 234 Mar-Elia, Darren, 324, 378, 425 Microsoft Visual C++ Express Edition, 330 Maximum Retries to unload and update \Microsoft\Windows NT\Secedit User Profile policy setting, 571, 596 folder, 363 Maximum wait time for Group Policy scripts migration tables, 855–858, 857 policy setting, 795 Minasi, Mark, 345 .MDB file extension, caching and, 704 mixed environment .MDE file extension, caching and, 704 creating and editing GPOs, 312–316 .MDW file extension, caching and, 704 with older GPMC, 313–314 member computers, background refresh with older GPMC, editing with policy processing for, 149 updated GPMC, 314, 314–315 messages with updated GPMC, 316 at logoff, for exceeding profile size creating and editing GPOs in, 312–316 limit, 604 roaming profiles in, 579–580 modifying in AppLocker for client, 500 MMC, creating one-stop-shop, 33–34, setting for verbose vs normal status, 34, 35 737, 737 mouse, double-click speed, 264, 265 trapping error messages on central moving server, 323 client into OU, 200 User Access Control (UAC) message, 15 client-side cache, 585 MIC (Mandatory Integrity Control), computer account, troubleshooting 507, 519 impact, 398–399 Microsoft. 
See also Office (Microsoft) computers into OU, 64–65 document on Group Policy User or Computer object, 166–167 troubleshooting and Event Logs for and reapplying Group Policy, 149 Windows Vista, 432 .MSI packages, 722–723 Excel spreadsheet of administrative automatic removal for Assigned or template settings, 145 Published .MSI applications, 760 Group Policy tools, 858–862 creating, 727–728 Office 2007 Security guides, 134 managing, 766–777 pre-created Starter GPOs, 134–135 prohibiting rollback, 771 profile tools from, 862 utilizing existing, 723–726 security templates from, 839–840 administrative installation setup, TechNet 725–726, 726 advanced auditing articles, 471, 471 MSIEXEC tool, 725, 766–769 on FRS replication, 376 .MSP files, for Office 2007 customized Software Restriction Policies, 488 deployment, 784

.MST (Microsoft Transform Files) files, 751 networks, slow connections applying to installation, 755 Group Policy for Windows 7, 169 transform-creation programs, 752 Group Policy for Windows 2000/XP, .MSU file format, 234 167–168 Multiple Local GPOs (MLGPOs), 343 processing, 169–172 copying, 346 New GPO dialog box, 42, 43, 131, 131, 733 storage, 343 New Object - New Organizational Unit on Vista and later, 13–14 dialog box, 199 applying to system, 15 new users, Default Local User Profile trying out, 14–16 for, 563 Music folder, 558 NLA (Network Location Awareness), 381 My Documents folder, 556. See also troubleshooting, in Windows 7, 401 Documents/My Documents folder No Override, 82, 393. See also Enforced function nodes, 4 Non-default server disconnect actions policy N setting, 697, 698 names non-PowerShell-based scripts, 792–798 for GPOs, 87–88, 349, 351 logon and logoff, 794 for preference items at a level, changing, startup and shutdown, 793–794 277, 277 Not Configured option for administrative NAP (Network Access Protection), 538 template settings, 66 National Institute of Standards and Notepad, for creating .BAT files, 793 Technology, security templates NTFS inheritance, 626 from, 840 NTFS permissions net computer command, 52 for applications, 724 net group command, 52 for shared folders, 727 net user command, 52 NTUSER.DAT file, 554–555, 600 NetHood folder, 556 history of unloading of, 571–572 NetMeeting, 787 for mandatory profile, 607–608, 608 advfirewall command, 547 Registry settings in, 563–565, 564 netsh command, 535 NTUSER.MAN file, 607, 608 Network Access Protection (NAP), ntuser.pol file, 390 528, 538 network drive mappings, logon scripts with, troubleshooting, 795–798, 796 O Network Location Awareness (NLA), 381 object access, auditing, 462 troubleshooting, in Windows 7, 401 OCX, enabling blocking, 497 Network Location Awareness 2 Office (Microsoft), 721 (NLA 2), 169 .MST Generation tool, 753–754 Network Options extension, for Computer ADM templates, 
319–323 configuration, 220 creating and editing GPO to deploy, Network Security: Force logoff 733–736, 734 when logon hours expire policy implementing customized setting, 440 policy, 321–322 Network Service, 588–589 Office 2000, ADM templates, 320–322 Network Zone rule, for Software Office 2000 Resource kit, 319 Restriction, 484 Office 2003, ADM templates, 320–322

Office 2003 Administration Installation, Offline Files category in Group Policy, 10 .MSI files for, 733 Offline Files Client-Side Extension, 368 Office 2003 Custom Installation Wizard Offline Files Ghosting, 657, 658 (CIW), 754, 754 Offline Folders, 617 Office 2007 (Microsoft) Offline Folders policy, 639 ADM templates, 320–322 Only allow local user profiles policy ADM templates and ADMX setting, 597 templates, 312 Open Database Connectivity (ODBC) data ADMX templates for, 323–324 sources, setting with Group Policy, deploying with Group Policy, 778–785 218–219, 219 GPSI and customizing deployments, deployment, GPOs vs. 781–783 SMS, 787 Office 2010 (Microsoft), deploying with Operational Event Logs, filtering by Group Group Policy, 778–785 Policy Activity ID, 429–430 Office Installation Wizard, and operational logs, for troubleshooting in Administrative Installation, 725 Windows 7, 428–430 Office Resource Kit Optimized for Performance option, for Custom Installation Wizard, 753 Offline Files, 648 location of downloads, 753 OR, for item-level targeting, 271 Office XP, ADM templates, 320–322 order of precedence, 19 Office XP Resource Kit, 319 changing for preference items at a Offline Files, 617, 643–677 level, 276 autocache vs. 
administratively assigned, raising or lowering for multiple Group 662–663 Policy Objects, 73–74 client configuration, 662–687 Orktools.exe, 320 Explorer.exe and, 657–670 OU Admins, granting access to create new Group Policy for configuring, GPOs, 57–58 692–702, 693 OU group, creating, 52 log, 709, 709 OU level making available, 644, 644–648 for assigning or publishing all files users open from share, application, 731 647, 662 auditing, 473–474 files from share will not be available creating, 36, 199 offline, 648 deleting, 36 only files that users specify, GPOs 644–646, 645 applying at, 50–55 optimized for performance, 648 creating, 51 policy setting to allow or disallow, 703 creating and linking, 59–60 preventing user configuration, 695 settings, 19 on slow networks, 680–716 GPOs from perspective of, 348 in Windows 2000, 683–684 group inside, Group Policy and, 392 synchronization moving client into, 200 interaction, 651–652 moving computer between, and Group manually tweaking for pre-Vista, Policy results, 106 671–673 moving computers into, 64–65 manually tweaking for Windows 7, nesting, 18 674, 674–677 passwords and, troubleshooting, 402 schedule in Windows 7, 677, 678, 679 redirecting default location of users and in Windows XP, 648–652 computers to, 53

RSoP (Resultant Set of Policy) Perform Group Policy Modeling analyses at, 24 permission, 97–98 for target computer, troubleshooting, 403 permissions, 354–358 verifying changes, 59–60, 60 for applications, 724 outbound rules for WFAS, 537, 538 cross-forest trusts, 208–209, 209 rule types, 538–540 on GPO, modifying, 354 “Over-the-Shoulder” (OTS) assistance, 522 problems, 342 ownership problems for Redirected Folders, of Group Policy Objects (GPOs), 358 640–641 of Roaming Profile, 609–610, 610 troubleshooting, 393–394 Personalization screen (Windows 7), 40, 47 Desktop Settings option, 48 Pictures folder, 558 P Ping utilities, 168 package-targeting strategy, 731–738 disabling, 404 Password policy, 446–458 on profiles server, 593–594 fine-grained, with Windows Server 2008, pinning a file, 645, 645–646 448–458 and cache, 647 password settings at OU level, and disk usage control, 675 446–448, 447 with Group Policy, 699, 699, 700 Password Setting objects icon for, 646 attributes that override, 458 preventing, 701–702 command-line management, 457–458 PKI (Public Key Infrastructure), Application precedence, 456 Data folder redirection and, 638 resulting set of, 454–458 pointer to GPO, 360 Password Settings Container object, 453 Policies container passwords, 224 Properties, Security tab, 355, 355 inside Group Policy Preference Extensions viewing, 467 (GPPrefs), 225–226 Policies folder, locking mechanisms on, 354 and OU, troubleshooting, 402 policies, vs. 
preferences, 317 for user, 52 Policy Controls Management Pack for pasting, GPPrefs to file, 274, 275 MOM, 866 patches Policy Enabled application, 295 for distribution point, MSIEXEC for, policy settings 767–769 comments for, 121–127 GPPrefs as, 234 debugging multiple per GPO, 61 SMS for managing, 789 filtering inside GPO for, 111–121, 112 WSUS for deploying, 323 help text for, 71 environment variable, 214 mandatory reapplication for nonsecurity, Path Rule Condition, for AppLocker, 491 164–165 Path rule, for Software Restriction, 484 PolicyDefinitions folder, 307 Path Rules, for AppLocker, 505 creating, 309 PDC emulator, 350 PolicyPak, 6, 291–292, 382, 864 creating Central Store on, 309 Community edition, 328–339 per-computer logs, for .MSI compiling in Group Policy, 334–335 applications, 773 concepts and installation, 330–331 Per-User Application Data, 586 creating first, 331–339 per-user logs, for .MSI applications, 773 deploying first compiled extension, 335–336

disabling items to deny user access, 338 Prevent installation of devices using drivers enforcement modes in, 336 that match these device setup classes to hide unused settings, 337 policy setting, 817 purpose of, 296 Prevent installation of removable devices testing, 336–339 policy setting, 818 for turning off automatic offline caching Prevent Removable Media Source for Any for desktops, 716, 717 Install policy setting, 777 PolicyPak Admin Console.msi, 330 Prevent restoring local previous versions PolicyPak AutoUI Wizard, 331–332, 332 policy setting, 834 PolicyPak CSE.msi, 330 Prevent restoring previous versions from PolicyPak Design Studio, 332–334, 863 backup policy setting, 833 PolicyPak Design Studio.msi, 330 Prevent restoring remote previous versions PolicyPortal, 864 policy setting, 834 PolicyReporter, 863 Prevent Roaming Profile changes from PolicySettings.XLS spreadsheet, 122 propagating to the server policy Polman, 866 setting, 597 polstore.dll, 386 Prevent Use of Offline Files folder policy port 135, 102, 104, 415 setting, 698 port 445, 102, 415 Prevention installation of devices not port rule for WFAS, 539 described by other policy settings policy Posey, Brien, 506 setting, 818 Power Management, vs. GPPrefs Power Principle of Least Privilege, and UAC, 507 Options Preference extension, 242–243, printers 243, 244 assigning via Group Policy, 818–826 Power Options extension, 256, 261, 262 deploying same printer to all for Computer configuration, 221, 221 computers in zone, 822–825 power users, computer shared by standard deploying shared printer to only user and, 524 shared computers, 825–826, 826 PowerShell Cmdlets for Group Policy, 863 Group Policy vs. 
GPPrefs Printers PowerShell scripts, deploying to Windows 7 extension, 241 clients, 798, 798–799 script for setting all who log onto specific precedence, 341 computer to use, 198–199 PSO, 456 Printers extension predefined rules for WFAS, 539, 540 for Computer configuration, 222 Preference mode for Internet Explorer vs. Group Policy deployed printers, 241 Maintenance, 803, 803 for User configuration, 229 preference settings, updating some vs. Printers Group Policy Preferences extension, all, 257 819, 819–826 preferences, meaning of term, 295 PrintHood folder, 556 Preferences node in Group Policy Editor, 212 Privilege Guard, 864 availability, 213 Privilege Manager, 864 preferences, vs. policies, 317 privileges, auditing use, 463 Prevent Changing Mouse Pointers policy process injection, 507–508 setting, 71 process tracking, auditing, 463 Prevent Changing Screen Saver policy profiles. See also Local Profiles; Mandatory setting, 42 Profiles; Roaming Profiles Prevent installation of devices that match basics, 553 any of these device IDs policy setting, changing from Roaming to Local, 583 815, 816, 817, 818 Default Domain User Profile, 566–569

Default Local User Profile, 563–566 .PST file extension, caching and, 704 folders for type 1 computers, 555–557 Public Key Infrastructure (PKI), 551 folders for type 2 computers, 557–563 public profile, in Vista and Windows for Guest account, 587 2008, 563 mandatory, 606–611 Publisher Rule Condition, for from established Roaming Profile, AppLocker, 491 609–611 Publisher Rules, for AppLocker, 505 from local profile, 606–608, 608 publishing modifying multiple users’ paths, 576–578 applications, 729–730 NTUSER.DAT file, 554–555 testing, 741–742 order of resolving, 599 .ZAP files, 740, 740 restricted access across cross-forest pXML file, 332 trust, 207 program rules for WFAS, 539 Prohibit Access to Control Panel policy setting, 60 Q Prohibit Changing Sounds GPO, 49 QoS Packet Scheduler Client-Side Prohibit Flyweight Patching policy Extension, 366 setting, 771 Quality of Service (QoS) Packet Scheduler Prohibit ‘Make Available Offline’ for these and Policy-Based QoS category in file and folders policy setting, 701–702 Group Policy, 9 Prohibit Nonadministrators from Applying Quest Authentication Services, 866 Vendor Signed Updates policy Quick Mode crypto settings, 547 setting, 775 Quick Sync, 651 Prohibit Patching policy setting, 771 Prohibit Removal of Updates policy setting, 775 Prohibit Rollback policy setting, 771, 777 R Prohibit Use of Restart Manager policy setting, 776 Re-Apply Filter option, 120 Prohibit user configuration of Offline Files Read access, for GPO backup, 136 policy setting, 695 Read and Apply Group Policy, 90 Prohibit User Installs policy setting, 774 for computers, 86 Prompt user when a slow network Read (from Security Filtering) connection is detected policy setting, permissions, 95 594–595 Read Group Policy Results data Properties dialog box for Published or permission, 98 Assigned applications, 744–756 Read permissions, 95, 393 Categories tab, 751 reading comment about GPO, 124, 125 Deployment tab, 744, 745, 745–749 reboot General tab, 744–745 
for Group Policy changes, 394 Modifications tab, 751–755, 756 Group Policy update requiring, 160 Security tab, 755–756, 756 Recent folder, 557 Upgrades tab, 750, 750–751 REDIRCMP command, 53 Proquota tool, 862 Redirected Folders, 617–642 protected administrator, 522–523 advanced options, 631–632 Protected mode, for Vista, 559 Application Data folder, 638–639 Proxy Settings, for home page, 251 Documents/My Documents, 619–637 .PS1 file extension, 798 Basic configuration, 620–622 PSOmgr, 457 creating folder for, 620, 621, 622

granting administrator access, Remote Desktop, 522 629–631 disabling to use Offline Files in Windows redirection to home directory, 623 2003, 673 testing, 634–637 removable media, restricting access to, editing GPOs from older GPMC, 807–819 633–634 Remove Browse Dialog Box for New Source enabling logging, 642 policy setting, 771 folders available for, 618–619 Remove Lock Computer policy setting, GPResult for verification, 641–642 11–12, 12 Group Policy settings for, 639–640 Remove ‘Make Available Offline’ policy pitfalls, 628–629 setting, 697–698 as refresh exemption, 154 Remove Software dialog box, 761 troubleshooting, 640–642 “Remove this item when it is no longer redirecting applied “option on Common tab, 262, Application Data folder, 638–639 262, 263–268 Start menu and Desktop, 637 Remove Users Ability to Invoke REDIRUSR command, 53 Machine Policy Refresh policy refresh interval, for Users, 174 setting, 177–178 Regional Options extension, for User removing applications, 759–763 configuration, 230 automatic for Assigned or Published .MSI Registry, 293–294 applications, 760 disabling hard-coded on settings, 67 forcefully removing, 761–762 impact on policy setting, 162 immediately uninstalling from inspecting Software Restriction Policies Users and Computers, location in, 487 761–762 location of Administrative Templates published .ZAP applications, 762 settings, 389–390 user control, 759–760 policies representing punches, 296 repairing applications, with MSIEXEC, 767 Preferences tattoo of, 317 replication setting punches using PolicyPak Design of GPC and GPT, separate timing Studio, 333, 333 for, 374 settings altered by GPOs, 412 isolating problems, 376 settings in NTUSER.DAT file, manually, with Active Directory Sites and 563–565, 564 Services, 398 and virtualized files, 561–562 problems, 342 Registry policy Processing policy setting, time delays, 167 178–179, 185 Replication Monitor (Replmon) tool, 375, Registry Preference extension, 265 375–376 finding value to 
change with, 264 Report when logon server was not Registry Settings, 7. See also Administrative available during user logon policy Templates (.adm files) setting, 600–601 Registry Wizard, 217 restore points, 827 Registry.pol file, 363, 364 restoring regtran-ms files, 561 files, with shadow copies client, Reminder balloon frequency policy 830–831, 831 setting, 700 Group Policy Objects (GPOs), 138–140 Reminder balloon lifetime policy IPsec settings, 141–142 setting, 700 Starter GPOs, 140, 141 Remote Assistance, 787 test lab, 859 remote control, GPOs vs. SMS, 786 WMI filters, 141

Restricted Groups, 475–479 RSoP (Resultant Set of Policy), 23–26 applying group nesting, 478–479 determining for client side, 405 vs. Local Users and Groups preference at domain level, 24 extension, 247–248 GPMC for calculating, 100–108 policies, 476 at OU level, 24 processing of, 479 rights to view, 415 when settings get refreshed, 478 at site level, 23–26 when settings take effect, 477–478 for Windows clients, 406–418 restricted software, AppLocker for, 489–491 remote calculation, 414–415 restricting access to hardware, 807–819 remote calculation when permissions Resultant Set of Policy (RSoP), 23–26, 177 are delegated, 415–416, 417 disallowing interactive users from RSOP.MSC, 177 generating data, 176, 178 Run command, 345 at domain level, 24 removing from Start menu, 12–13 at OU level, 24 Run legacy logon scripts visible policy at site level, 23–24 setting, 795 resulting set of PSOs, 454–458 Run logoff scripts visible policy setting, 794 reversing policy setting, 66 Run logon scripts synchronously policy Reversion modes, in PolicyPak, 336 setting, 795 RGPrefresh tool, 149, 378, 862 Run logon scripts visible policy setting, 794 rights, to create GPOs, 349 Run shutdown scripts visible policy Riley, Steve, 543 setting, 794 Roaming folder, 558 Run startup scripts visible policy setting, 794 Roaming Profiles, 553, 570–605, 612 Run these programs at user logon policy and caching, 574–575 setting, 63, 162 Computer Group Policy settings for, 590, Run Windows PowerShell scripts first at user 590–601 logon, logoff policy setting, 799 and cross-forest trust, 207 Run Windows PowerShell scripts first at user and Documents/My Documents, 619 startup, shutdown policy setting, 799 excluding directories in, 605 runas command, 407, 421, 642 impact on Documents folder, 580 RunDiagnosticLoggingGroupPolicy key, 419 limitations, 615 Russinovich, Mark, 508 limiting size, 603 managing, 587–590 merging with local profile, 587 mandatory profiles from, 609–611 S migrating Local Profiles 
to, 581–583 Safe mode, security changes, 516 modifying user account to use, 575 sample test lab, 1–3, 3 policies, 598 Saved Games folder, 558 roaming and nonroaming folders, Scalable Software, 727 583–586 scecli.dll, 384 setting up, 572–576 Scheduled Tasks extension, for Computer Terminal Services support for, 571 configuration, 222–224, 223 testing, 578–580 Scope of Management (SOM), User Group Policy settings filtering, 85–86 for, 600–605 Scope tab for GPO in GPMC, 71 RPC, 379 Filtering section, 87–91 RSAT (Remote Server Administration listing for use of links, 80 Toolkit), 6, 26, 33 Security Filtering section, 93 installing, 31–32, 32

Screen Saver – security rights 893

Screen Saver basics, 437–438 hiding option, 42 default Group Policy Objects, 438–446 removing option at site level, 46 options for domain controllers, 444 Script rules, for AppLocker, 491 security background refresh processing, ScriptLogic, 866 161–166 Scriptomatic version 2 tool, 191–192, 192 Security Client-Side Extension, log file scripts, 792–799 for, 424 default timeout, 434 Security Compliance Management Toolkit non-PowerShell-based, 792–798 templates, 840 logon and logoff, 794 Security Configuration Wizard, 841–851 startup and shutdown, 793–794 Audit Policy section, 848 for offline cache management, 659 converting policy to GPO, 849–850 for Offline Files, 679 installing PowerShell, deploying to Windows 7 for Windows Server 2003, clients, 798, 798–799 842–843, 843 processing and running, over slow links, for Windows Server 2008, 843 172–173 Network Security section, 847, 847–848 processing defaults, 794–795 practical example, 843–848 for Published or Assigned application, initial kickoff, 844, 844–845 name for, 749 primer and installation, 842–843 for setting all who log onto specific Registry Settings section, 848 computer to use specific printer, Role-based configuration, 845, 845–846 198–199 Save Security Policy section, 848, 849 for test lab backup, 859 viewing and applying transformed GPO, timeout, 795 850, 850 update on slow network, 171 warnings, 851 Scripts category in Group Policy, 7 Security Editor dialog box, 94 \Scripts\Logoff folder, 364 security filtering and delegation, with \Scripts\Logon folder, 364 GPMC, 84–99 Scripts policy processing, 180–181 Security Group Membership dialog box, 89 \Scripts\Shutdown folder, 363 security groups \Scripts\Startup folder, 364 adding users to, 89 scroll icons, meaning of, 142 creating, 88 scwcmd.exe command, 849 to filter GPOs, 372 SDM Software, 865–866 filtering, and Assign or Publish Search Order policy setting, 777–778 application, 731 Searches folder, 558 Group Policy and, 86 searching, for GPO 
characteristics, Group Policy Creator Owners, 58 110–111, 111 membership, 475 SECEDIT command, 403 minimizing number, 434 Secedit.exe, 166 security holes, in nonsecurity sections of secure channel, 399 Group Policy, closing, 164 Secure Desktop, 520 security permissions, viewing which are Secure Vantage, 866 set, 90 securedc.inf template, 838 security policy securews.inf template, 839 design of, 552 security processing, 149, 181, 187 cached copies of documents and, 711 Security Properties dialog box, for and GPResult, 407–408 permissions, 630 implementation security rights, for restoring GPOs, 139

894 Security Settings category in Group Policy – Software Installation and Maintenance

Security Settings category in Group Policy, 7 shell program, 487 Security Settings Client-Side Extension, 366 Shields, Greg, 505 security templates, 837–841 Show Analytic Channels, 709 applying with Group Policy, Show Contents dialog box, 63, 63 840–841, 841 Shutdown Event Tracker policy setting, 67 incremental, 838–839 shutdown scripts, 363, 793–794 from Microsoft, 839–840 as refresh exemption, 155 from National Institute of Standards and simulation, Group Policy Modeling Wizard Technology, 840 and, 109 security warnings, from GPMC, 72 site level security_mmc.exe, 72 applying GPO to, 45–48 Select a Device Class or Device dialog box, GPOs from perspective of, 348–349 809, 809 GPOs set at, 19 Select a Variable dialog box, 279 Resultant Set of Policy (RSoP) at, 23–24 sending, Starter GPOs, 132–133, 133 verifying changes, 47, 47–48 SendTo folder, 557 viewing in GPMC, 37 Server Operators group, adding user, 55 sites, viewing in GPMC, 37 servers .SLM file extension, caching and, 704 Security Configuration Wizard for, 842 slow connections, 342 trapping error messages on central checking for, 676–677 server, 323 GPSI over, 764, 764–766 Services extension, for Computer and Offline Files, 659 configuration, 224–225 and software deployment, 179 Set a Support Web Page Link policy synchronization on setting, 500 with redirected My Documents, Set maximum wait time for the network if 681–683 a user has a Roaming user profile or with regular shares, 683–692 remote home directory, 600 teaching Vista and Windows 7 how to Set path for TS Roaming Profiles policy react, 688–692, 689 setting, 599 troubleshooting, 400, 400–401 Set Roaming Profile path for all users Windows XP Synchronization Manager logging onto this computer policy over, 684–685 setting, 599 slow link detection, by Windows 7, 381 set store command, 535 Slow network connection timeout for user Settings tab for GPO in GPMC, 71, 71–72 profiles policy setting, 593–594 Setup.exe, and application uninstall, 762 Small icons 
view in Explorer, reaction to shadow copies, 619, 827–834 caching with offline files, 668 Group Policy settings for, 833–834 SMB, 379 restoring files with client, 830–831, 831 software setup for local Windows 7 machines, 827 GPOs vs. SMS, 786 setup on server, 827–830, 829 installing, as refresh exemption, 155 share permissions, 624, 727 Software Deployment shared computer log, 287 basics, 719 shared computers, by power user and on slow networks, 400 standard user, 524 Software Distribution policy, in Windows shared planning log, 287 2000, 157 shared printer, setup on User side, 819, 820 software distribution share, setup, 724–725 shared user log, 286 Software Installation and Maintenance, on shares, vs. DFS namespaces, 732–733 slow networks, 171 shatter attacks, 507–508

Software Installation Client-Side Extension – Sync Log 895

Software Installation Client-Side Start menu Extension, 367 Assigned applications on, 728 log file for, 425 GPPrefs for, 249 Software Installation policy processing, Group Policy Start Menu policy settings, 179–180 vs. GPPrefs Start menu, 247 Software Installation Properties dialog box Office icons and program names on, Advanced tab, 758, 758 738, 782 Categories tab, 759 policy setting to remove Help option, File Extensions tab, 758–759 249, 249 General tab, 757, 757 redirecting, 618, 637 software metering, 787 removing Run from, 12–13 Software Restriction Policies, 8, 480–481, Start Menu folder, 557 481, 552 start-up speed, disabling GPOs and, 76 advanced logging, troubleshooting, 488 Starter GPOs, 127–134 and digital signatures, 486 backup and restoring, 140, 141 lockout by, 489 comments for, 129 philosophies, 482–483 creating, 129 rules, 483, 483–489 delegating control of, 132 Security Levels branch, 482 editing, 129–130, 130 setting up with rule, 484–485 leveraging, 130–132 on slow networks, 171 with Starter GPOs node, 131, 131 testing, 486 Microsoft’s pre-created, 134–135 troubleshooting, 487–488 selecting for creating new GPO, weaknesses, 490 131–132, 132 when they apply, 487 wrapping up and sending, 132–133, 133 Software Settings, for User and Computer Starter GPOs folder, creating, 128 nodes, 4 Startup Policy Processing Wait Time policy software vendors, CSEs from, 382 setting, 184 Sonar, 376 startup scripts, 793–794, 795 special permissions, delegating, 97, 97–98 for Office 2007 deployment, 785 Specops Command Basic utility, 863 as refresh exemption, 155 Specops Deploy, 155, 382, 788 running after user logon, 198 Specops GPUpdate tool, 149, 378, 863 slow networks and, 172 Specops Inventory, 382, 786 Startup/Shutdown and Logon/Logoff Scripts Specops Password Policy, 448 Client-Side Extension, 366 Specops Password Policy Basic, 457, startup time, 148 457, 863 state transitions, 685–686 Specops Software, 865 Subfolders always available offline policy CSEs 
from, 382 setting, 705 split token, 511–513 subfolders, creating for file Split Token Users, 510 redirection, 624 spreadsheet on policy settings, Sun VirtualBox, 3 downloading, 122 SUS (Microsoft Software Update srchadmin.dll, 385 Services), 323 Standard Profile Symantec/Altiris Wise Package vs. Domain Profile, for firewall, Studio, 727 532, 532–533 Symantec pcAnywhere, 786 settings, 103–104 Symantec Wise Package Studio, 752 Standard user, 508 Sync Center, troubleshooting, 708–710 and , 506 Sync Log, 709–710

896 synchronization – testing

synchronization System settings: Use Certificate Rules on conflicts in, 660–661 Windows Executables for Software and deleting local copy of Offline Restriction Policies policy setting, 486 Files, 705 System.adm template, 298, 299, 362 on Offline Files, 646, 651–652 SYSTEMINFO utility, 396 on slow networks SYSVOL with redirected My Documents, ADM file storage, 302–304, 303 681–683 checking replication, 376 with regular shares, 683–692 preventing bloat when using pre-Vista verifying for GPTs and GPCs, 370–376 management stations, 306 in Vista, over slow links, 686–687 seeing GPTs in, 361 in Windows 7, 652–660 for storing comments, 127 cache encryption, 658–659 ghosting, 657, 658 handling of downed shares, 652–653 logoff and, 653 T over slow links, 687–688 target computer, OU for, transfer technology, 653–654 troubleshooting, 403 user interface, 655, 655 Targeting Editor, 823 in Windows XP, 648–652 (Windows), Services tab, Synchronization Manager, 649, 650 380, 380 controlling response to logon and logoff, Taskstation, 616 651–652 tattoos, 295, 390 limitations in Windows XP, 707 of Registry, 317 over slow links, 684–685 TCO (Total Cost of Ownership) model, state transitions, 685–686 508, 616 Synchronize All Offline Files before logging %temp% folder, 792 off policy setting, 696 templates. 
See also Administrative Synchronize All Offline Files when logging Templates (.adm files); Group on policy setting, 696 Policy Templates (GPT) Synchronize Offline Files before suspend ADM and ADMX, from other sources, policy setting, 696 316–324 synchronous processing security, 837–841 of GPO, 151 Starter GPOs as, 128 of scripts, 794–795 Templates folder, 557 SysPro Software, 325, 423, 866 Terminal Services “The system cannot execute the specific additional tips, 203–204 program” message, for restricted loopback processing - replace mode software, 486 for, 202 System Center Configuration Manager shadowing, 787 2007, 785 support for Roaming Profiles, 571 System Event Log, 425 test lab system events, auditing, 464 backup and restoring, 859 System Management Server (SMS), 785–789 sample, 1–3, 3 vs. Group Policy Objects, 786–789 testing patch management, 789 AppLocker, 499, 499–500 software metering, 787 Default deny, 501 System Protection, 827 assigned applications, 737–738 System Services, vs. GPPrefs Services Preference extension, 244–245

throughput threshold – Use Localized Subfolder Names When Redirecting 897

default behavior of Group Policy logon scripts with network drive Preferences, 266 mappings, 795–798, 796 delegation of Group Policy management, machine joined to domain, 399 55–56, 56 NLA (Network Location Awareness), in folder redirection for Documents/My Windows 7, 401, 401 Documents, 634–637 permissions, 393–394 PolicyPak, 336–339 Redirected Folders, 640–642 publishing applications to users, 741–742 slow connections, 400, 400–401 Roaming Profiles, 578–580 Software Restriction Policies, 487–488 Software Restriction Policies, 486 Sync Center, 708–710 .ZAP files, 740–741 turning on verbose logging, 420–432 throughput threshold, 688 for Windows XP, 420–424, 421 Thumbnail view in Explorer, reaction to viewing GPO from Security caching with offline files, 668 Configuration Wizard, 850, 850 Tiles view in Explorer, reaction to caching Trusted Platform Module (TPM), 711 with offline files, 668 Turn Off Automatic Update of ADM Files Timeout for dialog boxes policy setting, 595 policy setting, 175–176 token filtering, 511–513 Turn Off Background Refresh of Group Tools menu, Folder Options, for Offline Files Policy policy setting, 176 configuration, 648 Turn off Creation of Total Cost of Ownership (TCO) model, Checkpoint policy setting, 774 508, 616 Turn Off Group Policy Objects Processing TPM (Trusted Platform Module), 711 policy setting, 184 tracing, 285–288, 287, 288 Turn off Local Group Policy objects enabling for Group Policy Preferences processing policy setting, 75 Extensions, 432, 433 Turn Off Resultant Set of Policy Logging Transform files, 751 policy setting, 177 transparent caching, 694–695 Turn on economical application of troubleshooting, 341–342 adminstrative assigned offline files advanced inspection, 394–405 policy setting, 706, 708 client-side, 405–418 DNS configuration, 395 for client, 402 GPC and GPT replication, 395 U Group Policy UI Process Isolation (UIPI), 507 with log files, 418–434 UIAccess (UIA), 517, 519 turning off Fast Boot and, 159 Ultrasound, 
376 using Event Viewer, 418, 418–420 Unified Access Gateway (UAG), for Group Group Policy Preferences, 282–288 Policy, 173 with event logs, 284, 284–285 unlinking Group Policy Objects (GPOs), with GPresult.exe tool, 284 78–80 with Group Policy Results report, unloading of NTUSER.DAT file, history of, 282–283, 283 571–572 with tracing, 285–288, 287, 288 Unmanaged policy settings, vs. Managed, Group Policy processing failure, 391–405 filter to display, 115–116 basics, 391–394 UPHClean, 571–572 Group Policy results with GPMC, 101 USB devices, restricting access to, 807–819 ICMP (Ping), 404 Use Localized Subfolder Names When leveraging Windows 7 Admin logs for, Redirecting Start and My Documents 426–428 policy setting, 640

898 User Access Control (UAC) message – Users folder

User Access Control (UAC) message, 15 delegating ability to view Computer-side User Account Control (UAC), 506–525, 507 RSoP data, 408 additional resources, 524–525 first local account as administrator, 515 elevated rights and SE privileges, 510–511 managing new, 52–53 Group Policy controls for, modifying to use Roaming 513, 513–521 Profiles, 575 groups affected by, 510 moving, and reapplying Group policy setting suggestions, 522–525 Policy, 149 prompts for, 506 password for, 52 Windows 7 updated interface, 509 redirecting default location to OUs, 53 User Account Control: Admin Approval User Configuration  Preferences, 226–231 mode for built-in Administrator  Control Panel Settings, 227–231 Account policy setting, 516–517 Folder Options extension, 227–228 User Account Control: Allow UIAccess Internet Settings Applications to Prompt for Elevation extension, 228–229 without Using the Secure Desktop Printers extension, 229 policy setting, 517, 524 Regional Options extension, 230 User Account Control: Behavior of the Start menu extension, 230 Elevation Prompt for Administrators in  Windows Settings, 226–227 Admin Approval Mode policy setting, Applications extension, 226 517–518, 524 Drive Maps extension, 226–227 User Account Control: Behavior of the \User folder, 364 Elevation Prompt for Standard Users User Group Policy Loopback Processing policy setting, 518, 522, 523 Mode policy setting, 203 User Account Control: Detect Application User half of Group Policy Object, 4 Installations and Prompt for Elevation background refresh interval, 153 policy setting, 518–519 vs. 
Computer half, 5–6 User Account Control: Only Elevate disabling, 62, 76–78, 391, 392 Executables That are signed and Group Policy refresh interval, 174 validated policy setting, 519, 524 Group Policy settings to affect, 174–176 User Account Control: Only Elevate Offline Files options, 692–702, 693 UIAccess applications that are installed refreshing, 160 in secure locations policy setting, shared printer setup, 819, 820 519–520 slow link detection, 174 User Account Control: Run All for Windows Installer, 776–778 Administrators in Admin Approval User objects, moving, 166–167 mode policy setting, 520 user permissions, for GPOs, 94–96, 95 User Account Control: Switch to the user profiles. See profiles Secure Desktop when prompting for User Profiles dialog box, 567 elevation policy setting, 520–521, User Rights Assignment policy, for domain 522, 523 controllers, 444 User Account Control: Virtualize file and userenv process, 166 registry write failures to per-user userenv.dll, 168, 384 locations policy setting, 562 userenv.log file, 405, 420, 422–424 user accounts %username% variable, 612, 625, 637 adding to security group, 88 and Roaming Profiles, 576 adding to Server Operators group, 55 Users folder assigning applications to, 729 as container, 52 Office 2007, 779 purposes, 52–53

Value field – Windows 7 machine 899

WFAS (Windows Firewall with Advanced V Security), 529, 534–542, 545. See also Value field, and searching GPOs, 110 IPsec (IP Security) VBScript, to change user profile path, blocking rules application, 550 577–578 connection security rules, 540, 542 vendors list, third-party, 863–866 creating new inbound and outbound verbose logging, turning on, 420–432 rules, 537–538, 538 for Windows 7, 425–426 how IPsec rules work, 546–547 for Windows XP, 420–424, 421 properties, 535–536, 536 Verbose vs normal status messages policy rule precedence, 541–542 setting, 737, 737 ways of setting, 534–535 verifying cumulative changes, 65 vs. Windows XP, firewall controls, version numbers 530–531 of GPOs, 346, 353 what-if scenarios, 98 for Group Policy, 369–370 with Group Policy Modeling, 107–108 Replmon to view, 375, 375–376 what’s-going-on calculations, 102 to track GP changes, 153–154 white list for software, 482 versions of files AppLocker to autogenerate rules, 504 restoring to previous, 831 automatically generating rules to add reverting to previous, 830 to, 502 Videos folder, 558 for known good applications, 501–504 view whoami command, 87, 511, 512, 512–513 in GPMC, adjusting, 36–38 Win7management.corp.com machine, in GPMC-centric, 38–39, 39 sample test lab, 2 Virtual PC, virtual hard disk (VHD) images Win32_ComputerSystem WMI class, 192 for, 3 Windows 7 virtual private network (VPN) Group Policy over slow network connection, 220 connections, 169 Virtual Server 2005, 2 Network Logon icon for connecting via Virtualize File and Registry write failures VPN, 171 to per-user locations policy setting, synchronization in, 652–660 521, 523 updated UAC interface, 509 virtualized files, and Registry, 561–562 Windows 7 machine viruses, 480 and \Adm folder, 362 Vista. 
See Windows Vista Admin Log for troubleshooting, 426–428 Vista RTM, GPMC edition for, 69 Administrator accounts, disabled, VMware Server, 2 514–516 VMware Workstation, 2 AppLocker, 480 VNC, 787 and background processing, 155 VPN connections, 220 Client-Side Extensions (CSE) for, 383, 386 core processing for, 380–381 and cross-forest trust, 208 W Default Domain User Profile for, 568–569, 570 Wait for Remote User profile policy deploying PowerShell scripts to, 798, setting, 594 798–799 warnings, before deleting GPOs, 79 diagnostic event logging for, web resources, GPanswers.com, 834 419–420, 420 “well-known GUIDs”, 354 enabling advanced auditing, 473

900 Windows 2000 – Windows Application log

Event Log in, 419 asynchronous processing, 395 Explorer reaction to caching with offline Autocache in, 664, 664 files, 668–670 background refresh interval, firewall, 529 152–153, 154 Folder Redirection policy caching, 574 automatic offline caching, 712 CSEs in, 382 for Documents/My Documents, 636 default processing of GPOs, 394 on slow networks, 681, 682 Explorer reaction to caching with offline GPMC edition for, 69 files, 668–670 GPResult for, 406–412 failure of Group Policy processing, 371 installing Client-Side Extensions, 234 folder redirection for Documents/My local GPO directories, 344 Documents, 635, 635 log file for Folder Redirection, 642 Group Policy over slow network as management station, 30–32 connections, 167–168 moving client-side cache, 585 initial policy processing, 150–151 Offline Files synchronization schedule, making files always available offline, 699 677, 678, 679 Mixed mode domains, group nesting, 479 operational logs for troubleshooting, moving client-side cache, 585 428–430 Offline Files, over slow links, 683–684 pinning a file, 645 profile folders for, 555–557 policy settings, 185 repairing defaults for domains, 446 Previous Versions tab, 828 Software Restriction Policies and, 481 profile folders for, 557 what-if calculations and, 107 reaction to enabling caching on shares, WMI filters and, 195 666, 667 Windows 2000 Scripting Guide, 191 restricting driver access with Policy Windows 2000 Server settings, 812, 812–813 applying redirection policy to, 627 roaming and nonroaming folders for, and cross-forest trust, 208 584–586, 585 Windows 2003 roaming between machines in mixed and Active Directory, 26 environment, 579–580 Default Domain Controllers Policy, 459 roaming between machines with, Event Log in, 419 578–579 firewall, 403 in sample test lab, 2 GPResult for, 406 Scheduled Tasks on, 223 Interim mode domains, group shadow copies setup, 827 nesting, 479 synchronization, over slow links, Offline Files for, 673–674 687–688 profile folders 
for, 555–557 teaching response to slow links, Windows 2003 domains, repairing defaults, 688–692, 689 445–446 trial version download, 3 Windows 2003 Resource Kit, 858 troubleshooting NLA in, 401, 401 Windows 2003 servers, caching, 574 for updated GPMC management Windows 2008 station, 307 profile folders for, 557 verbose logging, 425–426 public profile in, 563 WMI query to target machine, 531 Windows 2008 domains, repairing defaults, Windows 2000 445–446 and Active Directory, 26 Windows ADMX/ADML Central Store, Application Data folder redirection, 638 308–312 applying redirection policy to, 627 Windows Application log, 284, 284

Windows clients – Windows versions 901

Windows clients, RSoP (Resultant Set of as management station, 33 Policy) for updating domain schema, 526 remote calculation, 414–415 Windows Server 2008 remote calculation when permissions are advanced auditing settings and, 472 delegated, 415–416, 417 Client-Side Extensions (CSE) for, 385–386 Windows Firewall, 103–104 CSEs for, 383 configuring, 528–551 Default Domain Controllers Policy, 459 Windows Firewall: Allow inbound remote downloading trial versions, 3 administration exception policy setting, enabling advanced auditing, 473 104, 414, 415, 530 “extra” policy settings, 185 Windows Firewall: Protect All Network Fine-Grained Password Policy (FGPP) Connections policy setting, 67, 104, 533 with, 448–458 Windows Firewall with Advanced Security getting ready, 449 (WFAS), 529, 534–542, 545 Password setting object (PSO), blocking rules application, 550 449–454 creating new inbound and outbound required attributes, 452–453 rules, 537–538, 538 resulting set of PSOs, 454–458 how IPsec rules work, 546–547 firewall, 403, 529 properties, 535–536, 536 GPMC edition for, 69 ways of setting, 534–535 GPResult for, 406–412 vs. 
Windows XP, firewall controls, installing Client-Side Extensions, 234 530–531 installing Security Configuration Wizard Windows Installer service, 721–722 for, 843 affecting with Group Policy, Offline Files for, 674 769–778, 770 policy settings, 185 Computer-side policy settings, profile folders for, 557 769–776 Terminal Services, updates, 204 disabling, 770 for updated GPMC management User-side policy settings, station, 307 776–778, 777 WMI query to target machine, 531 .MSI packages and, 766–777 Windows Server 2008 machine, as rules for AppLocker, 491 management station, 30–32 Windows management station, leveraging Windows Server Update Services (WSUS), ADM templates from, 317–319 323, 789 Windows NT, domains, creating, 18 hardening rule for Windows Remote Assistance, 517, 524 WFAS, 541 category in Group Policy, 9 Windows Settings Windows Search Client-Side Extension, 368 for Computer configuration Windows Server 2003 Network Shares extension, 217 advanced auditing settings and, 472 Shortcuts extension, 217–218 applying redirection policy to, 627 for User and Computer nodes, 4 firewall, 529 for User configuration, 226–227 killing, 533 Applications extension, 226 manipulating, 531–534 Drive Maps extension, 226–227 GPMC edition for, 69 Windows system Path variable, 214 installing Client-Side Extensions, Windows versions 234–237 filtering settings based on, 116 installing Security Configuration Wizard and hash value, 485 for, 842–843, 843 system profiles for, 588–589

902 Windows Virtual PC – Windows XP

Windows Virtual PC, 3 caching, 574–575 Windows Vista core processing for, 379–380 802.11 Wireless Policy for, 527–528 and cross-forest trust, 208 Administrator accounts, disabled, CSEs for, 382, 384–385 514–516 diagnostic event logging for, 419 advanced auditing settings and, 472 Event Log in, 419 Client-Side Extensions (CSE) for, 382, Explorer reaction to caching with offline 385–386 files, 668–670 and cross-forest trust, 208 fast boot, and folder redirection, Default Domain User Profile for, 640, 641 568–569, 570 File hash entry, 485 enabling advanced auditing, 473 file types not cached, 653 Explorer reaction to caching with offline firewall, 403, 529 files, 668–670 killing, 533 Extra Registry settings in older manipulating, 531–534 GPMC, 315 Folder Redirection File and Registry Virtualization, 521 automatic offline caching, 712 firewall, 529 for Documents/My Documents, 635, 635 Folder Redirection on slow networks, 681, 682 automatic offline caching, 712 GPMC edition for, 69 for Documents/My Documents, 636 GPResult for, 406 on slow networks, 681, 682 Group Policy over slow network GPMC edition for, 69 connections, 167–168 GPMC removal from, 26 .INF template files, 838–839 GPResult for, 406–412 initial policy processing, 151–152 installing Client-Side Extensions, installing Client-Side Extensions, 234–237, 236 234–237 Local Service and Network Service log file for Folder Redirection, 642 profiles, 589 LOGONSERVER variable, 396 as management station, 2, 32–33 as management station, 2, 33 public profile in, 563 moving client-side cache, 585 reaction to enabling caching on pinning a file, 645 shares, 666 profile folders for, 555–557 running only logo’d software for, 523 and Redirected Folder names and Scheduled Tasks on, 223 directories, 560–561 Sync Center, troubleshooting, 708–710 removing Run from Start menu, 12–13 synchronization, over slow links, roaming between machines in mixed 686–687 environment, 579–580 teaching response to slow links, roaming between 
machines with, 578 688–692, 689 in sample test lab, 2 Wired Policy processing, 525 Scheduled Tasks on, 223 WMI query to target machine, 531 setting, to synchronous behavior, 159 Windows XP slow connections, 680 802.11 Wireless Policy, 527 Synchronization Manager adjusting for holdovers from, 559–561 over slow links, 684–685 advanced auditing settings and, 472 policy settings and, 693 Application Data folder redirection, 638 state transitions, 685–686 applying redirection policy to, 627 verbose logging for, 420–424, 421 Autocache in, 665, 665–666 vs. WFAS, firewall controls, 530–531 and background processing, 155–159 WMI query to target machine, 531

WinINSTALL – Zero Administration for Window (ZAK) initiative 903

WinINSTALL, 727 Wmplayer.adm template, 298, 299, 362 Winlogon process, Group Policy processing workstations, finding, 64, 64 in, 379 wrapping up, Starter GPOs, 132–133, 133 WinZip, 331 write overlaps, and ADM files, 305 Wired Network (802.3) Settings category in write permissions, for Redirected Group Policy, 7 folders, 621 Wired Policy processing, 183 WSUS (Windows Server Update Services), node for, 526 323, 789 Wireless Client-Side Extension, 365 Wuau.adm template, 298, 299, 362 Wireless Network (802.11) Settings category in Group Policy, 7 wireless networks, 525–528 Wireless Policy processing, 183 X WMI CIM Studio, 191 XML attributes, for devices, 811 WMI Filter Validations utility, 863 XML files WMI filters, 138, 189–195, 341 creating, by pasting or dragging GPPrefs, for Assign or Publish application, 732 274, 275 backup and restoring, 141 for GPO backup report, 136 backup for, 136 for GPResult report, 407 creating and using, 193, 193–194 XmlLite, 234 icon for, 142 command-line options, 235 impact on performance, 194–195 vs. item-level targeting, 269 items to filter on, 190 managing, 98–99 Z delegating who can create, 99 delegating who can use, 99, 100 .ZAP files, 738–741 processing time, 434 creating, 739–740 selecting, 195 for Office deployment, 783 syntax, 192–193 publishing, 740, 740 for targeting operating system, 531 removing applications, 762 tools and references for, 191–192 testing, 740–741 WMI (Windows Management Zero Administration for Window (ZAK) Instrumentation), and scripts, 660 initiative, 616
