Project Team
MARK WILKINS Course Director
NANCY DUNHAM Director, Content Development, Instructor-Led Training
KARIN GRODEN Project Manager, Content Development
JOHN VOORHEES Vice President, Proprietary and Partner Products
NINA KNIERIM Product Manager, IT Foundations
Course Objectives
As the features of Windows 2000 Server mature, now is the time to get up to speed on
Windows Server 2003. Discover how to migrate system policies to Windows 2003 Group
Policy. This course introduces the new aspects of Active Directory and Group Policy,
including user profiles and IntelliMirror.
Hands-on labs show you how to design and deploy security policies for all your Windows
2000 and Windows 2003 servers (domain controllers and member servers), workstations, and
Windows XP clients.
Deploying Group Policy for Windows 2000, 2003, and XP Clients vii
Global Knowledge Training LLC
Table of Contents
1 Group Policy Essentials
Section Topics ...................................................................................................1-1
Section Objectives .............................................................................................1-2
Section Overview ...............................................................................................1-2
The Philosophy of IntelliMirror ...........................................................................1-3
Active Directory Framework ........................................................................1-5
Software Packages and the Windows Installer .........................................1-11
Folder Redirection .....................................................................................1-12
Offline Files and Folders ...........................................................................1-14
Roaming User Profiles ..............................................................................1-15
Distributed File Shares ..............................................................................1-16
Remote Installation Services .....................................................................1-17
Versions of Group Policy .................................................................................1-18
Windows 2000 Interface ............................................................................1-19
Windows XP and Windows 2003 Interface ...............................................1-21
Which Clients and Servers Can Deploy Group Policy? ............................1-23
Group Policy Architecture ................................................................................1-24
The Secedit Database ...............................................................................1-24
Local Group Policy ....................................................................................1-25
Network Group Policy (Domain, OU, Site) ................................................1-26
Registry Locations .....................................................................................1-26
Group Policy Deployment ................................................................................1-27
Deployment Rules .....................................................................................1-27
Deployment Options ..................................................................................1-29
Block Policy Inheritance ............................................................................1-30
Filtering with Security Groups ...................................................................1-32
Delegation of Group Policy .......................................................................1-33
Section Summary ............................................................................................1-34
Section Review ................................................................................................1-35
Deploying Group Policy for Windows 2000, 2003, and XP Clients TOC-1
Global Knowledge Network, Inc.
2 Designing Group Policy Infrastructure
Section Topics ...................................................................................................2-1
Section Objectives .............................................................................................2-2
Section Overview ...............................................................................................2-2
Implementing Group Policy ...............................................................................2-3
Planning Your Group Policy Design ............................................................2-3
Designing Your Group Policy Solution .......................................................2-6
Applying Group Policy Changes ...............................................................2-12
Default Rights for Group Policy Management ...........................................2-22
Delegating Administration of Group Policy ......................................................2-26
GPO Delegation ........................................................................................2-27
Manually Assigning Permissions ...............................................................2-29
Specifying a Domain Controller for Editing Group Policy ..........................2-31
Using Loopback Processing ......................................................................2-33
Using Group Policy Inheritance .................................................................2-35
Rolling Back Domain GPOs ......................................................................2-37
Section Summary ............................................................................................2-38
Section Review ................................................................................................2-39
Migrating Group Policy ................................................................................3-8
Creating Lockdown Desktops ..........................................................................3-10
Lightly Managed Desktop ..........................................................................3-12
Mobile User ...............................................................................................3-13
Multi User Desktop ....................................................................................3-15
App Station (Highly Managed Desktop) ....................................................3-16
Task Station ..............................................................................................3-17
Kiosk .........................................................................................................3-18
Comparison of Features Used in Each Scenario ............................................3-19
Section Summary ............................................................................................3-20
Section Review ................................................................................................3-21
User Rights Assignments ..........................................................................4-45
Microsoft Baseline Security Analyzer ..............................................................4-48
Section Summary ............................................................................................4-50
Section Review ................................................................................................4-51
Processing Order ......................................................................................5-26
Managing Printers: Printer Pruning .................................................................5-28
Printer Location Tracking ..........................................................................5-28
Section Summary ............................................................................................5-29
Section Review ................................................................................................5-30
Slow Links .................................................................................................6-37
Folder Redirection ...........................................................................................6-39
Printer Management and Pruning ....................................................................6-42
Pruning ......................................................................................................6-42
Publishing ..................................................................................................6-43
Computer Network Settings .............................................................................6-44
DNS Client ................................................................................................6-44
Offline Files ...............................................................................................6-45
Network Connections ................................................................................6-46
Section Summary ............................................................................................6-47
Section Review ................................................................................................6-48
Elements of a Solution ................................................................................8-5
MSI Package Architecture .................................................................................8-6
Elements of a Package ...............................................................................8-8
What Is a Transform? ..................................................................................8-9
Relationship to Group Policy .....................................................................8-11
Group Policy as a Software Deployment Method ............................................8-12
Pros and Cons of Policy-Based Software Deployment .............................8-12
Requirements for Distributing Software via Group Policy .........................8-12
Options for Policy-Based Deployment ......................................................8-13
Assigning Software ..........................................................................................8-14
Assigning Software to Computers .............................................................8-15
Assigning Software to Users .....................................................................8-18
Assigning Software to Users on Demand .................................................8-19
Publishing Software to Users ..........................................................................8-21
Upgrading Packages .......................................................................................8-22
Removing Packages ........................................................................................8-23
Using WinInstall to Create MSI Packages .......................................................8-24
Building (Authoring) an MSI Package .......................................................8-24
Repackaging an Application ......................................................................8-27
Setting up Distribution Points ..........................................................................8-29
Specify a Network Location .......................................................................8-29
Take Advantage of Sites ...........................................................................8-31
Slow Link Behavior ....................................................................................8-31
Dfs Shares ................................................................................................8-32
SMS and RIS ...................................................................................................8-33
Systems Management Server ...................................................................8-33
Remote Installation Service ......................................................................8-34
Using the Software Update Service .................................................................8-35
System Requirements and Limitations ......................................................8-35
Server and Client SUS Components .........................................................8-36
Deploying and Configuring the SUS Server ..............................................8-37
Section Summary ............................................................................................8-41
Section Review ................................................................................................8-42
9 Creating and Deploying ADM Templates
Section Topics ...................................................................................................9-1
Section Objectives .............................................................................................9-2
Section Overview ...............................................................................................9-2
Overview of ADM Templates .............................................................................9-3
What Are Administrative Templates Nodes? ..............................................9-3
What's in an ADM File? ...............................................................................9-5
Why Have ADM Files at All? .......................................................................9-7
Standard ADM Templates .................................................................................9-8
Windows 2000 .............................................................................................9-9
Windows XP ..............................................................................................9-10
Windows 2003 ...........................................................................................9-11
Poledit Templates .....................................................................................9-12
Office ADM Templates ..............................................................................9-13
Registry Structure Used by ADM Templates ...................................................9-17
Machine vs. User ......................................................................................9-17
True Policies vs. Preferences ...................................................................9-17
ADM Template Syntax .....................................................................................9-18
CLASS ......................................................................................................9-19
CATEGORY ..............................................................................................9-20
POLICY .....................................................................................................9-21
KEYNAME .................................................................................................9-21
VALUENAME ............................................................................................9-22
PART .........................................................................................................9-22
EXPLAIN ...................................................................................................9-23
SUPPORTED ............................................................................................9-24
STRINGS ..................................................................................................9-24
Creating Custom ADM Templates ...................................................................9-25
Programming Tips .....................................................................................9-25
A Simple Example .....................................................................................9-25
Loading Additional ADM Templates ................................................................9-29
Using the Policy Template Editor ....................................................................9-31
Section Summary ............................................................................................9-32
Section Review ................................................................................................9-33
10 Software Restriction Policies
Section Topics .................................................................................................10-1
Section Objectives ...........................................................................................10-2
Section Overview .............................................................................................10-2
What Is a Software Restriction Policy? ............................................................10-3
Who Can Use a Software Restriction Policy? ...........................................10-4
Software Restriction Components .............................................................10-4
Software Restriction Policy Architecture ...................................................10-5
How to Create a Software Restriction Policy ...................................................10-7
Creating Policy for a Local Computer .......................................................10-8
Creating Policy for a Domain-Based Computer ........................................10-8
Creating Policy for a Site ...........................................................................10-8
Software Restriction Policy Options ................................................................10-9
DLL Checking ..........................................................................................10-10
Skip Administrators .................................................................................10-10
Selecting Executables to Protect ............................................................10-11
Trusted Publishers ..................................................................................10-12
Default Security Levels and Exceptions ..................................................10-13
Additional Rules to Identify Software .............................................................10-15
The Hash Rule ........................................................................................10-17
The Certificate Rule ................................................................................10-19
The Path Rule .........................................................................................10-20
Registry Path Rules ................................................................................10-22
The Internet Zone Rule ...........................................................................10-23
Software Rules Precedence ..........................................................................10-24
Process 1 ................................................................................................10-25
Process 2 ................................................................................................10-25
Creating an Effective Software Restriction Policy .........................................10-26
Deployment Summary ...................................................................................10-28
Multiple User or Machine Policies ...........................................................10-28
Merging Machine and User Policy ..........................................................10-28
Section Summary ..........................................................................................10-29
Section Review ..............................................................................................10-30
11 Troubleshooting Group Policy
Section Topics .................................................................................................11-1
Section Objectives ...........................................................................................11-2
Section Overview .............................................................................................11-2
Group Policy Infrastructure ..............................................................................11-3
The Sysvol Folder .....................................................................................11-4
The PDC Emulator ....................................................................................11-6
FRS Replication ...............................................................................................11-8
Client-Side Extensions ....................................................................................11-9
Registry Client-Side Extensions ................................................................11-9
GPO Structure ...............................................................................................11-10
The Group Policy Container ....................................................................11-11
The Group Policy Template ....................................................................11-12
GPO Versioning ......................................................................................11-13
Processing Details ..................................................................................11-14
Group Policy Deployment Order ....................................................................11-15
Local Computer System ..........................................................................11-16
Site GPOs ...............................................................................................11-16
Domain GPOs .........................................................................................11-17
Organizational Unit ..................................................................................11-17
Group Policy Processing .........................................................................11-18
Using Command-Line Tools ..........................................................................11-19
Using Gpresult ........................................................................................11-19
Using Gpotool .........................................................................................11-22
Using Gpupdate ......................................................................................11-24
Using ReplMon ........................................................................................11-26
Analyzing Policy Deployment ........................................................................11-29
Using RSoP .............................................................................................11-29
Using the Windows XP Help and Support Center .........................................11-31
Enabling Group Policy Logging: the userenv.log File ....................................11-32
Tips for Troubleshooting Group Policy ..........................................................11-34
Custom Views of Administration Templates ..................................................11-36
Enabling the Administrative Tools Filter ..................................................11-37
Using the Event Logs ....................................................................................11-38
Verbose GPO Logging ............................................................................11-38
Using Gpmonitor ............................................................................................11-39
Why Is My Policy Still Not Working? ..............................................................11-40
Section Summary ..........................................................................................11-41
Section Review ..............................................................................................11-42
Restrictions .............................................................................................12-32
Creating WMI Filters ...............................................................................12-33
Linking a WMI Filter to a GPO ................................................................12-35
Section Summary ..........................................................................................12-36
Section Review ..............................................................................................12-37
Group Policy Essentials
Section Topics
The Philosophy of IntelliMirror
Versions of Group Policy
Group Policy Architecture
Group Policy Deployment
Section Objectives
Section Overview
This section introduces the IntelliMirror concept: basically, that users should be able to
work with the data and programs they need, when and where they need them. It also
discusses how Group Policy functions as a key facilitator of that enterprise computing
strategy.
Notes
The rest of this topic takes a brief look at the components of this overarching
philosophy called IntelliMirror. Subsequent topics in this section then focus on the part
of IntelliMirror that concerns us in this course: Group Policy, the tool that network
administrators use to implement many IntelliMirror features.
Figure: "Where am I? And where's my stuff?"
If IntelliMirror means, as defined above, that what you see when you work at a given
computer depends on your identity, then in Windows 2000 and later versions of the operating
system your identity is determined by where you and your computer sit within the framework
of the Microsoft enterprise directory service, Active Directory, and by your membership in
security groups (which, of course, predate Active Directory).
Conversely, if IntelliMirror means that you can get to whichever files, programs, and
network services you need, then the location of those resources is likewise determined by
where they exist within Active Directory.
Note
Active Directory is the primary way that a Windows network determines who you are,
where you are, and where everything you need is. Therefore, a basic understanding of
Active Directory is necessary to understand the IntelliMirror strategy and its primary
enabling technology, Group Policy.
Real-World Application
Computers that do not fully support Active Directory (that is, Windows 95, Windows 98, and
Windows NT 4.0) do not benefit from all aspects of IntelliMirror, even though the
downloadable Active Directory client may let them participate in Active Directory to a
limited extent.
Domains
A domain is the primary partition of Active Directory and defines a security boundary
within the organization. Every member of the domain, for example, has the same
password settings (minimum length, complexity, etc.). Domain controllers are servers that
authenticate users to the domain, maintain information about all the directory objects in
the domain, and exchange that information with each other for reasons of performance and
fault tolerance.
Beyond merely defining a security boundary, the domain also typically defines a broad
usage boundary. That is, users within a particular domain are most likely to use resources
that are also defined within that domain. While Active Directory permits users to access
resources outside their domain through the mechanism of trusts, such access can carry
significant performance penalties (although less so than in the past, thanks partly to
Kerberos authentication technology).
Windows 2000 family networks using Active Directory may be able to function
effectively with fewer domains than Windows NT 4.0 networks, largely due to a new
construct called the organizational unit. In fact, many Active Directory environments for
small and medium-sized organizations consist of a single domain. Such a model has great
appeal from the standpoint of administrative overhead.
Organizational Units
Although they are new to the Microsoft network world, organizational units, or OUs, have
been around in the NetWare world for years. They add great flexibility to your network
design and facilitate the collapsing of domains.
If a domain is a security and usage boundary, then an OU is an administrative boundary.
Users generally are aware of what domain they are in, but they may have no idea as to
what OU they are in. The OU is there for the administrator, to make his life easier by
permitting two activities:
The delegation of control
The application of Group Policy
In fact, the OU is the smallest container to which a Group Policy object can be linked
(GPOs link only to sites, domains, and OUs), and it is the natural unit for delegating control.
OUs are containers: they can contain users, groups, computers, and other OUs (although
you should avoid nesting OUs too many levels deep to avoid unnecessary complexity). At
the same time, an OU is itself contained inside a domain. OUs cannot span domains, that
is, they cannot contain objects outside their own domains.
Users do not authenticate to an OU; they authenticate to a domain. But a network manager
can delegate authority for an OU to a particular security group or even to a specific
individual. A network manager can also apply Group Policy objects to OUs independently
from each other.
So, for example, a network manager who wants everyone in the Sales OU to have a
particular application but nobody in the Engineering OU to have that same application,
can deploy the program via Group Policy to the Sales OU but not the Engineering OU.
Active Directory Users and Computers, the utility that takes the place of the old User
Manager and Server Manager tools in Windows NT 4.0, is present on Windows 2000 Server and
Windows 2003 Server computers that have been promoted to domain controllers. You can
install it, along with the other Active Directory consoles, on a Windows 2000 or Windows
XP Professional workstation via adminpak.msi, the Administrative Tools Pack.
Note
There are different versions of adminpak.msi for Windows 2000 and Windows XP; install the
one that matches the workstation's operating system.
This software also embodies IntelliMirror philosophy in that you can administer your
entire network from any workstation that you happen to be using, as long as you have the
appropriate credentials (for example, you belong to the Domain Admins group).
Trees
A tree is a collection of domains that have a contiguous DNS namespace. For example,
gk.com, sales.gk.com, and foreign.sales.gk.com would constitute a tree of three
domains.
When you build a new domain in Active Directory, you can choose whether you want it to
start a new tree or be part of an existing tree.
Forests
A forest is, as you might suspect, a collection of trees. But it is more than that. A forest
is always built from the top down: the first domain you create establishes the forest, and
every additional tree is created by adding a new domain to that existing forest. You cannot
merge two trees (or two forests) that were built independently.
All the domains in a forest share a single schema (the data structure that defines the
objects and attributes in the directory), a single configuration partition (the map of the
domain and site structure), and a single global catalog.
Trusts
The important thing to know about trees and forests is that, by default, all the domains in a
tree or a forest trust each other, so a user in one domain can be granted access to a
resource in a different domain (the trust only makes such a grant possible; it does not
grant access by itself). Windows 2000 and Windows Server 2003 build automatic,
bidirectional, transitive trusts between parent and child domains and between tree roots,
and because the trusts are transitive, every domain in the forest effectively trusts every
other domain.
This matters for Group Policy because it makes it possible to link a GPO stored in one
domain to a site, domain, or OU in a different domain. Avoid that where possible: the client
must then contact a domain controller in the GPO's home domain to read the policy, which
slows processing, especially across WAN links.
Sites
Figure 3: Sites (LAN 1 forms the Active Directory site San Jose; LAN 2 forms the Active
Directory site San Francisco)
So far, we have been discussing domains, OUs, trees, and forests, and the trusts that
connect domains within trees and forests. These are all logical constructs rather than
physical ones. Active Directory has a single physical construct, the site, defined as one or
more IP subnets that are well connected, that is, joined by fast and reliable links. For
example, a LAN would be likely to comprise an Active Directory site, whereas a slow or
expensive WAN link would be likely to delineate two separate sites.
Sites are defined in the Active Directory Sites and Services console and consist of one or
more subnets defined with the usual TCP/IP network ID and mask notation. Active
Directory uses sites to help clients find domain controllers that are physically nearby.
Active Directory also uses sites to create appropriate schedules for replication of data
between domain controllers.
IntelliMirror says that your stuff follows you around. A big part of your stuff is the
programs that you need to run. One of the major pieces of technology that helps to ensure
that you get the programs you need is the Windows Installer service and the Software
Settings node of the Group Policy console.
In a nutshell, via Group Policy, you can:
Deploy software as assigned or published, depending on how important it is that
users and computers get the specific application. Assigning a package to a
computer installs it at startup (the mandatory mode); assigning it to a user
advertises it on the Start menu and installs it on first use; publishing it to a
user merely makes it available in Add/Remove Programs (the two on-demand
modes).
Set up your network so that if users remove an assigned application, its Start menu
entries come back the next time they log on (or, for computer-assigned packages,
the next time the machine starts).
Upgrade, patch, and remove applications, based on user and computer
locations within Active Directory.
You may need to use Microsoft SMS rather than policy-based deployment if you need
scheduling, synchronization, inventory, status reporting, or auditing capabilities, or if you
need to support down-level client operating systems.
Folder Redirection
Users who store data on their PCs at work always use a consistent and rapidly recoverable
procedure to back that data up on a regular basis to reliable and verified backup media.
Now that you have picked yourself up off the floor and have stopped laughing, consider
the merit of folder redirection, that is, the ability to make the My Documents folder of a
user point to a server share instead of to a folder on the local hard drive. (The redirection is
transparent to the user, except for the speed difference.) In most organizations, servers
actually do get backed up regularly, consistently, recoverably, and reliably. This is the
genius of folder redirection. It makes it feasible to restore the data files of a damaged
computer in a predictable way.
Helpful Hint
This facility works best with server folders that are used by one and only one user. The
reason is that Windows offers no facility for merging changes when more than one user has
updated the same file offline; at synchronization time the user is simply asked which
version to keep. Manual reconciliation is difficult for users and almost guaranteed to
create problems for support staff.
Note that the offline files and folders feature does not have to be used in concert with the
folder redirection feature. However, Microsoft has suggested that doing so is not a bad
idea. The concept here would be to redirect, for example, the My Documents folders of
users to a server location, to gain the advantage of network-based backup, then make those
server locations available offline so that users can work on their data when they are
disconnected from the network.
You can use Group Policy to control various aspects of the offline files and folders feature.
Users do not always log on to the same PC. However, when a user logs on to a different
PC, IntelliMirror says that his stuff should follow him around, that is, his wallpaper, his
Start menu, application program preferences, and so forth. You can set up the user
account object in Active Directory to support a server-based user profile location (see
Figure 5) that will let the user roam about the network and have his profile follow him
around to whatever PC he logs on to.
You can assign network-based profile locations in Group Policy as well, which is usually
more convenient than doing it on a user-by-user basis. Additionally, you can use the
Group Policy console to control various aspects of roaming profile behavior, including
whether profiles roam across slow links, which bits and pieces of a profile roam and which
do not, and what size profiles can occupy. Here, again, Group Policy is clearly the agent
of the IntelliMirror philosophy.
Figure 7: A Dfs root presenting Folder A, Folder B, and Folder C
Microsoft Dfs lets administrators present shared folders to users under a unified root, even
if those folders reside on physically separate servers. Like folder redirection, this, too, is
part of the IntelliMirror concept: you can organize the network so that it makes the most
logical sense to users, even if that organization does not match the actual physical layout
of files and folders.
In Figure 7, folders A, B, and C reside on different servers but appear under a single
logical share. An administrator might set this up, for example, when moving the physical
folders might be impractical.
You can view and modify Group Policy settings using the Group Policy snap-in to the
MMC console, typically abbreviated as the Group Policy console.
The usual way to open a network-based policy console is to open the relevant Active
Directory utility (for example, Active Directory Users and Computers), right-click the
object of interest (domain or OU), choose Properties, click the Group Policy tab, and
click the Edit button.
An alternative method is to run mmc.exe and load the Group Policy snap-in to the
console. If you use this method, you can specify the focus of the Group Policy (see
Figure 8) when you add the Group Policy standalone snap-in.
When the console is open, you will see the tree pane (policy
pane) to the left and the details pane to the right.
Expand the various nodes in the policy hierarchy by
clicking the plus (+) sign next to them.
Click a node in the left pane to display the possible
policy choices in the right (details) pane.
To view or change a policy setting, double-click the
setting in the details pane to open its property sheet.
Click the Explain tab, if present, to view additional
details about the policy setting.
The Group Policy MMC console evolved somewhat with the introduction of Windows XP
Professional, and, like many other aspects of the Windows XP user interface, those
changes found their way into Windows 2003 Server as well.
The first evolution, for administrators with wide displays, is the relocation of the
explanation text to a central column (see Figure 9). You can return to the Windows 2000
view by clicking the Standard tab at the bottom of the details pane.
The second big improvement is the Supported on compatibility information at the
bottom of the Setting tab in the property sheet of any specific policy. This information
identifies the minimum operating system level necessary to support the given policy
setting.
Group Policy?
Group Policy is a Windows 2000-family technology. That is to
say, the following clients and servers can participate in Group
Policy deployment:
Windows 2000 Professional
Windows XP Professional
Windows 2000 Server
Windows 2003 Server
Earlier clients (for example, Windows 95 and Windows 98) and
servers (Windows NT 4.0) can participate in something similar,
but more restricted, called System Policies. System Policies have
the following features:
The system policy editor is called poledit.exe.
Different versions of the system policy editor are
distributed with Windows 95, Windows 98, and
Windows NT. These versions are not cross-
compatible, so a policy file must be built with the
editor (and .adm templates) that matches the client.
System policies have the undesirable side effect of
being hard to reverse: they write directly into ordinary
registry keys, so the settings remain in place (they
"tattoo" the registry) after the policy is removed. True
Group Policy settings, by contrast, are removed when
the GPO no longer applies.
Registry Locations
In many ways, the Group Policy console is a fancy Registry Editor, with many of the
features that Microsoft left out of the real registry editors (Regedit and Regedt32 in
Windows 2000, and the new, unified Regedit in Windows XP Professional and Windows
2003 Server). These features include:
Descriptive explanations about the registry changes to be made
The ability to easily undo registry changes
The ability to easily view the registry changes made via Group Policy
The ability to restrict the kinds of data one can place into a registry key
In fact, the Administrative Templates nodes of both halves of the Group Policy console
are populated entirely with registry settings. Microsoft sometimes refers to the Adminis-
trative Templates settings as registry-based policy.
In order to properly secure policy settings and facilitate the reversal of policy changes,
Microsoft has restricted true Group Policy registry settings to four specific registry
keys, namely:
HKLM\Software\Policies
HKCU\Software\Policies
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
It is possible to use the Administrative Templates nodes to modify other registry keys,
but such settings are called preferences rather than policies and may not be easily
reversible or secure.
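The distinction between the four policy keys and everything else is easy to check mechanically. The following Python script is an added example for this section, not code from the course or from Microsoft: it walks an .adm file in the keyword syntax real templates use and reports, for each POLICY block, whether its KEYNAME lands in one of the four policy keys (a true policy) or elsewhere (a preference that will tattoo the registry). The .adm fragment and the policy names in it are constructed for illustration.

```python
"""Classify Administrative Template settings as true policies or preferences.

Added example; not code from the course or from Microsoft. The .adm fragment
below is constructed for illustration and its policy names are made up.
"""

# The four registry keys that hold true Group Policy settings, written without
# the hive. A setting written anywhere else by an Administrative Template is a
# preference: it stays in the registry ("tattoos") after the GPO stops applying.
POLICY_KEY_PREFIXES = (
    r"software\policies",
    r"software\microsoft\windows\currentversion\policies",
)

HIVE_FOR_CLASS = {"USER": "HKCU", "MACHINE": "HKLM"}


def is_true_policy_key(keyname):
    """True if the key (as written in an .adm KEYNAME, without the hive) is one of
    the policy keys or lies underneath one of them. The comparison is
    case-insensitive, as the registry itself is."""
    key = keyname.strip().strip("\\").lower()
    return any(key == p or key.startswith(p + "\\") for p in POLICY_KEY_PREFIXES)


def parse_adm(text):
    """Walk an .adm file and return one record per POLICY block: the hive it
    targets, the policy name, the full key path, and whether it is a true
    policy or a preference. A KEYNAME given at CATEGORY level acts as the
    default for the policies (and nested categories) beneath it."""
    records = []
    hive, policy, policy_key = None, None, None
    category_keys = []          # one entry per open CATEGORY: its default KEYNAME
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment line
            continue
        keyword, _, rest = line.partition(" ")
        keyword, rest = keyword.upper(), rest.strip().strip('"')
        if keyword == "CLASS":
            hive = HIVE_FOR_CLASS[rest.upper()]
        elif keyword == "CATEGORY":
            # a nested category starts out with its parent's default key
            category_keys.append(category_keys[-1] if category_keys else None)
        elif keyword == "POLICY":
            policy, policy_key = rest, None
        elif keyword == "KEYNAME":
            if policy is not None:
                policy_key = rest
            elif category_keys:
                category_keys[-1] = rest
        elif keyword == "END":
            what = rest.upper()
            if what == "POLICY":
                key = policy_key or (category_keys[-1] if category_keys else None) or ""
                records.append({
                    "hive": hive,
                    "policy": policy,
                    "key": f"{hive}\\{key}",
                    "kind": "policy" if is_true_policy_key(key) else "preference",
                })
                policy = None
            elif what == "CATEGORY":
                category_keys.pop()
    return records


def preferences_in(text):
    """Names of the settings in an .adm file that would tattoo the registry."""
    return [r["policy"] for r in parse_adm(text) if r["kind"] == "preference"]


# Constructed .adm fragment: two true policies and one preference.
SAMPLE_ADM = r'''
CLASS USER
CATEGORY "Desktop"
  KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
  POLICY "Hide all icons on Desktop"
    VALUENAME "NoDesktop"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
  POLICY "Set wallpaper (preference, tattoos the registry)"
    KEYNAME "Control Panel\Desktop"
    VALUENAME "Wallpaper"
  END POLICY
END CATEGORY

CLASS MACHINE
CATEGORY "Windows Installer"
  POLICY "Disable Windows Installer"
    KEYNAME "Software\Policies\Microsoft\Windows\Installer"
    VALUENAME "DisableMSI"
  END POLICY
END CATEGORY
'''

if __name__ == "__main__":
    for rec in parse_adm(SAMPLE_ADM):
        print(f"{rec['kind']:10} {rec['policy']:50} -> {rec['key']}")
```

Run the script against a real .adm file by reading it into `parse_adm`; anything it reports as a preference is a setting you will have to undo by hand if the GPO is ever unlinked.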
Deployment Rules
Given that Group Policy may be assigned at various points in the hierarchy of an Active
Directory network, the question naturally arises: What happens when the same policy
setting is made at different levels and, perhaps, with conflicting values?
Active Directory implements a pecking order that defines who wins in the event of
multiple conflicting policy settings. The priority order is as follows, with structures at the
top of the list winning out over structures below it:
The OU closest to the user
Any intermediate OUs
The OU furthest from the user (but still containing the user)
Domain
Site
Local
Note that, if the user or computer is only in one OU, the above priority list simplifies to:
OU
Domain
Site
Local
So, if a policy is set one way at the site level and a different way at the OU level, the OU's
setting wins out in the absence of any deployment options (No Override or Block Policy
Inheritance).
Another way to view this issue is to consider the order in which Group Policy is applied.
That order is as follows:
1. Local
2. Site
3. Domain
4. The OU furthest from the user (but still containing the user)
5. Any intermediate OUs
6. The OU closest to the user
Helpful Hint
You could remember the acronym L-S-D-O-O-O as a mnemonic device. Note that the
above sequence is the inverse of the prioritization list, which makes sense when you
consider that the "last write wins."
Note
Some domain-level settings appear to be modifiable at the OU level, but do not take effect
there for domain accounts. For example, the account policies (minimum password length,
lockout thresholds, Kerberos settings) for domain user accounts are read only from GPOs
linked at the domain level, because it is the domain controllers that enforce them. Even
though the setting appears editable when you open the Group Policy console for a particular
OU, such a modification affects only the local accounts in the SAM of member computers in
that OU, not domain accounts.
Deployment Options
The deployment rules set forth in the preceding section may be modified. For example, a
network administrator may want to force a particular setting out to an entire domain and
not worry about whether it might be overridden at some point by an OU-level setting.
No Override
To set a policy object to No Override, highlight the object in the Group Policy tab of the
domain, OU, or site property sheet and click the Options button. Finally, check the No
Override box (see Figure 12). The Group Policy Management Console for Windows Server
2003 exposes the same flag under the name Enforced. The flag is stored on the link, not on
the GPO, so a GPO linked in two places can be No Override in one and not in the other.
This is the dictatorial setting that network managers use only for policy objects
containing settings deemed so necessary, either for security, user interface consistency, or
user functionality, that they should not be able to be overruled at any lower level.
Note
It is good design practice to put mandatory policy settings into GPOs that are separate from
settings that are not mandatory (that is, settings that lower-level entities, such as OUs, can
change). The reason is that the No Override flag applies to an entire GPO, not just part of
a GPO.
You can tell Windows that you want to block the inheritance of Group Policy settings from
Active Directory structures higher in the hierarchy. For example, open the properties sheet
for an OU, choose the Group Policy tab, and check the Block Policy inheritance
checkbox (see Figure 13).
Note
What happens when the irresistible force meets the immovable object, and a policy that
was set at a higher level with No Override meets a policy that was set at the next-lower
level with Block Inheritance? As you might guess, No Override wins. If it did not, there
would be no way to enforce a domain-wide policy.
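The interaction of processing order, No Override, and Block Policy Inheritance is easier to reason about when you can run it. The following Python script is an added example for the Deployment Rules and Deployment Options sections; it is not code from the course or from Windows. It simulates the client's resolution logic: GPOs are written in L-S-D-O-O-O order with last write winning, link order within one container is honoured, Block Policy Inheritance discards ordinary GPOs from containers above it, and No Override links are written after everything else with the higher container winning. The GPO names, the OU chain and the settings are constructed for illustration.

```python
"""Simulate how Group Policy resolves conflicting settings.

Added example; not code from the course or from Windows. It models the
L-S-D-O-O-O processing order ("last write wins"), the No Override flag (called
Enforced in the Group Policy Management Console), and Block Policy Inheritance.
The GPO names, OU chain and settings are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                  # setting name -> value
    no_override: bool = False       # No Override / Enforced flag on this link


@dataclass
class Container:
    name: str                       # Local, a site, a domain, or an OU
    gpos: list = field(default_factory=list)   # link order: index 0 is highest priority
    block_inheritance: bool = False


def applied_gpos(chain):
    """Return the GPOs in the order the client writes them. `chain` runs from the
    local computer through site and domain to the OU closest to the account."""
    normal, enforced = [], []
    for level, container in enumerate(chain):
        if container.block_inheritance and level > 0:
            # Block Policy Inheritance discards ordinary GPOs inherited from the
            # containers above this one. The local GPO is not inherited from a
            # parent container and is never blocked.
            normal = [(lvl, g) for lvl, g in normal if lvl == 0]
        # Link order 1 beats link order 2 on the same container, so the
        # highest-priority link must be written last: walk the list backwards.
        for gpo in reversed(container.gpos):
            if gpo.no_override and level > 0:
                enforced.append((level, gpo))
            else:
                normal.append((level, gpo))
    # No Override links are written after everything else, and the ones from
    # higher containers after the ones from lower containers, so a domain-level
    # No Override beats an OU-level No Override and any Block Inheritance.
    enforced.sort(key=lambda pair: -pair[0])
    return [g for _, g in normal] + [g for _, g in enforced]


def effective_settings(chain):
    """Apply the GPOs in order; the last writer of each setting wins.
    Returns (settings, winners) where winners names the GPO that set each value."""
    settings, winners = {}, {}
    for gpo in applied_gpos(chain):
        for key, value in gpo.settings.items():
            settings[key] = value
            winners[key] = gpo.name
    return settings, winners


def sample_chain(block_inheritance=True):
    """Constructed chain: Local -> Site -> Domain -> OU Sales -> OU Sales\\Field."""
    return [
        Container("Local", [GPO("Local GPO", {"Wallpaper": "local.bmp", "RunOnce": "x"})]),
        Container("Site: San Jose", [GPO("Site GPO", {"Wallpaper": "site.bmp"})]),
        Container("Domain: gk.com", [
            GPO("Domain Security", {"DisableCmd": False, "Wallpaper": "corp.bmp"}, no_override=True),
            GPO("Domain Defaults", {"ScreenSaverTimeout": 600, "HomePage": "http://intranet"}),
        ]),
        Container("OU: Sales", [GPO("Sales Apps", {"ScreenSaverTimeout": 900, "Wallpaper": "sales.bmp"})],
                  block_inheritance=block_inheritance),
        Container("OU: Sales\\Field", [GPO("Field Lockdown", {"DisableCmd": True})]),
    ]


if __name__ == "__main__":
    for block in (True, False):
        chain = sample_chain(block)
        settings, winners = effective_settings(chain)
        print(f"Block Policy Inheritance on OU Sales = {block}")
        print("  write order:", " -> ".join(g.name for g in applied_gpos(chain)))
        for key in sorted(settings):
            print(f"  {key:18} = {str(settings[key]):18} (from {winners[key]})")
```

With Block Policy Inheritance on the Sales OU, the site wallpaper and the domain defaults never reach the Field OU, yet the No Override domain GPO still wins both the wallpaper and the DisableCmd setting over the OU closest to the user, which is exactly the "irresistible force" outcome described in the note above.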
Someone once said that the Holy Roman Empire was neither holy, nor Roman, nor an
empire, but that other than that, it was a good name. The Microsoft choice of the term
Group Policy is similarly ironic in that administrators can apply Group Policy to local
computers, sites, domains, and organizational units, but not to security groups (at least, not
directly). Also, Group Policy does not consist of one policy, but of several hundred
policies.
What you can do with Group Policy is filter it with security groups, by modifying the
DACLs of GPOs (see Figure 14). A GPO applies to a user or computer only if that account
holds both the Read and the Apply Group Policy permissions on it. Notice that, by default,
Domain Admins (like Enterprise Admins and SYSTEM) are granted Read and Write but not
Apply Group Policy. Why do you think that might be? (They still receive the GPO through
their membership in Authenticated Users, which does hold Apply Group Policy by default;
the point of the arrangement is that removing Authenticated Users from the ACL filters
administrators out along with everyone else while leaving them able to edit the GPO.)
By the way, a security group is a group that you create for the purpose of assigning access
to resources, as opposed to a distribution group, which is a mailing list for e-mail. Often,
the term group is used to mean security group.
In the Active Directory Users and Computers console, you can delegate the responsibility
for managing Group Policy links to a group or (less likely) to a specific user. The
procedure is to right-click the domain or OU that you wish to delegate, choose Delegate
Control, select the group or user to whom you are delegating, and under Tasks to
Delegate, check Manage Group Policy links (see Figure 15).
The ability to delegate the administration of Group Policy provides network managers
with the ability to implement a decentralized IT infrastructure, wherein individual domain
or OU managers can take responsibility for those Active Directory structures. Of course,
the decision as to whether to delegate Group Policy tasks will depend on how well those
managers understand the power of Group Policy and its inner workings, as well as on the
overall management style of the organization.
Knowledge Check
Section Review
7. Can security group filtering be used to apply Group Policy to a specific group directly?
8. Name one advantage that Group Policy has over System Policies.
ABC Acronyms
The following acronyms are used in this section:
Designing Group Policy Infrastructure
Section Topics
Implementing Group Policy
Delegating Administration of Group Policy
Section Objectives
Section Overview
This section details the steps a successful Group Policy deployment should follow, linking
your design to how your company can best use the features. Essential network
components and security design are also defined.
The planning phase involves consultation with your help desk, end users, management,
and support staff to provide enough information for you to decide exactly which
components of Group Policy to deploy in your organization.
Your Group Policy design is ultimately bound by the design and implementation of your
Active Directory infrastructure. Since GPOs can be linked to sites, domains, and OUs,
your Active Directory design may make it easier to use sites rather than domain settings,
or domains instead of sites or OUs.
The planning process is ultimately the start of gathering information about your company
and how it carries out its day-to day business with an Active Directory network.
Throughout the design phase of Group Policy, the initial scope of Group Policy may be
broadened or reduced based on the settings that are deployed on all users versus the
settings that are applied for select groups of users.
Analyzing the way your workers do their job will help you design a plan that will be
acceptable and workable.
Your Group Policy will be deemed successful if it can seamlessly fit into your existing
Active Directory environment. Although this may seem like a stretch, remember the basic
rule of a new plan: keep it simple.
Your Group Policy design will be based on your physical and logical Active Directory
deployment. At a minimum, subnets (sites) and domains will be used; organizational units
will be used as well.
If your company has several divisions, how do you manage your network infrastructure?
If administration is centrally controlled, the divisions within your company do not by
themselves dictate your structure for network administration or for Group Policy.
The components that can be managed by a well-thought-out Group Policy design contain
the topics listed in Figure 18.
A successful Group Policy design will take into account the levels of politics practiced
within your company, and acceptable network security levels balanced against the IT
department requirements, the businesses requirements, and potentially, government
requirements.
Networking
DNS services
Time synchronization
Administration
Client interoperability
Figure 19: Designing Your Group Policy Solution
Networking
Active Directory must be operational in order to deploy Group Policy settings at the site,
domain, or OU. ICMP must also be allowed between clients and domain controllers:
Windows 2000, Windows XP, and Windows Server 2003 clients measure the speed of the
link to the domain controller with ICMP echo requests, and a firewall that drops ICMP
makes slow link detection fail.
DNS Services
DNS must be working correctly in order to process Group Policy. Clients locate domain
controllers and the Sysvol share by fully qualified domain names, not NetBIOS names, so
you must have DNS running in your forest with the domain controllers' SRV records
registered.
Time Synchronization
Clocks on workstations and servers must be within 5 minutes of the domain controllers',
the default Kerberos tolerance, or authentication fails and Group Policy cannot be
retrieved. Distribution of Group Policy changes relies on communication between domain
controllers using DNS services and the File Replication Service.
Administrative Requirements
By default, only members of Domain Admins, Enterprise Admins, and Group Policy
Creator Owners can create GPOs, and only Domain Admins and Enterprise Admins can
link them to a site, domain, or OU. You can delegate both tasks to other users. Local
administrators can edit the local GPO of their own computer but need no rights over the
domain's GPO infrastructure.
Client Interoperability
Group Policy applies only to computers running Windows 2000, Windows XP Profes-
sional, or Windows Server 2003; it cannot be deployed on computers running Windows
95, Windows 98, or Windows NT 4.0. Windows Server 2003 and Windows XP Profes-
sional include many new Group Policy settings that are not supported on Windows 2000.
If the client and servers in your company primarily run Windows 2000 Professional and
you have Windows Server 2003 servers, use the Windows Server 2003 administrative
templates; they are the latest .adm files and include settings for Windows 2000, Windows
XP, and Windows 2003 computer systems.
Each GPO setting details what version of Windows it supports. If you attempt to apply a
Windows 2003 GPO containing newer settings to an older version of Windows that does
not support the applied setting, it will be ignored.
To determine which settings apply to which operating systems, look at the Supported on
information in the description for the setting. This information explains which operating
systems can read the setting.
If the destination computer is running Windows 2000, Windows XP Professional, or
Windows Server 2003, and the computer account and the account for the logged-on user
are both located in a Windows 2000 or Windows Server 2003 domain, OU, or site both the
computer and the user portions of a GPO are processed.
If either the logged-on user account or the computer account is located in a Windows NT
4.0 domain, System Policy is processed for those accounts located in the domain.
Note
Computers running Windows NT 4.0, Windows 95, or Windows 98 use System Policy
rather than Group Policy. System Policies can still be deployed from Windows 2000 or
Windows 2003 Active Directory to these older clients.
The discussion questions in Figure 20 can help tailor your Group Policy guidelines and
design to the needs of your organization.
Delegation
If possible, designate only one administrator per GPO or administrator group to be respon-
sible for all editing and linking tasks. You can delegate permission to edit and link GPOs
to different groups of administrators. However, without adequate GPO control procedures
in place, delegated administrators with overlapping responsibilities can duplicate GPO
settings or create GPOs that conflict with settings set by another administrator or that are
not in accordance with corporate standards.
Naming GPOs
Define a meaningful naming convention for GPOs that clearly identifies the purpose of
each GPO. This is a very easy habit that is usually overlooked. The name should include
the settings applied, and the date of creation and change.
GPO Functionality
The functional characteristics of GPOs are:
GPOs are inherited: If one GPO is linked at the domain level and another at the
OU level, the user and computer accounts in that OU receive the settings of both
GPOs, the domain-linked one by inheritance.
GPOs are monolithic: Each GPO is created from the same master template
and, therefore, contains the same choices regardless of its location in the site,
domain, or OU.
GPOs and performance are linked: If a computer system or user account has
to process many GPO settings, performance can suffer.
DC Location
The location of your domain controllers becomes a consideration if your clients are
located on remote subnets with no DC and must authenticate across a slow WAN link.
GPOs are stored in two places: the Group Policy container, an object in Active Directory,
and the Group Policy template, a folder tree under Sysvol on each domain controller. The
two parts replicate by different mechanisms, so on a given domain controller they can
briefly be out of step with each other.
Replication
The Active Directory part is replicated by the directory's own replication engine. Within a
site, a Windows 2000 domain controller notifies its replication partners about 5 minutes
after a change; once the forest is at the Windows Server 2003 forest functional level, that
notification delay drops to 15 seconds.
In environments such as a partially upgraded forest that contains domain controllers
running Windows 2000 and Windows Server 2003, the Windows 2000 timing applies, and
a change can take up to about 15 minutes to reach every domain controller in the site.
Replication of the Sysvol folder is controlled by the FRS (File Replication Service).
Within a site, FRS replicates on change notification, so a change normally reaches the
other domain controllers within a few minutes. If the domain controllers are in different
sites, the replication process follows the site link schedule; the shortest interval is 15
minutes across a WAN link unless change notification has been enabled on the site link.
Real-World Application
Note
By default, the Group Policy console connects to the domain controller that holds the
PDC emulator FSMO role, so GPO edits are written there first and replicate from it to the
other domain controllers hosting the domain: the Active Directory portion by directory
replication, and the Sysvol portion by the File Replication Service.
Slow Links
Group Policy treats a link as slow when the measured speed to the domain controller falls
below the default threshold of 500 kbps. Over a slow link, only some client-side
extensions run by default: the Administrative Template (registry-based) settings and the
security settings are always applied, and EFS recovery and IP Security settings are applied
as well.
All other Group Policy settings, including software distribution, folder redirection, and
scripts, are not applied across slow links. The threshold for both the computer and user
portions can be changed with the Group Policy slow link detection policy (under
Administrative Templates, System, Group Policy), and each extension's behavior over a
slow link has its own policy processing setting in the same location.
By default, clients and servers running Windows 2000, Windows XP, or Windows 2003
check for changes to Group Policy objects every 90 minutes by using a randomized offset
of up to 30 minutes.
Any changes to Group Policy settings will not be immediately visible on users' desktops,
because a change must first replicate from the domain controller where it was made to the
domain controller the client is using, and the client must then reach its next refresh. To
force a refresh instead of waiting, run secedit /refreshpolicy machine_policy (or
user_policy) on Windows 2000, or gpupdate on Windows XP and Windows Server 2003.
Security Policy settings delivered by Group Policy are reapplied every 16 hours (960
minutes) even if security settings have not changed.
Note
Domain controllers running Windows 2000 Server or Windows Server 2003 check for
computer policy changes every 5 minutes.
OU Organization
Make sure that your OU design is based on a solid management strategy for GPO creation
and delegation of administrative duties. The goal of your OU design is to simplify Group
Policy application and troubleshooting.
Separate OU Design
One distinct design is to place all computer accounts in one OU and all user accounts in
another. With a structure in which OUs contain either user or computer objects but not
both, each GPO needs only one of its two halves, and you can disable the unused half (the
Computer Configuration section of a GPO linked to a user OU, or the User Configuration
section of one linked to a computer OU) to speed up processing.
The cost of separating user and computer settings in this way is a larger number of GPOs.
You compensate for that by adjusting the GPO status to disable the user or computer
section of each GPO that does not apply, which reduces the time required to apply a given
GPO.
Central Control
If central control is desired, consider geographically-based OUs as child OUs and
duplicate the structure for each location for a clean familiar structure.
Remember that GPOs that are linked to the higher layers of your OU structure are
inherited by all child OUs by default.
Figure 25: Applying Group Policy to New User and Computer Accounts
By default, all new user and computer accounts are created in the CN=Users and
CN=Computers containers shown in Active Directory Users and Computers. These are
containers, not OUs, so GPOs cannot be linked to them; a newly created account receives
only site- and domain-linked policy until someone moves it into an OU.
In a Windows Server 2003 domain, two new command-line utilities change where new
accounts are created, so that GPOs linked to an OU apply to newly created user and
computer objects from the start:
redirusr.exe: for user accounts
redircmp.exe: for computer accounts
Both utilities are located in %SystemRoot%\system32 on a Windows Server 2003 domain
controller (\WINNT\system32 on an upgraded installation) and take the distinguished
name of the target OU as their only argument.
Running Redirusr and Redircmp, a domain administrator specifies the OUs into which all
new user and computer accounts are placed when they are created. The redirection
requires the Windows Server 2003 domain functional level, and it affects only accounts
created by tools that do not name a container (for example net user /add /domain);
an account created explicitly in a chosen OU stays where its creator put it.
Security Filtering
For a GPO to apply to a given user or computer, that user or computer must have both the
Read and the Apply Group Policy permission on the GPO.
By default, Authenticated Users has both Apply Group Policy and Read set to Allow.
If you want only a subset of users within an OU to receive a GPO, remove Authenticated
Users from the ACL on that GPO.
Next, add a security group that contains the subset of users who are to receive the GPO,
and grant it Read and Apply Group Policy.
Only members of this group that are within the site, domain, or OU where the GPO is
linked receive the GPO; members of the group in other sites, domains, or OUs do not
receive it.
Removing Authenticated Users also removes Read from the computer accounts. That is
harmless on the Windows versions this course covers, but since the June 2016 update
MS16-072 user policy is retrieved in the computer's security context, so on current
systems leave Read (without Apply Group Policy) granted to Authenticated Users or
Domain Computers when you filter a GPO.
Isolating Administrators
You might want to prevent certain Group Policy settings from applying to the
Administrators group. To accomplish this, you can do one of the following:
Create a separate OU for administrators and keep this OU out of the user OU
structure. Administrators then do not receive most of the settings that you
provide for managed users. If this separate OU is a direct child of the
domain, the only settings administrators receive are those from GPOs linked
to the domain or to the site.
Since only broadly applicable settings should be linked at those levels, it
might be acceptable for administrators to receive them; otherwise, Block
Inheritance can be set on the administrators OU.
Real-World Application
Have administrators use separate administrative accounts only while carrying out
administrative tasks. When not performing administrative tasks, they are then still
managed by the Group Policy settings applied to ordinary user accounts.
Within each site, domain, and OU, the link order controls the order in which the GPOs
linked there are applied.
To change the precedence of a link, move it up or down in the list to the appropriate
position using the Up and Down buttons.
Links with the lowest number have the highest precedence for a given site, domain, or
OU: link order 1 is at the top of the list and is applied last, so its settings override
those of the links below it.
For example, if four GPOs are linked to the domain and Default Domain Policy is at the
top of the list, as shown in Figure 27, it has a link order of 1. It is applied last, only
after the other three GPOs have been applied, and because it is applied last any setting
it defines overrides the same setting in the other three GPOs.
Note
With regards to Group Policy, the ACL editor has two functions:
filtering security groups and controlling who can create, edit, and
link to a specific GPO.
You can always modify the default permissions shown in Figure 29 that are assigned to
one of the system groups. However, that may present additional problems because a
domain admin or local administrator can perform many additional tasks, some of them
probably unwanted. It is best to create a new group for Group Policy management.
Windows 2003 Group            Rights Granted
Enterprise Admins             Create, delete, edit, and link GPOs in all forest containers
                              (sites, domains, and OUs).
Domain Admins                 Create, delete, edit, and link GPOs in the domain and all OUs
                              hosted by the domain, but not in sites. See the note below
                              for exceptions to this rule.
Group Policy Creator Owners   Create GPOs in the domain to which the group belongs. A
                              member has full control of the GPOs that member created,
                              including editing and deleting them, but no permissions on
                              GPOs created by other members. Linking to a site, domain, or
                              OU is not allowed unless delegated separately.
Local Administrators          Create GPOs in the domain to which the group belongs. A
                              member of this group can edit and delete all GPOs that any
                              other group member has created. Linking the GPO to the domain
                              and any OUs hosted by the domain is also allowed.
Figure 29: Groups assigned GPO rights
Following are the main characteristics of the Group Policy Creator Owners (GPCO)
group:
Members of the GPCO group cannot link GPOs to containers unless they have
been separately delegated the right to do so on a particular site, domain, or OU.
Membership in the GPCO group gives a nonadministrator full control of only
those GPOs that the user creates, so a member can edit and delete only his or
her own GPOs.
GPCO members have no permissions on GPOs that they did not create and cannot
link any GPO, so this group is not suitable as the group for overall Group
Policy management.
GPO Delegation
The right to link GPOs can be delegated separately from the right
to create and edit GPOs
Be sure to delegate these rights only to the groups you want to be
able to create and link GPOs
Creation of GPOs can be delegated to any group or user
Figure 31: GPO Delegation
Note
Group Policy Modeling and Group Policy Results are not available
for sites.
To manually assign permissions to a Group Policy object, right-click the GPO in the
Group Policy MMC, open its properties, and click the Security tab.
To be able to edit, view, link, and delete a GPO, the specific rights shown in Figure 33
must be granted.
Right                      Control
Full control               Create, edit, view, and delete the GPO
Read                       View the GPO in the Group Policy console (opening the GPO
                           to edit is not allowed)
Write                      View and edit the GPO (Read must also be granted to be able
                           to view the GPO at all)
Create all child objects   Create and edit GPOs (deleting is not allowed)
Delete all child objects   Delete a GPO
Figure 33: Rights for GPO Control
Resolving Conflicts
If two administrators edit the same GPO at the same time on different domain
controllers, you might expect one administrator's changes to be overwritten by the
other's once replication reconciles the two copies.
To keep this from happening, all administrators who manage a common GPO should edit it
on the same domain controller. By default, the Group Policy editor uses the domain
controller holding the operations master token for the PDC emulator role in each domain,
which ensures that every administrator is editing the same copy.
However, it is not always desirable to edit GPOs on the PDC emulator. If the administrator
is located in a remote site, or if the users or computers targeted by the GPO are in a
remote site, the administrator might prefer a domain controller in the local site. The
default of editing GPOs on the PDC emulator can be changed to any other domain
controller in the domain, as shown in Figure 34.
For example, if you are an administrator in Canada and the PDC emulator is in Denver,
it might be inconvenient to rely on a WAN link to reach the PDC emulator in Denver.
Use the Change Domain Controller function to specify the domain controller to be used
for a given domain or for all sites in a forest. You have four options:
The domain controller with the operations master token for the PDC emulator
(the default option)
Any available domain controller
Any available domain controller running Windows Server 2003 or later
This domain controller: select a specific domain controller to be used
Loopback Processing
The loopback processing mode policy setting applies the same user settings to any user
who logs on to a given computer, based on the computer rather than on the user.
When you apply Group Policy objects to users, the same set of user policy settings
normally applies to those users whichever computer they log on to.
By enabling loopback processing in a GPO that applies to the computer, you can instead
select user policy settings based on the computer that is logged on to. Those settings are
applied regardless of which user logs on.
You set loopback processing in the computer section of a GPO with the User Group Policy
loopback processing mode policy setting under Computer Configuration\Administrative
Templates\System\Group Policy. Two modes are available:
Merge: The list of GPOs for the user is gathered as usual during logon, and the
list of GPOs for the computer is then appended to the end of it. The user
configuration settings of every GPO in the combined list are applied, and
because the computer's GPOs come last they take precedence over the user's
GPOs wherever the two conflict.
Replace: The list of GPOs for the user is not used at all. Only the list of GPOs
for the computer object is processed, and the user configuration settings from
that list are applied to the user.
Note
When you use the Replace option, you must ensure that both the
computer and user portions of the GPO are enabled.
An example of where defining a corporate standard GPO might be useful is the rule that
only authorized users can access the command prompt or the registry editor.
One way to do this is to enable the policy settings Prevent access to the command prompt
and Prevent access to registry editing tools in a Standard User Policy GPO and link it to
an OU, for example the Domain_User_Accounts OU. These settings then apply to all users
in the Domain_User_Accounts OU. Next, create an Administrator_Policy GPO that explicitly
disables both settings, give it higher precedence than the standard GPO (a lower link
order on the same OU, or a link to a child OU), and restrict it with a security group
filter so that only administrators have Apply Group Policy permission on it. Because the
Administrator_Policy GPO is applied after the Standard User Policy GPO, it overrides those
settings for administrators only.
If another group of users requires access to the command prompt but not to the registry,
create another GPO that disables only the command prompt setting and filter it to that
group. Access to the registry editing tools is still denied, because the new GPO does not
override the registry tools setting made in the Standard User Policy GPO.
When you set default values for security-related settings such as Restricted Groups
membership and file system and registry permissions, remember that these settings work
on a last-writer-wins principle: the GPO applied last replaces the whole setting, and the
values from different GPOs are not merged.
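The precedence rules described in this section (site, domain, OU order and link order; Read plus Apply Group Policy filtering; Block Inheritance; loopback Merge and Replace; and last writer wins), pulled together as a small Python simulation. This is an added example, not code from the course or from Microsoft. The GPO names Standard User Policy and Administrator_Policy come from the text; the Helpdesk_Policy and Kiosk_Policy GPOs, the OU names and the domain name are constructed for illustration, and the setting names are the registry values the named policies write.

```python
"""Group Policy precedence, security filtering and loopback, simulated.

Added example, not course or Microsoft code. Models the rules in the text:
site -> domain -> OU order, link order within a container, Block
Inheritance, Read + Apply Group Policy filtering, loopback Merge/Replace,
and last-writer-wins per setting. Names marked "constructed" are invented.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    user_settings: dict = field(default_factory=dict)   # User Configuration part
    # Groups holding Read + Apply Group Policy on the GPO (security filtering).
    apply_to: frozenset = frozenset({"Authenticated Users"})
    user_section_enabled: bool = True


@dataclass
class Container:
    """A site, domain or OU. links[0] is link order 1, the top of the list."""
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def container_chain(site, domain, ous):
    """Processing order: site, domain, then OUs from the tree root down."""
    return [site, domain] + list(ous)


def gpo_list(chain, groups):
    """Return GPOs in application order (first applied = lowest precedence)."""
    start = 0
    for i, c in enumerate(chain):
        if c.block_inheritance:      # drop every link from containers above
            start = i
    ordered = []
    for c in chain[start:]:
        # Link order 1 has the highest precedence, so it is applied last:
        # walk each container's link list from the bottom up.
        for gpo in reversed(c.links):
            if gpo.apply_to & groups:   # filtered out unless Read + Apply
                ordered.append(gpo)
    return ordered


def effective_user_settings(user_chain, user_groups,
                            computer_chain=(), computer_groups=frozenset(),
                            loopback=None):
    """Resolve the User Configuration settings that reach one logon."""
    if loopback == "Replace":
        ordered = gpo_list(computer_chain, computer_groups)
    elif loopback == "Merge":
        ordered = gpo_list(user_chain, user_groups) + gpo_list(computer_chain, computer_groups)
    else:
        ordered = gpo_list(user_chain, user_groups)
    settings = {}
    for gpo in ordered:
        if gpo.user_section_enabled:
            settings.update(gpo.user_settings)   # last writer wins, no merging
    return settings


def demo():
    """Constructed scenario: the standard-user lockdown from the text, an
    administrators OU with Block Inheritance, and a loopback-enabled kiosk OU."""
    standard = GPO("Standard User Policy", {"DisableCMD": 1, "DisableRegistryTools": 1})
    admin = GPO("Administrator_Policy", {"DisableCMD": 0, "DisableRegistryTools": 0},
                apply_to=frozenset({"Domain Admins"}))
    helpdesk = GPO("Helpdesk_Policy", {"DisableCMD": 0},             # constructed
                   apply_to=frozenset({"Helpdesk"}))
    kiosk = GPO("Kiosk_Policy", {"DisableCMD": 1, "NoDesktop": 1})   # constructed

    site = Container("Default-First-Site-Name")
    domain = Container("corp.example", [GPO("Default Domain Policy")])   # constructed
    # Administrator_Policy at the top (link order 1) so it is applied last.
    users_ou = Container("Domain_User_Accounts", [admin, helpdesk, standard])
    admins_ou = Container("Administrators", [], block_inheritance=True)  # constructed
    kiosk_ou = Container("Kiosk_Computers", [kiosk])                     # constructed

    user_chain = container_chain(site, domain, [users_ou])
    blocked_chain = container_chain(site, domain, [admins_ou])
    kiosk_chain = container_chain(site, domain, [kiosk_ou])
    auth = frozenset({"Authenticated Users"})
    admins = auth | {"Domain Admins"}
    return {
        "user": effective_user_settings(user_chain, auth),
        "helpdesk": effective_user_settings(user_chain, auth | {"Helpdesk"}),
        "admin": effective_user_settings(user_chain, admins),
        "admin_in_blocked_ou": effective_user_settings(blocked_chain, admins),
        "admin_on_kiosk_replace": effective_user_settings(
            user_chain, admins, kiosk_chain, auth, "Replace"),
        "admin_on_kiosk_merge": effective_user_settings(
            user_chain, admins, kiosk_chain, auth, "Merge"),
    }


if __name__ == "__main__":
    for who, settings in demo().items():
        print(who, settings)
```

Reading the results: the helpdesk user gets the command prompt back but the registry editor stays blocked; the administrator in the blocked OU receives nothing, not even the domain policy; on the kiosk, Replace discards the administrator's own policy entirely while Merge keeps it but lets the kiosk GPO win the conflict on DisableCMD.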
If there is a problem with changes to the default GPOs and you cannot revert to a
previous or initial state, you can use the dcgpofix.exe tool to re-create the default
policies in their initial state.
Dcgpofix is a command-line tool that completely restores the Default Domain Policy GPO
and the Default Domain Controllers Policy GPO to their original states for disaster
recovery.
Dcgpofix restores only the policy settings that were in the default GPOs when the domain
was first created; these default settings are found in the Security, RIS, and EFS areas.
Any change an administrator made to either GPO afterwards (a stricter password policy,
additional user rights on domain controllers) is discarded, so back both GPOs up with
GPMC before running it and re-apply your changes afterwards.
Dcgpofix does not restore other GPOs that administrators create; it is intended only for
disaster recovery of the default GPOs. Dcgpofix is included with Windows Server 2003,
located in the c:\Windows\Repair folder, and works only in a Windows Server 2003
domain. The syntax for dcgpofix.exe is listed below.
dcgpofix [/target: domain | dc | both]
Option      Function
/target     Selects which default GPO to re-create:
  domain    Re-creates the Default Domain Policy
  dc        Re-creates the Default Domain Controllers Policy
  both      Re-creates both the Default Domain Policy and the Default Domain
            Controllers Policy
Figure 38: Options for dcgpofix
Knowledge Check: Section Review
1. What are the four major stages in a successful Group Policy design?
2. What happens when a Windows 2003 Group Policy setting is applied to a Windows 2000
Professional client?
3. What replicates the contents of the Sysvol folder in a Windows 2003 domain?
7. Which new utility allows us to specify where new user and computer accounts are created
in Windows 2003 Active Directory?
Acronyms
The following acronyms are used in this section:
Testing and Piloting Group Policy
Section Topics
Group Policy Staging: Overview
Creating Lockdown Desktops
Comparison of Features Used in Each Scenario
Knowledge Guide
Section Objectives
Section Overview
This section lays out how to create a staging and planning network for testing Group
Policy settings. Using the RSoP logging and planning tool and the Group Policy
Management Console, and understanding the common desktop management scenarios, are
the key skills to take from it.
The very first step in staging is to build a test bed out of clients and servers similar to
those used in your production environment. Figure 40 lays out the staging scenarios to
consider.
Staging option: Staging domain within production forest
Advantages: Can leverage existing production infrastructure services (for example, DNS
and DHCP). May require less hardware than a completely isolated environment that needs
its own DNS and DHCP infrastructure. Easier to synchronize with the production
environment because all settings and services are in the same forest.
Disadvantages: Might not be sufficiently isolated from the production environment to
test site GPOs.

Staging option: Staging forest with no trusts to production forest
Advantages: Completely isolated from the production environment; provides maximum
protection from test GPOs affecting production computers and users. No security overlap
between staging and production. Experiment freely with settings and configurations
without affecting the production environment.
Disadvantages: Difficult to keep synchronized with the production forest.

Staging option: Staging forest that mirrors your future production forest
Advantages: Completely isolated from the production environment. Can use the GPMC
copy operation to move GPOs between staging and the production environment when it
is available. Experiment freely with settings and configurations without affecting the
production environment.
Figure 40: Staging Options
VMware
VMware allows you to create software servers and workstations that can run together on
one computer system at the same time. A computer system with 2 GB of RAM and a large
hard drive could run multiple instances of Windows 2000 and Windows XP at the same
time, with the virtual sessions being bridged to the physical network adapter in the
computer system.
Before deploying your Group Policy solution, it is critical that you assess it to determine
the effects of applying the various policy settings that you select, individually and in
combination.
Always stage Group Policy deployments using the following predeployment process:
1. Deploy new GPOs in a test environment modeled after your production
environment.
2. Use Group Policy RSoP to understand which GPO settings actually are applied
in your test environment.
3. Use Group Policy modeling to understand how a new GPO will mesh with any
existing GPOs.
The tool for migrating GPOs from the staging environment to the production environment
is the Group Policy Management Console. It can copy GPOs from one domain to another
when a trust exists between the two, and it can import a backed-up GPO into a domain in
another, untrusted forest.
Copying GPOs
To deploy a new GPO using the copy method, follow these steps:
1. Running GPMC in the staging domain, right-click the GPO that you plan to
migrate and choose Copy from the context menu.
2. Running GPMC in the production domain, right-click Group Policy Objects
and choose Paste from the context menu.
3. In the Cross-Domain Copying Wizard, click Next and select the option
Preserve or migrate the permissions from the original GPOs. Click Next.
Note
If you choose the first option, Use the default permissions for new GPOs, the copy
receives the default permissions that are applied to any new GPO in the production
domain.
The second option, Preserve or migrate the permissions from the original GPOs, lets
you use a migration table to map the DACL on the staging GPO to its production
equivalents.
4. When the wizard completes the copy operation, right-click the Active
Directory site, domain, or OU to which you want to link the copied GPO, and
select Link an Existing GPO from the context menu.
5. In the Select GPO dialog box, select the GPO that you just copied.
6. After you link the new GPO and replication is complete, the GPO is live in
production.
Note
A migration table is created with the Migration Table Editor (mtedit.exe), a graphical
tool bundled with GPMC and found in its installation folder. Migration tables are XML
files that you create and then apply to the GPOs you migrate. Users, domain local, global,
and universal groups, computers, and UNC paths can be mapped in a migration table. Run
the editor's Validate Table function before the copy so that every destination exists in
the production domain.
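How a migration table rewrites the DACL of a copied GPO, as an added Python example that is not part of the course and not GPMC's own code. It writes a table in the XML layout the Migration Table Editor uses, reads it back, and applies it to a constructed staging DACL. The element names and namespace are written from memory of the GPMC format and are an assumption to be checked against a table saved by mtedit.exe; the domains, groups and UNC paths are constructed.

```python
"""Migration table for a cross-domain GPO copy, as an added example.

Not course or GPMC code. Writes a table in the XML layout the Migration Table
Editor uses (element names and namespace from memory of the GPMC format:
assumption, check against a table saved by mtedit.exe), reads it back and
applies it to a constructed GPO DACL. Domains, groups and paths are constructed.
"""
import xml.etree.ElementTree as ET

NS = "http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable"
# Mapping types the table format supports (assumption, see module docstring).
TYPES = {"User", "Computer", "LocalGroup", "GlobalGroup", "UniversalGroup", "UNCPath"}


def q(tag):
    """Namespace-qualify an element name for ElementTree."""
    return "{%s}%s" % (NS, tag)


def build_migration_table(mappings):
    """mappings: (type, source, destination) triples; destination None means the
    entry is removed from the copied GPO (<DestinationNone/>)."""
    ET.register_namespace("", NS)
    root = ET.Element(q("MigrationTable"))
    for kind, source, destination in mappings:
        if kind not in TYPES:
            raise ValueError("unknown mapping type: %s" % kind)
        m = ET.SubElement(root, q("Mapping"))
        ET.SubElement(m, q("Type")).text = kind
        ET.SubElement(m, q("Source")).text = source
        if destination is None:
            ET.SubElement(m, q("DestinationNone"))
        else:
            ET.SubElement(m, q("Destination")).text = destination
    return ET.tostring(root, encoding="unicode")


def load_migration_table(xml_text):
    """Return {source: destination-or-None} from a migration table document."""
    table = {}
    for m in ET.fromstring(xml_text).findall(q("Mapping")):
        source = m.findtext(q("Source"))
        if m.find(q("DestinationNone")) is not None:
            table[source] = None
        else:
            table[source] = m.findtext(q("Destination"))
    return table


def migrate_dacl(dacl, table):
    """Rewrite the (principal, permission) ACEs of the staging GPO for production.
    Principals absent from the table are kept unchanged, which is what the
    'preserve or migrate' option does for unmapped entries (assumption)."""
    result = []
    for principal, permission in dacl:
        if principal not in table:
            result.append((principal, permission))
        elif table[principal] is not None:
            result.append((table[principal], permission))
        # DestinationNone: the ACE is dropped from the copy
    return result


def demo():
    """Constructed staging-to-production mapping and a constructed staging DACL."""
    xml_text = build_migration_table([
        ("GlobalGroup", "StagingGPOAdmins@staging.example", "GPOAdmins@corp.example"),
        ("User", "tester@staging.example", None),
        ("UNCPath", "\\\\stagefs\\profiles", "\\\\prodfs\\profiles"),
    ])
    staging_dacl = [
        ("Authenticated Users", "Read, Apply Group Policy"),
        ("StagingGPOAdmins@staging.example", "Edit settings, delete, modify security"),
        ("tester@staging.example", "Read"),
    ]
    return xml_text, migrate_dacl(staging_dacl, load_migration_table(xml_text))


if __name__ == "__main__":
    xml_text, dacl = demo()
    print(xml_text)
    for ace in dacl:
        print(ace)
```

The same table also drives the rewriting of UNC paths inside settings such as folder redirection, which is why a UNCPath entry sits beside the security principals; a staging-only path that is left unmapped survives the copy and points production users at the wrong server.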
Microsoft has released a number of Group Policy scenarios for testing and modeling
purposes under the banners Change and Configuration Management and IntelliMirror:
Lightly Managed Desktop: Users who are allowed most of the control over their
computer system
Mobile User: Notebook users who are always on the road or often work from home
Multi User Desktop: Users who can change some of their user profile settings but
cannot change hardware or network settings
App Station (Highly Managed Desktop): Highly restricted configurations in which
only a few applications are required
Task Station: Dedicated to running a single software application
Kiosk: Used in a public area
Mobile User
Task Station
Kiosk
A workstation that uses the Kiosk scenario is much the same as the Task Station
mode, but users are anonymous and provide no personal authentication credentials.
No customizations are allowed and the user state is not saved.
Figure 50: Kiosk
Kiosk Details
A kiosk has the following controls:
The computer system is a public workstation.
Only one application is executed.
Only one user account is available and it is automatically logged on.
The identity of each user is unknown to the Kiosk computer system because
users do not provide any personal logon credentials.
Each kiosk workstation runs unattended and is always powered up.
The overall security profile of the computer system is highly secure.
Users cannot make changes to the default computer settings.
Data is not saved to the local hard disk.
Figure 51 compares the Windows 2000 and Windows 2003 features that are used to create
each scenario.
Knowledge Check: Section Review
1. Which three staging options can be considered for testing Group Policy?
5. Although a Multi User Desktop scenario has restricted write permissions applied, what
two areas can a user write data and settings to?
6. The App Station scenario deploys software applications based on _______ requirements?
Acronyms
The following acronyms are used in this section:
Deploying Security Templates
Section Topics
Security Architecture
The Secedit Database
Customizing Security Templates
Microsoft Baseline Security Analyzer
Knowledge Guide
Section Objectives
Section Overview
This section defines the security model of Windows 2000, Windows 2003, and Windows
XP and details the security mechanisms and tools available to deploy security effectively
across your network to computer systems and users.
Security Architecture
Starting with Windows 2000 Professional and continuing with Windows XP, and
Windows 2003 Server, the security subsystem of Windows uses several key security
components (listed in Figure 52). These security components are used to deploy and
enforce security for the computer system and the network user.
Security Principals
The operating system assigns a unique SID to every user, group, or computer object,
whether it is created on a standalone Windows computer system or in a domain. The SID
of a domain-based user, group, or computer consists of the domain identifier, which is
the same for every object in a domain and tells you which domain the security principal
was created in and belongs to, followed by a relative identifier (RID) that is unique
within that domain.
Some security principals are created by default by the operating system. The Everyone
group, for example, has the same SID on every system, and the built-in Administrator
account always carries the well-known RID 500 after its domain's identifier. Such
objects are called well-known security principals; they cannot be deleted, and because
their SIDs or RIDs are fixed they can be recognized even after they have been renamed.
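The SID layout described above, as an added Python example that is not from the course: parse the textual S-revision-authority-subauthority form, split a domain SID into its domain identifier and RID, and show that the Administrator accounts of two domains share the well-known RID 500 but are different security principals. The domain identifiers used are constructed; the well-known SID and RID values are the standard Windows constants.

```python
"""Security identifier (SID) structure, as an added example (not course code).

Parses the text form S-<revision>-<authority>-<subauthorities...>, splits a
domain SID into its domain identifier and RID, and labels well-known SIDs and
well-known RIDs. Domain identifiers in the demo are constructed values.
"""
from dataclasses import dataclass

# Well-known SIDs are identical on every Windows system.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}
# Well-known RIDs follow a domain's (or machine's) unique identifier.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}


@dataclass(frozen=True)
class SID:
    revision: int
    authority: int
    subauthorities: tuple

    def __str__(self):
        return "S-%d-%d-%s" % (self.revision, self.authority,
                               "-".join(str(s) for s in self.subauthorities))

    @property
    def rid(self):
        """The last subauthority: unique within the issuing domain or machine."""
        return self.subauthorities[-1]

    @property
    def domain_identifier(self):
        """S-1-5-21-<a>-<b>-<c> for a principal issued by a domain or by a
        local SAM; None for well-known and other SIDs."""
        if (self.authority == 5 and len(self.subauthorities) == 5
                and self.subauthorities[0] == 21):
            return "S-1-5-21-" + "-".join(str(s) for s in self.subauthorities[1:4])
        return None


def parse_sid(text):
    """Parse the textual SID form; rejects anything that is not S-1-<n>-..."""
    parts = text.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID: %r" % text)
    try:
        numbers = [int(p) for p in parts[1:]]
    except ValueError:
        raise ValueError("not a SID: %r" % text) from None
    if numbers[0] != 1:
        raise ValueError("unsupported SID revision: %r" % text)
    return SID(numbers[0], numbers[1], tuple(numbers[2:]))


def describe(text):
    """('well-known', name) | ('domain', domain_identifier, name-or-RID) | ('other', sid)."""
    sid = parse_sid(text)
    key = str(sid)
    if key in WELL_KNOWN_SIDS:
        return ("well-known", WELL_KNOWN_SIDS[key])
    domain = sid.domain_identifier
    if domain is not None:
        return ("domain", domain, WELL_KNOWN_RIDS.get(sid.rid, "RID %d" % sid.rid))
    return ("other", key)


def same_principal(a, b):
    """Two SIDs name the same principal only when every part matches; the same
    well-known RID in two domains is two different accounts."""
    return parse_sid(a) == parse_sid(b)


if __name__ == "__main__":
    # Constructed domain identifiers; RID 500 is the built-in Administrator.
    for s in ("S-1-1-0", "S-1-5-32-544",
              "S-1-5-21-1004336348-1177238915-682003330-500",
              "S-1-5-21-3623811015-3361044348-30300820-500",
              "S-1-5-21-3623811015-3361044348-30300820-1105"):
        print(s, describe(s))
```

Because the RID is the only part that identifies the account within its domain, a renamed Administrator account is still spotted by the trailing 500; conversely, comparing RIDs alone is never enough, and an ACL check has to compare the whole SID.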
Security Groups
Security groups are used to assign rights and permissions to processes and objects through
ACLs: the DACL of an object grants or denies access, and its SACL controls auditing. For
the purpose of this course, assume that you are a network client on a computer system
that has joined a domain. Your level of access is then controlled by a mixture of local
groups created on your workstation and domain-based groups that reside in the domain you
belong to and have logged on to.
If you log on to your computer system with a local account, only the local security
components are enforced until you log off.
If you log on to the domain, the domain security settings take precedence over your local
security components and remain in effect until you log off.
The table in Figure 53 lists the local and domain-based security group types that can be
used in Windows 2000 or Windows 2003 domains running in Windows 2000 native mode
or later, and on Windows 2000 or Windows XP local systems.
Group type            Windows 2000 Server  Windows 2000 Pro  Windows XP Pro  Windows 2003 Server
Local Groups          X                    X                 X               X
Domain Local Groups   X                                                      X
Global Groups         X                                                      X
Universal Groups      X                                                      X
Figure 53: Local and Domain Groups
Part of each user's profile is the NTUSER.DAT registry hive, which is loaded when the
user successfully logs on to a Windows 2000, Windows 2003, or Windows XP client. Many
Group Policy settings that control the appearance and use of the Explorer shell are
written into this hive at logon.
A user profile, as shown in Figure 54, is made up of a Windows 2000, Windows 2003, or
Windows XP registry hive plus a set of profile folders. The hive is NTUSER.DAT, and it
is mapped to HKEY_CURRENT_USER as soon as the user is logged on.
Every user needs a profile in addition to an active user account to use a Windows 2000,
Windows 2003, or Windows XP computer system. Profiles are stored locally by default
under c:\Documents and Settings, as shown in Figure 54, one folder per user holding
that user's shortcut links, desktop icons, and startup applications. Two special folders
sit alongside them: All Users, whose contents apply to everyone who logs on, and Default
User, which is copied to create the profile of a user logging on to the computer for the
first time.
Note
A Windows NT 4.0 computer system that has been upgraded to either Windows 2000 or
Windows XP Professional will use the \WINNT\PROFILES location for user profiles.
The Registry
Many Group Policy settings update the registry database on the local computer, shown in
Figure 55, even when the settings are deployed through Active Directory.
HKEY_CURRENT_USER
This hive holds the settings of the currently logged on user; it is the user profile stored
in Documents and Settings\Username. The root key is a pointer to HKEY_USERS\<SID of
the logged on user>. Registry-based Group Policy settings from the User Configuration
part of a GPO are written here, under Software\Policies and
Software\Microsoft\Windows\CurrentVersion\Policies.
HKEY_LOCAL_MACHINE
This hive is the main location for global hardware and software settings, Control Panel
and network settings, and startup and shutdown settings. Registry-based Group Policy
settings from the Computer Configuration part of a GPO are written here. The hives
under HKLM are SAM, SECURITY, SOFTWARE, and SYSTEM.
The SAM hive contains the local user and group accounts defined on the computer,
including their password hashes and group memberships. It is hidden from administrators
by default because only the SYSTEM account has access to it; you normally change it
through the Local Users and Groups MMC snap-in.
The SECURITY hive holds the Local Security Authority's policy database: user rights
assignments, security options, LSA secrets, and cached domain logon data. Like SAM, it is
hidden by default in Regedit, the Registry Editor, because only SYSTEM has access to it;
you normally change it through the Local Security Settings MMC snap-in rather than
directly. File and folder permissions are not stored in the registry at all; they live
in the NTFS file system and are set through the Explorer shell.
HKEY_CLASSES_ROOT
Whenever you use the Explorer shell and choose Tools, Folder Options, File Types, you
are working with HKEY_CLASSES_ROOT. It is a merged view of
HKEY_LOCAL_MACHINE\SOFTWARE\Classes and HKEY_CURRENT_USER\Software\Classes.
Registered file extensions, the applications registered to handle them, and ActiveX and
DCOM class registrations are stored here.
HKEY_USERS
This hive contains the .DEFAULT profile, which is in use before anyone logs on to the
PC (the logon screen runs under it), plus the hives of the users currently logged on. Note
that the subkey for a user is not the user name but the user's SID. The .DEFAULT subkey
stays loaded after logon; the settings of the active user are the ones shown in
HKEY_CURRENT_USER.
HKEY_CURRENT_CONFIG
This is the current hardware profile, the one selected under System, Hardware, Hardware
Profiles in Control Panel. It is a pointer to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current.
Note
Next, any domain-based security settings that have been enabled through the domain
Group Policy that are different from the local security currently in effect will be
downloaded. These settings overwrite the local settings and become the effective security
setting for the computer system.
Keep in mind that this security process is completed before the user is given the
opportunity to log on as a client.
Changes to the default security settings can be performed using several built-in tools:
Locally using the Local Security Settings MMC located on the
Administrative Tools menu
At the domain, using the Group Policy console launched from the properties of
the domain
At the OU, using the Group Policy console launched from the properties of the
OU (with the exception of Password Policy and Account Lockout Policy,
which can be enforced only at the domain)
The Security Configuration and Analysis MMC, which can be loaded into a new MMC
The command-line utility secedit.exe used to analyze, configure, export,
validate, or roll back existing security settings for Windows 2000 systems
The command-line utility Gpupdate used to refresh security settings for
Windows XP and Windows 2003 computers
Security Templates
Several default security templates shown in Figure 57 are bundled with the Windows
2000, Windows 2003, and Windows XP operating systems. The security settings that are
applied are based upon whether a clean installation or upgrade was performed. A clean
Windows 2000, Windows 2003, and Windows XP install has a more restrictive security
profile than an upgraded Windows NT 4.0 computer system.
Windows 2000, Windows 2003, and Windows XP security templates include settings for
the following security options:
Account policies: Both local and domain account policies can be configured. A
local account policy defines password and account lockout settings; a domain
account policy also includes options for defining Kerberos settings.
Local policies: A local computer policy is local to the computer system
regardless of the type of computer system: workstation, domain controller, or
member server. Local policies include auditing policy, user rights and security
privileges on the specific system.
Event log: These settings allow the configuration of the application, security,
and system logs with regard to maximum log size, access restrictions, and
retention methods.
The security templates provided by Microsoft for modifying default security can
be viewed by loading the Security Templates MMC as shown in Figure 58. Clicking
the Action menu and selecting Set Description displays a summary of the selected
security template.
Compatible: The Compatws.inf template relaxes the default file (%System
Root%, Program Files) and local registry hive permissions and removes all
users from the Power Users group.
Secure: Both the Securedc.inf and Securews.inf templates enhance security
settings in the areas of stronger passwords, account lockout, authentication,
client-server SMB packet signing and audit policy settings for domain
controllers or workstations respectively.
Highly secure: The Hisecws.inf and Hisecdc.inf templates further enhance
existing security levels with the addition of mandatory server SMB packet
signing and the disabling of NTLM authentication. In order to apply this
security template, all domain controllers must be Windows 2000, all Windows
NT 4.0 member servers must have SP4 or later applied, and all clients must be
Windows 2000 or Windows XP Professional.
You can easily create a new security template that can then be applied to a Windows 2000,
Windows 2003, or Windows XP computer system by using the Security Templates MMC:
Right-click the default security templates path and from the context menu select New
Template as shown in Figure 59.
A newly created security template is a blank template file with no defined settings.
For Account Policies, Local Policies, and Event Log options, select the desired options
and double-click each value in the details pane to assign the selected option to the
appropriate group or user.
To assign Restricted Groups, System Services, Registry, and File Permissions,
right-click the desired security option and from the context menu select Add.
To save your custom template after designing your security options, right-click the custom
template and select Save As, enter the desired name, and click OK.
To apply a custom security template to a computer, use either the local Group Policy editor
gpedit.msc, or the domain-based Group Policy tool. Open Computer Configuration,
Windows Settings, and right-click Security Settings. Select Import policy and navigate
to where your security template is located. The default location is
Windows\Security\Templates.
The Security Configuration and Analysis MMC shown in Figure 62 is an optional security
tool bundled with Windows 2000, Windows 2003, and Windows XP computer systems to
allow the analysis of current system security settings against an established security
baseline. Tasks that can be performed include:
Easily identifying any current security weaknesses
Discovering security changes from accepted company standards
Testing and analyzing potential security changes to see how they will affect
current security settings
After the analysis has completed, you will be returned to the Security Configuration and
Analysis console as shown in Figure 64. As you scroll through the selected security
results, the baseline database setting and the actual setting will be displayed in the details
pane for each security option.
Any discrepancies from the established baseline will be flagged with a red X,
indicating that the default security settings and the tested baseline do not
match.
Green check marks indicate that the baseline security and the actual security
settings match.
A question mark (?) indicates that the setting was not analyzed.
If there is no marking, the setting was not enabled in the baseline.
An exclamation mark indicates that the setting is in the baseline but not on the
analyzed system.
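As an added example (not from the course material), here is a small Python parser for the .inf security template format together with a comparison that produces the markings described above. The two templates it compares are constructed, but the section and key names follow the real [System Access], [Event Audit] and [Privilege Rights] sections.

```python
"""Parse Windows security template (.inf) text and compare a machine's exported
settings with a baseline template, marking each setting the way the Security
Configuration and Analysis details pane does.  Added example, not part of the
course; both templates are constructed, but the section and key names are the
ones real templates use ([System Access], [Event Audit], [Privilege Rights])."""

# Constructed baseline: the settings a hardened workstation should have.
BASELINE_INF = """\
[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 42
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
LockoutDuration = 30
[Event Audit]
AuditLogonEvents = 3
AuditAccountManage = 3
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeDebugPrivilege = *S-1-5-32-544
"""

# Constructed export of a machine that has drifted from the baseline, in the
# shape "secedit /export /cfg file.inf" writes (decode the UTF-16 file first).
ACTUAL_INF = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
PasswordComplexity = 0
PasswordHistorySize = 24
LockoutBadCount = 0
LockoutDuration = 30
EnableGuestAccount = 0
[Event Audit]
AuditLogonEvents = 3
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-19
"""

# Markings used in the analysis results.
MATCH = "OK"          # green check: baseline and actual agree
MISMATCH = "X"        # red X: defined in both, values differ
MISSING = "!"         # exclamation: in the baseline, not on the analyzed system
NOT_IN_BASELINE = ""  # no marking: on the system, not defined in the baseline


def parse_template(text):
    """Return {section: {key: value}}; lines without '=' (as in [Registry Keys]
    or [File Security]) keep the whole line as the key with value None."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        key, sep, value = line.partition("=")
        sections[current][key.strip()] = value.strip() if sep else None
    return sections


def _normalize(value):
    """Treat SID lists as sets so that a different ordering is not a mismatch."""
    if value is None:
        return None
    parts = [p.strip().strip('"') for p in value.split(",")]
    return frozenset(parts) if len(parts) > 1 else parts[0]


def analyze(baseline, actual, areas=("System Access", "Event Audit", "Privilege Rights")):
    """Return [(area, key, mark, baseline_value, actual_value)] for each setting
    in the analyzed areas; areas left out of 'areas' are simply not analyzed."""
    results = []
    for area in areas:
        base, act = baseline.get(area, {}), actual.get(area, {})
        for key in sorted(set(base) | set(act)):
            if key not in base:
                mark = NOT_IN_BASELINE
            elif key not in act:
                mark = MISSING
            elif _normalize(base[key]) == _normalize(act[key]):
                mark = MATCH
            else:
                mark = MISMATCH
            results.append((area, key, mark, base.get(key), act.get(key)))
    return results


def discrepancies(results):
    """The entries an administrator must act on: red X and exclamation marks."""
    return [r for r in results if r[2] in (MISMATCH, MISSING)]
```

Running analyze() on the two constructed templates flags the relaxed password and lockout values and the extra SeDebugPrivilege holder, and reports the missing account management audit setting with an exclamation mark.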
Using Secedit
As a command-line tool, Secedit can be used to automatically analyze security settings
and apply security templates.
Secedit is the command-line utility used for Windows 2000, Windows 2003 Server, and
Windows XP Professional to analyze, configure, export, validate, refresh, or roll back
existing security settings. (For Windows XP Professional and Windows 2003 Server the
command-line utility gpupdate.exe is used to refresh Group Policy settings immediately
without rebooting.)
The security areas that can be exported separately, or in groups, are listed in Figure 68.
Security Policy: Includes account policies, audit policies, event log settings, and security options
Group_Mgmt: Restricted Group settings (defined through domain Group Policy)
User_Rights: User rights assignment
Regkeys: Registry permissions
Filestore: File system permissions
Services: System service settings
Figure 68: Security Areas
Using Gpupdate
Gpupdate is used to manually apply changes that have been made to Group Policy.
Gpupdate.exe is used in Windows 2003 and Windows XP, replacing the /refreshpolicy
switch of the command-line tool Secedit.exe used on Windows 2000 systems.
Usually after changes have been made to Group Policy, the changes need to be applied
immediately without waiting for the default Group Policy refresh interval of 90 minutes
on domain members and 5 minutes on domain controllers to take effect.
At a command prompt, run the Gpupdate.exe utility as shown in Figure 69. The
following information describes the utility and the different switches that can be used
with it:
GPUpdate [/Target:{Computer | User}] [/Force] [/Wait:value]
[/Logoff] [/Boot]
Useful switches for Gpupdate.exe are:
/Target:{Computer | User}: This switch restricts the update to either user or
computer policy settings. Both user and computer policy settings are updated if
this switch is not used.
/Force: This switch results in all policy settings being reapplied. By default,
only the policy settings that have changed are applied.
/Logoff: This switch indicates that the user is logged off after policy settings
have been applied.
The security levels that are deployed on a Windows 2000, Windows 2003, and Windows
XP computer system should be viewed merely as a starting point in defining an acceptable
level of security.
Many administrators are not yet aware that most default security levels defined by the
installation can be easily changed.
Using either the Local Security Console on the local computer or the Group Policy Editor
through an Active Directory domain, security settings, account policies, and user rights
can be changed and applied with minimum effort.
In most cases, Microsoft recommends increasing the level of security whenever possible.
To that end, many guides have been published by Microsoft providing many sensible
recommendations for your considerations. Following are the highlights of Microsoft
recommendations for properly deploying security for domain-based network clients.
When viewing and analyzing existing security settings, the value shown under Effective Default
Setting is the value currently in effect for the selected setting.
The security guides for Windows 2000, Windows 2003, and Windows XP can be found by
following the links at www.microsoft.com/security and also at
www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Default.asp
The term hardening, when applied to computer security, means raising the default
levels of security to:
Resist unwanted intrusion
Avoid potentially damaging hacking of the company infrastructure
For Windows 2000, Windows 2003, and Windows XP, computer account security is
broken down into three subgroups:
Account policies
Account lockout policies
Kerberos policies
Increasing the default security levels of domain controllers, member servers, and
workstations is, by default, enabled at the domain level.
Although there are some default values already enabled in the domain controllers
policy, and the default domain policy, these are merely starting points.
The important concept to grasp about the deployment of security policy in Active
Directory domains is that only one domain account policy is allowed.
Account policies are, by default, applied at the domain level unless local account policies
for current domain member computers have been defined at the OU level.
Password policy is defined at the following location within the Group Policy Editor shown
in Figure 72:
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
Following is a description of the settings:
Enforce password history 0 passwords remembered (Between 0 and 24)
This setting defines the number of unique and new passwords that must be
used before a previously used password can again be used. Microsoft
recommends that if this setting is enabled, then the Minimum password age
should also be set so users do not try to change their password several times at
once to immediately reuse their favorite password.
Maximum password age 42 days (Between 0 and 999)
This setting defines the length of time that passes before users must change
their password. This value should be set between 15 and 60 days. If the
password is to never expire, the value can be set to 0.
Account lockout policies lock out user accounts after too many incorrect logon
attempts are made. By default, these settings are not enabled, but they should be. A
proper lockout policy must also be implemented together with training and a proper Administrator
and Help desk response when accounts become locked out.
As password policy becomes stricter, more account lockouts will occur.
Account lockout policy is defined at the following location within the Group Policy Editor shown
in Figure 73:
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy
Following is a description of the settings:
Account lockout duration (when enabled 1 to 99,999 minutes)
This setting, once enabled, is activated on a user account where the defined
number of invalid login attempts is exceeded. It is recommended that the
Account lockout duration be set to 30 minutes. A value of 0 specifies that
accounts will never be locked out.
Account lockout threshold (when enabled 0 to 999)
This setting, once enabled, sets the number of failed login attempts that
causes the user account to become locked out. If users use screen saver
passwords, or Task Manager to lock their user account, entering a password
to unlock their account incorrectly does not count against a defined account
lockout threshold unless the setting Interactive logon: Require Domain
Controller authentication to unlock workstation is also enabled. If the
Account lockout threshold is set to 0, this setting ensures that accounts will
Kerberos Policy
The Kerberos version 5 authentication protocols are enforced at the domain through the
default domain policy GPO. It cannot be overridden by Group Policy settings in an OU as
these settings are not available at the OU level.
For most internal Active Directory networks, these settings do not need to be changed. For
public access across the Internet and other public paths, certain changes could be
considered.
Kerberos policy settings can be changed using the Group Policy Editor at the following
location:
Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy
Following is a description of the settings:
Enforce user logon restrictions
This is the default setting and need not ever be changed, as every request for a
session ticket should be validated.
Maximum lifetime for service ticket (from 10 to 99,999 minutes)
This setting defines the amount of time in minutes that a session ticket, once
granted, can be used to access requested services. The minimum timeframe
is 10 minutes or greater and also less than or equal to the defined setting for
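An added example, not from the course: a Python check of Account Policies values against the ranges and recommendations given in the Password Policy, Account Lockout Policy, and Kerberos Policy descriptions above. It assumes the values are the integers found under [System Access] and [Kerberos Policy] in a security template or secedit export; the two sample policies are constructed.

```python
"""Check Account Policies values against the ranges and recommendations given
for Password Policy, Account Lockout Policy and Kerberos Policy.  Added
example, not part of the course.  Input is a dict of the integer values as
they appear under [System Access] and [Kerberos Policy] in a security
template or secedit export; the two sample policies are constructed."""

# Constructed: a domain left at installation defaults (history off, lockout off).
DEFAULT_POLICY = {
    "PasswordHistorySize": 0, "MaximumPasswordAge": 42, "MinimumPasswordAge": 0,
    "LockoutBadCount": 0, "LockoutDuration": 30, "ResetLockoutCount": 30,
    "MaxServiceAge": 600,
}
# Constructed: the same domain after the recommendations have been applied.
HARDENED_POLICY = {
    "PasswordHistorySize": 24, "MaximumPasswordAge": 42, "MinimumPasswordAge": 1,
    "LockoutBadCount": 5, "LockoutDuration": 30, "ResetLockoutCount": 30,
    "MaxServiceAge": 600,
}


def check_account_policy(policy):
    """Return [(severity, setting, message)]: 'error' for a value outside the
    allowed range, 'warn' for a value inside the range but against the advice."""
    findings = []

    def in_range(key, low, high):
        value = policy.get(key)
        if value is not None and not low <= value <= high:
            findings.append(("error", key, f"{value} is outside {low} to {high}"))
            return None
        return value

    # Password Policy
    history = in_range("PasswordHistorySize", 0, 24)
    max_age = in_range("MaximumPasswordAge", 0, 999)
    min_age = policy.get("MinimumPasswordAge")
    if history == 0:
        findings.append(("warn", "PasswordHistorySize",
                         "0: a previous password can be reused at once"))
    elif history and min_age == 0:
        findings.append(("warn", "MinimumPasswordAge",
                         "0: users can change passwords repeatedly to cycle back to a favourite"))
    if max_age == 0:
        findings.append(("warn", "MaximumPasswordAge", "0: passwords never expire"))
    elif max_age is not None and not 15 <= max_age <= 60:
        findings.append(("warn", "MaximumPasswordAge",
                         f"{max_age} days is outside the recommended 15 to 60"))

    # Account Lockout Policy
    threshold = in_range("LockoutBadCount", 0, 999)
    duration = in_range("LockoutDuration", 0, 99999)
    if threshold == 0:
        findings.append(("warn", "LockoutBadCount", "0: accounts are never locked out"))
    elif threshold is not None and duration is not None and duration != 30:
        findings.append(("warn", "LockoutDuration",
                         f"{duration}: recommended value is 30 minutes"))

    # Kerberos Policy
    in_range("MaxServiceAge", 10, 99999)
    return findings
```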
Security Options
Security options are a mixture of security privileges and rights dealing with user accounts.
Options are divided into auditing, local hardware devices, domain controllers, domain
members, interactive logons, network access and security and the recovery console.
Certain settings are for specific computer systems; not every setting will be used. The
security settings that bear consideration are as follows:
Accounts: Administrator account status
The local Administrator account is a huge security risk due to its well-known
name, its well-known SID, and the fact that you are a password guess away
from getting in with Administrator privileges. It is a good idea to always
disable the local Administrator account and instead assign users to the
Administrators group.
Note
If you need this account in safe mode, it is always available, even if disabled.
A user right is defined by Microsoft as a task that a user has been permitted to carry out on
a standalone computer system or at the domain.
User rights are further separated into logon rights and privileges.
A logon right defines just who can successfully log on to a computer system and the
acceptable method of logon.
A privilege controls the level of access to the system resources. The user rights for a
Windows 2000, Windows 2003, and Windows XP computer system are configured locally
with the Local Security Console and at the domain using the Group Policy Editor at the
following path:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
The MBSA (Microsoft Baseline Security Analyzer) version 1.1 is a multithreaded security
scanner that analyzes an individual computer or a group of computers for missing security
patches and other security problems.
In addition to checking for easily guessed user passwords, automatic administrator logon, and
unnecessary services, MBSA also scans for unprotected IIS servers that have not yet run
the IIS Lockdown tool.
It can also scan multiple instances of SQL Server, evaluating the SQL authentication
mode, looking for blank SA passwords, and checking for any privilege escalation
opportunities exposed through the SQL Server service account.
You can specify hostnames, a range of IP addresses, and domain names that you would
like to scan by executing MBSA from the command line or graphical user interface.
Output is presented through an HTML interface, and data is saved in XML format.
Knowledge Check
Section Review
3. Which security template is used when a clean install of Windows 2000 or Windows XP is
carried out?
5. Which command-line tool is used to update Windows 2000 policy without rebooting?
6. Which command-line tool is used to update Windows 2003 and Windows XP policy
without rebooting?
Acronyms
The following acronyms are used in this section:
Network Security Using Group Policy
Section Topics
Deploying Member Server Security
Domain Security
Controlling Network Services with Group Policy
Enforcing an Audit Policy
Restricting Security Group Membership
Using Scripts
Managing Printers: Printer Pruning
Knowledge Guide
Section Objectives
Section Overview
This section details effective security design using Active Directory logical components.
How to deploy security templates, effective audit policy, and registry and file security
deployment through Group Policy is also detailed.
When designing your network infrastructure, first make a list of your infrastructure
components that are to be managed with Active Directory and Group Policy.
Include in this list the following servers:
Domain controllers
Member servers
File servers
Print servers
Infrastructure servers
Web servers
Certificate servers
Bastion servers (Internet)
IAS servers
IIS servers
OU Infrastructure Example
OU Infrastructure Checklist
Domain Security
After OUs are used, security can be deployed at several levels within the domain.
Microsoft recommends that three levels be used for applying security to servers within the
domain:
Domain: Common account security requirements, account lockout, and
password policies
Baseline: Common server security applied to all servers within the domain
Assigned server role: Additional security settings for specific server roles
The types of security that can be applied through Active Directory using Group Policy are:
File system permissions
Registry permissions
System services
Auditing and event logs
Account and password policies
User right assignments
Final Checks
Verify in the Event Log that the policy downloaded successfully and that the server can
communicate with the other DCs in the domain. The event ID to search for is 1704:
Security policy in Group policy objects has been applied successfully.
By default, security settings are refreshed every 5 minutes on a domain controller, and
every 90 minutes on a workstation.
Make sure that this GPO has the highest priority by being the highest in the list, so that it
is deployed last.
File systems security applies to all NTFS hard drive volumes, allowing you to centrally
define permissions on domain controllers, member servers, and Windows 2000 and
Windows XP computer systems.
Note
File system policy requires that a drive letter, and if necessary, a folder be used to identify
the volume and location of the file as shown in Figure 85.
Have you ever wanted to control security permissions on the local computer registry of a
domain controller, member server, or user? With a registry policy you can.
One additional option that can be set after security has been modified on a selected
registry key is to select the checkbox Do not allow permissions on this key to be
replaced. This will protect the ACL set on this key from being modified by any other
GPO or process.
Registry settings are not modified by any of the optional security templates. The base
security level on the local registry is established during a clean installation of Windows
2000, Windows 2003, or Windows XP through the deployment of the setup security.inf.
Note
If the registry path is not in the domain controller where you want to push the registry
settings from, you will first have to add the registry path manually to the registry of the local
DC to provide a template to apply security to.
Note
Another handy setting is to add the Help Desk to the security principals who can control the
print spooler and, therefore, provide assistance when this service needs to be reset.
Public key policy can be applied to both computer systems and users. Enabling policy
settings through a GPO allows you to specify the use of Microsoft certificate services in
relation to the computer and user components of a PKI implementation.
This policy is only effective if you are using Microsoft certificate services and structure;
otherwise it will not have any value for you at all.
Considering that the Microsoft certificate service is based on RSA security, it is too early
to say they will not succeed.
Note
After enabling auditing, make sure that your security log has been sized properly to
accommodate the additional entries.
Account Management
Once enabled, the creation, modification, and deletion of security principals (user
accounts, groups, and computer accounts, including associated settings) are monitored. It
is recommended that both success and failure be enabled in order to track users who attempt
actions that they are not permitted to perform. Figure 90 below lists some of the
event IDs registered in the Security Event Log for account management.
Event ID Description
624 A user account was created.
627 A user password was changed.
628 A user password was set.
630 A user account was deleted.
631 A global group was created.
632 A member was added to a global group.
633 A member was removed from a global group.
634 A global group was deleted.
635 A new local group was created.
636 A member was added to a local group.
637 A member was removed from a local group.
638 A local group was deleted.
639 A local group account was changed.
641 A global group account was changed.
642 A user account was changed.
643 A domain policy was modified.
644 A user account was automatically locked.
645 A computer account was created.
646 A computer account was changed.
647 A computer account was deleted.
649 A local security group with security disabled was changed.
668 A group type was changed.
684 The security descriptor of administrative group members was set.
685 Name of an account was changed.
Figure 90: Account Management Event IDs
Logon Events
Logon events track user logons to all computers in your enterprise. Do not confuse this
setting with the Account Logon events described earlier, which track domain account
logons. The logon events that can be tracked are listed in Figure 91.
Event ID Description
528 A user successfully logged on to a computer.
529 Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.
530 Logon failure. A logon attempt was made outside the allowed time.
531 Logon failure. A logon attempt was made using a disabled account.
532 Logon failure. A logon attempt was made using an expired account.
533 Logon failure. A logon attempt was made by a user who is not allowed to log on at the specified computer.
535 Logon failure. The password for the specified account has expired.
536 Logon failure. The Net Logon service is not active.
538 The logoff process was completed for a user.
539 Logon failure. The account was locked out at the time the logon attempt was made.
540 A user successfully logged on to a network.
545 Main mode authentication failed because of a Kerberos failure or a password that is not valid.
548 Logon failure. The SID from a trusted domain does not match the account domain SID of the client.
Figure 91: Logon Events
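Once these audit categories are enabled, the value comes from reviewing the log. The following script is an added example, not part of the course material: it classifies constructed security-log records using only the event IDs listed in Figure 90 and Figure 91, and pulls out the two things a reviewer usually wants first, membership changes to privileged groups and accounts with repeated logon failures (and whether event 644 shows that a lockout followed). The record layout, the list of privileged groups and the sample records are assumptions made for the example.

```python
"""Triage Windows 2000/2003 security-log records by event ID (added example)."""
from collections import Counter
from dataclasses import dataclass

# Event IDs taken from Figure 90 (account management) and Figure 91 (logon/logoff).
ACCOUNT_MANAGEMENT = {624, 627, 628, 630, 631, 632, 633, 634, 635, 636, 637,
                      638, 639, 641, 642, 643, 644, 645, 646, 647, 649, 668,
                      684, 685}
LOGON_SUCCESS = {528, 540}
LOGOFF = {538}
LOGON_FAILURE = {529, 530, 531, 532, 533, 535, 536, 539, 545, 548}
GROUP_MEMBER_ADDED = {632, 636}      # member added to a global / local group
GROUP_MEMBER_REMOVED = {633, 637}    # member removed from a global / local group
LOCKOUT = 644                        # account automatically locked

# Assumption: groups whose membership changes always deserve review.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins",
                     "Schema Admins"}


@dataclass(frozen=True)
class SecurityEvent:
    """Minimal view of one Security Event Log record (assumed layout)."""
    event_id: int
    target: str      # account or group the event is about
    subject: str     # account that performed the action or attempted the logon
    computer: str    # computer that recorded the event


def classify(ev):
    """Map an event to the audit category it belongs to."""
    if ev.event_id in ACCOUNT_MANAGEMENT:
        return "account-management"
    if ev.event_id in LOGON_SUCCESS:
        return "logon-success"
    if ev.event_id in LOGOFF:
        return "logoff"
    if ev.event_id in LOGON_FAILURE:
        return "logon-failure"
    return "other"


def summarize(events):
    """Count events per category; a quick sanity check that auditing is producing data."""
    return Counter(classify(e) for e in events)


def privileged_group_changes(events):
    """Return (event_id, group, actor) for membership changes to privileged groups."""
    watched = GROUP_MEMBER_ADDED | GROUP_MEMBER_REMOVED
    return [(e.event_id, e.target, e.subject) for e in events
            if e.event_id in watched and e.target in PRIVILEGED_GROUPS]


def repeated_logon_failures(events, threshold=3):
    """Accounts with at least `threshold` failed logons, and whether a 644 lockout followed.

    Returns {account: (failure_count, locked_out)}.
    """
    failures = Counter(e.subject for e in events if e.event_id in LOGON_FAILURE)
    locked = {e.target for e in events if e.event_id == LOCKOUT}
    return {acct: (n, acct in locked) for acct, n in failures.items() if n >= threshold}


# Constructed sample records (not captured from a real system).
SAMPLE = [
    SecurityEvent(528, "jsmith", "jsmith", "WS01"),
    SecurityEvent(529, "mlee", "mlee", "WS02"),
    SecurityEvent(529, "mlee", "mlee", "WS02"),
    SecurityEvent(529, "mlee", "mlee", "WS02"),
    SecurityEvent(644, "mlee", "SYSTEM", "DC01"),
    SecurityEvent(624, "svc-backup", "helpdesk1", "DC01"),
    SecurityEvent(632, "Domain Admins", "helpdesk1", "DC01"),
    SecurityEvent(636, "Power Users", "helpdesk1", "WS01"),
    SecurityEvent(538, "jsmith", "jsmith", "WS01"),
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
    print(privileged_group_changes(SAMPLE))
    print(repeated_logon_failures(SAMPLE))
```

The threshold and the privileged-group list are the knobs to tune per site; the point of keeping the ID sets separate is that a record in `LOGON_FAILURE` and a record in `ACCOUNT_MANAGEMENT` (such as 644) have to be correlated on the account name to tell a lockout story, which the raw log does not do for you.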
Note
Before enabling an audit trail, make sure that your event logs on
all servers are sized accordingly. This should be set at the default
domain GPO so as to apply to all computer systems in the
domain, including clients, member servers, and domain
controllers. Carefully examine size factors and overwrite times.
Membership
Restrictive Groups
The most common use of this feature is ensuring that the Administrators, Enterprise
Admin, and Schema Admin membership list remains static.
A less common, but still useful, way of using this feature is to guarantee that a given
user or group remains a member of another group or groups and cannot be removed from them.
Suppose that you want to ensure that the selected Help Desk support members remain a
part of the Help Desk group. Adding the Help Desk support group to restricted groups
accomplishes this purpose.
Restrictive groups are modified automatically only when the compatws.inf or the
secure.inf templates are used; they both prohibit adding users to the Power Users group.
Note
A clean install of Windows 2000, Windows 2003, or Windows XP uses the setup
security.inf, which adds Authenticated Users and the Interactive user account to the Users
local group.
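To make the two behaviors above concrete, here is an added example (not from the course and not Microsoft's implementation) that models what a Restricted Groups policy does to group membership when it is applied. A "Members" list is treated as authoritative, so the Administrators membership stays static: anyone extra is removed and anyone missing is added. A "Member Of" list is additive, which is the Help Desk case: the group is put back into the groups it must belong to, and nothing else is touched. The group and account names and the directory snapshot are constructed for the example.

```python
"""Model of Restricted Groups membership enforcement (added example)."""


def reconcile_members(policy_members, current_members):
    """'Members of this group' semantics: the policy list is authoritative.

    Returns (to_add, to_remove). Anything present but not listed is removed;
    anything listed but absent is added. An empty policy list therefore
    empties the group, which is the usual surprise with this setting.
    """
    policy = set(policy_members)
    current = set(current_members)
    return sorted(policy - current), sorted(current - policy)


def reconcile_member_of(principal_groups, policy_groups):
    """'This group is a member of' semantics: additive only.

    Returns the groups the principal must be added to; memberships it
    already holds elsewhere are left alone.
    """
    return sorted(set(policy_groups) - set(principal_groups))


def apply_restricted_groups(policy, directory):
    """Apply a policy to a directory snapshot in place and return the change log.

    policy:    {group: {"members": [...], "member_of": [...]}}  (either key optional)
    directory: {group: set_of_member_names}
    """
    log = []
    for group, spec in policy.items():
        members = directory.setdefault(group, set())
        if "members" in spec:
            add, remove = reconcile_members(spec["members"], members)
            for m in add:
                members.add(m)
                log.append(("add", m, group))
            for m in remove:
                members.discard(m)
                log.append(("remove", m, group))
        # groups this group currently belongs to, derived from the snapshot
        current_parents = [g for g, mem in directory.items() if group in mem]
        for target in reconcile_member_of(current_parents, spec.get("member_of", [])):
            directory.setdefault(target, set()).add(group)
            log.append(("add", group, target))
    return log


# Constructed policy: keep Administrators static, keep Help Desk inside Account Operators.
POLICY = {
    "Administrators": {"members": ["Administrator", "Domain Admins"]},
    "Help Desk": {"member_of": ["Account Operators"]},
}

# Constructed directory snapshot: jdoe has drifted into Administrators,
# and Help Desk has been dropped from Account Operators.
DIRECTORY = {
    "Administrators": {"Administrator", "Domain Admins", "jdoe"},
    "Help Desk": {"helpdesk1", "helpdesk2"},
    "Account Operators": set(),
}


def run_sample():
    """Apply POLICY to a copy of DIRECTORY; return (change log, resulting directory)."""
    snapshot = {g: set(m) for g, m in DIRECTORY.items()}
    return apply_restricted_groups(POLICY, snapshot), snapshot


if __name__ == "__main__":
    changes, result = run_sample()
    for action, who, where in changes:
        print(f"{action:6} {who!r} -> {where!r}")
    print(result)
```

Running it produces one removal (jdoe from Administrators) and one addition (Help Desk into Account Operators); the Help Desk group's own member list is untouched because the policy only constrains what it belongs to. Before putting a "Members" list on a production group, run this kind of dry comparison against the real membership so the removals are not a surprise on the next policy refresh.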
Using Scripts
Legacy script support was MS-DOS based only; Windows 2000 and Windows 2003 now
support five types of scripts in many formats, including .vbs and .js.
Scripts can be run manually from the GUI or fully automated from a command
window.
Windows Scripting Host is built into the OS and supports many other 32-bit third-party
languages.
Processing Order
Since scripts are supported at sites, domains, and OUs, a computer system could have
many scripts to process.
Figure 96 and Figure 97 list the Group Policy options that are available to control the
behavior of scripts.
Policy in Computer Configuration\Administrative Templates\System\Logon | Description
Run logon scripts synchronously | When this option is enabled, the system waits until the script finishes running before it starts Windows Explorer. The equivalent option for this is available under the User Configuration node. The policy setting you specify in the Computer Configuration node has precedence over that set in the User Configuration node.
Run startup scripts asynchronously | By default, startup scripts run synchronously and hidden, which means that the user cannot log on until the scripts complete. In some corporations, the administrator might want the scripts to run asynchronously since they could take a long time to complete. This policy allows the administrator to change the default behavior.
Run startup scripts visible | If this option is enabled, startup scripts run in a command window.
Run shutdown scripts visible | If this option is enabled, shutdown scripts run in a command window.
Maximum wait time for Group Policy scripts | This policy setting lets you change the default script timeout period. (By default, scripts will time out after 600 seconds.) The range is 0 to 32000 seconds.
Figure 96: Computer Scripting Control
Policy in User Configuration\Administrative Templates\System\Logon\Logoff | Description
Run logon scripts synchronously | When you enable this option, Windows waits for the scripts to finish running before it starts Windows Explorer. Note that an equivalent option for this is available under the Computer Configuration node. The policy setting you specify in the Computer Configuration node has precedence over that set in the User Configuration node.
Run legacy logon scripts hidden | If this option is enabled, legacy logon scripts will run in hidden mode.
Run logon scripts visible | If this option is enabled, logon scripts run in a command window.
Run logoff scripts visible | If this option is enabled, logoff scripts run in a command window.
Figure 97: User Scripting Control
Note
Enabling the setting Disable the Command prompt found in User Configuration\
Administrative Templates\System can stop legacy batch files from executing.
Knowledge Check
Section Review
2. Which event ID indicates that security policy has been applied successfully?
6. List the four types of scripts that can be deployed through Group Policy.
Acronyms
The following acronyms are used in this section:
Explorer Shell Group Policy
Section Topics
Scripts for Clients
Desktop, Start Menu, and Taskbar Control
Control Panel Control
Windows Components
Controlling User Profiles
Folder Redirection
Printer Management and Pruning
Computer Network Settings
Knowledge Guide
Section Objectives
Section Overview
Most people are familiar with Group Policy and its predecessor System Policies in
Windows NT, Windows 95, and Windows 98 as a way of locking down the desktop. In
fact, Group Policy is a great tool for controlling the user environment: to add functionality,
to provide consistency within OUs or domains, and to keep users out of utilities and
settings that they do not need.
A startup script runs when a Windows computer boots, using the Local System security
context. A shutdown script runs when a Windows computer is shut down (Start, Shut
Down), again using the Local System security context.
You can use Group Policy to specify which (if any) startup and shutdown scripts you want
to run. The scripting language can be any language supported by the WSH engine.
Common choices are:
VBScript (suffix .vbs)
JScript (suffix .js)
Batch files (suffix .cmd or .bat)
Startup and shutdown scripts are potentially useful tools for configuring the user
environment. You might use these scripts (as opposed to logon or logoff scripts) where
you need broader security capabilities than might be supplied by the User account type.
Note
Specify one or more scripts to run in the following Group Policy console location:
Computer Configuration, Windows Settings, Scripts (Startup/Shutdown)
You can specify parameters for your scripts, as well, in the Group Policy dialog box. The
parameters would be the same as what you would specify in a command window. You may
also edit your scripts from this dialog box.
You can use the same script languages for logon and logoff as you do for startup and
shutdown; for example, VBScript, JScript, and batch files.
Logon scripts have many uses in configuring the user environment. For example, you may
wish to use a logon script to perform one or more of the following tasks:
Map drives (for example, with net use x: \\server\share)
Populate the Printers folder (for example, with WshNetwork.AddWindowsPrinterConnection)
Set the default printer (for example, with WshNetwork.SetDefaultPrinter)
Specify one or more scripts to run in the following Group Policy console location:
User Configuration, Windows Settings, Scripts (Logon/Logoff)
Note
Note
If these settings are configured in both halves of the Group Policy console, then the
computer half takes precedence.
Desktop Restrictions
Most of the desktop restrictions are to be found in the User Configuration half:
User Configuration, Administrative Templates, Desktop
Restriction | Description
Hide and disable all items on the desktop | Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, My Computer, and My Network Places
Remove My Documents icon on the desktop | Self-explanatory
Remove My Computer icon on the desktop | Self-explanatory
Remove Recycle Bin icon from the desktop | Self-explanatory
Remove Properties from the My Documents context menu | Self-explanatory
Remove Properties from the My Computer context menu | Self-explanatory
Remove Properties from the Recycle Bin context menu | Self-explanatory
Hide My Network Places icon on desktop | Self-explanatory
Hide Internet Explorer icon on desktop | Self-explanatory
Do not add shares of recently opened documents to My Network Places | Self-explanatory
Prohibit user from changing My Documents path | A good idea if you are using folder redirection
Prevent adding, dragging, dropping, and closing the toolbars of the taskbar | Self-explanatory
Prohibit adjusting desktop toolbars | Self-explanatory
Don't save settings at exit | Only affects some changes to the desktop, such as the position of open windows and the size and position of the taskbar
Remove the Desktop Cleanup Wizard | Denies users access and disables automatic 60-day runs of the wizard
Active Desktop | Various settings under this node, including enabling and disabling Active Desktop
Active Directory | Various settings under this node, including enabling and disabling the filter bar in Active Directory searches
Figure 102: Desktop Restrictions
Start Menu Restrictions
Restriction | Description
Remove user's folders from the Start menu | Hides all folders on the user-specific (top) section of the Start menu (other items appear though) to avoid duplication when folder redirection is used
Remove links and access to Windows Update | One of the most popular policies; helps prevent users from applying patches and updates that the organization has not tested; blocks user access to the Windows Update Web site at http://windowsupdate.microsoft.com; also removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer.
Remove common program groups from Start menu | Not common as in ordinary, but as in items in the All Users profile
Remove My Documents icon from Start Menu | Self-explanatory
Remove Documents menu from Start Menu | Self-explanatory
Remove programs on Settings menu | Prevents Control Panel, Printers, and Network Connections from running, although users can still get to certain control panels via context menus
Remove Network Connections from Start menu | Self-explanatory
Remove Favorites menu from Start menu | Self-explanatory
Remove Search menu from Start menu | Self-explanatory
Remove Help menu from Start menu | But users can still run Help various other ways
Remove Run menu from Start menu | Self-explanatory
Remove My Pictures icon from Start menu | Self-explanatory
Remove My Music icon from Start menu | Self-explanatory
Remove My Network Places icon from Start Menu | Self-explanatory
Add Logoff to the Start Menu | Note: also removes the user's ability to remove the entry
Remove Logoff on the Start Menu | Similarly, removes the entry and prevents the user from re-adding it
Remove and prevent access to the Shut Down command | Removes the Shut Down option from the Start menu and disables the Shut Down button on the Windows Security dialog box; useful for kiosk situations, for example
Remove drag-and-drop context menus on the Start menu | Prevents users from using drag-and-drop to reorder or remove items on the Start menu; removes context menus
Do not keep history of recently opened documents | Prevents the OS and installed programs from creating and displaying shortcuts to recently opened documents, but does not clear all MRU lists
Clear history of recently opened documents on exit | Ensures that the Documents menu on the Start menu is always empty right after logon
Turn off personalized menus | An important restriction (those automatic disappearing menu items have confused more than their share of novice users) but does not affect individual applications
Turn off user tracking | Prevents the system from tracking the programs that users run, the paths that they navigate, and the documents that they open, for example, to allow creation of personalized menus
Add Run in Separate Memory Space checkbox to Run dialog box | Allows users to specify that a 16-bit application should run in its own VDM
Gray unavailable Windows Installer programs Start menu shortcuts | Forces partially-installed applications, such as those assigned via Group Policy but not yet installed, to show up in gray; performance issues with this setting have been observed, so testing is advisable
Force classic Start menu | Displays the classic Start menu in the Windows 2000 style and displays the standard desktop icons
Remove Balloon Tips on Start menu items | Disables the hover messages, not just on the Start menu but also in the system tray
Remove frequent programs list from the Start menu | Useful if you want to simplify the rather bloated Windows XP-style Start menu
Remove All Programs list from the Start menu | Windows XP only
Remove user name from Start menu | Self-explanatory
Figure 103: Start Menu Restrictions
Taskbar Restrictions
Technically, the Start menu is part of the taskbar, but the following text covers taskbar
restrictions that do not involve the Start menu directly.
Location: User Configuration, Administrative Templates, Start Menu, Taskbar
Restriction | Description
Prevent changes to Taskbar and Start Menu settings | Removes the Taskbar & Start Menu item from Settings on the Start menu and prevents the user from opening Taskbar Properties
Remove access to the context menus for the Taskbar | Hides the menus that appear when you right-click the taskbar and items on the taskbar
Prevent grouping of Taskbar items | Disables the consolidation of multiple program instances into a single taskbar entry with a number (n) after it
Turn off notification area cleanup | Removes the automatic collapsing of inactive system tray icons
Lock the Taskbar | Prevents the user from moving or resizing the taskbar (auto-hide and other taskbar options are still available)
Remove clock from the system notification area | That is, the system tray. Seemingly straightforward, but watch out: the clock sometimes does not want to come back if this policy is later reversed.
Hide the notification area | Again, what we called the system tray before Windows XP
Do not display any custom toolbars in the taskbar | If enabled, the taskbar does not display any custom toolbars, and the user cannot add any custom toolbars to the taskbar; plus, the Toolbars menu and submenu are removed from the context menu
Figure 104: Taskbar Restrictions
Top-Level Controls
Location: User Configuration, Administrative Templates, Control Panel
Restriction | Description
Prohibit access to the Control Panel | Prevents control.exe from starting; users cannot start Control Panel or run any Control Panel items. Also removes Control Panel from the Start menu and removes the Control Panel folder from Windows Explorer
Hide specified Control Panel applets | To find the file name of a Control Panel item, search for files with the .cpl file name extension in %Systemroot%\System32; does not affect the categories that are displayed in the new Control Panel Category view in Windows XP
Show only specified Control Panel applets | The inverse of the previous setting; which setting you use depends on whether your organization operates on a need-to-know basis or a need-to-withhold basis
Force Classic Control Panel Style | That is, Windows 2000-style, as opposed to the newer Windows XP-style, which Microsoft says is simpler but which takes more clicks to get anything done
Figure 105: Top-Level Controls
Add/Remove Programs
Location: User Configuration, Administrative Templates, Control Panel,
Add/Remove Programs
Restriction | Description
Remove Add/Remove Programs | Disables user access to the Add/Remove Programs wizard, but does not prevent users from installing applications in other ways
Hide Change or Remove Programs Page | Removes the Change or Remove Programs button from the Add or Remove Programs bar, so users cannot view or change the attached page, for example, to uninstall, repair, add, or remove features of installed programs
Hide Add New Programs Page | Removes the Add New Programs button from the Add or Remove Programs bar, so users cannot view or change the attached page, for example, to install programs published or assigned by a system administrator
Hide Add/Remove Windows Components Page | Self-explanatory
Hide the Add a Program from CD-ROM or floppy disk option | Removes the specified section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media
Hide the Add Programs from Microsoft option | Self-explanatory
Hide the Add Programs from Your Network option | Self-explanatory
Go directly to Components Wizard | Removes the Set up services section of the Add/Remove Windows Components page, which lists system services that have not been configured and offers users easy access to configuration tools
Remove Support Information | Removes links to the Support Info dialog box from programs on the Change or Remove Programs page; you may consider this if you want all support to come from an internal helpdesk, for example
Specify default category for Add New Programs | Specifies the category of programs that appears when users open the Add New Programs page; only the programs in the category you specify are displayed when this page opens
Figure 106: Add/Remove Programs
Display Control
Location: User Configuration, Administrative Templates, Control Panel, Display
Restriction | Description
Remove Display in Control Panel | Self-explanatory
Hide Desktop tab | Users cannot use Control Panel to change the pattern and wallpaper on the desktop, nor can they customize the desktop by changing icons or adding new Web content
Prevent changing wallpaper | Self-explanatory
Hide Appearance and Themes tab | Self-explanatory
Hide Settings tab | Users cannot change settings such as display size, color bit depth, refresh rate, etc.
Hide Screen Saver tab | Users cannot change the screen saver setting
Screen Saver | Enable this and Windows runs the screen saver specified in the following policy; disable it, and no screen saver runs
Screen saver executable name | The name (including the .scr suffix) of the screen saver you want to run on the user machine; specifying it disables all other user choices
Password protect the screen saver | Only applies if you have chosen to specify a particular screen saver in the preceding policy
Screen saver timeout | Length of time before the screen saver kicks in
Desktop Themes | Subnode containing options to control the display and behavior of the Themes tab in Windows XP
Figure 107: Display Control
Printer Control
Location: User Configuration, Administrative Templates, Control Panel, Printers
Restriction | Description
Browse a common Web site to find printers | Adds a Browse button on the Locate Your Printer page of the Add Printer Wizard, pointing to a Web page that you build to centralize printer locations
Browse the network to find printers | Lets users search for printers; disabling forces users to specify the exact printer name
Default Active Directory path when searching for printers | The Active Directory container where user searches for printers begin
Point and Print restrictions | Specifies where users can download printer drivers automatically: specific servers, or anywhere in the forest
Prevent addition of printers | Restricts users to the environment that you define
Prevent deletion of printers | Restricts users to the environment that you define
Figure 108: Printer Control
Windows Components
Windows Explorer
Microsoft has put many desktop restrictions in the nodes you already examined, to be
sure, but many more exist under a sort of umbrella node called Windows Components,
which appears in both the User Configuration and Computer Configuration nodes (see
Figure 109).
Helpful Hint
Exactly how Microsoft decided to put certain settings in Windows Components and others
in, say, Desktop is cloaked in a certain amount of mystery. The My Computer settings in
Windows Components\Windows Explorer, for example, are arguably as much desktop
settings as anything in the Desktop subnode. So, do not try to make sense of the
organization (or lack thereof). Instead, just remember that Windows
Components\Windows Explorer has a lot of settings that affect the desktop shell.
Restriction | Description
Hide these specified drives in My Computer | Removes the icons representing selected hard drives from My Computer and Windows Explorer and removes the drive letters representing the selected drives from the standard Open dialog box
Prevent access to drives from My Computer | Prevents users from viewing the contents of the selected drives in My Computer or Windows Explorer; also prevents them from using the Run dialog box, the Map Network Drive dialog box, or the dir command to view the directories on these drives
Remove Hardware tab | Removes the Hardware tab from Mouse, Keyboard, and Sounds and Audio Devices in Control Panel, and from the Properties dialog box for all local drives, including hard drives, floppy disk drives, and CD-ROM drives
Remove DFS tab | Removes the tab from Windows Explorer and My Computer, restricting access to the Distributed File System
Remove Security tab | Removes the tab from files, folders, drives, and shortcuts, restricting access (for example) to NTFS access control lists
Remove UI to change menu animation setting | Prevents users from accessing the transitional effects for menus and tool tips
No Computers Near Me in My Network Places | Self-explanatory
No Entire Network in My Network Places | Self-explanatory
Maximum number of recent documents | Limits the number of documents that will appear in the Documents MRU list
Do not request alternate credentials | Applies when installing programs onto a system where the user is not logged on as the local administrator
Request credentials for network installations | Applies when installing programs over the network
Remove CD burning features | That is, from Windows Explorer, but not from other applications that the user may have installed on the computer
Do not move deleted files to the Recycle Bin | Very risky setting but one that some organizations with high security requirements might use: when you delete something, and this setting is enabled, there's no turning back
Display confirmation dialog when deleting files | Self-explanatory
Maximum allowed Recycle Bin size | Self-explanatory
Remove Shared Documents from My Computer | Self-explanatory
Turn off caching of thumbnail pictures | Another security-related setting; thumbnail caches are available to other users, even if the pictures that they cache are not
Common Open File Dialog | A subnode that lets you customize a few features of the standard Open window
Figure 110: Windows Explorer Settings
Internet Explorer
The sheer volume of Internet Explorer settings in the Group Policy console is impressive.
The Computer Configuration node contains a few settings dealing with security zones
(see Figure 111) and other per-computer policies.
As you can see, most of the settings immediately under the Internet Explorer node have
to do with disabling various capabilities, such as customizing the search capability,
importing favorites, changing the home page, changing browser cache settings, history
settings, content ratings, and so forth.
Pay particular attention to the AutoComplete policies: Disable AutoComplete for forms
and Do not allow AutoComplete to save passwords. Security-conscious shops should be
aware of these settings.
You will notice several subnodes beneath Internet Explorer. The Internet Control Panel
node allows you to selectively disable individual control panel pages (see Figure 115).
Offline Pages
The Offline Pages subnode (see Figure 116) allows you to set policies for channels
(formerly known as active channels) and offline pages, including the ability to
download sites at specified schedules for viewing later when (possibly) disconnected from
the Internet.
Browser Menus
The Browser menus subnode (see Figure 117) lets you disable various commands from
the File, View, Tools, and Help menus within the browser window.
Toolbars
The Toolbars subnode lets you disable reconfiguring of the browser toolbars or specify
just which buttons users can see (see Figure 118).
Persistence Behavior
The Persistence Behavior subnode lets you specify a maximum size for sites using
persistence, broken out by zone.
Finally, the Administrator Approved Controls subnode (see Figure 120) lets you
designate specific ActiveX controls as administrator-approved for purposes of the Run
ActiveX Controls and Plug-ins area in the definition of your security zones.
IEAK Settings
Some years back, Microsoft introduced its Internet Explorer Administration Kit, or
IEAK. The company has folded the IEAK settings into the Group Policy interface but
not into either of the Windows Components nodes. These settings reside under User
Configuration/Windows Settings/Internet Explorer Maintenance. You will notice
some overlap between some of these settings and the ones previously described.
Browser User Interface: Contains settings for title, logo, and toolbar,
including the ability to remove specific toolbar buttons if desired.
Connection: Allows you to prepopulate most of the fields in the Connections
tab of the Internet Explorer control panel.
URLs: Provides a way for you to preselect favorites, links, the search page, the
home page, and the online support URL in the help system.
Security: Lets you predetermine Security Zones and Content Ratings
settings as well as lock down the user's ability to add trusted sources.
Programs: Lets you prepopulate most of the fields in the Programs tab of the
Internet Explorer control panel, where for example you can specify a preferred
e-mail client, newsreader, etc.
Terminal Services
The bulk of the Terminal Services policies appear in the Computer Configuration node,
although you can set a few timeouts in the User Configuration node (which will be
overridden if they are also set in the computer half). In addition to the policies shown in
Figure 122, various subnodes provide access to specific restrictions, as follows:
Client/Server data redirection: You can control redirection of COM ports,
LPT ports, drives, etc.
Encryption and Security: You can set the default client encryption level.
Licensing: You can prevent a license upgrade.
Temporary folders: You can turn per-session temp folders off, so that the
Local Settings\Temp folder is always used instead.
Session Directory: You can designate a server to be used as a session logger
for reestablishing user connections.
Sessions: You can set limits for active, idle, and disconnected sessions.
Size (Quotas)
Location: User Configuration/Administrative Templates/System/User Profiles
Policy: Limit Profile Size
Details: You can specify a custom message to display to users who have exceeded their
(roaming) profile size allocation, what that size is, whether it should include the registry,
whether to notify users who exceed their allocation, and how often to remind users to trim
their profile size (see Figure 123).
Folders
Slow Links
How roaming profiles behave over slow links (for example, dialup connections) can be
controlled via the following policy settings.
Delete cached copies of roaming profiles: You might enable this for security purposes or to conserve disk space on local drives, but do not enable it if you plan to use slow link detection.

Do not detect slow network connections: This setting tells Windows to treat all connections equally, effectively turning off the slow-link detection features and their related policies.

Slow network connection timeout for user profiles: This setting lets you specify a connection speed (kbps) other than the default of 500 to use as a slow or fast boundary for IP connections, or a server response time (ms) other than the default of 120 to use as a slow or fast boundary for non-IP connections (see Figure 125).

Wait for remote user profile: This setting tells Windows to wait for the server-based copy of the user profile to load, even if the connection is slow, rather than decide to use the most recently saved local copy of that user profile.

Prompt user when slow link is detected: Enable this if you want users to be able to decide whether to use a server-based profile or a locally cached profile when a slow link is detected.

Timeout for dialog boxes: This setting indicates how long Windows waits (the default is 30 seconds) before making a default choice after notifying the user of a slow link or unavailable server.
Figure 126: Policy Settings for Slow Links
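To make the interplay of these settings concrete, here is an added Python model (example code, not part of the course materials): the SlowLinkPolicy class, the threshold comparisons and the server-versus-local profile decision are this example's own constructions; the defaults of 500 kbps, 120 ms and 30 seconds are the ones stated in the table above.

```python
from dataclasses import dataclass
from typing import List, Optional

# Defaults named in the "Slow network connection timeout" and
# "Timeout for dialog boxes" policies described above.
DEFAULT_IP_THRESHOLD_KBPS = 500
DEFAULT_NONIP_THRESHOLD_MS = 120
DEFAULT_DIALOG_TIMEOUT_S = 30


@dataclass
class SlowLinkPolicy:
    """The slow-link settings of Figure 126 as one policy object (constructed model)."""
    detect_slow_links: bool = True        # False = "Do not detect slow network connections"
    ip_threshold_kbps: int = DEFAULT_IP_THRESHOLD_KBPS
    nonip_threshold_ms: int = DEFAULT_NONIP_THRESHOLD_MS
    wait_for_remote_profile: bool = False  # "Wait for remote user profile"
    prompt_user: bool = False              # "Prompt user when slow link is detected"
    dialog_timeout_s: int = DEFAULT_DIALOG_TIMEOUT_S
    delete_cached_copies: bool = False     # "Delete cached copies of roaming profiles"


def is_slow_link(policy: SlowLinkPolicy, *, is_ip: bool,
                 kbps: Optional[float] = None,
                 response_ms: Optional[float] = None) -> bool:
    """Classify a connection as the text describes: IP links by measured speed
    against the kbps threshold, non-IP links by server response time in ms."""
    if not policy.detect_slow_links:
        return False                      # every connection is treated as fast
    if is_ip:
        if kbps is None:
            raise ValueError("IP connections are judged by speed in kbps")
        return kbps < policy.ip_threshold_kbps
    if response_ms is None:
        raise ValueError("non-IP connections are judged by response time in ms")
    return response_ms > policy.nonip_threshold_ms


def choose_profile(policy: SlowLinkPolicy, slow: bool,
                   user_choice: Optional[str] = None) -> str:
    """Return 'server' or 'local': which copy of the roaming profile is loaded.

    user_choice is the user's answer to the slow-link prompt ('server' or
    'local'), or None when the dialog timed out (dialog_timeout_s) unanswered.
    """
    if not slow:
        return "server"
    if policy.wait_for_remote_profile:
        return "server"                   # wait for the server copy even on a slow link
    if policy.prompt_user and user_choice in ("server", "local"):
        return user_choice
    # No prompt, or the prompt timed out: use the most recently saved local copy.
    # Assumption: the timed-out default equals the no-prompt behaviour; the
    # text does not state which choice Windows makes after the timeout.
    return "local"


def configuration_warnings(policy: SlowLinkPolicy) -> List[str]:
    """Flag the combination the table warns against."""
    warnings = []
    if policy.delete_cached_copies and policy.detect_slow_links:
        warnings.append("Delete cached copies of roaming profiles removes the local "
                        "copy that slow-link detection falls back to; do not combine them.")
    return warnings
```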
Folder Redirection
Helpful Hint
When redirecting folders, you typically use UNC paths, which may need to be converted via
a migration table if and when you migrate a policy object from one domain to another.
The special folders that you can redirect via Group Policy are all in the user profile under
Documents and Settings, and include the following:
My Documents (including My Pictures)
Desktop
Start Menu (although Microsoft would rather you control this via other
policies)
Application Data
Note
Finally, you may make several configuration choices on the Settings tab (see
Figure 128).
Most of the system-related printer settings in Group Policy are to be found in Computer
Configuration/Administrative Templates/Printers, although some User Configuration
client-side printer settings exist in the Control Panel.
Pruning
One of the terms that comes up frequently in this list of policies is pruning. The pruning
service on the domain controller prunes (removes) printer objects from Active Directory if
the computer that published them does not respond to contact requests. When the
computer that published the printers restarts, it republishes any deleted printer objects
(assuming that this computer is running Windows 2000 or higher OS).
Note
The idea behind pruning is to make sure that users do not print to a printer associated with
a print server that is unavailable for some reason.
If you notice that printers are being pruned incorrectly, you may want to disallow printer
pruning by disabling the Allow pruning of published printers policy and specifying
Never in the Prune printers that are not automatically republished policy.
Alternately, you could make the pruning service a little more tolerant by using one of the
following methods:
Increasing the number of times that the pruning service tries to contact the
print server before deleting a printer, using the policy Directory pruning retry
Increasing the default 60-minute period for pruning checks using the policy
Directory pruning interval.
Publishing
What is a published printer? It is a printer that has been published in Active Directory,
that is, one that can be searched by its attributes when a user performs an Active Directory
search.
Note that it is possible to install a printer onto a domain controller, and even share it, but
not publish it in the directory. If you would like to publish only those printers that you
explicitly select for publication, you may want to disable the policy Automatically
publish new printers in Active Directory.
By default, any printer that you install on a DC is automatically published in the directory,
a behavior that varies from file sharing, incidentally, in that shared folders are not
automatically published in Active Directory.
In the Computer Configuration half of the policy console, you can preset a number of
values that control the functioning of DNS, including dynamic update, DNS suffixes,
Time-to-Live values, and so forth.
Offline Files
Many of the Offline Files settings are duplicated in both Computer Configuration and
User Configuration. As usual, in the event of a conflict, the Computer Configuration
settings win.
Network Connections
The User Configuration half offers a variety of restrictions to control what users can and
cannot do in the Network and Dial-Up Connections folder.
Knowledge Check
Section Review
2. If you wanted to hide My Network Places from users in a particular OU, what is the
minimum number of Policy settings that you would need to make?
3. Internet Explorer settings exist in three primary locations in the Group Policy console.
Name them.
4. In which half of the policy console (computer configuration or user configuration) would
you expect to find DNS settings? Why?
5. If your organization uses roaming user profiles, what additional advantage would Folder
Redirection have for the My Documents folder, beyond the security of regular backups?
Acronyms
The following acronyms are used in this section
CD compact disc
CD-ROM compact disc read-only memory
COM Component Object Model
DC domain controller
DNS Domain Name System
DVD digital versatile disc
FRS File Replication Service
IEAK Internet Explorer Administration Kit
IP Internet Protocol
kbps kilobits per second
MMC Microsoft Management Console
MRU most recently used
ms milliseconds
OS operating system
OU organizational unit
PC personal computer
UI user interface
UNC Universal Naming Convention
URL Uniform Resource Locator
VBScript Visual BASIC Scripting Edition
VDM Virtual DOS Machine
WSH Windows Scripting Host
Group Policy and Remote Access
Section Topics
Remote Access Policy: The Same, Only Different
Creating a Custom Remote Access Policy
Knowledge Guide
Section Objectives
Section Overview
This section covers two subjects. First, remote access policies, which technically are not
part of the Group Policy mechanism but which share some core features of Group Policy,
and which you are likely to use if your organization supports telecommuting or remote
access for traveling workers. Second, and related, is a discussion of how you can tweak
Group Policy to perform better (that is, faster) over slow links.
Remote access profiles that you set up on the specific RRAS server and that
determine the type of access that RRAS grants if a connection is permitted
Dial-In Permissions
Set dial-in permissions for a user via the Active Directory Users and Computers
administrative tool in a domain environment. The procedure is as follows:
Open the Users node in the tree pane.
Right-click the user in the details pane.
Choose Properties.
Click the Dial-In tab to see the dialog box shown in Figure 133.
What you see in this dialog box depends on whether your Windows network runs in native
mode (all domain controllers run Windows 2000) or mixed mode (one or more domain
controllers run Windows NT Server). In native mode, or on a standalone server, all options
are available; in mixed mode, only the Remote Access Permission and Callback
Options areas are available.
Under Remote Access Permission (Dial-in Or VPN), you can make one of two or three
choices:
Allow access: Means that the user passes the first hurdle, but may face other
hurdles in the form of remote access policy conditions and profile restrictions.
Deny access: Means that the user cannot connect to an RRAS server, no matter
what other conditions might be satisfied in a remote access policy.
Control access through Remote Access Policy: Means that whether the user
passes the first hurdle or not depends on the grant-or-deny permission setting
in a remote access policy. This option is only available for a standalone server
or for a domain server in native mode.
The Callback Options let you add security in that the RRAS server authenticates the user,
hangs up, and then dials the user back at a predetermined phone number. This feature is
handy for employees who telecommute.
Real-World Application
The last point bears elaborating. For example, if you want to grant access at any time of
the day to everyone except members of the Temps group, who can only log on from 9:00 to
5:00, put the policy restricting the Temps group first and the policy granting access to the
Everyone group second. Otherwise, members of Temps (who are also members of
Everyone) could gain access at any time of day.
Near the top of the dialog box, you see a list named Specify the conditions to match. The
default remote access profile has only one condition, a day-and-time condition, that covers
the entire time span of 24 hours a day, 7 days a week. Every attempted RRAS connection
meets that condition. So, this policy applies to everyone who tries to dial up this RRAS
server.
Other conditions that you can set include:
Remote access protocol used by client (PPP, SLIP, and so on)
Caller ID of remote user
Membership in one or more Windows groups (the Windows-Groups
condition)
Below the condition list is an area labeled If a user matches the conditions. Here, you
tell the policy what it should do if all the conditions in the condition list are satisfied. The
default remote access policy says Deny remote access permission, but you must
remember that this denial occurs only if the dial-in permission of the user account is set to
Control access through Remote Access Policy. If the dial-in permission for the user
account is either Allow access or Deny Access, this policy permission is irrelevant.
Real-World Application
Microsoft recommends that you delete the default policy, then add custom policies of
your own.
Remote access policies are stored on the local RRAS server (the file is ias.mdb in the
folder c:\Winnt\System32\Ias), not in Active Directory. This makes sense in that some
organizations want to use RRAS but do not use Active Directory. As a result, you can set
different policies on different RRAS computers.
You can set up remote access policies from RRAS or from IAS if you are using Internet
Authentication Server. If you set them up on an IAS server, and point all your RRAS
servers to IAS for authentication, you have to create only one set of remote access
policies.
Via the Edit Profile button on the Settings property sheet of the remote access policy, you
can create a set of constraints that determines what sort of access the user experiences,
after RRAS has already decided to permit a connection based on:
Policy conditions
Dial-in permission of the user
For example, you can make settings on the Dial-in Constraints tab (see Figure 135) that:
Kill a connection after a predefined idle period
Restrict the duration of a session
Restrict access to particular days and times
Permit a connection only if it comes in over a particular media type
On the IP tab, you can set IP packet filters for the connection.
The Multilink tab lets you explicitly allow or disallow multilink for the specific
policy, or use the global default setting of the server. The ability to control the
multilink setting is handy if you want to permit multilink operation for some groups
but not others.
Similarly, the Authentication tab lets you specify which authentication protocols to
use for the policy (but be sure that the global settings of the server also include the
authentication methods that you choose here).
The Encryption tab offers three choices:
No encryption: Means that clients do not have to use any encryption
method in order to connect to the RRAS server.
Basic: Means that RRAS supports 40-bit encryption for IPSec or MPPE.
Caution
If you use Windows 2000, be careful. The online help is incorrect on this point.
Note
3. Is the user's property sheet in Active Directory Users and Computers set to
deny access?
If so, access is denied. (You could argue that this should be checked first.)
If not, go to 4.
4. Is the user's property sheet in Active Directory Users and Computers set to
grant access?
If so, go to 5.
If not, go to 6.
5. Does the connection attempt match settings for the user object and the remote
access profile?
If so, access is granted.
If not, access is denied. Other matching policies may exist, but Windows will
not try them.
6. If you get here, then the user's property sheet is set to Control access through
Remote Access Policy. Is the remote access policy set to Deny remote access
permission?
If so, access is denied.
If not, go to 5.
Considering this process, it is something of a minor miracle that anyone ever connects
at all.
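The decision flow above, together with the policy-ordering point made in the Real-World Application earlier in this section (Temps first, Everyone second), as an added Python model (example code, not part of the course): the Attempt and RemotePolicy classes, the predicate helpers and the Temps/Everyone sample data are this example's own constructions; the three dial-in permission values and the order of checks are the ones the text gives.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# The three values on the user's Dial-In tab named in the text.
ALLOW = "Allow access"
DENY = "Deny access"
VIA_POLICY = "Control access through Remote Access Policy"

Predicate = Callable[["Attempt"], bool]


@dataclass(frozen=True)
class Attempt:
    """One connection attempt as RRAS sees it (constructed input)."""
    user: str
    groups: frozenset
    hour: int               # server-local hour, 0-23
    protocol: str = "PPP"   # the remote-access-protocol condition


@dataclass
class RemotePolicy:
    """Conditions, grant/deny permission and profile constraints, as in the text."""
    name: str
    conditions: List[Predicate]
    grant: bool                          # Grant vs. Deny remote access permission
    profile: Predicate = lambda a: True  # Dial-in Constraints tab, e.g. day/time


def first_matching_policy(policies: List[RemotePolicy],
                          attempt: Attempt) -> Optional[RemotePolicy]:
    """Policies are tried in order; the first whose conditions all match is used."""
    for policy in policies:
        if all(cond(attempt) for cond in policy.conditions):
            return policy
    return None


def evaluate(dial_in: str, policies: List[RemotePolicy],
             attempt: Attempt) -> Tuple[bool, str]:
    """Steps 3-6 of the flow in the text, after a policy has been matched."""
    policy = first_matching_policy(policies, attempt)
    if policy is None:
        return False, "no remote access policy matched the conditions"
    # Step 3: Deny on the user object wins regardless of any policy.
    if dial_in == DENY:
        return False, "user dial-in permission is Deny access"
    # Step 6: only Control-through-policy consults the policy's grant/deny;
    # Allow access (step 4) goes straight to the profile check.
    if dial_in == VIA_POLICY and not policy.grant:
        return False, f"policy '{policy.name}' denies remote access permission"
    # Step 5: profile constraints; on failure RRAS does not try later policies.
    if not policy.profile(attempt):
        return False, f"profile constraints of '{policy.name}' not met"
    return True, f"granted by '{policy.name}'"


# --- Constructed sample: the Temps / Everyone ordering from the text ---------
def in_group(name: str) -> Predicate:
    return lambda a: name in a.groups        # the Windows-Groups condition


def business_hours(a: Attempt) -> bool:
    return 9 <= a.hour < 17                  # Dial-in Constraints day/time restriction


TEMPS_POLICY = RemotePolicy("Temps 9-to-5", [in_group("Temps")],
                            grant=True, profile=business_hours)
EVERYONE_POLICY = RemotePolicy("Everyone any time", [in_group("Everyone")], grant=True)
# The default policy: a 24x7 day-and-time condition that everyone matches, set to deny.
DEFAULT_POLICY = RemotePolicy("Default (24x7, deny)", [lambda a: True], grant=False)

TEMPS_FIRST = [TEMPS_POLICY, EVERYONE_POLICY]      # the order the text recommends
EVERYONE_FIRST = [EVERYONE_POLICY, TEMPS_POLICY]   # the mistake the text warns about

TEMP_AT_NIGHT = Attempt("tjones", frozenset({"Temps", "Everyone"}), hour=22)
STAFF_AT_NIGHT = Attempt("asmith", frozenset({"Everyone"}), hour=22)

if __name__ == "__main__":
    for order, label in ((TEMPS_FIRST, "Temps first"), (EVERYONE_FIRST, "Everyone first")):
        print(label, "->", evaluate(VIA_POLICY, order, TEMP_AT_NIGHT))
```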
The procedure for creating a custom remote access policy is fairly straightforward,
whether you are using the RRAS console or the IAS console. Here are the steps for a
Windows 2000 server (slight variations may exist between RRAS and IAS scenarios):
1. Open the RRAS or IAS management console.
2. Expand the nodes in the tree pane until you see the node labeled Remote
Access Policies.
3. Right-click that node, and choose New Remote Access Policy.
4. Specify a friendly name for the policy, such as Temporary Employees.
5. Click the Add button to add a condition for the policy.
6. Choose an attribute from the list that appears (see Figure 136).
The default behavior is for registry-based policies, security policies, and (in Windows
2003 Server) wireless and software restriction policies to apply over slow connections, but
for other types of policies not to apply over such connections. You have nearly complete
control over how you want to balance speed versus functionality when Windows applies
Group Policy over slow links.
Note
The thing to remember here is that Windows determines whether a connection is slow or
not completely independently from the physical connection type. A dial-up link could be
fast and a LAN link could be slow in specific circumstances.
The technique is first to enable the policy, then either check or leave unchecked the
option that says Allow processing across a slow network connection, as you see fit.
Helpful Hint
Part of the IntelliMirror strategy is to allow users to work on network-based files even
when those users are not connected to the network. That is the idea behind offline files
and folders, an area of special interest to remote and laptop users.
Files and folders that have been set for working offline seem to the user to be
in the same location at all times, whether the user is connected to the network
or not.
If a user has been working offline, the synchronization manager uploads any
modified files to the server when the user reconnects.
Group Policy can be used to control the behavior of the offline files and folders feature.
You will find settings in both the Computer Configuration node and the User Configuration
node, but many are duplicated (see Figure 139).
The location for this feature is:
Computer Configuration/Administrative Templates/Network/Offline Files
At logoff, delete local copy of user's offline files: Risky, considering that the offline files are not synchronized before they are deleted. Take care before implementing this setting.

Encrypt the Offline Files cache: Use this setting to increase security on the workstation; however, be aware that there is no mechanism for the user to decrypt the files if this policy is enabled.

Prohibit 'Make Available Offline' for these files and folders: Removes the ability of the user to manually cache files and folders in the list, but has no effect on automatic caching.

Configure slow link speed: When a connection is considered slow, Offline Files will not automatically reconnect to a server when the presence of a server is detected. The value to enter is bps divided by 100.
Figure 140: Settings for Offline Files
Knowledge Check
Section Review
1. Name two ways in which remote access policies are similar to Group Policy, and two
ways in which they are different.
2. What are the three conditions that must be satisfied for a user to gain access to a dial-in
server running RRAS?
3. In a domain environment, what must be true about the domain for Control access
through Remote Access Policy to be an available choice in Active Directory Users and
Computers?
6. Name two types of policies that will process over a slow link by default.
8. Can you set a separate slow link threshold for Offline Files and folders?
Acronyms
The following acronyms are used in this section:
Assigning and Publishing Software
Packages
Section Topics
What Is an MSI Package?
MSI Package Architecture
Group Policy as a Software Deployment Method
Assigning Software
Publishing Software to Users
Upgrading Packages
Removing Packages
Using WinInstall to Create MSI Packages
Setting up Distribution Points
SMS and RIS
Using the Software Update Service
Knowledge Guide
Section Objectives
Section Overview
Microsoft has done a nice job extending the Group Policy concept to include software
distribution. Deploying software has become more and more of an administrative chore as
the frequency of new applications, patches, and upgrades has increased. For many
organizations, the expense of a more sophisticated (and expensive) program like Systems
Management Server has been the only alternative to a lot of manual work. The software
distribution features of Group Policy strike a balance that will work well for many
organizations.
Elements of a Solution
An ideal software distribution method would exhibit the following features:
Hide the complexity of installation from end users
Correctly perform all the various operations necessary (registry, files, icons,
DLLs, etc.)
Present a consistent user interface for both users and administrators
Offer the ability for installations to be scripted and managed centrally
Provide for the subsequent removal of the application
Provide for convenient repair of damaged installations
These were the goals that Microsoft had in mind when it produced the specification for the
MSI package.
The MSI (Microsoft Software Installer) file format is used (and required) by the Windows
Installer service (see Figure 141), a system service that handles the following aspects of
applications and certain Windows components:
Installation (including rollback if aborted)
Modification (including updating)
Repair
Removal
(Version 1.1 of the service, which ships with Windows 2000, deals with 32-bit software,
while version 2 can handle 64-bit software.)
Note that the command-line executable is msiexec.exe. You can invoke the Windows
Installer from the command line to install MSI packages with the /I qualifier, for example:
msiexec /i myapp.msi
Additional information on command-line qualifiers for Windows Installer appears below:
/i: Install
/a: Administrative install
/f: Fix (repair), with the following additional qualifiers:
- p: Reinstalls only if file is missing
- o: Reinstalls if file is missing or if an older version is installed
- e: Reinstalls if file is missing or an equal or older version is installed
- d: Reinstalls if file is missing or a different version is installed
- c: Reinstalls if file is missing or the stored checksum does not match the
calculated value
- a: Forces all files to be reinstalled
- u: Rewrites all required user-specific registry entries
- m: Rewrites all required computer-specific registry entries
- s: Overwrites all existing shortcuts
- v: Runs from source and recaches the local package
/x: Remove (uninstall)
/ju: Advertise the package to the current user
/jm: Advertise the package to the current machine
/p: Apply a patch
Helpful Hint
Elements of a Package
While not all MSI packages contain every category listed in Figure 142, these are the
possibilities.
When you are deploying an MSI-packaged application, the MSI file should reside in a
shared folder on a network server. If the MSI file lives in a nonshared folder, the
deployment will not work, because users will not have access to the source MSI file.
After you have created a transform, you can associate it with an application that you are
publishing or assigning by right-clicking the application in the Software Settings node
of the Group Policy console, choosing Properties, and clicking the Modifications tab
(see Figure 143). You can assign more than one transform to a given application
package.
If you need to modify a transform later, remove it from the Modifications tab, then re-add
the modified MST file.
If you use Group Policy for software deployment, you have three main options for a given
application:
Assign the application to computers (Computer Configuration, Software Settings)
Assign the application to users (User Configuration, Software Settings)
Publish the application to users (User Configuration, Software Settings)
The difference between assigning and publishing is not immediately obvious. In
Microspeak, assigning generally means that users are going to get this program, and
publishing means that the program appears on the Add/Remove Programs list so users can
get it if and when they want.
Assigning Software
Assigning software via Group Policy is the best option when you really want users to have
the software, and when you may even want to force it on them, for example as part of a
plan to ensure a minimum level of security or user-interface consistency. Most essential
software (for example, antivirus) would be assigned rather than published.
Assigning software does the following:
The software appears on the Start menu following activation of the policy.
You can specify that the application will be installed automatically, for
example at the next startup (if assigning to computers) or next logon (if
assigning to users).
If a user removes the application via the Add/Remove Programs wizard, the
application will again appear on the Start menu at the next reboot.
If you choose to assign software, you can follow one of three scenarios:
Assign the software to computers: This forces the install at the next reboot
and makes the software available to all users of the PC.
Assign the software to users: This forces the install at the next logon if the
user is in the Active Directory structure (for example, OU) to which the policy
applies.
Assign the software to users, but on demand: Install occurs on a per-user
basis but only when the user selects the program via the Start menu or a
desktop shortcut. Frankly, this is not a whole lot different from publishing.
5. If a policy already exists, click Edit; otherwise, create one and then click Edit.
6. Display the Computer Configuration, Software Settings node.
7. Right-click that node and choose New, Package (see Figure 144).
8. Navigate through a network path (that is, go through My Network Places) to
the MSI package location specified in step 1, and choose the MSI package.
9. In the Deploy Software dialog box, choose Assigned (or Advanced published
or assigned if you want to specify a transform in addition to the MSI package).
10. The entry is created in the console. Right-click it and choose Properties to
configure additional options, for example, on the Deployment tab. (The
checkbox Uninstall this application when it falls out of the scope of
management simply means that if the computer account is moved to an OU
where the policy no longer applies, Windows should uninstall the program
rather than leave it on the user machine.)
After you have assigned an application to computers, the next time computers under the
scope of this policy restart, the user will see a succession of informational messages, such
as the following, at boot time:
Applying computer settings
Applying software installation settings
Installing managed software name of program
Note
Assigning a large new application for an entire domain can bring a network to its knees when all those machines boot up on Monday morning. If you are selecting the automatic installation option, it is a good idea to leverage the power of Group Policy so that this does not happen. For example, if you have a number of OUs defined within your domain, consider creating GPOs for those OUs and assigning the software one OU at a time. You could do likewise with sites, depending on their size.
Think of this third option, which is the default behavior for assigning applications to users
(and the only way you can assign an application to users in Windows 2000 Server), as the
most polite way of assigning software. This method puts a link on the Start menu or the
desktop (or both).
Important Terms
The act of putting an application shortcut on the Start menu or the desktop, or putting an
entry for it in Add/Remove Programs, is referred to as advertising the application.
When a user chooses a program entry on the Start menu, or double-clicks its icon on the
desktop, the application will install at that time.
Assigning software to users on demand is actually very similar to publishing an
application. About the only significant difference is that the program shows up on the
Start menu, and possibly a desktop shortcut, whereas when you publish an application, it
merely shows up on the Add/Remove Programs list.
This method of software deployment is less likely to overburden your network than
assigning an application to computers, because the user must take an action to initiate the
actual installation and all users are not likely to do so at the same moment.
Note
In Windows 2003 Server, when you assign software in the User Configuration half of the Group Policy console, you assign it on demand simply by not checking the Install this application at logon box.
Note
Group Policy does not provide the option to publish software to computers, although you
can assign software to computers.
The procedure for publishing is analogous to the procedure for assigning, with the
exception that you would choose Published or Advanced published or assigned.
If you choose the Auto-install this application by file extension activation box, then the
user can also initiate installation by double-clicking a file whose suffix has a file type
association with the advertised application.
Real-World Application
If a computer belongs to a domain, but a user usually logs on to that computer as the local
administrator, what type of Group Policy deployment would you choose to ensure that the
user gets an application as soon as possible?
Wise and InstallShield both offer fully-featured tools for creating MSI packages from
scratch. You can also use Microsoft Visual Studio Installer to create MSI packages, or
Veritas Install Exec for MSI. You can tell which tool was used to create a given MSI file
by checking its property sheet and referring to the Origin Application on the Summary
tab (see Figure 150).
Windows 2000 came with a scaled-down version of an application called WinInstall. The
name of the provided product is actually WinInstall LE (the LE stands for Limited
Edition) and the vendor is Veritas (formerly Seagate Software).
With some exceptions and caveats, you can use WinInstall LE to create an MSI package
from a program that did not originally come packaged that way.
WinInstall LE does not run on Windows XP, although the MSI packages it creates can
install on Windows XP client machines.
Install WinInstall LE from the Windows 2000 Professional CD. The MSI file
swiadmle.msi is located in \Valueadd\3rdparty\Mgmt\Winstle.
You must copy the swiadmle.msi file from the CD to the local hard drive of a Windows
2000 Professional PC and then clear its read-only check box in order to install it. This
program will not install from CD.
You can use WinInstall LE to build an MSI file, but before you do so, it may be wise to
open some existing MSI files to get a feel for how they are constructed. The figure below
shows the internal implementation of adminpak.msi, a package that includes various
server administrator tools that can run on a Windows 2000 or Windows XP workstation.
Repackaging an Application
What if you do not have access to the setup logic of a given application, and you have not
been successful in obtaining it? All is not lost. You may consider using a tool (such as
WinInstall Discover module) that can take a snapshot of a PC just before installing the
application, another snapshot just afterwards, and calculate what changed (the delta,
after the Greek letter used in mathematics to mean a difference or change). The tool can
then figure out what needs to go into the MSI package based on the succession of deltas it
recorded in the file system and registry.
Note
When you produce an MSI file by using a tool to take snapshots, figure the deltas, and build the MSI package by inference, you are said to be repackaging the application, as distinct from authoring or building it. Some of the characteristics of repackaging are:
Repackaging is less than completely reliable, so set your expectations accordingly.
Repackaging works better for simpler applications.
You can often improve upon a repackaging session by manually editing the MSI package, using repackaging to get you most of the way there.
Improve your odds for success by performing snapshots on a clean PC with no other applications on it.
Microsoft will not support any applications that you repackage.
You cannot use transforms on repackaged applications.
If you do make this mistake, despite the warning, you will get a clue on the workstation
when you check the Application log of the event viewer after the next reboot or logon,
depending on whether you are deploying to computers or users (see Figure 154).
Also, make sure that the network path you specify is shared with appropriate share and
NTFS permissions for the intended target community.
Dfs Shares
Dfs (Distributed File System) is a mechanism for presenting a folder hierarchy in a logical
structure that differs from the underlying physical structure. You can choose to set up Dfs
for structural replication or structural-plus-data replication. Dfs is well suited for read-
only files such as MSI packages.
Under Dfs, you can define a single root share that contains subfolders pointing to shares
on different servers. (As Microsoft puts it, Dfs does for the network what a file system
does for a hard drive.) Folder A can reside on server A, and folder B on server B.
However, with Dfs, you can create a network share that contains both folder A and
folder B. Users do not have to know that the two folders are on different physical
machines.
In an Active Directory environment, the Dfs structure can be created to be Active
Directory-integrated, so that all domain controllers know about the structure. That
increases performance and reliability versus having a single, standalone Dfs server on the
network.
How does this fit in with Group Policy and software deployment? You can tell Dfs that
there is more than one read-only copy of folder A on the network: one on server A, and
also one on server 1. That way, if a user tries to access folder A through Dfs, and server A
is down, Dfs knows to point the user to the replicated read-only copy of folder A on server
1, which is not down. You accomplish this by telling Dfs that a specific target in its
namespace has more than one volume associated with it.
Setting up a Dfs share with multiple targets is one way of creating multiple distribution
points and ensuring that no single server becomes overtaxed by servicing policy-based
installation requests. It also adds a measure of fault-tolerance to your software deployment
architecture. On top of that, it can convey some performance benefits. For example, three
options exist for targets when using Dfs:
Default behavior: Use a server in the same site if possible; otherwise, use a
random server.
Enforced same-site behavior: Use a server in the same site; otherwise, deny
the installation.
Least-cost behavior: Use a server in the same site; otherwise, use the server
whose path has the least cost, as defined in Active Directory Sites and
Services.
Details about Dfs are well documented by Microsoft. For more on Dfs, see Designing
and Deploying File Servers, in the Planning Server Deployments book of the Windows
Server 2003 Resource Kit.
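The three target behaviors above, worked through as an added example (this is an illustration written for this section, not Microsoft's Dfs code). The server names, sites and site-link costs are constructed; the mode names are mine; and inter-site cost is computed over bridged site links, which is an assumption about the topology.

```python
"""Dfs referral target selection: an added illustration of the three target
behaviours described above, not Microsoft's Dfs implementation.  A Dfs link
can have several targets (replicated read-only copies of the same folder on
different servers); which one a client is referred to depends on the configured
behaviour and on which targets are reachable."""
import heapq
import random

# Constructed sample: three targets for one Dfs link and the AD site of each server.
TARGETS = {
    r"\\serverA\msi": "Boston",
    r"\\server1\msi": "Chicago",
    r"\\server2\msi": "Chicago",
}

# Constructed site-link costs as defined in AD Sites and Services (lower is
# cheaper).  Links are assumed to be bridged, so multi-hop paths are allowed.
SITE_LINK_COST = {
    frozenset({"Boston", "Chicago"}): 100,
    frozenset({"Chicago", "Denver"}): 50,
    frozenset({"Boston", "Denver"}): 300,
}


def site_path_cost(src, dst):
    """Cheapest cumulative site-link cost from src to dst (Dijkstra over the links)."""
    best = {src: 0}
    frontier = [(0, src)]
    while frontier:
        cost, site = heapq.heappop(frontier)
        if site == dst:
            return cost
        if cost > best[site]:
            continue                      # stale heap entry
        for link, link_cost in SITE_LINK_COST.items():
            if site not in link:
                continue
            (nxt,) = tuple(link - {site})
            if cost + link_cost < best.get(nxt, float("inf")):
                best[nxt] = cost + link_cost
                heapq.heappush(frontier, (cost + link_cost, nxt))
    return float("inf")                   # the sites are not connected


def select_target(client_site, mode, targets=TARGETS, available=None, rng=None):
    """Return the target a client in client_site is referred to, or None.

    mode "default":    same site if possible, otherwise any reachable target at random
    mode "same-site":  same site only, otherwise refuse the referral
    mode "least-cost": same site if possible, otherwise the cheapest site-link path
    available: set of target paths that are currently up (None means all are up)
    """
    rng = rng or random.Random()
    live = [t for t in targets if available is None or t in available]
    if not live:
        return None                       # every replica is down
    same_site = [t for t in live if targets[t] == client_site]
    if same_site:
        return rng.choice(same_site)
    if mode == "default":
        return rng.choice(live)
    if mode == "same-site":
        return None
    if mode == "least-cost":
        # ties are broken on the path name so the choice is deterministic
        return min(live, key=lambda t: (site_path_cost(client_site, targets[t]), t))
    raise ValueError(f"unknown referral mode {mode!r}")


if __name__ == "__main__":
    for mode in ("default", "same-site", "least-cost"):
        print(f"{mode:11s} Denver client ->", select_target("Denver", mode))
```

A client in Denver has no local replica, so the outcome differs by mode: same-site refuses the install, least-cost goes to Chicago (cost 50) rather than Boston (150 via Chicago, 300 direct), and default picks any live replica. Passing an explicit `available` set shows the fault-tolerance point: when the preferred replica is down the referral silently moves to the next one.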
Coexistence
There is no reason that a given organization cannot use both SMS and Group Policy at the
same time. For example, some parts of an organization may be using Active Directory
while others have not yet migrated to Active Directory. Individual divisions, departments,
or branches may be responsible for their own IT infrastructure and may make different
decisions.
Server Setup
Figure 155: Server Setup: The SUS Installer with a Client Configuration Reminder
You can download the SUS server software from the following URL:
www.microsoft.com/windows/reskits/webresources
Figure 156: Server Setup: Completion of Installation with a Note on the Administration Page
After the software is downloaded, you will see a new entry in the Administrative Tools
folder, Software Update Services. Click this, and then choose Set Options, to perform
the following configuration tasks:
Make proxy server settings.
Specify the name of the SUS server (either NetBIOS or DNS).
Select the server to receive updates from (for example, the Microsoft public
Windows Update site). One SUS server can point to another SUS server for its
updates.
Choose the folder where you want to save the retrieved updates.
Specify the locales (languages) you want to support (the more you choose, the
more space your SUS server will need).
Decide whether new versions of updates you have already approved and tested should
be approved for deployment automatically (not recommended).
Figure 157: Server Setup: The SUS Administration Screen in a Browser Interface
You can perform certain administrative tasks from any PC with Internet Explorer by
connecting to the following URL:
http://servername/SUSAdmin
where servername is the name of the SUS server.
Client Setup
After you have set up the server, you may (depending on the client OS) need to distribute
the update to Automatic Updates. The file of interest is wuau22.msi and it may be
deployed via Group Policy in the usual way (assigned, published, etc.).
Next, you must configure the behavior of the Automatic Updates client. Here is the
procedure for doing so via Group Policy (it is assumed that the ADM template wuau.adm
is present and loaded):
1. Create a new GPO or edit an existing GPO, as desired.
2. Expand Computer Configuration, Administrative Templates, and
Windows Components. Then click Windows Update.
3. On the Windows Update template, click Configure Automatic Updates.
4. Choose one of the following options:
Notify for download and notify for install: This option notifies a
logged-on administrative user prior to the download and prior to the
installation of the updates.
Auto download and notify for install: This option automatically begins
downloading updates and then notifies a logged-on administrative user
prior to installing the updates.
Auto download and schedule the install: Typically, if Automatic
Updates is configured to perform a scheduled installation, the recurring
scheduled installation day and time are also set.
5. The next step is to tell the Windows Update client where to look for its patches.
Click Specify Windows Update Server and type the name of your SUS
server.
You may want additional details about SUS if and when you implement it in your
environment. For example, the configuration of a multi-tiered SUS server hierarchy can
be somewhat complex and beyond the scope of this course. Visit www.microsoft.com and
search SUS for more information about this service.
Knowledge Check
Section Review
2. List two scenarios in which Group Policy-based software deployment would not meet the
needs of an organization.
3. What practical issue should you consider before assigning an application to all the
computers in a given domain?
4. How could the Distributed File System improve the performance of a policy-based
deployment architecture?
5. In general, if your organization uses RIS, how would you divide up the labor of software
deployment between RIS and Group Policy? That is, what would you use RIS for, and
what would you use Group Policy for?
Acronyms
The following acronyms are used in this section:
Creating and Deploying ADM
Templates
Section Topics
Overview of ADM Templates
Standard ADM Templates
Registry Structure Used by ADM Templates
ADM Template Syntax
Creating Custom ADM Templates
Loading Additional ADM Templates
Using the Policy Template Editor
Knowledge Guide
Section Objectives
Section Overview
One of the most important functions of Group Policy is to modify the registry, and
registry-based policy is implemented via something called administrative templates.
These templates are really nothing more than specially formatted text files. This section
explains the logic behind administrative templates, when to use them, and even the basics
of how to write them.
The answer to this apparent contradiction may help you understand the way the Group
Policy console is organized. In a nutshell:
The Administrative Templates node contains settings that may be
implemented solely through the registry and that are specified by files having
the extension .adm. Microsoft calls these settings registry-based policy.
The other nodes, Software Settings and Windows Settings, contain settings
that are likely to involve files outside the registry (such as scripts, software
packages, etc.) and these settings are not specified by *.adm files.
Note
So do not worry too much if you see settings in different console nodes that appear to belong together thematically, but do not. The fact is that, for example, settings related to security appear both under Administrative Templates and Windows Settings.
What is included in the ADM files? Put simply, each ADM file is a Unicode text file that
contains the following information:
A list of related Group Policy settings
Where those settings should appear in the MMC
It may seem complicated that Microsoft chose to implement such a big chunk of the
Group Policy console via ADM files. What could they have been thinking? Why not
hardwire all the settings into a monolithic database that would serve as the foundation for
every Group Policy console?
The main reason is extensibility. The Group Policy console is extensible through the
mechanism of ADM files. If your organization buys a new application program for
deployment to your user community, assuming that the application developers saw fit to
create an ADM file for you, you may be able to centrally manage features of that
application within the Group Policy console. That has benefits for:
Application users: For example, say Acme Cognac, Inc. deploys Microsoft
Office 2000. However, a number of users have laptops that still run Office 97.
To ensure compatibility when users exchange documents, Acme installs the
Word 2000 ADM template into the Group Policy console. Now, it is possible to
specify that Word 2000 users will automatically save their documents in Word
97 format, by default.
Operating system users: Of course, the extensibility feature is handy for the
operating system, too. When Windows 2003 Server was released, Microsoft
did not have to redo completely the existing Group Policy structure; instead, it
created some new templates (ADM files) that could feed the old Group Policy
console information about the new settings available in Windows 2003 Server.
Software developers: If you are a software developer, the ADM file
methodology gives you a structured, predefined way of giving your customers
the ability to manage software settings centrally, through a console that they
are already using to manage the Active Directory environment.
The standard ADM templates vary according to the version of Windows you install.
Windows XP
The following standard templates are installed into the Group
Policy console by default:
System.adm: core settings
Inetres.adm: Internet Explorer settings
Wmplayer.adm: Media Player settings, versions 8
and 9
The following standard templates are not installed into the
console by default:
Conf.adm: NetMeeting settings
If you install Windows XP Service Pack 1, you will have the
following ADM file:
Wuau.adm: Service Pack 1; Windows Update
Automatic Update
Note that Microsoft recommends that all Active Directory
administrators be running Windows XP with the updated
ADM files. If you run Windows XP and administer a GPO that
has an outdated ADM file, your computer will automatically
update the ADM file, or files, of the GPO as long as the new
files are resident in the server. Therefore, if you have Windows
2000 Server, you should manually update the ADM files in the
Windows 2000 Server Inf folder by copying them up from a
Windows XP box and then using the Add/Remove Template
command to remove the old and add the new.
Poledit Templates
The standard ADM files for use with Poledit, the System Policy Editor, in Windows
NT 4 are:
Common.adm: settings common to Windows NT and Windows 95 or
Windows 98
Winnt.adm: Windows NT policy settings
The standard ADM file for use with System Policy Editor in Windows 95 is:
Windows.adm
Caution
Microsoft does not recommend using Windows NT 4-, Windows 95-, or Windows 98-style
ADM files with Windows 2000, Windows XP, or Windows 2003 Server.
If you do use these older templates, or if you create your own custom ADM files that make
registry settings outside the four approved registry keys for Group Policy, the default
MMC behavior is for them not to appear. You can force them to show up with the
procedures described below.
Windows 2000
1. Select the Administrative Templates node that you wish to modify.
2. Right-click and choose View to display the cascading menu.
3. Clear the Show Policies Only setting by selecting it.
Windows XP
1. Select the Administrative Templates node that you wish to modify.
2. Right-click and choose View to display the cascading menu.
3. Choose Filtering.
4. Clear the Only show policy settings that can be fully managed checkbox.
If you force Windows NT 4-style policies to appear in the console, they will appear with red
icons. Windows 2000 and later Group Policy settings will appear with blue icons.
Access
Default database folder
Trust all installed add-ins and templates
Path to shared Workgroup information file for secured MDB files
List of error messages to customize
Disable command bar buttons and menu items (many choices here)
Disable shortcut keys
Do not prompt to convert older databases
Custom Answer Wizard database path
Excel
Startup Task Pane
Show Formula bar in Normal View
Show Status bar in Normal View
Show Formula bar in Full View
Show Status bar in Full View
Recently used file list
Windows in Taskbar
Zoom on roll with IntelliMouse
Comments
Font
Default file location
Save Excel files as (various options)
Save AutoRecover info
AutoRecover time
AutoRecover save location
Customizable error messages
Disable command bar buttons and menu items (many choices)
Enable AutoComplete for cell values
Extend list formats and formulas
Enable automatic percent entry
Show Insert Options buttons
R1C1 reference style
Function tooltips
Edit directly in cell
Allow cell drag and drop
Alert before overwriting cells
Move selection after Enter
Fixed decimal to 2 places
Cut, copy, and sort objects with cells
Ask to update automatic links
Provide feedback with Animation
Office
Disable VBA for Office applications
Always show full menus
Large icons
Show ScreenTips on toolbars
Menu animations
Smart Tags
Correct TWo INitial Capitals
Correct accidental use of cAPS LOCK key
Update links on save
Target monitor (various sizes)
Make sounds
Display menus and dialog boxes in (language)
Collaboration Settings
Corporate Error Reporting
Do not track document editing time
Do not emulate tabs with spaces when exporting
HTML
Disable web view in the Office file dialogs
Word
Status bar
Horizontal scroll bar
Picture placeholders
Field shading
Formatting marks (for example, paragraph marks, spaces, etc.)
White space between pages (Print view only)
Wrap to window
Draft font
Rely on CSS for font formatting
Blue background, white text
Provide feedback with animation
Confirm conversion at Open
Help for WordPerfect users
Navigation keys for WordPerfect users
Measurement units
Disable features not supported by specified browsers
Disable command bar buttons and menu items (many)
Adjust sentence and word spacing automatically
Adjust formatting when pasting from Microsoft Excel
Drag-and-drop text editing
Picture editor
When selecting, automatically select entire word
Background printing
Options for Duplex Printing
Always create backup copy
Allow fast saves
Save Word files as (many format options)
Check spelling as you type
Check grammar as you type
File Locations (various)
AutoFormat as you type (various suboptions)
Trust all installed add-ins and templates
List of error messages to customize
Helpful Hint
You can cause preferences to display in the Group Policy console, as explained in Poledit
Templates.
ADM files use a limited number of predefined keywords for structure and function
(see Figure 162). Following is a summary of these keywords and the syntax that
accompanies them.
Helpful Hint
ADM files are Unicode text files. If you use Notepad, be sure to save the files in
Unicode format, otherwise the double-quotes that show up in your ADM file will
also show up in your MMC.
Also make sure you save your files with the .adm extension (not .adm.txt, that is).
You can put the file name in quotation marks to be sure Notepad does not append
.txt to the file name.
CLASS
The value for the CLASS entry can be either MACHINE or USER, depending on which
half of the policy console the setting should apply to. This value also defines whether the
affected registry entries should appear in HKEY_LOCAL_MACHINE or
HKEY_CURRENT_USER.
Example:
CLASS MACHINE
You can have both CLASS MACHINE and CLASS USER statements in a
single ADM file. The settings that appear underneath each statement will apply
to the specified console node.
(This data type was also used in Windows NT 4 system policy ADM files.)
CATEGORY
The value for the CATEGORY entry is typically a metastring beginning with two
exclamation marks. The metastring refers to an actual string of text that appears later in
the ADM file, under the STRINGS entry.
Helpful Hint
Using metastrings makes it easier to change your strings later on, because the actual
strings are all grouped together in one place. It also makes it easier to translate your
ADM file to a different language. However, they are not mandatory. Wherever you use
metastring notation, you may also use the direct literal string, preferably enclosed by
double quotation marks.
The string is what console users will see under the Administrative Templates node in the
tree pane of the Group Policy console. It acts as a container for individual policy settings.
Example:
CATEGORY !!StartMenu
  KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
  POLICY !!NoStartMenuSubFolders
    EXPLAIN !!NoStartMenuSubFolders_Help
    VALUENAME "NoStartMenuSubFolders"
  END POLICY
  POLICY !!NoWindowsUpdate
    EXPLAIN !!NoWindowsUpdate_Help
    VALUENAME "NoWindowsUpdate"
  END POLICY
END CATEGORY ; Start Menu
You can have multiple categories in a single ADM file. The settings that appear
underneath each CATEGORY statement will appear inside that category
container.
You can have nested categories as well. For example, Active Desktop is a
subcategory under the Desktop category.
At the end of each CATEGORY section, include an END CATEGORY line.
POLICY
The value for the POLICY entry is a metastring beginning with two exclamation marks.
The metastring refers to an actual string of text that appears later in the ADM file, under
the STRINGS entry.
The string is what console users will see under the Category node under the
Administrative Templates node in the tree pane of the Group Policy console. It
names an individual policy setting.
Underneath the POLICY line typically appears an entry for VALUENAME, although
other entries that can appear include EXPLAIN, KEYNAME, ITEMLIST, and PART.
Example:
POLICY !!NoWindowsUpdate
EXPLAIN !!NoWindowsUpdate_Help
VALUENAME "NoWindowsUpdate"
END POLICY
At the end of each POLICY section, include an END POLICY line.
KEYNAME
The KEYNAME specifies the registry key (relative to the hive selected by CLASS: HKEY_LOCAL_MACHINE for CLASS MACHINE, HKEY_CURRENT_USER for CLASS USER) that contains one or more values to be modified by the policy. Typically, KEYNAME uses a literal string rather than a metastring.
Example:
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
Note
The KEYNAME stays in effect for subsequent child policies until explicitly overridden by a separate KEYNAME entry.
Keys under Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies are the true policy locations: the Group Policy engine clears values there when the GPO no longer applies. A KEYNAME anywhere else makes the setting a preference; the editor hides it by default, and the value is left behind ("tattooed") in the registry when the policy is removed.
(This data type was also used in Windows NT 4 system policy ADM files.)
VALUENAME
The VALUENAME item inside of a POLICY item is the name of the registry value to be modified. (The precise location of the value is specified by KEYNAME.) Typically, VALUENAME uses a literal string rather than a metastring.
Example:
    VALUENAME "NoWindowsUpdate"
When a POLICY has a VALUENAME but no VALUEON/VALUEOFF entries, enabling the policy writes a REG_DWORD value of 1 and disabling it removes the value. When you do supply VALUEON or VALUEOFF (or a DEFAULT for a part), a quoted literal is written as REG_SZ (a single string) unless it is prefixed with the NUMERIC designator, which writes a REG_DWORD. An EDITTEXT part writes REG_SZ (REG_EXPAND_SZ if the part carries the EXPANDABLETEXT keyword), and a NUMERIC part writes REG_DWORD.
(This data type was also used in Windows NT 4 system policy ADM files.)
PART
A policy part is a component of a policy in a particular input format. The major parts
include the following:
CHECKBOX
COMBOBOX
DROPDOWNLIST
EDITTEXT
LISTBOX
NUMERIC
Each of these PART types has specific associated keywords that amplify or detail its
function. Here are a few examples:
With CHECKBOX:
Use VALUEON to change the ON entry of the registry value to be other than
1, the default.
Use VALUEOFF to change the OFF entry of the registry value to be other
than 0, the default.
With EDITTEXT:
You can use DEFAULT to specify a string or metastring with which to
prepopulate the edit dialog box, which is helpful to the administrator by
showing an example of correct notation.
You can use MAXLEN to specify the maximum length of the string to be
entered or edited.
With NUMERIC:
Use MIN, MAX, and DEFAULT to specify those three values.
Use REQUIRED to tell the console not to add the policy unless the value is
specified.
Helpful Hint
For details about the keywords associated with all the various PART types in ADM
templates, visit msdn.microsoft.com and specify part types in the search box.
EXPLAIN
New for Windows 2000, the EXPLAIN keyword allows the ADM template author to
define some explanatory help text for the policy setting. It is strongly recommended that
you take advantage of this feature so that other network administrators will know the
following:
Exactly what your policy change does
When to use it
When not to use it
Which other policy settings, if any, are related to or interdependent with this one
Example:
POLICY !!NoWindowsUpdate
EXPLAIN !!NoWindowsUpdate_Help
VALUENAME "NoWindowsUpdate"
END POLICY
SUPPORTED
New in Windows XP, the SUPPORTED keyword displays the minimum version of Windows that the subject policy works under. The SUPPORTED keyword has no meaning to the Windows 2000 console, so it is always wrapped in an #if...#endif structure that limits its processing to the Windows XP version of the console (version 4).
Example:
    #if version >= 4
        SUPPORTED !!Supported_in_Win2000
    #endif
STRINGS
Rather than bog down the main body of the ADM file with lengthy strings (the EXPLAIN
strings can run into several paragraphs), the ADM file uses metastrings (with a leading
double exclamation point) to refer to a STRINGS section that you typically find at the end
of an ADM template.
The STRINGS section is really a lookup table that matches up the concise metastrings
with the verbose actual strings. The string name appears, followed by an equals sign, then
the literal string in double quotation marks. (The quotation marks are really only
mandatory if the string contains spaces; however, it is good programming practice to use
them.)
Example:
NoWindowsUpdate_Help="Prevents users from connecting to the Windows
Update Web site.\n\nThis policy blocks user access to the Windows
Update Web site at http://windowsupdate.microsoft.com. Also, the
policy removes the Windows Update hyperlink from the Start Menu and
from the Tools menu in Internet Explorer.\n\nWindows Update, the
online extension of Windows, offers software updates to keep a
user's system up-to-date. The Windows Update Product Catalog
determines any system files, security fixes, and Microsoft updates
that users need and shows the newest versions available for
download.\n\nAlso, see the "Hide the "Add programs from Microsoft"
option" policy."
Notice the use of \n\n in the above example to create a paragraph break.
When you have multiple metastrings, list them in alphabetical order. This is not required,
but is simply good programming practice.
Programming Tips
Helpful Hint
Document your custom ADM files. Use the semicolon character (;) at the start of a line to
indicate a comment. Other people are likely to read your files and edit them for their own
purposes. It is good programming practice to make that as convenient as possible.
Prevent Windows NT systems from accidentally loading your Windows 2000, Windows
2003, or Windows XP ADM files by including a section beginning with #if version <= 2 and
ending with #endif that merely displays explanatory text advising the administrator that this
policy file requires Windows 2000 (or another OS). Version 2 signifies the Windows NT
policy editor, version 3 signifies the Windows 2000 console, and version 4 signifies the
Windows XP console.
A Simple Example
Here is an example of a custom ADM template that contains a single policy entry: the SourcePath value in the registry that indicates where Windows 2000 was originally installed from. You may want to be able to modify this value from time to time, for example if the distribution server that was used to install client operating systems is renamed. Windows 2000 and Windows XP keep using the SourcePath value after installation, for example when:
You install a device driver that is not contained in driver.cab.
Windows File Protection needs to reinstall an operating system file that is in neither dllcache nor driver.cab.
The registry value of interest here is:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\SourcePath (REG_SZ)
As the value is a string, you need to create an ADM file that lets the administrator enter whatever path contains the Windows source files (for example, \\Dist_Srv\Winxp).
Because Windows File Protection restores system files from whatever share this value names, whoever can write to that share can supply the binaries that end up in System32 on every client. Restrict write access on the distribution share to the people who maintain it, and treat a change to this value in the policy as you would a change to a trusted software source.
Note
Normally, you would not create an ADM file that contains only one entry. This is just an
example.
The first part of the ADM file will refer to the half of the console (and registry) that this setting applies to, namely, the machine:
    CLASS MACHINE
Say we want the entry to appear in a category of our own, directly under the Administrative Templates node. (Placing it inside an existing node such as System would require a CATEGORY whose display string matches that node's name exactly, since categories with the same name are merged.) The category is a metastring referring to the literal string Acme System Settings, as follows:
    CATEGORY !!Administrative
Now we have to give the policy itself a metastring name:
    POLICY !!SetupSourcePath
Next, we specify the registry key to be modified, as follows:
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Setup"
And then the value to edit:
    PART !!SourcePathBox EDITTEXT
        VALUENAME "SourcePath"
    END PART
In this example, the EDITTEXT indicates that the administrator is to edit a text box, rather than click a checkbox, for example.
Including the following line provides explanatory text:
    EXPLAIN !!SourcePathExplain
Dotting the i's and crossing the t's, you end up with the following:
; Filename: SOURCE.ADM
; Example of a simple custom ADM template
; Glenn Weadock, August 2003
CLASS MACHINE
CATEGORY !!Administrative
    POLICY !!SetupSourcePath
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Setup"
        PART !!SourcePathBox EDITTEXT
            VALUENAME "SourcePath"
        END PART
        EXPLAIN !!SourcePathExplain
    END POLICY
END CATEGORY
[STRINGS]
; This section is typically alphabetized for convenience.
Administrative="Acme System Settings"
SetupSourcePath="Change Setup Source Path"
SourcePathBox="Enter the path to the Windows distribution share:"
SourcePathExplain="Change this value if you rename the distribution server on the network that contains the \I386 folder.\n\nThis server location must be available in certain situations, such as when installing a new device driver that is not contained in DRIVER.CAB, or when Windows File Protection attempts to restore a file that is not contained in DLLCACHE or DRIVER.CAB."
To view the new setting, you need to turn on the ability of the MMC to view preferences as opposed to true policies. The KEYNAME in this template is outside the Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies subtrees, so the Group Policy editor hides it until you clear the filter (in the Windows XP editor: View, Filtering, uncheck "Only show policy settings that can be fully managed"; in the Windows 2000 editor: View, Show Policies Only). Remember that a preference is written once and is not cleaned up when the GPO stops applying, so decide in advance how you will reset SourcePath if the policy is ever retired.
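A small checker, added here as an illustration and not part of the original course material, that reads an ADM template and flags the three problems this section warns about: a !!metastring with no [STRINGS] entry, an unbalanced CATEGORY/POLICY/PART block, and a KEYNAME outside the policy subtrees (which makes the setting a preference that tattoos the registry). The sample template is the SOURCE.ADM above, embedded inline; the list of policy subtrees and the function names are the example's own.

```python
import re

# Constructed sample: the SOURCE.ADM template from this section, embedded
# inline so the checker runs offline.
SAMPLE_ADM = r"""
; Filename: SOURCE.ADM
CLASS MACHINE
CATEGORY !!Administrative
    POLICY !!SetupSourcePath
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Setup"
        PART !!SourcePathBox EDITTEXT
            VALUENAME "SourcePath"
        END PART
        EXPLAIN !!SourcePathExplain
    END POLICY
END CATEGORY
[STRINGS]
Administrative="Acme System Settings"
SetupSourcePath="Change Setup Source Path"
SourcePathBox="Enter the path to the Windows distribution share:"
SourcePathExplain="Change this value if you rename the distribution server."
"""

# Registry subtrees the Group Policy editor treats as true policy (values are
# removed when the GPO no longer applies). Anything else is a preference.
POLICY_KEY_PREFIXES = (
    r"software\policies",
    r"software\microsoft\windows\currentversion\policies",
)

BLOCK_OPENERS = {"CATEGORY", "POLICY", "PART"}


def strip_comment(line):
    """Drop a ';' comment, but not a semicolon inside a quoted string."""
    out, in_quote = [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            break
        out.append(ch)
    return "".join(out).strip()


def parse_adm(text):
    """Return (body_lines, strings): the template body and the [STRINGS] table."""
    body, strings, in_strings = [], {}, False
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        if line.upper() == "[STRINGS]":
            in_strings = True
            continue
        if in_strings:
            name, _, value = line.partition("=")
            strings[name.strip()] = value.strip().strip('"')
        else:
            body.append(line)
    return body, strings


def check_adm(text):
    """Return a list of problem descriptions (empty means the template is clean)."""
    body, strings = parse_adm(text)
    problems, stack = [], []
    for line in body:
        tokens = line.split()
        kw = tokens[0].upper()
        if kw == "END":
            # END X must close the innermost open block of the same kind.
            closing = tokens[1].upper() if len(tokens) > 1 else "?"
            if not stack or stack[-1] != closing:
                problems.append(f"unbalanced END {closing}")
            else:
                stack.pop()
        elif kw in BLOCK_OPENERS:
            stack.append(kw)
        # Every !!metastring must resolve in [STRINGS].
        for ref in re.findall(r"!!(\w+)", line):
            if ref not in strings:
                problems.append(f"undefined metastring !!{ref}")
        # A KEYNAME outside the policy subtrees is a preference (tattoos the registry).
        if kw == "KEYNAME":
            key = line[len("KEYNAME"):].strip().strip('"').lower()
            if not key.startswith(POLICY_KEY_PREFIXES):
                problems.append(f"preference (not a policy key): {key}")
    for open_block in stack:
        problems.append(f"missing END {open_block}")
    return problems


if __name__ == "__main__":
    for problem in check_adm(SAMPLE_ADM):
        print(problem)
```

Run against SOURCE.ADM the checker reports only the preference key, which is exactly why the setting is hidden until the editor's filter is changed; feed it a template with a missing END CATEGORY or a misspelled metastring and the other two checks fire.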
The procedure for loading an additional ADM template into the Group Policy console is as follows:
1. Open the GPO you wish to edit.
2. Right-click the Administrative Templates node in the tree pane, either in Computer Configuration or in User Configuration (a software vendor that supplies a template will typically advise which one).
3. Choose Add/Remove Templates. A list of installed templates appears (see Figure 164).
4. Click Add.
5. Browse to the template you wish to add, highlight it, and click Open.
6. Click Close in the Add/Remove Templates dialog box.
The editor copies the ADM file into the GPO's Adm folder under Sysvol, so the template replicates to every domain controller along with the rest of the GPO.
Knowledge Check: Section Review
1. List the kinds of information that must be present in an ADM file, at a minimum.
2. What is the procedure for importing a new ADM file so that the settings it contains
become available in the Group Policy console?
3. What ADM files get installed by Service Pack 3 for Windows 2000, and what do they do?
4. What are the possible values for the CLASS entry in an ADM file?
5. Name four different Parts of an ADM file and describe when you would use them.
ABC Acronyms
The following acronyms are used in this section:
Software Restriction Policies
Section Topics
What Is a Software Restriction Policy?
How to Create a Software Restriction Policy
Software Restriction Policy Options
Additional Rules to Identify Software
Software Rules Precedence
Creating an Effective Software Restriction Policy
Deployment Summary
Knowledge Guide
Section Objectives
Section Overview
This section details the deployment of software restriction policies including the essential
components, rules, and the order of precedence of such policy.
Software restriction policies control what is sometimes called hostile code: programs and scripts that arrive by e-mail, that are embedded in or downloaded from Web pages the client visits, or that users download and install on their own. Software restriction policies have the following characteristics:
Software policies specify which programs can or cannot be run.
Software policies can be applied to local machines, sites, domains, or OUs.
Software policies are created using the Group Policy MMC.
Software restriction policies are enforced only by Windows XP and Windows Server 2003; Windows 2000 clients ignore the settings, so a domain that still contains Windows 2000 computers needs a separate control for them.
A properly deployed software restriction policy defines the rules of your company regarding which software applications and components that are used on a daily basis are to be trusted.
Figure 167: Software Restriction Policy Architecture (define the policy for the domain using the Group Policy editor; the policy is downloaded by Group Policy to the machine; the system policy is enforced by the operating system when software is run)
The software restriction policy uses a default rule, which decides what software applications can execute.
The default rule can be set to Unrestricted or Disallowed, that is, run or do not run.
A software restriction policy passes through three stages:
First, an administrator creates the policy using the Group Policy editor. The policy can be created at any of the standard Group Policy levels: site, domain, or organizational unit (or in the local computer policy).
After the policy has been saved and replicated through Active Directory, it is applied to computer systems at the next machine startup or to users at the next logon.
From then on, the operating system checks every launch attempt against the rules.
The All users except local administrators option can be used only on
machine-level software restriction policies.
Groups can also be used to filter which policies are enforced.
DLL Checking
Most software programs start from an executable file (EXE), followed by loading of several DLL files.
The default option is to not enforce any restrictions on DLLs. This keeps the cost down (if the EXE is disallowed, its DLLs never load), but it leaves a gap: an allowed host such as rundll32.exe can still load a DLL the policy would have blocked, and a malicious DLL injected into an allowed process is never checked.
Note
Restricting all DLLs means the software restriction policy is evaluated on every library load. For example, launching Microsoft Excel loads many DLLs, and each load triggers another policy check, so expect a startup cost.
If you are in an environment where known DLLs are targeted with viruses, you can protect a software program that has not been infected by creating hash rules that identify the executable and all of its linked DLLs. To turn on DLL checking, select the option All software files in the Enforcement Properties dialog box shown in Figure 169. The other choice, All software files except libraries (such as DLLs), is the default and leaves DLLs unchecked.
Skip Administrators
An administrator may want to disallow the running of programs for most users but allow
local administrators to run all software.
To turn on Skip Administrators, select the following option in the Enforcement
Properties dialog box shown in Figure 169: All users except local administrators.
The Designated File Types Properties dialog box lists the default file types that the
software restriction policy applies.
The designated file types are file types that can be executed by users and the operating
system.
The rules in a software restriction policy apply only to the file types listed in the
Designated File Types Properties dialog box.
If your environment uses a file type that you want to be able to set rules on to control its
execution, add it to the list using the Add button.
Trusted Publishers
The trusted publishers options shown in Figure 171 allow you to configure settings related to ActiveX controls and certificates.
Figure 172 below shows the trusted publishers options for the use of ActiveX controls and certificates.
Trusted Publishers Option                                                              Applied Policy Setting
Allow domain administrators to make decisions regarding signed active content          Enterprise administrators
Allow local machine administrators to make decisions regarding signed active content   Local computer administrators
Allow any user to make decisions regarding signed active content                       End users
Ensure that the certificate used by the software publisher has not been revoked        Publisher
Ensure that the certificate used by the organization is time-stamped                   Timestamp
Figure 172: Trusted Publisher Options for ActiveX Controls and Certificates
Modes of Operation
The two modes of operation used by software restriction policies are:
Unrestricted: With this set as the default level, all software programs will run except those that a rule specifically disallows. The older Group Policy setting Don't run specified Windows applications, found in User Configuration\Administrative Templates\System, offers a similar block list and is available on Windows 2000 as well as Windows XP and Windows Server 2003, but it is enforced only by Explorer and matches on the program's file name, so a user can get around it by renaming the file or starting it from a command prompt. It is not a substitute for a software restriction policy.
Disallowed: All programs will be blocked from running unless a rule explicitly allows them.
Therefore, if an administrator has a master list of the software that is allowed to run, a policy with the default level Disallowed and Unrestricted rules for the listed applications limits execution to exactly those trusted applications.
Rules are used to identify a list of software applications and their execution status:
whether they can or cannot run. Additional rules can be created to help identify software
and its components.
Each rule is assigned a unique GUID, so every rule will have a different GUID, making it useful for troubleshooting. The following table details when to use each rule for the most effective security solutions.
Desired Software Security                                                  Use This Rule
Allow or disallow a particular software application.                       Hash rule: select the hash rule and select the file to create a hash.
Identify a software application with a generic system path.                Path rule using variables: %ProgramFiles%\Kaza\kaza.exe
Identify a software application installed locally.                         Registry path rule: %HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\Inoculate\5.0\Path\HOME%
Identify scripts stored at a particular network location.                  Path rule: \\Servername\share
Identify scripts stored at multiple network locations.                     Path rule using wildcards: \\Servername??\share
Disallow all Visual Basic scripts.                                         Path rule: *.vbs set to Disallowed
Disallow all Visual Basic scripts except in a folder used for login scripts.  Path rules: *.vbs set to Disallowed; \\LOGON_SRV1\Share\*.vbs set to Unrestricted
Disallow a particular file installed by a known virus.                     Path rule naming that file, set to Disallowed (a rule on *.exe would disallow every executable)
Identify scripts for global use.                                           Certificate rule: all scripts signed by digital certificates
Allow software packages (MSI) to be installed from trusted Internet zones.  Zone rule: set the desired trusted zone to Unrestricted
Figure 175: Rules for Effective Security
A hash rule used with a software restriction policy is a cryptographic fingerprint: a mathematical calculation over the file contents that identifies a file without regard to its location or current name. So if a file is moved from its default location, or renamed, it will not avoid the defined hash rule. The flip side is that any change to the contents (a patch, a recompile, a new version) produces a different hash, so hash rules must be re-created every time the identified software is updated. A hash rule has the following components:
The MD5 or SHA-1 hash value
The file length
The hash algorithm ID
The following format is used:
[MD5 or SHA-1 hash value]: [file length]: [hash algorithm ID]
MD5 was developed by Professor Ronald L. Rivest of MIT. MD5 accepts a file of any length and produces a 128-bit message digest of the input file. It was designed so that two different files should not produce the same digest, but that property no longer holds: practical MD5 collisions were demonstrated in 2004 (Wang and Yu), and a SHA-1 collision followed in 2017 (the SHAttered attack). For a Disallowed rule this matters little, since an attacker gains nothing by matching a blocked hash; for an Unrestricted rule it means an attacker who can get you to hash a file they crafted may be able to produce a second file with the same digest. Treat hash rules as a way to pin specific known binaries, not as proof of where a file came from.
SHA-1 was developed by NIST, along with the NSA, for use with the DSS (Digital Signature Standard). SHA-1 accepts as input a file of any length and produces as output a 160-bit message digest of the input.
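The fingerprint a hash rule stores, computed in Python as an added example (not the page's or Microsoft's code) over a constructed script body. The three components follow the format above; the algorithm IDs are taken to be the Windows CryptoAPI constants CALG_MD5 (0x8003) and CALG_SHA1 (0x8004), which is an assumption since the page does not give the values, and the colon-separated string is the page's notation rather than the binary form stored in the registry. Renaming or moving the file leaves the result unchanged; altering one byte does not.

```python
import hashlib

# Algorithm identifiers assumed to be the CryptoAPI ALG_ID values CALG_MD5 and
# CALG_SHA1; the three components mirror the hash rule format on this page.
HASH_ALG_IDS = {"md5": 0x8003, "sha1": 0x8004}


def hash_rule(data, alg="md5"):
    """Build the rule string "<hex digest>:<file length>:<algorithm id>" for a file's bytes."""
    digest = hashlib.new(alg, data).hexdigest()
    return f"{digest}:{len(data)}:{HASH_ALG_IDS[alg]}"


def parse_rule(rule):
    """Split a rule string back into (digest, length, algorithm id)."""
    digest, length, alg_id = rule.split(":")
    return digest, int(length), int(alg_id)


def rule_matches(rule, data):
    """True when the file's contents (not its name or location) match the rule."""
    digest, length, alg_id = parse_rule(rule)
    alg = next(name for name, ident in HASH_ALG_IDS.items() if ident == alg_id)
    return len(data) == length and hashlib.new(alg, data).hexdigest() == digest


def classify(files, rule):
    """Map each (name, bytes) pair to whether the hash rule catches it."""
    return {name: rule_matches(rule, data) for name, data in files}


# Constructed stand-in for a script an administrator hashed; in practice you
# would read the real file with open(path, "rb").read().
ORIGINAL = b"' pagefileconfig.vbs (constructed sample)\r\nWScript.Echo \"hi\"\r\n"
RULE = hash_rule(ORIGINAL)

if __name__ == "__main__":
    samples = [
        (r"c:\windows\system32\pagefileconfig.vbs", ORIGINAL),
        (r"c:\temp\renamed_copy.txt", ORIGINAL),                   # moved and renamed: still caught
        (r"c:\temp\patched.vbs", ORIGINAL.replace(b"hi", b"Hi")),  # one byte changed: not caught
    ]
    print("rule:", RULE)
    for name, caught in classify(samples, RULE).items():
        print(f"{'DISALLOWED' if caught else 'no match':10} {name}")
```

The third sample is the everyday failure mode of hash rules: a vendor patch, a recompile, or a single-byte edit by an attacker produces a file the rule no longer recognises, so a hash-based allow list needs re-hashing after every update.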
The certificate rule specifies that the selected software application is protected by a code-signing (software publisher) certificate.
A certificate can be issued by a third-party certificate authority such as RSA or VeriSign, by your own enterprise CA (Certificate Services on a Windows 2000 or Windows Server 2003 server), or it can be a self-signed certificate.
Software applications, ActiveX controls, and scripts can be signed with a certificate issued to the software publisher.
The signature on a signed file contains a hash of the file's contents signed with the publisher's private key, so the rule can verify the authenticity of the file regardless of its location and name. Unlike a hash rule, it keeps matching new versions of the software as long as the same publisher signs them.
Two things to check before relying on certificate rules: they are evaluated only when the security option System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies is enabled, and each evaluation may fetch a certificate revocation list, which can slow program startup on machines without network access to the CA.
Environment Variables
Environment variables can also be used in paths. Typing Set at the command prompt lists the current system and user environment variables in use. Standard environment variables that can be used include:
COMPUTERNAME
HOMEDRIVE
HOMEPATH
LOGONSERVER
TEMP
TMP
USERDOMAIN
USERNAME
USERPROFILE
WINDIR
Be careful which variables you build rules on. User-level variables such as TEMP, TMP, and USERPROFILE can be redefined by the user, so an Unrestricted rule on %TEMP%\tools lets the user point TEMP wherever they like. More generally, an Unrestricted path rule on a folder the user can write to is only as strong as that folder's permissions, because the user can simply copy a program into it. Prefer rules on folders that only administrators can write to, such as %WINDIR% and %ProgramFiles%.
Wild Cards
The wild cards ? and * can also be used in path rules. *.vbs could be used to refer to all Visual Basic scripts. For example:
\\CORP-??\login$ matches \\CORP-01\login$ and \\CORP-02\login$
*\Windows matches c:\Windows, e:\Windows, and f:\Windows
c:\win* matches c:\winnt, c:\windows, and c:\winxp
Most software applications store the path to their installation directories in the local registry. A path rule can be created that reads these registry values, as shown in Figure 179. The registry path is used to locate the software application on the local hard drive.
Registry paths are written in the following format, with the following rule: the entire path must be enclosed in % at the start and end.
%[registry hive]\[registry key name]\[value name]%
To make it easier to cut and paste a registry path into a path rule, use the Copy Key Name option found on the Edit menu of the Registry Editor. The registry value referenced by a path rule must be a text string (REG_SZ or REG_EXPAND_SZ). In addition, the full name of the registry hive must be used, as in HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER, and not the short-form names HKLM or HKCU.
When more than one path rule matches a program, the more specific rule wins. From most specific to least specific:
1. Drive:\Folder1\Folder2\FileName.Extension
2. Drive:\Folder1\Folder2\*.Extension
3. *.Extension
4. Drive:\Folder1\Folder2\
5. Drive:\Folder1\
When two path rules of equal specificity conflict, the more restrictive (Disallowed) rule applies.
The zone rule is used to identify Windows Installer MSI packages that are downloaded
from a specified Internet Explorer zone.
Software rules are reviewed and applied in a specific order. A specific rule will win out over a generic rule.
Following is an example of how the filtering of rules is reviewed and then applied.
Default security level: Unrestricted
Hash rules
Rule 1   Hash of pagefileconfig.vbs     Disallowed
Path rules
Rule 2   %WINDIR%\System32\*.vbs        Unrestricted
Rule 3   *.vbs                          Disallowed
Rule 4   %WINDIR%                       Unrestricted
Figure 182: Filtering of Rules
Process 1
A Visual Basic program attempts to start in the local location:
c:\WINDOWS\SYSTEM32\EventQuery.vbs
This program matches the following rules currently in force:
Rule 2: It is a .vbs file in the System32 folder.
Rule 3: It has a .vbs extension.
Rule 4: It is stored in a subfolder under the Windows root directory.
Outcome
After reviewing the current rules, the most specific match is rule 2. Since rule 2 has a
security level of Unrestricted, the program is allowed to run.
Process 2
A Visual Basic script is started from the following local location:
c:\WINDOWS\SYSTEM32\pagefileconfig.vbs
This program matches the following rules currently in force:
Rule 1: The hash in the rule matches the hash of the file.
Rule 2: It is a .vbs file in the System32 folder.
Rule 3: It has a .vbs extension.
Rule 4: It is stored in a subfolder under the Windows root directory.
Outcome
After reviewing the current rules, the most specific match is rule 1. Since rule 1 has a
security level of Disallowed, the program is disallowed.
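The precedence rules described under the registry path discussion (the more specific path wins, ties go to Disallowed, hash rules beat path rules) and the Figure 182 walk-through above, implemented as one added Python example that is not part of the original course or of Windows. The rule set, the %WINDIR% environment, and the script bodies are constructed so the example runs offline; the specificity ranking is the simplified one from the page's five-item list, not the exact algorithm Windows uses.

```python
import fnmatch
import hashlib

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"


def expand(path, env):
    """Expand %VAR% references from the supplied environment, case-insensitively."""
    for name, value in env.items():
        token = f"%{name}%".lower()
        idx = path.lower().find(token)
        while idx != -1:
            path = path[:idx] + value + path[idx + len(token):]
            idx = path.lower().find(token)
    return path


def path_matches(target, pattern):
    """A wildcard pattern must match the whole path; a plain path matches itself
    or anything beneath it (a folder rule covers the subtree)."""
    if any(c in pattern for c in "*?"):
        return fnmatch.fnmatchcase(target, pattern)
    return target == pattern or target.startswith(pattern.rstrip("\\") + "\\")


def specificity(pattern, level):
    """Sort key: lower is more specific, following the page's precedence list.
    Ties go to Disallowed (the more restrictive rule wins)."""
    wild = any(c in pattern for c in "*?")
    last = pattern.rsplit("\\", 1)[-1]
    if not wild and "." in last:
        cat = 1                  # Drive:\Folder\File.ext
    elif wild and "\\" in pattern:
        cat = 2                  # Drive:\Folder\*.ext
    elif wild:
        cat = 3                  # *.ext
    else:
        cat = 4                  # folder prefix; a deeper folder is more specific
    return (cat, -pattern.count("\\"), 0 if level == DISALLOWED else 1)


def evaluate(file_path, file_bytes, rules, env, default=UNRESTRICTED):
    """Return (security level, deciding rule or None) for one launch attempt."""
    target = expand(file_path, env).lower()
    digest = hashlib.md5(file_bytes).hexdigest()
    # Hash rules beat path rules regardless of how specific the path is.
    for rule in rules:
        if rule["type"] == "hash" and rule["value"] == digest:
            return rule["level"], rule
    best = None
    for rule in rules:
        if rule["type"] != "path":
            continue
        pattern = expand(rule["value"], env).lower()
        if path_matches(target, pattern):
            key = specificity(pattern, rule["level"])
            if best is None or key < best[0]:
                best = (key, rule)
    return (best[1]["level"], best[1]) if best else (default, None)


# Constructed data: the rule set of Figure 182, with a stand-in script body so
# the hash rule can be computed offline.
ENV = {"WINDIR": r"c:\WINDOWS"}
PAGEFILECONFIG = b"' constructed stand-in for pagefileconfig.vbs\r\n"
RULES = [
    {"type": "hash", "value": hashlib.md5(PAGEFILECONFIG).hexdigest(), "level": DISALLOWED},  # rule 1
    {"type": "path", "value": r"%WINDIR%\System32\*.vbs", "level": UNRESTRICTED},            # rule 2
    {"type": "path", "value": r"*.vbs", "level": DISALLOWED},                                # rule 3
    {"type": "path", "value": r"%WINDIR%", "level": UNRESTRICTED},                           # rule 4
]

if __name__ == "__main__":
    attempts = [
        (r"c:\WINDOWS\SYSTEM32\EventQuery.vbs", b"' some other script"),  # process 1
        (r"c:\WINDOWS\SYSTEM32\pagefileconfig.vbs", PAGEFILECONFIG),      # process 2
        (r"c:\temp\downloaded.vbs", b"' untrusted script"),               # only *.vbs applies
        (r"c:\WINDOWS\notepad.exe", b"MZ..."),                            # folder rule applies
    ]
    for path, data in attempts:
        level, rule = evaluate(path, data, RULES, ENV)
        print(f"{level:12} {path}  <- {rule['value'] if rule else 'default level'}")
```

Process 1 resolves to rule 2 and Process 2 to rule 1, as in the text; the two extra launches show a script outside System32 being caught by the bare *.vbs rule and a non-script under %WINDIR% falling through to the folder rule.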
Deployment Summary
After the software restriction policy has been enabled, it has to be monitored and analyzed for problems; otherwise, inconsistencies may crop up. Blocked launches are recorded in the Application event log under the source Software Restriction Policies (event IDs 865 to 868 and 882 identify whether the default level or a path, certificate, zone, or hash rule did the blocking). For a complete trace of every evaluation, create the REG_SZ value LogFileName under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers with the path of a log file. Run a new policy first on a pilot OU, with the default level Unrestricted and logging enabled, and read the log before you switch the default to Disallowed.
Always create a separate GPO for a software restriction policy. Do not add policy restrictions to the default domain GPO; it would then apply to every computer and user account in the domain, including domain controllers and administrators.
If linking is to be used, be aware that a linked policy is read every time the computer restarts or the user logs in. Link only to the OUs that should receive the policy, and do not link at all until you understand both the logical and physical design of your Active Directory hierarchy.
Be aware of the potential for conflicts when using both Group Policy settings and a software restriction policy, and keep All users except local administrators selected while testing so that a mistaken Disallowed rule cannot lock administrators out of their own tools.
Software restriction policies and the how, why, where, and when
of deployment was discussed in detail.
Knowledge Check: Section Review
5. The two conditional modes of operation used by a software restriction policy are:
6. What are the four additional rules used to identify software components?
ABC Acronyms
The following acronyms are used in this section:
Troubleshooting Group Policy
Section Topics
Group Policy Infrastructure
FRS Replication
Client-Side Extensions
GPO Structure
Group Policy Deployment Order
Using Command-Line Tools
Analyzing Policy Deployment
Using the Windows XP Help and Support Center
Enabling Group Policy Logging: the userenv.log File
Tips for Troubleshooting Group Policy
Custom Views of Administration Templates
Using the Event Logs
Using Gpmonitor
Why Is My Policy Still Not Working?
Knowledge Guide
Section Objectives
Section Overview
The internal architecture of the Group Policy components and their operation are detailed
in this section. Numerous command-line and GUI tools are available for troubleshooting
Group Policy and these are discussed in detail.
Within each Active Directory domain are a number of components that all domain
controllers and computers that are members of the domain use to deploy Group Policy
settings.
Finding out where an unwelcome Group Policy setting came from can be hard if you are
not aware of the tools and utilities available for Windows 2000 and Windows XP
computer systems.
In addition to the tools, it is prudent to have the physical and logical network diagrams of your Active Directory infrastructure at hand.
Many Group Policy troubleshooting tools can be found in the support tools that are
bundled on the Windows 2000, Windows 2003, and Windows XP operating system CD in
the Support\Tools folder. In addition, the Windows 2003 Resource Kit has additional
tools for Group Policy troubleshooting.
The Sysvol folder is located on the NTFS file system of every Active Directory domain controller, in %SystemRoot%\Sysvol.
Administrative templates, security settings, applied scripts, and details on MSI packages that are to be installed are found here, in the Group Policy Template (GPT) folder of each GPO. The other half of a GPO, the Group Policy Container (GPC), is an object in Active Directory itself and holds attributes such as the GPO's version number and the path to its Sysvol folder.
The domain where the user account is located also contains the Group Policy settings of
the authenticating user. These settings are stored in a system folder called Sysvol. Most
likely there will be several Sysvol folders, because each domain controller that hosts the
domain has a local Sysvol, which is kept identical to every other Sysvol in the domain by
the File Replication Service (FRS).
FRS monitors and replicates changes to Group Policy, startup and shutdown scripts, and
logon and logoff scripts. If your Active Directory is made up of multiple sites (each site
being one or more well-connected subnets), your Sysvol folders will be separated by WAN
links. If you have multiple sites, and each site contains multiple domain controllers, your
network map can get very complicated and much more dependent on the replication
process.
In each domain, one domain controller holds the role of PDC (primary domain controller)
emulator.
The PDC emulator role is automatically assigned to the first domain controller promoted
in an Active Directory domain, and there is, and can be, only one domain controller
holding this role per domain at any one time.
When Group Policy settings are created or modified using the Active Directory Users and
Computers console, the Group Policy editor connects by default to the PDC emulator and
reads and writes the live settings there. Many tools and utilities can be used to find out
which domain controller currently holds the PDC emulator role.
One of the handiest methods is the support tool Netdom, with the following syntax at the
command prompt:
C:\> netdom query fsmo
FRS Replication
Active Directory replication is usually thought of as carrying every change between
domain controllers, and it does carry the Active Directory half of a GPO (the Group Policy
container). The file-based half (the Group Policy template in Sysvol) is replicated to the
other domain controllers in the domain by the FRS (File Replication Service). The process
goes like this:
1. When changes are made to Group Policy, the PDC emulator is located and the
current settings are read from its Sysvol folder.
2. After changes have been made, the Group Policy settings are saved back to the
Sysvol folder on the PDC emulator.
3. The changed files signal FRS to replicate.
4. FRS replicates the files to the other domain controllers in the domain. Within a
site this normally completes within a few minutes; between sites it follows the
replication schedule of the site links, so a remote domain controller can lag
behind the PDC emulator for some time.
Client-Side Extensions
While the definition of each GPO is stored in Active Directory and Sysvol, the actual client
(Windows XP, Windows 2000, or Windows 2003) does the processing of each linked GPO
using client-side extensions or, in English, a collection of local DLLs, each with one
specific job: to apply one category of settings from the GPOs in scope at startup and logon
and again at each background refresh.
The available policy settings are grouped into specific categories, each served by its own
extension, including administrative templates (registry), security, folder redirection,
wireless, IPSec, EFS recovery, scripts, and software installation.
After the client determines which GPOs apply, the list of GPOs is passed to each client-
side extension, which reads its own portion of every GPO and applies those settings. An
extension that is not present on a client never runs there, which is one reason the same
GPO can behave differently on different operating systems.
GPO Structure
Every GPO has two parts. The Group Policy container (GPC) is an object in Active
Directory; it holds the GPO's version number, its status (whether the user or computer
half is disabled), and the list of client-side extensions the GPO uses. The Group Policy
template (GPT) is the set of files and folders the GPO creates under the Policies folder in
Sysvol; it is written on the PDC emulator and replicated to every domain controller in the
domain.
The Active Directory portion of the GPO can be viewed using the Active Directory Users
and Computers console or, at a lower level, with ADSI Edit. The GPC object is an instance
of the Active Directory class groupPolicyContainer.
Each GPO you create produces one GPC and one corresponding GPT, and every GPO is
stored in a domain. A GPO can, however, be linked to sites, domains, and OUs in the
domain where it was created or in another domain of the forest. Such cross-domain links
work, but they slow logon, because the client must contact a domain controller of the
GPO's home domain to read it.
The GPC is what user and computer accounts look up in the Active Directory database
when they work out which GPOs to apply.
Each GPO is assigned a unique 128-bit GUID, and the same GUID names both halves: the
GPC is CN={GUID},CN=Policies,CN=System in the domain naming context, and the GPT is
the folder {GUID} under the Policies folder in Sysvol. So you can match the GUID-named
folder in Sysvol with the GUID on each GPO object in Active Directory.
ADSI Edit can be used to find the friendly (English) name of a GPO from its GUID by
opening the CN=Policies container, viewing the properties of the selected GPO object, and
reading its displayName attribute, as shown in Figure 191.
GPO Versioning
The numbers displayed on the properties of a GPO are not the version number; they are
revision counters listing the number of changes made to the user section and to the
computer section respectively.
The version number of the GPO is a single 32-bit value calculated from those two counters
(the computer revision in the low 16 bits and the user revision in the high 16 bits), and it
is written to both the GPC (the versionNumber attribute) and the GPT (the Version entry
in gpt.ini).
If the version numbers of the GPT and GPC for a particular GPO are not the same on the
domain controller a client is using, the client will not apply that GPO correctly until the
version numbers match. For the GPO to be fully in sync, the version numbers of both the
GPT and the GPC must be identical on every domain controller in the domain.
Note
The Replication Monitor can be used to display the sync status of all GPOs using the
context menu option Show Group Policy Object Status.
Site GPOs
A GPO linked to a site applies to all users and computers in that site. A site is one or
more subnets joined together under an Active Directory site name.
Any Group Policy setting deployed at the site level that conflicts with a previously
applied local Group Policy setting overwrites the local setting, because the site GPO is
processed after the local GPO.
For example, if a local setting has been enabled that removes the Settings tab from the
properties of the Display icon in Control Panel, it is applied first.
If the very same setting in the site-level GPO is set to Disabled, the end result at this
point in the processing order is that the Settings tab is available again. If the site-level
GPO leaves the setting Not Configured, nothing changes: the local setting still stands and
the tab stays hidden. Not Configured never overrides an earlier GPO; only Enabled and
Disabled do.
Organizational Unit
The OU settings are applied next, after the local, site, and domain settings, potentially
overwriting any of them where a conflict occurs with a previously applied setting. The
default processing order is therefore Local, Site, Domain, OU.
Child OU
If you use multiple OUs in your Active Directory design, any Group Policy setting
deployed at the top of an OU tree flows down through the child OUs beneath it, similar
to the inheritance of permissions on an NTFS partition. A GPO linked to a child OU is
processed after those linked to its parent OUs, so the deepest OU wins any conflict.
If you have Group Policy settings applied from multiple sources, the result is an effective
Group Policy built from all the GPOs applied to the user or computer, with the last GPO
processed winning each conflicting setting.
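The processing order and the Not Configured rule described above, worked through in code. This is an added example written for this section, not a Microsoft tool and not part of the course material. It models only the default rules (Local, Site, Domain, then OUs from the top of the tree down, last GPO wins, Not Configured leaves the earlier value alone) and deliberately leaves out link order within one container, No Override, Block Policy Inheritance, and security group filtering. All GPO names and settings are constructed; the first scenario is the Display Settings tab example from the text.

```python
"""Effective Group Policy under the default Local, Site, Domain, OU order.

Added example; not Microsoft code.  Only the default precedence rules are
modelled: a later GPO overwrites an earlier one only when it is Enabled or
Disabled, and Not Configured never changes anything.  All data is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

NOT_CONFIGURED, ENABLED, DISABLED = "Not Configured", "Enabled", "Disabled"


@dataclass
class Gpo:
    name: str
    scope: str                       # "Local", "Site", "Domain" or "OU:<path>"
    settings: Dict[str, str] = field(default_factory=dict)


def processing_order(gpos: List[Gpo], ou_path: str) -> List[Gpo]:
    """Order GPOs as a client processes them: local, site, domain, then each
    OU from the root of the tree down to the OU holding the account.
    'Corp/Sales/East' yields OU:Corp, OU:Corp/Sales, OU:Corp/Sales/East."""
    ordered = [g for g in gpos if g.scope == "Local"]
    ordered += [g for g in gpos if g.scope == "Site"]
    ordered += [g for g in gpos if g.scope == "Domain"]
    parts = ou_path.split("/") if ou_path else []
    for depth in range(1, len(parts) + 1):
        prefix = "OU:" + "/".join(parts[:depth])
        ordered += [g for g in gpos if g.scope == prefix]
    return ordered


def resultant_set(gpos: List[Gpo], ou_path: str) -> Dict[str, Tuple[str, str]]:
    """Return {setting: (effective state, name of the GPO that supplied it)}."""
    effective: Dict[str, Tuple[str, str]] = {}
    for gpo in processing_order(gpos, ou_path):
        for setting, state in gpo.settings.items():
            if state == NOT_CONFIGURED:
                continue                 # leaves whatever an earlier GPO set
            effective[setting] = (state, gpo.name)   # last writer wins
    return effective


# Constructed scenario (not from the course): the Display Settings tab example
# plus two settings contested between the domain and child OUs.
HIDE_SETTINGS_TAB = "Hide Settings tab"
REMOVE_RUN = "Remove Run menu from Start Menu"
DISABLE_REGEDIT = "Prevent access to registry editing tools"

SAMPLE_GPOS = [
    Gpo("Local Policy", "Local", {HIDE_SETTINGS_TAB: ENABLED}),
    Gpo("HQ Site Policy", "Site", {HIDE_SETTINGS_TAB: NOT_CONFIGURED}),
    Gpo("Default Domain Policy", "Domain",
        {REMOVE_RUN: DISABLED, DISABLE_REGEDIT: ENABLED}),
    Gpo("Corp Desktop", "OU:Corp", {REMOVE_RUN: ENABLED}),
    Gpo("Sales Lockdown", "OU:Corp/Sales", {HIDE_SETTINGS_TAB: DISABLED}),
    Gpo("Engineering Tools", "OU:Corp/Eng", {DISABLE_REGEDIT: DISABLED}),
]

if __name__ == "__main__":
    for ou in ("Corp/Sales", "Corp/Eng"):
        print(f"Account in OU {ou}:")
        for setting, (state, winner) in sorted(resultant_set(SAMPLE_GPOS, ou).items()):
            print(f"  {setting:42} {state:15} (from {winner})")
```

For an account in Corp/Eng the Settings tab stays hidden: the site GPO is Not Configured and nothing deeper touches the setting, so the local policy is still the effective one, which is the case the text gets wrong if Not Configured is read as "clears the setting".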
Microsoft supplies several command-line tools that can be used to troubleshoot Group
Policy deployment and the health of existing GPOs:
Windows 2000 command-line tools are the most limited.
Windows XP and Windows 2003 have better GUI and command-line tools.
The Resource Kit has additional troubleshooting tools.
Helpful Hint
The output from gpresult using the super-verbose option (/Z) will overflow the command
prompt window. Use the redirect (>) operator to send the output to a file:
C:\> gpresult /Z > gpsettings.txt
Using Gpotool
When your Active Directory domain has more than one domain controller (and every
domain should have more than one), the command-line tool Gpotool can be used to ensure
that all the replicated Sysvol folders in the domain contain valid and up-to-date GPOs.
Version mismatches between the GPT stored in the Sysvol folder and the GPC in Active
Directory are exactly what Gpotool checks.
If errors are reported, check the System and Directory Services event logs on the listed
domain controller showing the problem, and the File Replication Service log for FRS
errors.
If you want to verify that a GPO called Corporate Desktop Settings is in sync on a domain
controller called BigDaddy, type the following at a command prompt (quote the GPO
name because it contains spaces):
C:\> gpotool /gpo:"Corporate Desktop Settings" /dc:bigdaddy
When using the Gpotool, you can also check these Group Policy components:
Group Policy object consistency: Gpotool checks the GUID of each GPO and
all Sysvol data.
Group Policy object replication: Gpotool checks the times and instances of
when replication has occurred.
Friendly-name searching: Your GPOs can be searched by the given English
name of each GPO.
Selective search: You can specify which domain controllers Gpotool
will query.
Using Gpupdate
On Windows 2000 computer systems, the command-line utility secedit.exe (secedit
/refreshpolicy machine_policy or user_policy, optionally with /enforce) was used to refresh
Group Policy settings without rebooting.
On Windows XP and Windows 2003, a new command-line utility, gpupdate.exe, replaces
it: gpupdate alone refreshes settings that have changed, and gpupdate /force reapplies
every setting whether or not it changed.
Using ReplMon
After 1 minute, and every minute thereafter, an updated status of the current GPOs is
displayed, as shown in Figure 199.
Additional details on replication status can be found by right-clicking the server icon
and, from the context menu, selecting Show Group Policy Replication.
Any difference between the GPC and the GPT shows up as different version numbers: the
Version column corresponds to the GPC (Active Directory) status, and the SysVol Version
column represents the GPT.
Additional domain controllers can be added to the Replmon view for comparison, which is
how you spot a single domain controller whose Sysvol has fallen behind the others.
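The check that Gpotool and Replmon perform, and the GUID-to-location mapping from the GPO Structure and GPO Versioning topics, as an added example that is not a Microsoft tool and not part of the course material. It decodes the 32-bit version into the two revision counters, reads Version= from a gpt.ini, and compares GPC against GPT on each domain controller. The domain name, the gpt.ini contents and the per-DC GPC values are constructed (the GUID is the well-known one of the Default Domain Policy); in production the GPC value would be read from the versionNumber attribute over LDAP and gpt.ini from \\dc\SYSVOL\domain\Policies\{GUID}.

```python
"""GPO identity and GPC/GPT version consistency across domain controllers.

Added example; not Microsoft code.  Does offline what Gpotool and Replmon
report: decodes the version number, reads gpt.ini and compares the GPC and
GPT versions per DC.  All inputs are constructed.
"""
import configparser
from typing import Dict, Tuple


def gpo_locations(guid: str, domain_dns: str) -> Tuple[str, str]:
    """Return (GPC distinguished name, GPT UNC path); both are named by the GUID."""
    naming_context = ",".join(f"DC={label}" for label in domain_dns.split("."))
    gpc_dn = f"CN={guid},CN=Policies,CN=System,{naming_context}"
    gpt_path = f"\\\\{domain_dns}\\SYSVOL\\{domain_dns}\\Policies\\{guid}"
    return gpc_dn, gpt_path


def split_version(version: int) -> Tuple[int, int]:
    """A GPO version is one 32-bit number: computer revisions in the low 16
    bits, user revisions in the high 16 bits.  Returns (computer, user)."""
    return version & 0xFFFF, (version >> 16) & 0xFFFF


def gpt_version(gpt_ini_text: str) -> int:
    """Read the Version entry from the [General] section of a gpt.ini."""
    ini = configparser.ConfigParser()
    ini.read_string(gpt_ini_text)
    return ini.getint("General", "Version")


def check_consistency(gpc_versions: Dict[str, int],
                      gpt_inis: Dict[str, str]) -> Tuple[Dict[str, dict], bool]:
    """Per DC: GPC version, GPT version and whether they agree.  The GPO is
    only fully in sync when every DC matches and all DCs show the same value."""
    per_dc: Dict[str, dict] = {}
    for dc in sorted(gpc_versions):
        gpc, gpt = gpc_versions[dc], gpt_version(gpt_inis[dc])
        per_dc[dc] = {"gpc": gpc, "gpt": gpt, "match": gpc == gpt}
    distinct = {(r["gpc"], r["gpt"]) for r in per_dc.values()}
    all_in_sync = all(r["match"] for r in per_dc.values()) and len(distinct) == 1
    return per_dc, all_in_sync


# Well-known GUID of the Default Domain Policy; the domain name is constructed.
SAMPLE_GUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
SAMPLE_DOMAIN = "corp.example.com"

# Constructed gpt.ini contents.  Version 65539 = 0x00010003: user revision 1,
# computer revision 3.  DC3 has not yet received the last change over FRS.
GPT_INI_IN_SYNC = "[General]\nVersion=65539\ndisplayName=Default Domain Policy\n"
GPT_INI_STALE = "[General]\nVersion=65538\ndisplayName=Default Domain Policy\n"
SAMPLE_GPC = {"DC1": 65539, "DC2": 65539, "DC3": 65539}   # constructed LDAP values
SAMPLE_GPT = {"DC1": GPT_INI_IN_SYNC, "DC2": GPT_INI_IN_SYNC, "DC3": GPT_INI_STALE}

if __name__ == "__main__":
    dn, path = gpo_locations(SAMPLE_GUID, SAMPLE_DOMAIN)
    print("GPC:", dn)
    print("GPT:", path)
    per_dc, ok = check_consistency(SAMPLE_GPC, SAMPLE_GPT)
    for dc, r in per_dc.items():
        comp, user = split_version(r["gpt"])
        print(f"{dc}: GPC {r['gpc']}  GPT {r['gpt']} (computer {comp}, user {user})"
              f"  {'ok' if r['match'] else 'MISMATCH'}")
    print("GPO in sync on all DCs:", ok)
```

A mismatch on one DC while the others agree points at FRS, not at the GPO itself; a mismatch on every DC points at the PDC emulator, where the edit was written.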
With so many Group Policy options available, it can be tedious to determine exactly
which effective Group Policy settings have been applied.
The RSoP (Resultant Set of Policy) tool is installed by adding the MMC snap-in to a new
or existing custom console. The tool can be run in either of the following two modes:
Logging mode: Running RSoP in logging mode lists all the GPOs that are currently
applied to a computer or user account. After you choose the computer and user, the
tool reports the Group Policy settings that are currently applied and details which
GPO supplied the effective value of each setting.
Planning mode: Running RSoP in planning mode allows you to determine the effect
that a change to the current Group Policy configuration would have on a computer or
user account. After you select the user and/or computer, you choose a scenario for the
RSoP tool to analyze, such as moving the user to a different OU or adding the user to
a security group, and the tool calculates the effective Group Policy settings that would
be applied under that scenario. Planning mode needs a Windows 2003 domain
controller to perform the simulation.
Complete details of the user logon and policy processing sequence can be enabled through
the local registry. A log file called userenv.log (on Windows XP and Windows 2003 it is
written to %SystemRoot%\Debug\UserMode) is then populated with a detailed, verbose
record of the process.
To turn on debug logging, modify the registry on the computer on which the processing
occurs (the client, for client-side problems).
Use Regedit to add the following registry value at the following location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: UserEnvDebugLevel
Value Type: REG_DWORD
The following values can be entered for UserEnvDebugLevel:
NONE 0x00000000
NORMAL 0x00000001
VERBOSE 0x00000002
LOGFILE 0x00010000
DEBUGGER 0x00020000
The values are bit flags and can be combined by adding them; for example, combining
VERBOSE (0x00000002) and LOGFILE (0x00010000) gives 0x00010002, which turns on
both verbose detail and logging to the file. Remove the value when you are finished: the
log grows quickly and records user names, GPO names, and network paths that you may
not want left behind on a workstation.
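The flag arithmetic above, together with a reader for the userenv.log it produces, as an added example that is not Microsoft code and not part of the course material. compose_debug_level builds the registry value from the named flags; parse_userenv_log pulls out, for each GPO the client processed, its display name, GUID and the GPC and GPT versions the client saw, which is where a replication lag first becomes visible on the client. The log lines are constructed in the shape of real userenv.log output (USERENV(pid.tid) hh:mm:ss:ms Function: message); the exact wording and spacing of a given build may differ, so the regular expressions are an assumption, and the second GUID is made up.

```python
"""UserEnvDebugLevel flags and a reader for userenv.log.

Added example; not Microsoft code.  The log sample is constructed in the
shape of real userenv.log lines; the regexes are an assumption about format.
"""
import re
from typing import Dict, List

USERENV_FLAGS = {          # bit values from the registry table above
    "NORMAL":   0x00000001,
    "VERBOSE":  0x00000002,
    "LOGFILE":  0x00010000,
    "DEBUGGER": 0x00020000,
}


def compose_debug_level(*names: str) -> int:
    """OR the named flags together; NONE is simply the absence of flags."""
    value = 0
    for name in names:
        if name != "NONE":
            value |= USERENV_FLAGS[name]
    return value


def describe_debug_level(value: int) -> List[str]:
    """Decode a REG_DWORD back into the flag names that are set."""
    return [name for name, bit in USERENV_FLAGS.items() if value & bit]


LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\)\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<func>\w+):\s+(?P<msg>.*)$")
VERSION_RE = re.compile(r"GPC is (\d+), GPT is (\d+)")
ANGLE_RE = re.compile(r"<(.*)>")


def parse_userenv_log(text: str) -> List[Dict[str, object]]:
    """One record per GPO the client examined (ProcessGPO lines only)."""
    gpos: List[Dict[str, object]] = []
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["func"] != "ProcessGPO":
            continue
        msg = m["msg"]
        if msg.startswith("Searching <"):         # a new GPO starts here
            current = {"dn": ANGLE_RE.search(msg).group(1), "time": m["time"]}
            gpos.append(current)
        elif current is None:
            continue
        elif msg.startswith("Found display name of:"):
            current["display_name"] = ANGLE_RE.search(msg).group(1)
        elif msg.startswith("Found common name of:"):
            current["guid"] = ANGLE_RE.search(msg).group(1)
        elif "version of:" in msg:
            gpc, gpt = (int(x) for x in VERSION_RE.search(msg).groups())
            current["gpc"], current["gpt"] = gpc, gpt
            current["version_mismatch"] = gpc != gpt
    return gpos


def mismatched_gpos(text: str) -> List[str]:
    """Display names of GPOs whose GPC and GPT versions disagreed on the client."""
    return [str(g.get("display_name", g["dn"])) for g in parse_userenv_log(text)
            if g.get("version_mismatch")]


# Constructed sample (not a real capture); the second GUID is invented.
SAMPLE_LOG = """\
USERENV(1c8.3a4) 08:15:02:531 ProcessGPOs: Starting computer Group Policy (Background) processing...
USERENV(1c8.3a4) 08:15:02:546 ProcessGPO: Searching <CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example,DC=com>
USERENV(1c8.3a4) 08:15:02:546 ProcessGPO: Machine has access to this GPO.
USERENV(1c8.3a4) 08:15:02:562 ProcessGPO: Found common name of: <{31B2F340-016D-11D2-945F-00C04FB984F9}>
USERENV(1c8.3a4) 08:15:02:562 ProcessGPO: Found display name of: <Default Domain Policy>
USERENV(1c8.3a4) 08:15:02:578 ProcessGPO: Found machine version of: GPC is 3, GPT is 3
USERENV(1c8.3a4) 08:15:02:593 ProcessGPO: Searching <CN={E2C0F59A-7B11-4E0C-9D6F-1A2B3C4D5E6F},CN=Policies,CN=System,DC=corp,DC=example,DC=com>
USERENV(1c8.3a4) 08:15:02:593 ProcessGPO: Machine has access to this GPO.
USERENV(1c8.3a4) 08:15:02:609 ProcessGPO: Found common name of: <{E2C0F59A-7B11-4E0C-9D6F-1A2B3C4D5E6F}>
USERENV(1c8.3a4) 08:15:02:609 ProcessGPO: Found display name of: <Corporate Desktop Settings>
USERENV(1c8.3a4) 08:15:02:625 ProcessGPO: Found machine version of: GPC is 7, GPT is 6
USERENV(1c8.3a4) 08:15:02:640 ProcessGPOs: Processing extension Registry
"""

if __name__ == "__main__":
    level = compose_debug_level("VERBOSE", "LOGFILE")
    print(f"UserEnvDebugLevel = 0x{level:08X} -> {describe_debug_level(level)}")
    for gpo in parse_userenv_log(SAMPLE_LOG):
        print(gpo.get("display_name"), gpo.get("gpc"), gpo.get("gpt"),
              "MISMATCH" if gpo.get("version_mismatch") else "ok")
```

Run against a real log, the mismatched_gpos list tells you which GPO to feed to Gpotool and which domain controller the client was talking to, before anyone starts editing the GPO again.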
Note
The last policy that runs always wins. Policies are cumulative, and where two configure
the same setting, the one processed last is the one that takes effect. Remember that
policies are refreshed in the background, by default, every 5 minutes on domain
controllers and every 90 minutes (plus a random offset of up to 30 minutes) on
workstations and member servers. These intervals are configurable via Group Policy itself.
Both the Computer and User Administrative Templates nodes have an easily missed feature
that lets you quickly see what is configured: choose Filtering from the View menu of the
Group Policy editor and select the option to show only configured policy settings.
Other areas of the GPO (security settings, scripts, software installation, folder
redirection) cannot be shown with this method.
This feature is available for Windows 2000, Windows 2003, and Windows XP Professional
clients.
Windows 2003 and Windows XP have the excellent Resultant Set of Policy and Help and
Support Center tools to show which Group Policy settings have been enabled. However, the
filtering feature shown in Figure 204 is still useful when you are using Active Directory
Users and Computers or Active Directory Sites and Services to troubleshoot current policy
settings.
All Group Policy processing events are logged to the Application event log (source Userenv)
with a minimum of detail. To get verbose results for troubleshooting, the registry must be
edited to enable diagnostic logging: add the REG_DWORD value
RunDiagnosticLoggingGroupPolicy, set to 1, under HKEY_LOCAL_MACHINE\Software\
Microsoft\Windows NT\CurrentVersion\Diagnostics. Once edited, the Application log
records additional events showing which GPO is being applied and by which client-side
extension.
Using Gpmonitor
Knowledge Check: Section Review
6. Which local security tool shows both local and effective settings applied?
7. Which syntax used with Gpresult shows the most detail possible?
ABC Acronyms
The following acronyms are used in this section:
Using the Group Policy
Management Console
Section Topics
What Is the GPMC?
Installing the GPMC
Backing Up and Restoring GPOs
Importing GPOs
Copying GPOs
Searching for Existing GPOs
Integration of RSoP Functionality
WMI Filters
Knowledge Guide
Section Objectives
Section Overview
This section covers a downloadable console from Microsoft that was released after
Windows 2003 Server went to market. The Group Policy Management Console is
intended as a one-stop shop for Group Policy administration, and may be the most
useful tool a Group Policy administrator can have.
The Problem
Think about the various actions you occasionally need to perform with Group Policy and
the tools that you need to carry them out:
Action Tool
Create or modify site-based policy Active Directory Sites and Services
Create or modify domain-based policy Active Directory Users and Computers
Create or modify OU-based policy Active Directory Users and Computers
Create or modify local policy Local Group Policy
Predict policy effects Resultant Set of Policy
Report policy effects Resultant Set of Policy
Print GPO settings Resultant Set of Policy
Perform security group filtering DACL editor for the specific GPO
Delegate Group Policy links Delegation of Control wizard
Figure 207: Actions and Tools Used with Group Policy
Consider that you must generally navigate several menus, submenus, property sheets, and
dialog boxes in any of the above tools and you begin to appreciate that working with
Group Policy is something of a chore.
The Group Policy Management Console is a free download from Microsoft. As of this
writing, you can obtain the installation package at the following URL:
www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=F39E9D60-
7E41-4947-82F5-3330F37ADFEB
Alternatively, you may open www.microsoft.com and search for GPMC to get there.
Installation Requirements
The GPMC requires either Windows 2003 Server (member server or domain controller) or
Windows XP Professional to run.
GPMC does not run on a Windows 2000 Professional or Windows 2000 Server
machine of any kind, even though GPMC can administer a Windows 2000
network.
GPMC does not run on any 64-bit version of Windows.
Other features of GPMC include:
Licensing: You do not need a separate software license to run GPMC, and at
this writing, you can run it on as many computers as you like, so long as you
have at least one Windows 2003 Server license. It is not clear what your
permitted uses are if your network has only Windows 2000 Servers.
Domain member: The computer on which you run GPMC must be a member
of a domain in the forest that you wish to administer, or a domain that has a
trust with that forest. That is, you cannot run GPMC on a computer that
belongs to a workgroup.
Domain controllers: In order to support the signed-and-encrypted LDAP
communications that GPMC uses, GPMC requires that any Windows 2000
Server domain controllers be running SP2 or higher, and that any Windows
2000 Server domain controllers in a separate forest to which you connect be
running SP3 or higher.
Notes for XP: If you want to run the console on Windows XP, you need to
fulfill additional requirements:
- You must have SP1.
- You must have the Microsoft .NET Framework.
- GPMC requires hotfix Q326469 (which updates gpedit.dll to version
5.1.2600.1186), but the GPMC installer will offer to install this for you if
you do not already have it.
Figure 209: Group Policy Tab of Active Directory Users and Computers
The first time you open the GPMC after installing it, you will see a top-level node
corresponding to the forest that your computer account resides in. Under the forest node
will appear the following subnodes:
Domains
Sites
Group Policy Results
Group Policy Modeling (Windows 2003 Server only)
Right-click the Domains node, choose Show Domains, and select the domain or domains
that you wish to view by checking the appropriate boxes. You can show multiple domains
in the console pane at the same time, although their DNS structure will not affect their
placement in the console.
You can connect to a different forest, if desired, by right-clicking the top node (Group
Policy Management) and choosing Add Forest. However, the forest you add must be
trusted by the forest you are already in.
As usual with MMCs, the Action menu mirrors the context menu for each node. The
contents of the details pane change depending on what is selected in the console pane. And
you can expand nodes by clicking the plus (+) sign next to them (whether anything is there
or not).
This problem crops up when you are administering a Windows 2000 Server that is acting
as a domain controller and GPMC warns that the permissions on a GPO in Sysvol are
inconsistent with those in Active Directory. Due to a bug in the dcpromo code, the Sysvol
component of Group Policy objects is flagged to inherit permissions from its parent
folder, which triggers the warning.
Microsoft advises that if you see this, you should let the GPMC fix the problem, at which
time it will remove the inheritance flag and you will not see the warning again. Before
you click OK, confirm that the Active Directory ACL on that GPO is the one you intend,
because GPMC makes the Sysvol permissions match Active Directory, not the other way
round.
[Figure: Backup, Restore, Copy (creates new GPO) and Import between a live GPO in Domain A, a backup folder, and a live GPO in Domain B]
Considering the importance of Group Policy objects, having backups is highly desirable.
Yes, the GPOs do exist in Active Directory and the Sysvol shares, so if you have multiple
domain controllers, you already have redundancy. What you do not have, without the
GPMC, is a convenient way of restoring individual GPOs and importing GPO settings into
other GPOs, both of which are capabilities that are enabled by the GPMC backup facility.
Backing up refers to the process of copying the contents of a live GPO into any
specified folder location on the PC or network where you have write
permissions (see Figure 212).
You can back up multiple policy objects to the same folder.
You can back up multiple versions of the same policy object to the same folder.
Backed-up GPOs may be restored or imported.
The GPMC includes a user interface for managing backed-up policy objects
(right-click the Group Policy Objects node and choose Manage Backups).
You can manage the backups that you have created by right-
clicking the Group Policy Objects node and choosing Manage
Backups. In the dialog box that then appears, you will see the
following information:
Backup location
List of backed up GPOs, including domain, name,
timestamp, description, and GPO ID
A checkbox to Show only the latest version of
each GPO
A Restore button, which restores the selected GPO to
its original domain
A Delete button
A View Settings button, which generates an HTML
report listing the settings in the selected GPO (a
convenient feature)
A Close button
Restoring
[Figure: Restore returns a backed-up GPO from the backup folder to its original live GPO in Domain A; Copy and Import lead to Domain B]
When you are restoring backed up files, keep in mind the following:
Restoring refers to the process of putting a backed-up GPO back into its
original location (that is, domain) with all its original settings intact (including
security settings).
Even if you are restoring a deleted GPO, it will have the same GUID it had
originally.
You cannot restore a GPO to a domain other than the one from which it was
backed up.
You would generally restore a GPO when you have deleted it and want it back, or when
you have modified it (either its contents or its ACL) and want to return it to some prior
condition; in these aspects, restoring a GPO is much the same as restoring a file or folder.
Caveats of Restoring
If you restore a deleted GPO, the links it had are not automatically restored.
You have to restore them manually.
If you restore a deleted GPO that includes software deployment settings, and
those settings included the option to uninstall when the application falls
outside the scope of management, users may see those assigned or published
applications uninstall and then reinstall, after the restoration of the GPO. This
is because Windows thinks the applications are new because they get a new
deployment object GUID after the restore (even though the GUID of the actual
GPO remains the same as it was).
If you rename a domain, you cannot restore a GPO that was backed up before
the rename operation.
[Figure: Import loads a backed-up GPO from the backup folder into an existing live GPO in Domain B; Backup, Restore and Copy shown for comparison]
Copying GPOs
[Figure: Copy creates a new GPO in Domain B directly from the live GPO in Domain A, without passing through the backup folder used by Backup, Restore and Import]
You can use the GPMC to copy and paste GPOs, either via the context menu of the GPO
or by dragging and dropping. How is this different from importing GPOs?
A copy operation always creates a new GPO at the destination location; an
import operation never does.
A copy operation always starts with an active GPO; an import operation starts
with a backed-up GPO.
Requirements
In order to copy a GPO from one location to another, the source and target locations must
have physical connectivity as well as a trust relationship. If you are copying a GPO from
one domain to another within the same forest, then this is usually not a problem. However,
if you are copying a GPO from one domain to another in a different forest, then you must
either have a forest trust in place (Windows 2003 Server only), or you must perform a
backup-and-import operation rather than a copy operation.
Migration Tables
Active Directory was not created with the idea in mind that administrators would be
copying a lot of objects between domains. Rather, the idea is that if a domain needs
something, it should generally find it within the domain.
Therefore, it is no great surprise that copying a GPO from one domain to another is not
normally a simple matter of dragging-and-dropping. You might get away with that if all
you have in a particular GPO is Administrative Templates settings, that is, registry-based
policies, but if your GPO goes further afield than that, you could have some migration
conflicts to consider.
SID Conflicts
For one thing, GPOs tend to contain domain-specific SIDs. For example, user rights (part
of the Security Settings node of a Group Policy Object) typically include references to
domain groups, such as Backup Operators.
The SID for the Backup Operators group in Domain A is not the same as the SID for the
Backup Operators group in Domain B. This is a problem, so you would need, in this case,
the ability to map the migration of SIDs. There may also be explicit, user-specific access
controls set forth in the origin domain; these, too, would need to map over to different
SIDs in the destination domain.
The types of policies that could include SID information, and therefore possibly need
remapping, include the following:
File system permissions (NTFS)
Folder redirection
Software settings (specifically, ACLs on software deployment objects)
User rights assignments
UNC Conflicts
Another potential migration problem arises from the fact that some GPOs contain settings
that reference specific network paths, using UNC notation. For example, an assigned
application may specify a distribution point within the domain; in fact, it is likely to do so.
When that policy moves to a new domain, the distribution point may no longer be
available due to permissions issues. Even if it is available, there may be performance
problems associated with the cross-domain traffic, and administrative problems as well
("Your domain's distribution point is too slow." "Is not." "Is too.").
The types of policies that could include UNC information, and therefore possibly need
remapping, include the following:
Folder redirection
Software settings
Logon, logoff, startup, and shutdown scripts
The sample migration table included by Microsoft with the GPMC appears in Figure 218
and illustrates many of the possible combinations of format for each of the three columns
(Source Name, Source Type, Destination Name).
Note especially the <Map by Relative name> entry in the Destination Name column.
This is shorthand for "replace the original domain name with the destination domain
name, but keep everything else the same." That is, testdomain1\Group02 would become
testdomain2\Group02.
Note also the <Same As Source> entry in the Destination Name column. This is
shorthand for "don't change a thing." In fact, this entry doesn't even need to be there,
except perhaps to make clear that we know the entry does not need to change.
Note
You can use migration tables when copying and when importing.
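The three kinds of Destination Name entry, applied to the SID- and UNC-bearing values a GPO carries, as an added example that is not GPMC code and not part of the course material. It applies <Map by Relative name> by swapping only the domain part of a DOMAIN\name or name@domain reference, passes <Same As Source> through, substitutes explicit destinations, and leaves anything absent from the table unchanged, which is the case that fails silently after a cross-domain copy (a raw SID from the source domain means nothing in the destination). Domain names, server names, the account names and the SID are constructed; the Source Type strings follow the GPMC column but are not validated here.

```python
"""Applying a GPMC-style migration table during a cross-domain copy or import.

Added example; not GPMC code.  Handles the three Destination Name forms:
an explicit name, <Same As Source> and <Map by Relative name>.  Values not in
the table pass through unchanged.  All names below are constructed.
"""
from typing import Dict, List, Tuple

MAP_BY_RELATIVE = "<Map by Relative name>"
SAME_AS_SOURCE = "<Same As Source>"

# (Source Name, Source Type, Destination Name), the three GPMC table columns.
MigrationTable = List[Tuple[str, str, str]]
# (original value, migrated value, rule that was applied)
MigrationResult = Tuple[str, str, str]


def map_relative(value: str, dest_netbios: str, dest_dns: str) -> str:
    """Replace only the domain component of DOMAIN\\name or name@domain.dns;
    anything without a domain component (a raw SID, a UNC path) is returned as is."""
    if value.startswith("\\\\"):
        return value                            # UNC paths have no domain part to map
    if "\\" in value:
        _, _, account = value.partition("\\")
        return f"{dest_netbios}\\{account}"
    if "@" in value:
        account, _, _ = value.partition("@")
        return f"{account}@{dest_dns}"
    return value


def apply_migration_table(table: MigrationTable, values: List[str],
                          dest_netbios: str, dest_dns: str) -> List[MigrationResult]:
    """Migrate every security principal or path the GPO references.
    Matching on Source Name is case-insensitive, as Windows names are."""
    lookup: Dict[str, Tuple[str, str]] = {src.lower(): (kind, dest) for src, kind, dest in table}
    results: List[MigrationResult] = []
    for value in values:
        entry = lookup.get(value.lower())
        if entry is None:
            results.append((value, value, "not in table"))   # silently kept: check these
            continue
        _kind, dest = entry
        if dest == SAME_AS_SOURCE:
            results.append((value, value, SAME_AS_SOURCE))
        elif dest == MAP_BY_RELATIVE:
            results.append((value, map_relative(value, dest_netbios, dest_dns), MAP_BY_RELATIVE))
        else:
            results.append((value, dest, "explicit"))
    return results


# Constructed table and GPO references (domains, servers, accounts and SID invented).
SAMPLE_TABLE: MigrationTable = [
    ("TESTDOMAIN1\\Group02", "Domain Global Group", MAP_BY_RELATIVE),
    ("svc_backup@testdomain1.local", "User", MAP_BY_RELATIVE),
    ("BUILTIN\\Administrators", "Free Text or SID", SAME_AS_SOURCE),
    ("\\\\fs1.testdomain1.local\\Apps", "UNC Path", "\\\\fs9.testdomain2.local\\Apps"),
]
SAMPLE_VALUES = [
    "TESTDOMAIN1\\Group02",                              # user rights assignment
    "svc_backup@testdomain1.local",                      # ACL entry on a deployment object
    "BUILTIN\\Administrators",                           # same in every domain
    "\\\\fs1.testdomain1.local\\Apps",                   # software distribution point
    "S-1-5-21-1004336348-1177238915-682003330-1011",     # raw SID nobody put in the table
]

if __name__ == "__main__":
    for original, migrated, rule in apply_migration_table(
            SAMPLE_TABLE, SAMPLE_VALUES, "TESTDOMAIN2", "testdomain2.local"):
        flag = "  <-- verify" if rule == "not in table" else ""
        print(f"{original:48} -> {migrated:48} [{rule}]{flag}")
```

Anything reported as "not in table" deserves a look before the copy goes live: a source-domain SID left in a user rights assignment or an NTFS ACL is simply unresolvable in the destination domain, and the policy will apply without that entry.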
In a large Active Directory environment, you may find it convenient to be able to search
for GPOs by several different criteria. The GPMC has a fairly advanced search facility to
satisfy this need. You can activate the search feature on a per-domain or per-forest basis,
as follows:
- Right-click a specific domain and choose Search.
- Right-click a specific forest and choose Search.
You can specify a specific condition to search by, or, to create a more complex and precise
search, you can create a list of conditions. For example, in Figure 219, the first search
criterion (already defined) is "User Configuration Contains Software Installation", and
the next search criterion (about to be added with a click of the Add button) is "GPO
Links Exist in corphq.i-sw.com".
When creating a search criterion, specify a search item, a condition, and a value.
- The Search Item specifies what kind of item you are looking for; for example,
a GPO name, a user configuration setting, or a GPO GUID.
- The Condition is really more correctly referred to as an operator and relates
the search item to the value. Example conditions are Contains, Exist in, Has
This Explicit Permission, Is, Is Not, and so on. The available conditions
depend on what you choose for your search item.
- The Value is the syntactical object of the operator, specifying the precise
details of what your search is to find. It might be a specific domain or OU
name, a particular kind of policy setting, or a certain security permission.
Here is a list of choices you can select from the Search Item drop-down list:
- GPO Name: You can specify the exact name, or a substring.
- GPO Link: You can specify links that exist, or do not exist, in specific
domains or sites. This setting is useful for finding GPOs with cross-domain
links, as well as GPOs with no links at all.
- Security Group: You can specify to search for GPOs where security groups
have or do not have apply, edit, and read permissions, either explicitly or
effectively.
- Linked WMI Filter: You specify the name of the filter.
- User Configuration: You can specify to search for GPOs where the User
Configuration half of the policy object contains, or does not contain, Folder
Redirection, IE Branding, Registry, Scripts, or Software Installation
settings.
- Computer Configuration: You can specify to search for GPOs where the
Computer Configuration half of the policy object contains, or does not
contain, EFS Recovery, IP Security, Disk Quota, QoS Packet Scheduler,
Registry, Scripts, Security, Software Installation, or Wireless Group Policy
settings.
- GPO GUID: You specify the globally unique identifier for the GPO.
Caution
The search facility has a known bug in that it can return false
positives when settings in the following categories are made, then
later removed:
- EFS
- Folder Redirection
- IE Maintenance
- Security Settings
- Software Installation
Group Policy Results in the GPMC corresponds to RSoP logging mode and presents
real information reflecting actual policy applications. It is available in Active Directory
forests running either Windows 2000 Server or Windows 2003 Server.
To start a Group Policy Results run, right-click the Group Policy Results node in the console
pane of the GPMC window and choose Group Policy Results Wizard.
The wizard prompts you to make the following choices:
- Specify which computer you want to process: the local computer or a different
computer that you specify.
- Display policy settings for the user object only, not the computer object. (This
is a checkbox.)
- Specify which user account you want to process: the current logged-on user or
a different user that you specify. (You are limited to users who have logged on
to your PC and whose accounts you have read access for.)
When the run is complete, the details pane of the GPMC fills up with three tabs:
- Summary: An HTML report of the GPO list, security group memberships, and WMI filters
- Settings: An HTML report of the policy settings that would be applied in the scenario
- Events: A pull of policy-related events from the event log of the target computer,
and a useful troubleshooting resource
These three tabs correlate with a new subnode in the console pane under the Group Policy
Results node. These subnodes will continue to accumulate with every new run of the
wizard. By right-clicking the subnode corresponding to a specific session, you can:
- Save the results to disk
- Run the query again
- Run a new query with this one as a template
- Choose Advanced View to invoke the RSoP console and view precedence information
that does not appear in the HTML Settings report. (The latter reports only the
winning GPO.)
Note
Even though they are not always complete, the GPMC finally provides the ability to
generate HTML-format reports that you can save and print.
Any user with read access to a given GPO can open GPMC and view or report its settings,
which is a boon to IT support personnel and OU administrators.
You even have a modicum of control over what appears on the report, via the Show and
Hide links at each section header. You can also click Show All at the top of the report to
fully expand all sections.
The GPMC allows you to report on the settings contained in any
particular GPO.
- Right-click on an entry under Group Policy Objects, and choose Save
Report to create an HTML file with the settings (see Figure 221). The
report contains the full contents of the Settings tab, plus information from
the Scope, Details, and Delegation tabs.
- Right-click anywhere in the Settings tab and choose Print to print the
report as it appears on the screen.
The GPMC also allows you to report on the results of an RSoP session (that is,
Group Policy Results or Group Policy Modeling).
- Right-click a saved session under Group Policy Results or Group Policy
Modeling and choose Save Report to create an HTML file with the
settings.
- Right-click anywhere in the Settings tab and choose Print to print the
report as it appears on the screen.
WMI Filters
Although we have the ability to filter the application of Group Policy objects by
modifying the ACLs for the policy links (security group filtering), it might be nice to
control policy application based on specific attributes of an individual client computer.
That is what WMI filtering is all about.
WMI stands for Windows Management Instrumentation, and it provides a mechanism to
glean various details of a computer's configuration through a programmatic interface. In
many respects, WMI is similar to SNMP.
WMI runs on Windows 2000, Windows XP, and Windows 2003 platforms. Figure 222
shows some of the data that WMI manages, in this case on a Windows 2000 Professional
machine. You can access this data by choosing Properties for the WMI Control object in
the Computer Management console.
A WMI filter is a collection of one or more queries (really conditions) written in WQL. A
query might specify, for example, that a computer be running at least a Pentium III
processor, or have a minimum OS version number. When you build a WMI filter and
apply it to a GPO, the GPO will apply only if the queries in the filter are all satisfied.
So, for example, you could create a GPO that would apply only to computers with at least
a Pentium III CPU. That sort of capability could come in handy, for example, when you
are thinking of deploying a processor-intensive application.
Restrictions
WMI filtering has a raft of conditions associated with it, making it unsuitable at present
for deployment in mixed-mode networks. Here is what you should know:
- Only Windows XP Professional clients support WMI filters. Windows 2000
Professional clients (and earlier) will ignore them and will always apply
policies just as if the WMI filter did not exist.
- Only Windows 2003 Server networks and Windows 2000 Server networks that
have been prepped for Windows 2003 Server via the adprep /domainprep
command on the Windows 2003 Server CD support WMI filters.
- WMI filters are domain-local in scope. That is, you cannot link a WMI filter to
a GPO in a different domain.
- Any given GPO may have only one associated WMI filter. (That is not too
much of a restriction when you consider that a filter may have a long list of
queries contained within it.)
If these restrictions do not rule out WMI filters for your network environment, then you
need to know how to implement them. Doing so comprises two steps:
- Creating the filter
- Linking the filter to a GPO
Real-World Application
WQL is similar to SQL, so if you are familiar with SQL, all you need are the specifics for the
WMI data classes.
One good way to get familiar with the WMI classes is to use the graphical tool
wbemtest.exe, which you can run from a command prompt (see Figure 223).
Note the namespace, which you need to specify via the Open Namespace button if it is
anything other than root\cimv2.
If you click the Enum Classes button, then choose Recursive and click OK, you will see
a dialog box like the one shown in Figure 224.
Then, if you double-click the item and choose the Instances button, you can see the
instances of objects of that class on the machine. For example, you would learn that the
Name property of the Win32_BIOS class on this machine is PhoenixBIOS 4.0 Release
6.0.3. Another way to express this is:
Win32_BIOS.Name = "PhoenixBIOS 4.0 Release 6.0.3"
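To tie the filter rules from the previous pages to the WQL you see in wbemtest.exe, here is an added example written for this section (not code from the course, the GPMC, or Microsoft). It evaluates a two-query WMI filter the way the text describes, every query must return at least one instance, against a constructed stand-in for a client's WMI repository; the repository contents, the query parser and the filter itself are assumptions, and only the Win32_BIOS name comes from the text.

```python
import re

# Constructed stand-in for one client's WMI repository (class -> instances).
# All values are made up except the BIOS name, which is the one shown in the text.
XP_CLIENT = {
    "Win32_OperatingSystem": [{"Caption": "Windows XP Professional", "Version": "5.1.2600"}],
    "Win32_Processor": [{"Name": "Intel Pentium III processor"}],
    "Win32_BIOS": [{"Name": "PhoenixBIOS 4.0 Release 6.0.3"}],
}

# A filter of the kind the text describes: at least a Pentium III, and at least XP.
PENTIUM3_XP_FILTER = [
    "SELECT * FROM Win32_Processor WHERE Name LIKE '%Pentium III%'",
    "SELECT * FROM Win32_OperatingSystem WHERE Version >= '5.1'",
]

# Single-condition subset of WQL: SELECT * FROM Class [WHERE Prop op 'literal']
_QUERY = re.compile(r"SELECT\s+\*\s+FROM\s+(\w+)"
                    r"(?:\s+WHERE\s+(\w+)\s*(>=|<=|!=|<>|=|>|<|LIKE)\s*'([^']*)')?\s*$",
                    re.IGNORECASE)

def _matches(value, op, literal):
    """LIKE uses the % and _ wildcards; every other operator compares the property
    as case-insensitive text, as WQL does for string properties such as Version.
    That is why '10.0.x' >= '5.1' is FALSE: the first characters are compared."""
    if op.upper() == "LIKE":
        pattern = re.escape(literal).replace("%", ".*").replace("_", ".")
        return re.fullmatch(pattern, str(value), re.IGNORECASE) is not None
    a, b = str(value).lower(), literal.lower()
    return {"=": a == b, "!=": a != b, "<>": a != b, ">": a > b,
            ">=": a >= b, "<": a < b, "<=": a <= b}[op]

def run_query(query, repo):
    """Return the instances in `repo` that satisfy one WQL query."""
    m = _QUERY.match(query.strip())
    if not m:
        raise ValueError(f"unsupported WQL: {query}")
    cls, prop, op, literal = m.groups()
    instances = repo.get(cls, [])
    if prop is None:
        return list(instances)
    return [i for i in instances if prop in i and _matches(i[prop], op, literal)]

def wmi_filter_applies(queries, repo, client_evaluates_filters=True):
    """The GPO applies only if EVERY query returns at least one instance.
    Windows 2000 clients ignore WMI filters, so for them the GPO always applies."""
    if not client_evaluates_filters:
        return True
    return all(run_query(q, repo) for q in queries)
```

The text-comparison behaviour means a "minimum OS version" condition written as a plain >= comparison stops matching once the major version gains a digit, so such conditions need a LIKE pattern or an explicit list of versions.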
You can continue to explore the wbemtest.exe utility until you become familiar with the
wide range of classes and properties available. Then, read the examples of WQL provided
in the GPMC help system. You may also get some good information on WMI scripting at
the following URL:
www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/scrguide/sas_wmi_overview.asp
After you have built a WMI filter, you need to link it to a GPO for it to become useful. In
the GPMC, this is as simple as dragging the WMI filter object onto the GPO of interest.
Other ways to accomplish the same thing include:
- Pulling down the WMI Filtering list on a GPO's Scope tab in the GPMC.
- Right-clicking in the "GPOs that use this WMI filter" list on the General tab of the
filter in the GPMC.
Knowledge Check
Section Review
2. What type of software license do you need to use the GPMC in your network?
3. Name the four major nodes that appear under the forest icon in the console.
9. What is the tool that you can use to learn about WMI classes and properties?
Acronyms
The following acronyms are used in this section: