PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright © 2005 by Darren Mar-Elia, Derek Melber, and William Stanek
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.
Library of Congress Control Number: 2005922203
Printed and bound in the United States of America
Send comments to rkinput@microsoft.com.
Microsoft, Active Desktop, Active Directory, ActiveX, Authenticode, FrontPage, Hotmail, InfoPath, IntelliMouse, JScript, Microsoft Press, MSDN, MS-DOS, MSN, NetMeeting, OneNote, Outlook, PivotTable, PowerPoint, SharePoint, Visio, Visual Basic, Win32, Windows, Windows Media, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
This book expresses the authors’ views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.
Acquisitions Editor: Martin DelRe
Project Editor: Karen Szall
Copy Editor: Ina Chang
Technical Editor: Mitch Tulloch
Indexer: Julie Bess
Compositor: Dan Latimer
Body Part No. X11-06980
“The Microsoft® Windows® Group Policy Guide is a ‘must have’ for any IT Professional looking to actively manage their desktops and servers! It contains a comprehensive collection of guidance on all aspects of Group Policy.”
Michael Dennis
Lead Program Manager, Group Policy at Microsoft
Thanks to Karen for keeping me motivated and to Sid for walking on top of my keyboard repeatedly as I tried to work.
— Darren Mar-Elia
Thanks to my family for being there in the hard times and the good times.
— Derek Melber
To my wife and children, keeping the dream alive.
— William R. Stanek
About the Authors
Darren Mar-Elia (http://www.gpoguy.com) is Quest Software’s CTO for Windows Management and a Microsoft MVP for Group Policy. Darren has more than 18 years of experience in systems and network administration, design, and architecture. Darren is a contributing editor for Windows IT Pro Magazine. He has written and contributed to ten books on Windows NT and Windows 2000, including Upgrading and Repairing Networks (Que, 1996), The Definitive Guide to Windows 2000 Group Policy (NetIQ, FullArmor, and Realtimepublishers.com), and Tips and Tricks Guide to Group Policy (NetIQ, FullArmor, and Realtimepublishers.com). You can reach Darren by sending him e-mail at darren@gpoguy.com.
Derek Melber is a technical instructor, consultant, and author. Derek holds a Masters degree from the University of Kansas. He also has Microsoft Certified Systems Engineer (MCSE) certification and Certified Information Security Manager (CISM) certification. A Microsoft MVP with 15 years of experience in solution development, training, public speaking, and consulting, Derek has used his experience and knowledge to write numerous books on Windows Active Directory, Group Policy, security, auditing, and certifications. Derek offers both training and consulting on Group Policy, and he has developed and trained over 100,000 technical professionals around the world. To contact Derek for training, consulting, or questions, e-mail him at derekm@braincore.net.
William R. Stanek (http://www.williamstanek.com) has 20 years of hands-on experience with advanced programming and development. He is a leading technology expert, an award-winning author, and an exceptional instructor who teaches courses in Microsoft Windows, SQL Server, Exchange Server, and IIS administration. Over the years, his practical advice has helped millions of programmers, developers, and network engineers all over the world. His 50+ books have more than three million copies in print. Current and forthcoming books include Microsoft Windows Server 2003 Inside Out (Microsoft Press, 2004), Microsoft Windows XP Professional Administrator’s Pocket Consultant, Second Edition (Microsoft Press, 2004), Microsoft Windows Server 2003 Administrator’s Pocket Consultant (Microsoft Press, 2003), and Microsoft IIS 6.0 Administrator’s Pocket Consultant (Microsoft Press, 2003). To contact William, visit his Web site (http://www.williamstanek.com) and send him an e-mail.
Thank you to those who contributed to the Microsoft Windows Group Policy Guide.
Group Policy Lead Program Manager: Michael Dennis
Technical Contributors: John Kaiser, Anshul Rawat, Mark Williams, Dan Fritch,
Kurt Dillard, Adam Edwards, Stacia Snapp, Tim Thompson, Scott Cousins, Jennifer Hendrix, Gary Ericson, John Hrvatin, Drew Leaumont, Michael Surkan, Joseph Davies, David Beder, Mohammed Samji, Bill Gruber, Patanjali Venkatacharya, Mike Stephens, Michael Dennis, Paul Barr, Mike Jorden, Tarek Kamel, Mike Treit, Judith Herman, Rhynier Myburgh, Colin Torretta
From the Microsoft Press editorial team, the following individuals contributed to the
Microsoft Windows Group Policy Guide:
Product Planner: Martin DelRe
Project Editor: Karen Szall
Technical Reviewer: Mitch Tulloch
Copy Editor: Ina Chang
Production Leads: Dan Latimer and Elizabeth Hansford
Indexer: Julie Bess
Art production: Joel Panchot and William Teel
Contents at a Glance
Part I Getting Started with Group Policy
1 Overview of Group Policy 3
2 Working with Group Policy 21
3 Advanced Group Policy Management 53
Part II Group Policy Implementation and Scenarios
4 Deploying Group Policy 99
5 Hardening Clients and Servers 135
6 Managing and Maintaining Essential Windows Components 217
7 Managing User Settings and Data 253
8 Maintaining Internet Explorer Configurations 289
9 Deploying and Maintaining Software Through Group Policy 317
10 Managing Microsoft Office Configurations 369
11 Maintaining Secure Network Communications 397
12 Creating Custom Environments 439
Part III Group Policy Customization
13 Group Policy Structure and Processing 473
14 Customizing Administrative Templates 515
15 Security Templates 553
Part IV Group Policy Troubleshooting
16 Troubleshooting Group Policy 581
17 Resolving Common Group Policy Problems 625
Part V Appendixes
A Group Policy Reference 661
B New Features in Windows Server 2003 Service Pack 1 669
C GPMC Scripting 687
D Office 2003 Administrative Template Highlights 705
What do you think of this book?
We want to hear from you!
Microsoft is interested in hearing your feedback about this publication so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit: www.microsoft.com/learning/booksurvey/
Contents
Foreword xxvii
Introduction xxix
Part I Getting Started with Group Policy
1 Overview of Group Policy 3
Understanding Group Policy 4
What It Does 4
How It Works 5
Using and Implementing Group Policy 6
Using Group Policy in Workgroups and Domains 6
Working with Group Policy Objects 6
Getting Started with Group Policy 7
Understanding Group Policy Settings and Options 7
Using Group Policy for Administration 8
Understanding the Required Infrastructure for Group Policy 10
DNS and Active Directory 10
Applying Active Directory Structure to Inheritance 11
Examining GPO Links and Default GPOs 12
Understanding GPO Links 12
Working with Linked GPOs and Default Policy 13
Summary 19
2 Working with Group Policy 21
Navigating Group Policy Objects and Settings 22
Connecting to and Working with GPOs 22
Applying Group Policy and Using Resultant Set of Policy 23
RSoP Walkthrough 27
Managing Group Policy Objects 28
Managing Local Group Policy 29
Managing Active Directory–Based Group Policy 32
Creating and Linking GPOs 39
Creating and Linking GPOs for Sites 39
Creating and Linking GPOs for Domains 41
Creating and Linking GPOs for OUs 43
Delegating Privileges for Group Policy Management 45
Determining and Assigning GPO Creation Rights 45
Determining Group Policy Management Privileges 47
Delegating Control for Working with GPOs 49
Delegating Authority for Managing Links and RSoP 50
Removing Links and Deleting GPOs 51
Removing a Link to a GPO 51
Deleting a GPO Permanently 51
Summary 52
3 Advanced Group Policy Management 53
Searching and Filtering Group Policy 54
Filtering Policy Settings 54
Searching Policy Objects, Links, and Settings 56
Filtering by Security Group, User, or Computer 59
Managing Group Policy Inheritance 61
Changing Link Order and Precedence 62
Overriding Inheritance 64
Blocking Inheritance 65
Enforcing Inheritance 66
Managing Group Policy Processing and Refresh 68
Changing the Refresh Interval 70
Enabling or Disabling GPO Processing 72
Changing Policy Processing Preferences 73
Configuring Slow Link Detection 75
Refreshing Group Policy Manually 80
Modeling and Maintaining Group Policy 80
Modeling Group Policy for Planning Purposes 81
Copying and Importing Policy Objects 85
Backing Up GPOs 89
Restoring Policy Objects 91
Determining the Effective Group Policy Settings and Last Refresh 93
Summary 96
Part II Group Policy Implementation and Scenarios
4 Deploying Group Policy 99
Group Policy Design Considerations 100
Active Directory Design Considerations 100
Physical Design Considerations 104
Remote Access Connection Design Considerations 105
GPO Application Design Considerations 106
Additional GPO Design Considerations 113
Controlling GPO Processing Performance 115
Common Performance Issues 115
Performance Tips 117
Best Practices for Deploying GPOs 121
Choosing the Best Level to Link GPOs 121
Resources Used by GPOs 124
Software Installation 124
Designing GPOs Based on GPO Categories 125
Limit Enforced and Block Policy Inheritance Options 125
When to Use Security Filtering 126
When to Use WMI Filters 126
Network Topology Considerations 127
Limiting Administrative Privileges 128
Naming GPOs 129
Testing GPOs Before Deployment 129
Migrating GPOs from Test to Production 130
Migrating GPOs from Production to Production 130
Using Migration Tables 130
Summary 134
5 Hardening Clients and Servers 135
Understanding Security Templates 136
Default Security Templates 136
Sections of the Security Template 142
Tools for Accessing, Creating, and Modifying Security Templates 150
Using the Security Configuration Wizard 152
Deploying Security Templates 161
Importing Security Templates into GPOs 161
Using the Security Configuration and Analysis Tool 162
Using the Secedit.exe Command-Line Tool 162
Using the Security Configuration Wizard and the scwcmd Command 163
General Hardening Techniques 164
Closing Unnecessary Ports 164
Disabling Unnecessary Services 165
Tools Used in Hardening Computers 166
Server Hardening 168
Member Servers 168
Domain Controllers 187
File and Print Servers 190
Web Servers 191
Client Hardening 192
Ports Required for Clients 205
Restricted Groups for Clients 206
Client Computers for IT Staff and Administrators 206
Client Computers for Help Desk Staff 208
Troubleshooting 210
Security Areas and Potential Problems 210
Tools 213
Summary 215
6 Managing and Maintaining Essential Windows Components 217
Configuring Application Compatibility Settings 218
Optimizing Application Compatibility Through Group Policy 218
Configuring Additional Application Compatibility Settings 219
Configuring Attachment Manager Settings 220
Working with Attachment Manager 220
Configuring Risk Levels and Trust Logic in Group Policy 221
Configuring Event Viewer Information Requests 224
Using Event Viewer Information Requests 224
Customizing Event Details Through Group Policy 225
Controlling IIS Installation 225
Configuring Access to and Use of Microsoft Management Console 226
Blocking Author Mode for MMC 227
Designating Prohibited and Permitted Snap-Ins 227
Requiring Explicit Permission for All Snap-Ins 228
Optimizing NetMeeting Security and Features 228
Configuring NetMeeting Through Group Policy 229
Enabling Security Center for Use in Domains 230
Managing Access to Scheduled Tasks and Task Scheduler 230
Managing File System, Drive, and Windows Explorer Access Options 231
Hiding Drives in Windows Explorer and Related Views 232
Preventing Access to Drives in Windows Explorer and Related Views 233
Removing CD-Burning and DVD-Burning Features in Windows Explorer and Related Views 234
Removing the Security Tab in Windows Explorer and Related Views 235
Limiting the Maximum Size of the Recycle Bin 235
Optimizing the Windows Installer Configuration 236
Controlling System Restore Checkpoints for Program Installations 237
Configuring Baseline File Cache Usage 237
Controlling Rollback File Creation 238
Elevating User Privileges for Installation 239
Controlling Per-User Installation and Program Operation 240
Preventing Installation from Floppy Disk, CD, DVD, and Other Removable Media 241
Configuring Windows Installer Logging 241
Optimizing Automatic Updates with Windows Update 243
Enabling and Configuring Automatic Updates 243
Controlling Auto Download and Notify for Install 246
Blocking Access to Automatic Updates 249
Designating an Update Server 249
Summary 251
7 Managing User Settings and Data 253
Understanding User Profiles and Group Policy 254
Configuring Roaming Profiles 257
Configuring the Network Share for Roaming Profiles 258
Configuring User Accounts to Use Roaming Profiles 258
Optimizing User Profile Configurations 260
Modifying the Way Local and Roaming Profiles Are Used 260
Modifying the Way Profile Data Is Updated and Changed 265
Modifying the Way Profile Data Can Be Accessed 266
Limiting Profile Size and Included Folders 269
Redirecting User Profile Folders and Data 271
Understanding Folder Redirection 272
Configuring Folder Redirection 274
Managing Computer and User Scripts 281
Working with Computer and User Scripts 282
Configuring Computer Startup and Shutdown Scripts 283
Configuring User Logon and Logoff Scripts 284
Controlling Script Visibility 285
Controlling Script Timeout 286
Controlling Script Execution and Run Technique 287
Summary 287
8 Maintaining Internet Explorer Configurations 289
Customizing the Internet Explorer Interface 290
Customizing the Title Bar Text 290
Customizing Logos 291
Customizing Buttons and Toolbars 292
Customizing URLs, Favorites, and Links 295
Customizing Home, Search, and Support URLs 295
Customizing Favorites and Links 296
Configuring Global Default Programs 299
Optimizing Connection and Proxy Settings 301
Deploying Connection Settings Through Group Policy 301
Deploying Proxy Settings Through Group Policy 303
Enhancing Internet Explorer Security 306
Working with Security Zones and Settings 306
Restricting Security Zone Configuration 308
Deploying Security Zone Configurations 309
Importing and Deploying the Security Zone Settings 313
Configuring Additional Policies for Internet Options 313
Summary 316
9 Deploying and Maintaining Software Through Group Policy 317
Understanding Group Policy Software Installation 318
How Software Installation Works 318
What You Need to Know to Prepare 319
How to Set Up the Installation Location 320
What Limitations Apply 321
Planning the Software Deployment 322
Creating Software Deployment GPOs 322
Configuring the Software Deployment 324
Deploying Software Through Group Policy 326
Deploying Software with Windows Installer Packages 326
Deploying Software with Non–Windows Installer Packages 330
Configuring Advanced and Global Software Installation Options 334
Viewing and Setting General Deployment Properties 334
Changing the Deployment Type and Installation Options 335
Defining Application Categories 338
Adding, Modifying, and Removing Application Categories 339
Adding an Application to a Category 340
Performing Upgrades 340
Customizing the Installation Package with Transforms 344
Controlling Deployment by Security Group 344
Setting Global Deployment Defaults 346
Deploying Microsoft Office and Service Packs 349
Deploying Office Through Policy 349
Deploying Windows Service Packs Through Policy 354
Maintaining Deployed Applications 354
Removing Deployed Applications 355
Redeploying Applications 356
Configuring Software Restriction Policies 356
Troubleshooting Software Installation Policy 365
Summary 368
10 Managing Microsoft Office Configurations 369
Introducing Office Configuration Management 370
Customizing Office Configurations 371
Downloading and Installing the Tools 371
Working with the Custom Installation Wizard 372
Working with the Custom Maintenance Wizard 375
Preparing the Policy Environment 377
Deploying Office Administrative Template Files 377
Creating Office Configuration GPOs 380
Managing Multiple Office Configuration Versions 381
Managing Office-Related Policy 383
Working with Office-Related Policy 383
Examining Global and Application-Specific Settings 384
Configuring Office-related Policy Settings 385
Preventing Users from Changing Office Configurations 386
Controlling Default File and Folder Locations 391
Configuring Outlook Security Options 393
Controlling Office Language Settings 394
Troubleshooting Office Administrative Template Policy 394
Summary 396
11 Maintaining Secure Network Communications 397
Understanding IPSec Policy 398
How IPSec Works 398
How IPSec Policy Is Deployed 399
When to Use IPSec and IPSec Policy 399
Managing and Maintaining IPSec Policy 401
Activating and Deactivating IPSec Policies 401
Create Additional IPSec Policies 402
Monitoring IPSec Policy 414
Deploying Public Key Policies 415
How Public Key Certificates Work 415
How Public Key Policies Are Used 416
Managing Public Key Policy 418
Understanding Windows Firewall Policy 420
How Windows Firewall Works 420
How Windows Firewall Policy Is Used 421
Managing Windows Firewall Policy 424
Configuring IPSec Bypass 425
Enabling and Disabling Windows Firewall with Group Policy 425
Managing Firewall Exceptions with Group Policy 426
Configuring Firewall Notification, Logging, and Response Requests 437
Summary 438
12 Creating Custom Environments 439
Loopback Processing 440
Replace Mode 441
Merge Mode 442
Troubleshooting Loopback 443
Terminal Services 444
Controlling Terminal Services Through Group Policy on an Individual Computer 444
Controlling Terminal Services Through Group Policy in a Domain 445
Configuring Order of Precedence 446
Configuring Terminal Services User Properties 446
Configuring License Server Using Group Policy Settings 447
Configuring Terminal Services Connections 448
Managing Drive, Printer, and Device Mappings for Clients 456
Controlling Terminal Services Profiles 459
Group Policy over Slow Links 461
Default Policy Application over Slow Links 462
Slow Link Behavior for RAS Connections 463
Slow Link Detection Group Policy Settings 463
Additional Slow Link Detection Settings for Client-Side Extensions 467
Summary 469
Part III Group Policy Customization
13 Group Policy Structure and Processing 473
Navigating Group Policy Logical Structure 474
Working with Group Policy Containers 474
Examining Attributes of groupPolicyContainer Objects 476
Examining the Security of groupPolicyContainer Objects 477
Examining GPO Creation Permissions 478
Viewing and Setting Default Security for New GPOs 479
Navigating Group Policy Physical Structure 483
Working with Group Policy Templates 483
Understanding Group Policy Versioning 486
Understanding Group Policy Template Security 488
Navigating Group Policy Link Structure 488
Examining Group Policy Linking 488
Examining Inheritance Blocking on Links 491
Understanding Group Policy Security and Links 491
Understanding Group Policy Processing 492
Examining Client-Side Extension Processing 492
Examining Server-Side Extension Processing 494
Understanding Policy Processing Events 501
Asynchronous vs. Synchronous Policy Processing 502
Tracking Policy Application 503
Tracking Slow Link Detection 505
Modifying Security Policy Processing 507
Group Policy History and State Data 507
Navigating Local GPO Structure 511
Understanding LGPO Creation and Application 511
Understanding LGPO Structure 512
Managing and Maintaining LGPOs 512
Controlling Access to the LGPO 513
Summary 514
14 Customizing Administrative Templates 515
What Is an Administrative Template? 516
Default .adm Files 516
Working with .adm Files 518
Default Installed .adm Files 518
Tips for Importing .adm Files 519
Adding .adm Files 520
Removing .adm Files 521
Managing .adm Files 522
Policies vs. Preferences 524
Creating Custom .adm Files 525
A Simple .adm File 526
Using .adm File Language 527
Structure of an .adm File 527
#if version 529
Syntax for Updating the Registry 530
Syntax for Updating the Group Policy Object Editor Interface 534
Additional Statements in the .adm Template 546
.adm File String and Tab Limits 549
Best Practices 550
Summary 552
15 Security Templates 553
Understanding the Security Template Structure 554
Account Policies 554
Local Policies 555
Event Log 556
Restricted Groups 557
System Services 558
Registry 559
File System 560
Where Security Template Settings Overlap with GPO Settings 561
Working With Security Templates 562
Security Templates Snap-in 562
Raw Security Template INF Files 563
Customizing Security Templates 563
Copying Templates 563
Creating New Security Templates 564
Customizing Security Options 564
Structure of the Sceregvl.inf File 564
Customizing the Sceregvl.inf File 570
Getting the Custom Entry to Show Up 571
Customizing Services in the Security Templates 572
Getting the Correct Service to Automatically Display 572
Acquiring the Service Syntax for the Security Template File 572
Manually Updating Services in the Security Template File 573
Microsoft Solutions for Security Settings 574
Summary 577
Part IV Group Policy Troubleshooting
16 Troubleshooting Group Policy 581
Group Policy Troubleshooting Essentials 582
Verifying the Core Configuration 582
Verifying Key Infrastructure Components 586
Verifying the Scope of Management 587
Essential Troubleshooting Tools 593
Working with Resultant Set Of Policy 593
Viewing RSoP from the Command Line 599
Verifying Server-Side GPO Health 600
Managing RSoP Logs Centrally 604
Group Policy Logging 609
Navigating the Application Event Logs 610
Managing Userenv Logging 613
Managing Logging for Specific CSEs 617
Summary 623
17 Resolving Common Group Policy Problems 625
Solving GPO Administration Problems 626
Domain Controller Running the PDC Emulator Is Not Available 626
Not All Settings Show Up in the Group Policy Editor 627
Delegation Restrictions Within the GPMC 631
Group Policy Settings Are Not Being Applied Due to Infrastructure Problems 638
Domain Controllers Are Not Available 639
Active Directory Database Is Corrupt 640
Local Logon vs. Active Directory Logon 641
SYSVOL Files Are Causing GPO Application Failure 642
Problems with Replication and Convergence of Active Directory and SYSVOL 643
DNS Problems Causing GPO Application Problems 645
Solving Implementation Problems 647
Tracking Down Incorrect GPO Settings 647
GPO Links Causing GPO Application Problems 650
Accounts Are Not Located in the Correct OU 651
Trying to Apply Group Policy Settings to Groups 652
Conflicting Settings in Two GPOs 653
Modifying Default GPO Inheritance 654
Summary 657
Part V Appendixes
A Group Policy Reference 661
Computer Configuration Reference 661
User Configuration Reference 664
B New Features in Windows Server 2003 Service Pack 1 669
Adprep 670
Administrative Tools 671
Internet Explorer Feature Control Settings 672
Managing Feature Control Settings 673
Configuring Policies and Preferences 673
Internet Explorer Administration Kit/Internet Explorer Maintenance 673
Internet Explorer URL Action Security Settings 674
Changes to Internet Explorer URL Action Security Settings 675
Resultant Set of Policy 676
Changes to RSoP in SP1 676
Administering Remote RSoP with GPMC SP1 677
Delegating Access to Group Policy Results 678
Post-Setup Security Updates 678
Security Configuration Wizard 679
Windows Firewall 681
Changes to Windows Firewall 681
Changes for Audit Logging 681
Changes for Netsh Helper 682
Windows Firewall New Group Policy Support 682
C GPMC Scripting 687
GPMC Scripting Interface Essentials 687
Understanding the GPMC Scripting Object Model 687
Creating the Initial GPM Object 689
Referencing the Domain to Manage 689
Creating and Linking GPOs 689
Automating Group Policy Security Management 693
Using the GPMC’s Prebuilt Scripts 695
Creating GPOs 696
Deleting GPOs 696
Finding Disabled GPOs 696
Finding GPOs by Security Group 697
Finding GPOs Without Active Links 697
Setting GPO Creation Permissions 697
Setting Other GPO Permissions 698
Backing Up All GPOs 698
Backing Up Individual GPOs 699
Copying GPOs 699
Importing GPOs 700
Generating RSoP Reports 700
Mirroring Your Production Environment 701
GPMC Prebuilt Script Review 702
D Office 2003 Administrative Template Highlights 705
Microsoft Access 2003 706
Microsoft Excel 2003 706
Microsoft FrontPage 2003 708
Microsoft Clip Organizer 2003 708
Microsoft InfoPath 2003 709
Microsoft Office 2003 709
Microsoft OneNote 2003 713
Microsoft Outlook 2003 715
Microsoft PowerPoint 2003 718
Microsoft Project 2003 719
Microsoft Publisher 2003 720
Microsoft Visio 2003 721
Microsoft Word 2003 722
Index 725
Foreword
The collection of writers for this book all have years of experience in using Group Policy, and, to write this book, they have all worked closely with those responsible for delivering the entire Group Policy feature set in Microsoft Windows. Their experience, coupled with their ability to explain complex concepts clearly, makes this book an invaluable resource for anyone looking to actively manage their desktops and servers.
It starts by taking a scenario-based approach, introducing the concepts of Group Policy–based management and how it leverages the Active Directory. It then explores the various areas of Windows that are controllable via Group Policy, such as security, the Windows desktop, Microsoft Internet Explorer, networking components (like the Windows Firewall), and Microsoft Office. But it doesn’t stop there; it also explores the more powerful capabilities of Group Policy, like using Group Policy–based Software Installation and how Group Policy can be extended to do even more.
Implementation of Group Policy can be done in a simple manner, and this book will make it even easier to get up and running in that regard. Group Policy is also very flexible and can be used in complex environments to solve complex management problems. This book is structured in a way that makes these more complex issues easier to understand. It also covers troubleshooting on multiple levels—from the common issues to the more complex to diagnose—and does so in a concise yet complete manner. The book rounds off by giving you pointers and links to those places where you can stay up-to-date on the latest information on Group Policy, from both Microsoft and others.
In these days of heightened security awareness and regulatory oversight, we all need to be more proactive about managing Windows desktops and servers. Group Policy gives you the power to do so, and this book makes using Group Policy a straightforward experience. So, whether you have rolled out Microsoft Active Directory or are thinking about it, this book is a must-have for you!
—Michael Dennis, Lead Program Manager, Group Policy at Microsoft
Introduction
Welcome to the Microsoft® Windows® Group Policy Guide. The Microsoft Windows Group Policy Guide covers the topic of Group Policy—quite possibly the most misunderstood product that Microsoft has ever introduced. Many system administrators, network engineers, and IT managers think of Group Policy as a complex behemoth within Active Directory® that they will never truly understand, and yet Group Policy is widely implemented because its benefits are well-known in areas of security, software distribution, and desktop lockdown. When you’ve widely implemented a product that you don’t understand, you have a real problem and a frustrating experience for everyone involved, but it doesn’t have to be that way. Group Policy is less complex, more configurable, and more manageable than you might have imagined—and step by step, chapter by chapter, you’ll learn why as you read this book.
About This Book
Microsoft Windows Group Policy Guide covers Group Policy administration for Microsoft Windows Server™ 2003, Windows XP Professional, and Windows 2000. The book is designed for Windows system administrators, network engineers, and anyone else who wants to learn the ins and outs of Group Policy. If you currently support Active Directory or you want to learn more about Group Policy, this book is for you.
This book zeroes in on the essential information that you need to effectively deploy, manage, and troubleshoot Group Policy. To pack in as much information as possible, we’re assuming that you have basic system administration skills and are familiar with Windows Server 2003 network environments. With this in mind, we don’t devote entire chapters to understanding Active Directory, DNS, or Windows Server 2003. Other books cover those topics in depth and better than we ever could; they include Microsoft Windows Server 2003 Inside Out (Microsoft Press, 2004), Microsoft Windows Server 2003 Administrator’s Companion (Microsoft Press, 2004), and Microsoft Windows Server 2003 Administrator’s Pocket Consultant (Microsoft Press, 2003). What is this book, then? It is a guide to Group Policy, which explains everything you need to know to successfully deploy, manage, and troubleshoot Group Policy.
The book has five parts:
■ Part 1, “Getting Started with Group Policy,” covers the fundamental tasks that
you need for Group Policy administration Chapter 1 provides an overview of Group Policy, discussing how it works, how it fits into a Windows network, and how you can use it Chapters 3 and 4 examine techniques for managing Group Policy
■ Part 2, “Group Policy Implementation and Scenarios,” explains the essential
tasks for deploying and using Group Policy Chapter 4 discusses how you can deploy Group Policy in a wide variety of scenarios Chapter 5 details how you can improve security through Group Policy Chapter 6 shows how you can cus-tomize the Windows desktop and user interface using Group Policy Chapter 7 shows how to manage user settings and data You’ll also learn about folder redi-rection, scripts, and profiles as they pertain to Group Policy Chapter 8 discusses how to maintain Microsoft Internet Explorer configurations and how to customize browser security settings through Group Policy Chapter 9 covers deploying software through Group Policy Chapter 10 shows how to manage Microsoft Office configurations using Group Policy Chapter 11 details how to use Group Policy to maintain network security and network communications settings Chapter 12 examines techniques for creating custom environments for com-puter labs, kiosks, special-use computers, and more
■ Part 3, “Group Policy Customization,” digs into advanced customization of Group Policy. Chapter 13 examines Group Policy structure. You’ll learn about Group Policy architecture, including how Group Policy is stored and processed. In Chapter 14, you learn about customizing administrative templates. Chapter 15 covers how to customize security templates. As you’ll discover in these chapters, Group Policy is highly customizable, and you can do a lot to optimize your Active Directory environment.
■ Part 4, “Group Policy Troubleshooting,” examines what to do when things go wrong. Chapter 16 covers troubleshooting tools and techniques. Chapter 17 provides solutions for common problems with Group Policy.
■ Part 5, “Appendixes,” provides essential references and resources. Appendix A provides a quick lookup resource, which can be used in addition to the book’s extensive table of contents and index. Appendix B looks at the new features of Windows Server 2003 Service Pack 1. Appendix C examines techniques for scripting Group Policy. Appendix D provides a reference for Office 2003 Administrative Templates.
Document Conventions
Reader alerts are used throughout the book to point out useful information.

Tip: Provides a helpful bit of inside information about specific tasks or functions.
More Info: Points to other sources of information on the topic.
Note: Alerts you to supplementary information.
Caution: Contains important information about possible data loss, breaches of security, or other serious problems.
On the CD: Identifies tools or additional information available on the CD that accompanies the book.

The following style conventions are used in documenting command-line tasks throughout this guide.

Bold font: Characters that you type exactly as shown, including commands and parameters. User interface elements also appear in boldface type.
Italic font: Variables for which you supply a specific value. For example, Filename.ext can refer to any valid file name.
Monospace font: Code samples.
%SystemRoot%: Environment variables.
Companion CD
The companion CD includes a variety of tools and scripts to help you work more efficiently with Group Policy on computers running Windows 2000, Windows XP Professional, and Windows Server 2003. Several of these tools are discussed in the book; many others are not. You can find documentation for each tool in the GroupPolicyGuideTools folder. Some of these tools are from the Microsoft Windows Server 2003 Resource Kit, so they are designed to be implemented with Windows Server 2003 operating systems.
Note The tools on the CD are designed to be used on Windows Server 2003 or Windows XP (or as specified in the documentation of the tool).
Support Policy
Microsoft does not support the tools supplied on the Microsoft Windows Group Policy Guide CD. Microsoft does not guarantee the performance of the tools or any bug fixes for these tools. However, Microsoft Press provides a way for customers who purchase Microsoft Windows Group Policy Guide to report any problems with the software and to receive feedback. To report any issues or problems, send an e-mail message to rkinput@microsoft.com. This e-mail address is only for issues related to Microsoft Windows Group Policy Guide.
Microsoft Press also provides corrections for books and companion CDs through the World Wide Web at http://www.microsoft.com/learning/support/. To connect directly to the Microsoft Knowledge Base and enter a query regarding a question or issue you have, go to http://support.microsoft.com. For issues related to the Microsoft Windows Server 2003 operating system, refer to the support information included with your product.
System Requirements
To use the tools, eBooks, and other materials on the CD, you need to meet the following minimum system requirements:
■ Microsoft Windows Server 2003 or Windows XP operating system
■ PC with 233-megahertz (MHz) or higher processor; 550-MHz or higher processor is recommended
■ 128 megabytes (MB) of RAM; 256 MB or higher is recommended
■ 1.5 to 2 gigabytes (GB) of available hard disk space
■ Super VGA (800 x 600) or higher resolution video adapter and monitor
■ CD or DVD drive
■ Keyboard and Microsoft mouse or compatible pointing device
■ Adobe Acrobat or Adobe Reader
■ Internet connectivity for tools that are downloaded
Note Actual requirements, including Internet and network access and any related charges, will vary based on your system configuration and the applications and features that you choose to install. Additional hard disk space might be required if you are installing over a network.
In this chapter, we will introduce Group Policy. You’ll learn what Group Policy does, how it can be used in both domain and workgroup settings, and what infrastructure is required to implement it. If you’re running an Active Directory® directory service network environment, you need Group Policy. Period. There’s no doubt, no question at all. Your only real question should be how to make the most of what Group Policy has to offer, given your organization’s structure and needs. Why? Because Group Policy is meant to make your life as an administrator easier. Microsoft coined the term Group Policy to describe the technology that allows you to group policy settings together and apply them in discrete sets. Group Policy is, in fact, a collection of policy settings that simplify administration of common and repetitive tasks as well as unique tasks that are difficult to implement manually but can be automated (such as deploying new software or enforcing which programs can be installed on computers).
Understanding Group Policy
Group Policy provides a convenient and effective way to manage computer and user settings.
What It Does
With Group Policy, you can manage settings for thousands of users or computers in the same way that you manage settings for one user or computer, and without ever leaving your desk. To do this, you use one of several management tools to change a setting to a desired value, and this change is applied throughout the network to a desired subset of users or computers or to any individual user or computer.
One way to think of Group Policy is as a set of rules that you can apply to help you manage users and computers. Despite common misperceptions, Group Policy does this in a way that is more intuitive than was previously possible. Still a nonbeliever? Consider for a moment that before Group Policy, many of the administrative changes that Group Policy enables were possible only by hacking the Windows registry, and each change had to be made individually on each target computer. Time consuming, tricky to implement, prone to disastrous results? You betcha.
Enter Group Policy, whereby you can simply enable or disable a policy to tweak a registry value or other setting, and the change will apply automatically to every computer you designate the next time Group Policy is refreshed. Because changes can be modeled (through the Group Policy Management Console) before the modifications are applied, you can be certain of the effect of each desired change. Plus, if you don’t like the results, you can undo a change by setting the policy back to its original or Not Configured state.
To take this scenario a step further, consider the case in which you’ve manually tweaked multiple Microsoft® Windows® registry settings on a number of machines and you start to have problems. Maybe users can’t log on, they can’t perform necessary actions, or computers aren’t responding normally. If you documented every change on every computer, you might be able to undo the changes, if you are lucky and if you properly documented the original settings as well as the changes. In contrast, Group Policy allows you to back up (“save”) the state of Group Policy before making changes. If something goes wrong, you can restore Group Policy to its original state. When you restore the state of Group Policy, you can be certain that all changes are undone with the next Group Policy refresh.
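The back-up-before-you-change workflow described above, as an added example that is not from the book or its companion CD: it uses the GroupPolicy PowerShell module (shipped with later Windows Server releases and RSAT, not the GPMC scripts this book covers), and the GPO name, backup folder, and the registry-backed policy value are placeholders chosen for illustration.

```powershell
# Added example (not from the book): snapshot a GPO, change one registry-backed
# policy setting the way the editor would, and roll back from the snapshot if the
# change misbehaves. Requires the GroupPolicy module (RSAT / Windows Server 2008 R2+).
# GPO name, backup folder, and the policy value below are placeholders.
Import-Module GroupPolicy

$GpoName    = 'Workstation Baseline'   # placeholder GPO name
$BackupRoot = 'C:\GPOBackups'          # placeholder backup folder
$RollBack   = $false                   # set to $true to undo the change

function Save-GpoState {
    param([string]$Name, [string]$Path)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    # Backup-GPO returns an object whose Id identifies this specific snapshot
    $backup = Backup-GPO -Name $Name -Path $Path -Comment "Before change $(Get-Date -Format s)"
    Write-Host "Saved GPO '$Name' as backup $($backup.Id)"
    return $backup
}

function Set-ExamplePolicy {
    param([string]$Name)
    # Same effect as enabling "Prevent access to the command prompt" in the editor:
    # the value lands under the Policies hive and is applied at the next refresh,
    # instead of an administrator editing each machine's registry by hand.
    Set-GPRegistryValue -Name $Name -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'DisableCMD' -Type DWord -Value 2 | Out-Null
}

function Undo-GpoChange {
    param([string]$Name, [string]$Path, [guid]$BackupId)
    # Restore rewrites the GPO to the saved state; clients pick it up at the next refresh
    Restore-GPO -Name $Name -Path $Path -BackupId $BackupId | Out-Null
    Write-Host "Restored GPO '$Name' from backup $BackupId"
}

$snapshot = Save-GpoState -Name $GpoName -Path $BackupRoot
Set-ExamplePolicy -Name $GpoName

# Confirm what the GPO now carries before users ever see it
Get-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\System'

# If users report problems, roll back to the snapshot rather than hunting registry edits
if ($RollBack) {
    Undo-GpoChange -Name $GpoName -Path $BackupRoot -BackupId $snapshot.Id
}
```

Run it from a domain-joined management workstation as an account with edit rights on the GPO; the restore takes effect on clients at their next Group Policy refresh.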