Microsoft Press Working Group Policy Guide, part 1


PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright © 2005 by Darren Mar-Elia, Derek Melber, and William Stanek
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by
any means without the written permission of the publisher.
Library of Congress Control Number: 2005922203
Printed and bound in the United States of America.
1 2 3 4 5 6 7 8 9 QWT 9 8 7 6 5 4 3
Distributed in Canada by H.B. Fenn and Company Ltd. A CIP catalogue record for this book is available from
the British Library.
Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/learning/. Send comments to
Microsoft, Active Desktop, Active Directory, ActiveX, Authenticode, FrontPage, Hotmail, InfoPath,
IntelliMouse, JScript, Microsoft Press, MSDN, MS-DOS, MSN, NetMeeting, OneNote, Outlook, PivotTable,
PowerPoint, SharePoint, Visio, Visual Basic, Win32, Windows, Windows Media, Windows NT, and Windows
Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries. Other product and company names mentioned herein may be the trademarks of their
respective owners.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and
events depicted herein are fictitious. No association with any real company, organization, product, domain
name, e-mail address, logo, person, place, or event is intended or should be inferred.
This book expresses the author’s views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.


Acquisitions Editor: Martin DelRe
Project Editor: Karen Szall
Copy Editor: Ina Chang
Technical Editor: Mitch Tulloch
Indexer: Julie Bess
Compositor: Dan Latimer
Body Part No. X11-06980
“The Microsoft® Windows® Group Policy Guide is a ‘must have’ for any IT Professional looking to actively manage their desktops and servers! It contains a comprehensive collection of guidance on all aspects of Group Policy.”
Michael Dennis
Lead Program Manager, Group Policy at Microsoft

Thanks to Karen for keeping me motivated and to Sid for walking
on top of my keyboard repeatedly as I tried to work.
— Darren Mar-Elia
Thanks to my family for being there in the
hard times and the good times.
— Derek Melber
To my wife and children, keeping
the dream alive.
— William R. Stanek

About the Authors
Darren Mar-Elia () is Quest Software’s CTO for Windows
Management and a Microsoft MVP for Group Policy. Darren has more than 18 years of
experience in systems and network administration, design, and architecture. Darren is
a contributing editor for Windows IT Pro Magazine. He has written and contributed to
ten books on Windows NT and Windows 2000, including Upgrading and Repairing
Networks (Que, 1996), The Definitive Guide to Windows 2000 Group Policy (NetIQ,
FullArmor, and Realtimepublishers.com), and Tips and Tricks Guide to Group Policy
(NetIQ, FullArmor, and Realtimepublishers.com). You can reach Darren by sending
him e-mail at
Derek Melber is a technical instructor, consultant, and author. Derek holds a Masters degree from the University of Kansas. He also has Microsoft Certified Systems Engineer (MCSE) certification and Certified Information Security Manager (CISM) certification. A Microsoft MVP with 15 years of experience in solution development, training, public speaking, and consulting, Derek has used his experience and knowledge to write numerous books on Windows Active Directory, Group Policy, security, auditing, and certifications. Derek offers both training and consulting on Group Policy, and he has developed and trained over 100,000 technical professionals around the world. To contact Derek for training, consulting, or questions, e-mail him at
William R. Stanek () has 20 years of hands-on experience with advanced programming and development. He is a leading technology expert, an award-winning author, and an exceptional instructor who teaches courses in Microsoft Windows, SQL Server, Exchange Server, and IIS administration. Over the years, his practical advice has helped millions of programmers, developers, and network engineers all over the world. His 50+ books have more than three million copies in print. Current and forthcoming books include Microsoft Windows Server 2003 Inside Out (Microsoft Press, 2004), Microsoft Windows XP Professional Administrator’s Pocket Consultant, Second Edition (Microsoft Press, 2004), Microsoft Windows Server 2003 Administrator’s Pocket Consultant (Microsoft Press, 2003), and Microsoft IIS 6.0 Administrator’s Pocket Consultant (Microsoft Press, 2003). To contact William, visit his Web site () and send him an e-mail.

Thank you to those who contributed to the Microsoft Windows Group Policy Guide.
Group Policy Lead Program Manager: Michael Dennis
Technical Contributors: John Kaiser, Anshul Rawat, Mark Williams, Dan Fritch,
Kurt Dillard, Adam Edwards, Stacia Snapp, Tim Thompson, Scott Cousins, Jennifer
Hendrix, Gary Ericson, John Hrvatin, Drew Leaumont, Michael Surkan, Joseph
Davies, David Beder, Mohammed Samji, Bill Gruber, Patanjali Venkatacharya, Mike
Stephens, Michael Dennis, Paul Barr, Mike Jorden, Tarek Kamel, Mike Treit, Judith
Herman, Rhynier Myburgh, Colin Torretta
From the Microsoft Press editorial team, the following individuals contributed to the
Microsoft Windows Group Policy Guide:
Product Planner: Martin DelRe
Project Editor: Karen Szall
Technical Reviewer: Mitch Tulloch
Copy Editor: Ina Chang
Production Leads: Dan Latimer and Elizabeth Hansford
Indexer: Julie Bess
Art production: Joel Panchot and William Teel

Contents at a Glance
Part I Getting Started with Group Policy
1 Overview of Group Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2 Working with Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
3 Advanced Group Policy Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Part II Group Policy Implementation and Scenarios
4 Deploying Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
5 Hardening Clients and Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
6 Managing and Maintaining Essential Windows Components . . . . . . . . . .217
7 Managing User Settings and Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
8 Maintaining Internet Explorer Configurations . . . . . . . . . . . . . . . . . . . . 289
9 Deploying and Maintaining Software Through Group Policy . . . . . . . 317
10 Managing Microsoft Office Configurations . . . . . . . . . . . . . . . . . . . . . . 369
11 Maintaining Secure Network Communications . . . . . . . . . . . . . . . . . . . 397
12 Creating Custom Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Part III Group Policy Customization
13 Group Policy Structure and Processing . . . . . . . . . . . . . . . . . . . . . . . . . . 473
14 Customizing Administrative Templates . . . . . . . . . . . . . . . . . . . . . . . . . . 515
15 Security Templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
Part IV Group Policy Troubleshooting
16 Troubleshooting Group Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
17 Resolving Common Group Policy Problems . . . . . . . . . . . . . . . . . . . . . . 625
Part V Appendixes
A Group Policy Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661
B New Features in Windows Server 2003 Service Pack 1 . . . . . . . . . . . . . 669
C GPMC Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 687
D Office 2003 Administrative Template Highlights . . . . . . . . . . . . . . . . . . 705

What do you think of this book?
We want to hear from you!
Microsoft is interested in hearing your feedback about this publication so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit: www.microsoft.com/learning/booksurvey/
Contents
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvii
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix
Part I Getting Started with Group Policy
1 Overview of Group Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Understanding Group Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
What It Does . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
How It Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Using and Implementing Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Using Group Policy in Workgroups and Domains. . . . . . . . . . . . . . . . . . . . . . . . . 6
Working with Group Policy Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Getting Started with Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Understanding Group Policy Settings and Options . . . . . . . . . . . . . . . . . . . . . . . 7
Using Group Policy for Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Understanding the Required Infrastructure for Group Policy . . . . . . . . . . . . . . . . . . . . 10
DNS and Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Applying Active Directory Structure to Inheritance . . . . . . . . . . . . . . . . . . . . . . 11
Examining GPO Links and Default GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Understanding GPO Links. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Working with Linked GPOs and Default Policy . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2 Working with Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Navigating Group Policy Objects and Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Connecting to and Working with GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Applying Group Policy and Using Resultant Set of Policy . . . . . . . . . . . . . . . . . 23
RSoP Walkthrough . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Managing Group Policy Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Managing Local Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Managing Active Directory–Based Group Policy. . . . . . . . . . . . . . . . . . . . . . . . . 32
Creating and Linking GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Creating and Linking GPOs for Sites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Creating and Linking GPOs for Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Creating and Linking GPOs for OUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Delegating Privileges for Group Policy Management . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Determining and Assigning GPO Creation Rights . . . . . . . . . . . . . . . . . . . . . . . 45
Determining Group Policy Management Privileges . . . . . . . . . . . . . . . . . . . . . . 47
Delegating Control for Working with GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Delegating Authority for Managing Links and RSoP . . . . . . . . . . . . . . . . . . . . . 50
Removing Links and Deleting GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Removing a Link to a GPO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Deleting a GPO Permanently. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
3 Advanced Group Policy Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Searching and Filtering Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Filtering Policy Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Searching Policy Objects, Links, and Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Filtering by Security Group, User, or Computer . . . . . . . . . . . . . . . . . . . . . . . . . 59
Managing Group Policy Inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Changing Link Order and Precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Overriding Inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Blocking Inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Enforcing Inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Managing Group Policy Processing and Refresh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Changing the Refresh Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Enabling or Disabling GPO Processing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Changing Policy Processing Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Configuring Slow Link Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Refreshing Group Policy Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Modeling and Maintaining Group Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Modeling Group Policy for Planning Purposes . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Copying and Importing Policy Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Backing Up GPOs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Restoring Policy Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Determining the Effective Group Policy Settings and Last Refresh . . . . . . . . . . . . . . . 93
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Part II Group Policy Implementation and Scenarios
4 Deploying Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Group Policy Design Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Active Directory Design Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Physical Design Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Remote Access Connection Design Considerations . . . . . . . . . . . . . . . . . . . . . 105
GPO Application Design Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Additional GPO Design Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Controlling GPO Processing Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Common Performance Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Performance Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Best Practices for Deploying GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Choosing the Best Level to Link GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Resources Used by GPOs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Software Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Designing GPOs Based on GPO Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Limit Enforced and Block Policy Inheritance Options. . . . . . . . . . . . . . . . . . . . 125
When to Use Security Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
When to Use WMI Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Network Topology Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Limiting Administrative Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Naming GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Testing GPOs Before Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Migrating GPOs from Test to Production . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Migrating GPOs from Production to Production . . . . . . . . . . . . . . . . . . . . . . . 130
Using Migration Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
5 Hardening Clients and Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Understanding Security Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Default Security Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Sections of the Security Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Tools for Accessing, Creating, and Modifying Security Templates . . . . . . . . . 150
Using the Security Configuration Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Deploying Security Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Importing Security Templates into GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Using the Security Configuration and Analysis Tool. . . . . . . . . . . . . . . . . . . . . 162
Using the Secedit.exe Command-Line Tool. . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Using the Security Configuration Wizard and the scwcmd Command . . . . . 163
General Hardening Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Closing Unnecessary Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Disabling Unnecessary Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Tools Used in Hardening Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Server Hardening. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Member Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Domain Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
File and Print Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Web Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Client Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Ports Required for Clients. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Restricted Groups for Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

Client Computers for IT Staff and Administrators . . . . . . . . . . . . . . . . . . . . . . 206
Client Computers for Help Desk Staff. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Security Areas and Potential Problems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
6 Managing and Maintaining Essential Windows Components . . . . . . . . . 217
Configuring Application Compatibility Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Optimizing Application Compatibility Through Group Policy . . . . . . . . . . . . 218
Configuring Additional Application Compatibility Settings . . . . . . . . . . . . . . 219
Configuring Attachment Manager Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Working with Attachment Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Configuring Risk Levels and Trust Logic in Group Policy. . . . . . . . . . . . . . . . . 221
Configuring Event Viewer Information Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Using Event Viewer Information Requests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Customizing Event Details Through Group Policy . . . . . . . . . . . . . . . . . . . . . . 225
Controlling IIS Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Configuring Access to and Use of Microsoft Management Console. . . . . . . . . . . . . 226
Blocking Author Mode for MMC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Designating Prohibited and Permitted Snap-Ins . . . . . . . . . . . . . . . . . . . . . . . 227
Requiring Explicit Permission for All Snap-Ins. . . . . . . . . . . . . . . . . . . . . . . . . . 228
Optimizing NetMeeting Security and Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Configuring NetMeeting Through Group Policy . . . . . . . . . . . . . . . . . . . . . . . 229
Enabling Security Center for Use in Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Managing Access to Scheduled Tasks and Task Scheduler . . . . . . . . . . . . . . . . . . . . . 230
Managing File System, Drive, and Windows Explorer Access Options. . . . . . . . . . . . 231
Hiding Drives in Windows Explorer and Related Views . . . . . . . . . . . . . . . . . . 232
Preventing Access to Drives in Windows Explorer and Related Views. . . . . . 233
Removing CD-Burning and DVD-Burning Features in Windows Explorer and Related Views . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Removing the Security Tab in Windows Explorer and Related Views . . . . . . 235
Limiting the Maximum Size of the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . 235
Optimizing the Windows Installer Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Controlling System Restore Checkpoints for Program Installations . . . . . . . . 237
Configuring Baseline File Cache Usage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Controlling Rollback File Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Elevating User Privileges for Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Controlling Per-User Installation and Program Operation . . . . . . . . . . . . . . . 240
Preventing Installation from Floppy Disk, CD, DVD, and Other Removable Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Configuring Windows Installer Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Optimizing Automatic Updates with Windows Update . . . . . . . . . . . . . . . . . . . . . . . . 243
Enabling and Configuring Automatic Updates . . . . . . . . . . . . . . . . . . . . . . . . . 243
Controlling Auto Download and Notify for Install . . . . . . . . . . . . . . . . . . . . . . 246
Blocking Access to Automatic Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Designating an Update Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
7 Managing User Settings and Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Understanding User Profiles and Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Configuring Roaming Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Configuring the Network Share for Roaming Profiles . . . . . . . . . . . . . . . . . . . 258
Configuring User Accounts to Use Roaming Profiles . . . . . . . . . . . . . . . . . . . . 258
Optimizing User Profile Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Modifying the Way Local and Roaming Profiles Are Used . . . . . . . . . . . . . . . 260
Modifying the Way Profile Data Is Updated and Changed . . . . . . . . . . . . . . . 265
Modifying the Way Profile Data Can Be Accessed . . . . . . . . . . . . . . . . . . . . . . 266
Limiting Profile Size and Included Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Redirecting User Profile Folders and Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Understanding Folder Redirection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272

Configuring Folder Redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Managing Computer and User Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Working with Computer and User Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Configuring Computer Startup and Shutdown Scripts . . . . . . . . . . . . . . . . . . 283
Configuring User Logon and Logoff Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Controlling Script Visibility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Controlling Script Timeout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Controlling Script Execution and Run Technique . . . . . . . . . . . . . . . . . . . . . . . 287
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
8 Maintaining Internet Explorer Configurations . . . . . . . . . . . . . . . . . . . . 289
Customizing the Internet Explorer Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Customizing the Title Bar Text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Customizing Logos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Customizing Buttons and Toolbars . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Customizing URLs, Favorites, and Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Customizing Home, Search, and Support URLs . . . . . . . . . . . . . . . . . . . . . . . . 295
Customizing Favorites and Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Configuring Global Default Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Optimizing Connection and Proxy Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Deploying Connection Settings Through Group Policy. . . . . . . . . . . . . . . . . . 301
Deploying Proxy Settings Through Group Policy . . . . . . . . . . . . . . . . . . . . . . . 303
Enhancing Internet Explorer Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Working with Security Zones and Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Restricting Security Zone Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Deploying Security Zone Configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Importing and Deploying the Security Zone Settings . . . . . . . . . . . . . . . . . . . 313
Configuring Additional Policies for Internet Options. . . . . . . . . . . . . . . . . . . . . . . . . . 313
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
9 Deploying and Maintaining Software Through Group Policy . . . . . . . 317

Understanding Group Policy Software Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
How Software Installation Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
What You Need to Know to Prepare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
How to Set Up the Installation Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
What Limitations Apply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Planning the Software Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Creating Software Deployment GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Configuring the Software Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Deploying Software Through Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Deploying Software with Windows Installer Packages . . . . . . . . . . . . . . . . . . . 326
Deploying Software with Non–Windows Installer Packages . . . . . . . . . . . . . . 330
Configuring Advanced and Global Software Installation Options . . . . . . . . . . . . . . . 334
Viewing and Setting General Deployment Properties . . . . . . . . . . . . . . . . . . . 334
Changing the Deployment Type and Installation Options . . . . . . . . . . . . . . . 335
Defining Application Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Adding, Modifying, and Removing Application Categories . . . . . . . . . . . . . . 339
Adding an Application to a Category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Performing Upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Customizing the Installation Package with Transforms . . . . . . . . . . . . . . . . . . 344
Controlling Deployment by Security Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Setting Global Deployment Defaults. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Deploying Microsoft Office and Service Packs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Deploying Office Through Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Deploying Windows Service Packs Through Policy . . . . . . . . . . . . . . . . . . . . . 354
Maintaining Deployed Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Removing Deployed Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Redeploying Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Configuring Software Restriction Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Troubleshooting Software Installation Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
10 Managing Microsoft Office Configurations . . . . . . . . . . . . . . . . . . . . . . 369
Introducing Office Configuration Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Customizing Office Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Downloading and Installing the Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Working with the Custom Installation Wizard. . . . . . . . . . . . . . . . . . . . . . . . . . 372
Working with the Custom Maintenance Wizard . . . . . . . . . . . . . . . . . . . . . . . . 375
Preparing the Policy Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Deploying Office Administrative Template Files . . . . . . . . . . . . . . . . . . . . . . . . 377
Creating Office Configuration GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Managing Multiple Office Configuration Versions . . . . . . . . . . . . . . . . . . . . . . 381
Managing Office-Related Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Working with Office-Related Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Examining Global and Application-Specific Settings . . . . . . . . . . . . . . . . . . . . 384
Configuring Office-Related Policy Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Preventing Users from Changing Office Configurations . . . . . . . . . . . . . . . . . 386
Controlling Default File and Folder Locations. . . . . . . . . . . . . . . . . . . . . . . . . . 391
Configuring Outlook Security Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Controlling Office Language Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Troubleshooting Office Administrative Template Policy . . . . . . . . . . . . . . . . . 394
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
11 Maintaining Secure Network Communications . . . . . . . . . . . . . . . . . . . 397
Understanding IPSec Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
How IPSec Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
How IPSec Policy Is Deployed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
When to Use IPSec and IPSec Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Managing and Maintaining IPSec Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Activating and Deactivating IPSec Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Create Additional IPSec Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Monitoring IPSec Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Deploying Public Key Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
How Public Key Certificates Work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
How Public Key Policies Are Used. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Managing Public Key Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Understanding Windows Firewall Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
How Windows Firewall Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
How Windows Firewall Policy Is Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Managing Windows Firewall Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Configuring IPSec Bypass . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Enabling and Disabling Windows Firewall with Group Policy . . . . . . . . . . . . 425
Managing Firewall Exceptions with Group Policy. . . . . . . . . . . . . . . . . . . . . . . 426
Configuring Firewall Notification, Logging, and Response Requests . . . . . . 437
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
12 Creating Custom Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Loopback Processing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Replace Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Merge Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Troubleshooting Loopback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Terminal Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Controlling Terminal Services Through Group Policy on an Individual Computer . . . . 444
Controlling Terminal Services Through Group Policy in a Domain . . . . . . . . 445
Configuring Order of Precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Configuring Terminal Services User Properties . . . . . . . . . . . . . . . . . . . . . . . . . 446
Configuring License Server Using Group Policy Settings. . . . . . . . . . . . . . . . . 447
Configuring Terminal Services Connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Managing Drive, Printer, and Device Mappings for Clients. . . . . . . . . . . . . . . 456
Controlling Terminal Services Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Group Policy over Slow Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Default Policy Application over Slow Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
Slow Link Behavior for RAS Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Slow Link Detection Group Policy Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Additional Slow Link Detection Settings for Client-Side Extensions. . . . . . . . 467
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Part III Group Policy Customization
13 Group Policy Structure and Processing . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Navigating Group Policy Logical Structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Working with Group Policy Containers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Examining Attributes of groupPolicyContainer Objects . . . . . . . . . . . . . . . . . . 476
Examining the Security of groupPolicyContainer Objects . . . . . . . . . . . . . . . . 477
Examining GPO Creation Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
Viewing and Setting Default Security for New GPOs . . . . . . . . . . . . . . . . . . . . 479
Navigating Group Policy Physical Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
Working with Group Policy Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
Understanding Group Policy Versioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
Understanding Group Policy Template Security . . . . . . . . . . . . . . . . . . . . . . . . 488
Navigating Group Policy Link Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Examining Group Policy Linking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Examining Inheritance Blocking on Links. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Understanding Group Policy Security and Links . . . . . . . . . . . . . . . . . . . . . . . . 491
Understanding Group Policy Processing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Examining Client-Side Extension Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Examining Server-Side Extension Processing. . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Understanding Policy Processing Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Asynchronous vs. Synchronous Policy Processing . . . . . . . . . . . . . . . . . . . . . . 502
Tracking Policy Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
Tracking Slow Link Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Modifying Security Policy Processing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Group Policy History and State Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Navigating Local GPO Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
Understanding LGPO Creation and Application. . . . . . . . . . . . . . . . . . . . . . . . 511
Understanding LGPO Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Managing and Maintaining LGPOs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Controlling Access to the LGPO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
14 Customizing Administrative Templates . . . . . . . . . . . . . . . . . . . . . . . . . . 515
What Is an Administrative Template? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Default .adm Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Working with .adm Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Default Installed .adm Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Tips for Importing .adm Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
Adding .adm Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Removing .adm Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Managing .adm Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Policies vs. Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Creating Custom .adm Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
A Simple .adm File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Using .adm File Language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Structure of an .adm File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
#if version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
Syntax for Updating the Registry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
Syntax for Updating the Group Policy Object Editor Interface . . . . . . . . . . . 534
Additional Statements in the .adm Template . . . . . . . . . . . . . . . . . . . . . . . . . . 546
.adm File String and Tab Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
15 Security Templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
Understanding the Security Template Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
Account Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
Local Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
Event Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
Restricted Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
System Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
Registry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
File System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
Where Security Template Settings Overlap with GPO Settings . . . . . . . . . . . . . . . . . . 561
Working with Security Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Security Templates Snap-in. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Raw Security Template INF Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
Customizing Security Templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
Copying Templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
Creating New Security Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Customizing Security Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Structure of the Sceregvl.inf File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Customizing the Sceregvl.inf File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
Getting the Custom Entry to Show Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
Customizing Services in the Security Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
Getting the Correct Service to Automatically Display . . . . . . . . . . . . . . . . . . . 572
Acquiring the Service Syntax for the Security Template File . . . . . . . . . . . . . . 572
Manually Updating Services in the Security Template File . . . . . . . . . . . . . . . 573
Microsoft Solutions for Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Part IV Group Policy Troubleshooting
16 Troubleshooting Group Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
Group Policy Troubleshooting Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
Verifying the Core Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
Verifying Key Infrastructure Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
Verifying the Scope of Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
Essential Troubleshooting Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
Working with Resultant Set Of Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
Viewing RSoP from the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Verifying Server-Side GPO Health . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
Managing RSoP Logs Centrally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
Group Policy Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
Navigating the Application Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
Managing Userenv Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
Managing Logging for Specific CSEs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
17 Resolving Common Group Policy Problems . . . . . . . . . . . . . . . . . . . . . . 625
Solving GPO Administration Problems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
Domain Controller Running the PDC Emulator Is Not Available . . . . . . . . . . 626
Not All Settings Show Up in the Group Policy Editor . . . . . . . . . . . . . . . . . . . 627
Delegation Restrictions Within the GPMC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
Group Policy Settings Are Not Being Applied Due to Infrastructure Problems. . . . 638
Domain Controllers Are Not Available. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
Active Directory Database Is Corrupt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
Local Logon vs. Active Directory Logon. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
SYSVOL Files Are Causing GPO Application Failure . . . . . . . . . . . . . . . . . . . . . 642
Problems with Replication and Convergence of Active Directory and SYSVOL . . . . . 643
DNS Problems Causing GPO Application Problems. . . . . . . . . . . . . . . . . . . . . 645
Solving Implementation Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
Tracking Down Incorrect GPO Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
GPO Links Causing GPO Application Problems . . . . . . . . . . . . . . . . . . . . . . . . 650
Accounts Are Not Located in the Correct OU. . . . . . . . . . . . . . . . . . . . . . . . . . 651
Trying to Apply Group Policy Settings to Groups. . . . . . . . . . . . . . . . . . . . . . . 652
Conflicting Settings in Two GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
Modifying Default GPO Inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 654
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657
Part V Appendixes
A Group Policy Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661
Computer Configuration Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661
User Configuration Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664
B New Features in Windows Server 2003 Service Pack 1 . . . . . . . . . . . . . 669
Adprep. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670
Administrative Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671
Internet Explorer Feature Control Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672
Managing Feature Control Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
Configuring Policies and Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
Internet Explorer Administration Kit/Internet Explorer Maintenance . . . . . . 673
Internet Explorer URL Action Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674
Changes to Internet Explorer URL Action Security Settings . . . . . . . . . . . . . . 675
Resultant Set of Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 676
Changes to RSoP in SP1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 676
Administering Remote RSoP with GPMC SP1 . . . . . . . . . . . . . . . . . . . . . . . . . . 677
Delegating Access to Group Policy Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . 678
Post-Setup Security Updates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 678
Security Configuration Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 679
Windows Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681
Changes to Windows Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681
Changes for Audit Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681
Changes for Netsh Helper. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 682
Windows Firewall New Group Policy Support . . . . . . . . . . . . . . . . . . . . . . . . . . 682
C GPMC Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 687
GPMC Scripting Interface Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 687
Understanding the GPMC Scripting Object Model . . . . . . . . . . . . . . . . . . . . . 687
Creating the Initial GPM Object. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689
Referencing the Domain to Manage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689
Creating and Linking GPOs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689
Automating Group Policy Security Management . . . . . . . . . . . . . . . . . . . . . . . 693
Using the GPMC’s Prebuilt Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695
Creating GPOs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696
Deleting GPOs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696
Finding Disabled GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696
Finding GPOs by Security Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697
Finding GPOs Without Active Links. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697
Setting GPO Creation Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697
Setting Other GPO Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698
Backing Up All GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698
Backing Up Individual GPOs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
Copying GPOs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
Importing GPOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700
Generating RSoP Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700
Mirroring Your Production Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
GPMC Prebuilt Script Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702