Group policy fundamentals, security, and the managed desktop 3rd edition

Group Policy
Fundamentals,
Security, and the
Managed Desktop
Third Edition



Jeremy Moskowitz



Senior Acquisitions Editor: Kenyon Brown
Development Editor: Sara Barry
Technical Editor: Alan Burchill
Production Editor: Elizabeth Campbell
Copy Editor: Judy Flynn
Editorial Manager: Mary Beth Wakefield
Production Manager: Kathleen Wisor
Associate Publisher: Jim Minatel
Book Designers: Judy Fung and Bill Gibson
Compositors: Craig Woods and Kate Kaminski, Happenstance Type-O-Rama
Proofreaders: Jenn Bennett, Jen Larsen, Word One New York
Indexer: Johnna VanHoose Dinse
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: © Mehmet Hilmi Barcin / iStockPhoto
Copyright © 2015 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-03558-9
ISBN: 9781119035671 (ebk)
ISBN: 9781119035688 (ebk)
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or
by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written
permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600.
Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley
& Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim
all warranties, including without limitation warranties of fitness for a particular purpose. No warranty
may be created or extended by sales or promotional materials. The advice and strategies contained herein
may not be suitable for every situation. This work is sold with the understanding that the publisher is not
engaged in rendering legal, accounting, or other professional services. If professional assistance is required,
the services of a competent professional person should be sought. Neither the publisher nor the author shall
be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work
as a citation and/or a potential source of further information does not mean that the author or the publisher
endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared
between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact
our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or
fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material
included with standard print versions of this book may not be included in e-books or in print-on-demand.
If this book refers to media such as a CD or DVD that is not included in the version you purchased, you
may download this material at . For more information about Wiley
products, visit www.wiley.com.
Library of Congress Control Number: 2015946972
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of
John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used
without written permission. All other trademarks are the property of their respective owners. John Wiley
& Sons, Inc. is not associated with any product or vendor mentioned in this book.
10 9 8 7 6 5 4 3 2 1


For L, A, M, J, B, E, J, and E as we journey through life together.
—Jeremy



Acknowledgments
I want to thank Alan Burchill for the second time in taking on the not-so-glamorous job
of technical editor. I’m really glad to have you on my team, helping me clean up the little
messes I made during the writing process and taking on a heavy responsibility. Note:
If there are still any technical problems with the book, blame me, not him. Alan was
awesome.
I want to thank Sara Barry for taking my initial chapters and kneading them from a wad
of dough into tasty pizza. And to Elizabeth Campbell, who has worked with me through
every major project to completion for almost 15 years now. We joke that she’s “been making
Jeremy sound like Jeremy since 2001.” And it’s mostly true. Thank you.
Special thanks to my Sybex and Wiley compatriots: Ken Brown, Mariann Barsolo, Jim
Minatel, Mary Beth Wakefield, and everyone else on the Sybex/Wiley team. Once again,
your dedication to my book’s success means so much to me. You take everything I create
and deal with it so personally, and I really know that. Thank you, very sincerely.
Thanks to Jeff Hicks, PowerShell MVP, who helped me write Appendix A on Group
Policy and PowerShell. Jeff, you did a smashing job as usual. Thank you.
Thank you to Microsoft Group Policy team and the Group Policy MVPs who support
me directly and indirectly, and help me out whenever they can.
Thank you, Mark Minasi, for being a trusted friend and a great inspiration to me
personally and professionally.
A special thanks to my GPanswers.com and PolicyPak Team: You are awesome and it’s
great to work with you every day.
Finally, I want to thank you. If you’re holding this book, there’s a good chance you’ve
owned a previous edition, or multiple previous editions. Thank you for your trust, and for
purchasing and repurchasing each edition of this book I work so hard to bring you each time.
When I meet you, the reader of this book, in person, it makes the hours and hours spent
on a project like this vaporize away to a distant memory. Thank you for buying the book, for
joining me at my live events and at GPAnswers.com, and for using my PolicyPak software.
You all make me the best “me” I can be. Thanks.


About the Author

Jeremy Moskowitz, Group Policy MVP, is the founder of GPanswers.com and PolicyPak
Software (PolicyPak.com). He is a nationally recognized authority on Windows Server,
Active Directory, Group Policy, and Windows management. He is one of fewer than a dozen
Microsoft MVPs in Group Policy. His GPanswers.com is ranked by Computerworld as a “Top
20 Resource for Microsoft IT Professionals.” Jeremy is a sought-after speaker and trainer at
many industry conferences and, in his training workshops, helps thousands of administrators
every year do more with Group Policy. Contact Jeremy by visiting www.GPanswers.com or
www.PolicyPak.com.


About The Contributors
Jeffery Hicks is an IT veteran with over 25 years of experience, much of it spent as an IT
infrastructure consultant specializing in Microsoft server technologies with an emphasis
in automation and efficiency. He is a multi-year recipient of the Microsoft MVP Award in
Windows PowerShell. He works today as an independent author, trainer, and consultant.
He has taught and presented on PowerShell and the benefits of automation to IT pros all
over the world. Jeff has written for numerous online sites and print publications, is a
contributing editor at Petri.com, a Pluralsight author, and a frequent speaker at technology
conferences and user groups. His latest book is PowerShell In Depth: An Administrator's
Guide, Second Edition, with Don Jones and Richard Siddaway (Manning Publications,
2013). You can keep up with Jeff on Twitter and on his blog.

Alan Burchill works as a manager for Avanade Australia based in Brisbane. He has a
normal day job as the lead global Active Directory administrator for a large multinational
corporation. Alan has been working with Microsoft technologies for over 17 years and is
a regular speaker at Microsoft TechEd and Ignite conferences. He has been a Microsoft
Valuable Professional in the area of Group Policy for the past six years. He regularly blogs
about Group Policy and other related topics at his website called Group Policy Central
at www.grouppolicy.biz. Alan also runs the Brisbane Infrastructure Users Group
(www.bigau.org), where he organizes monthly meetings about Microsoft Infrastructure-related
topics, and he is the organizer of the annual Infrastructure Saturday event
(www.infrastructuresaturday.com), which is a full-day community event about Microsoft
Infrastructure Technologies. You can reach him via his website or via Twitter
@alanburchill.



Contents at a Glance
Introduction
Chapter 1: Group Policy Essentials
Chapter 2: Managing Group Policy with the GPMC and via PowerShell
Chapter 3: Group Policy Processing Behavior Essentials
Chapter 4: Advanced Group Policy Processing
Chapter 5: Group Policy Preferences
Chapter 6: Managing Applications and Settings Using Group Policy
Chapter 7: Troubleshooting Group Policy
Chapter 8: Implementing Security with Group Policy
Chapter 9: Profiles: Local, Roaming, and Mandatory
Chapter 10: The Managed Desktop, Part 1: Redirected Folders, Offline Files, and the Synchronization Manager
Chapter 11: The Managed Desktop, Part 2: Software Deployment via Group Policy
Chapter 12: Finishing Touches with Group Policy: Scripts, Internet Explorer, Hardware Control, Printer Deployment, Local Admin Password Control
Appendix A: Scripting Group Policy Operations with Windows PowerShell
Appendix B: Group Policy and VDI
Appendix C: Advanced Group Policy Management
Appendix D: Security Compliance Manager
Appendix E: Microsoft Intune and PolicyPak Cloud
Index



Contents
Introduction

Chapter 1: Group Policy Essentials
Getting Ready to Use This Book
Getting Started with Group Policy
Group Policy Entities and Policy Settings
Active Directory and Local Group Policy
Understanding Local Group Policy
Group Policy and Active Directory
Linking Group Policy Objects
Final Thoughts on Local GPOs
An Example of Group Policy Application
Examining the Resultant Set of Policy
At the Site Level
At the Domain Level
At the OU Level
Bringing It All Together
Group Policy, Active Directory, and the GPMC
Implementing the GPMC on Your Management Station
Creating a One-Stop-Shop MMC
Group Policy 101 and Active Directory
Active Directory Users and Computers vs. GPMC
Adjusting the View within the GPMC
The GPMC-centric View
Our Own Group Policy Examples
More about Linking and the Group Policy Objects Container
Applying a Group Policy Object to the Site Level
Applying Group Policy Objects to the Domain Level
Applying Group Policy Objects to the OU Level
Testing Your Delegation of Group Policy Management
Understanding Group Policy Object Linking Delegation
Granting OU Admins Access to Create New Group Policy Objects
Creating and Linking Group Policy Objects at the OU Level
Creating a New Group Policy Object Affecting Computers in an OU
Moving Computers into the Human Resources Computers OU
Verifying Your Cumulative Changes
Final Thoughts

Chapter 2: Managing Group Policy with the GPMC and via PowerShell
Common Procedures with the GPMC and PowerShell
Raising or Lowering the Precedence of Multiple Group Policy Objects
Understanding GPMC’s Link Warning
Stopping Group Policy Objects from Applying
Block Inheritance
The Enforced Function
Security Filtering and Delegation with the GPMC
Filtering the Scope of Group Policy Objects with Security
User Permissions on Group Policy Objects
Granting Group Policy Object Creation Rights in the Domain
Special Group Policy Operation Delegations
Who Can Create and Use WMI Filters?
Performing RSoP Calculations with the GPMC
What’s-Going-On Calculations with Group Policy Results
What-If Calculations with Group Policy Modeling
Searching and Commenting Group Policy Objects and Policy Settings
Searching for GPO Characteristics
Filtering Inside a GPO for Policy Settings
Comments for GPOs and Policy Settings
Starter GPOs
Creating a Starter GPO
Editing a Starter GPO
Leveraging a Starter GPO
Delegating Control of Starter GPOs
Wrapping Up and Sending Starter GPOs
Should You Use Microsoft’s Pre-created Starter GPOs?
Back Up and Restore for Group Policy
Backing Up Group Policy Objects
Restoring Group Policy Objects
Backing Up and Restoring Starter GPOs
Backing Up and Restoring WMI Filters
Backing Up and Restoring IPsec Filters
Migrating Group Policy Objects between Domains
Basic Interdomain Copy and Import
Copy and Import with Migration Tables
GPMC At-a-Glance Icon View
Final Thoughts

Chapter 3: Group Policy Processing Behavior Essentials
Group Policy Processing Principles
Don’t Get Lost
Initial Policy Processing
Background Refresh Policy Processing
Security Background Refresh Processing
Special Case: Moving a User or a Computer Object
Windows 8, 8.1, and 10 Group Policy: Subtle Differences
Policy Application via Remote Access, Slow Links, and after Hibernation
When and How Does Windows Check for Slow Links?
What Is Processed over a Slow Network Connection?
Always Get Group Policy (Even on the Road, through the Internet)
Using Group Policy to Affect Group Policy
Affecting the User Settings of Group Policy
Affecting the Computer Settings of Group Policy
The Missing Group Policy Preferences Policy Settings
Final Thoughts

Chapter 4: Advanced Group Policy Processing
Fine-Tuning When and Where Group Policy Applies
Using WMI Filters to Filter the Scope of a Group Policy Object (Itself)
Using PolicyPak Admin Templates Manager to Filter the Scope of a Group Policy Object’s Contents
Group Policy Loopback Processing
Reviewing Normal Group Policy Processing
Group Policy Loopback—Merge Mode
Group Policy Loopback—Replace Mode
Loopback without Loopback (Switched Mode with PolicyPak Application Manager and PolicyPak Admin Templates Manager)
Group Policy with Cross-Forest Trusts
What Happens When Logging onto Different Clients across a Cross-Forest Trust?
Disabling Loopback Processing When Using Cross-Forest Trusts
Understanding Cross-Forest Trust Permissions
Final Thoughts

Chapter 5: Group Policy Preferences
Powers of the Group Policy Preferences
Computer Configuration ➢ Preferences
User Configuration ➢ Preferences
Group Policy Preferences Concepts
Preference vs. Policy
The Overlap of Group Policy vs. Group Policy Preferences and Associated Issues
The Lines and Circles and the CRUD Action Modes
Common Tab
Group Policy Preferences Tips, Tricks, and Troubleshooting
Quick Copy, Drag and Drop, Cut and Paste, and Sharing of Settings
Multiple Preference Items at a Level
Temporarily Disabling a Single Preference Item or Extension Root
Environment Variables
Managing Group Policy Preferences: Hiding Extensions from within the Editor
Troubleshooting: Reporting, Logging, and Tracing
Giving Group Policy Preferences a “Boost” (Using PolicyPak Preferences Manager and PolicyPak Cloud)
Using PolicyPak Preferences Manager to Maintain Group Policy Preferences while Offline
Using PolicyPak Preferences Manager to Deliver Group Policy Preferences Using “Not Group Policy”
Delivering Group Policy Preferences over the Internet Using PolicyPak Cloud (to Domain-Joined and Non–Domain-Joined Machines)
Final Thoughts

Chapter 6: Managing Applications and Settings Using Group Policy
Understanding Administrative Templates
Administrative Templates: Then and Now
Policy vs. Preference
Exploring ADM vs. ADMX and ADML Files
Looking Back at ADM Files
Understanding the Updated GPMC’s ADMX and ADML Files
Comparing ADM vs. ADMX Files
ADMX and ADML Files: What They Do and the Problems They Solve
Problem and Solution 1: Tackling SYSVOL Bloat
Problem 2: How Do We Deal with Multiple Languages?
Problem 3: How Do We Deal with “Write Overlaps”?
Problem 4: How Do We Distribute Updated Definitions to All Our Administrators?
The Central Store
The Windows ADMX/ADML Central Store
Creating and Editing GPOs in a Mixed Environment
Scenario 1: Start by Creating and Editing a GPO Using the Older GPMC; Edit Using Another Older GPMC Management Station
Scenario 2: Start by Creating and Editing a GPO with the Older GPMC; Edit Using the Updated GPMC
Scenario 3: Start by Creating and Editing a GPO Using the Updated GPMC; Edit Using Another Updated GPMC Management Station
Scenario 4: Start by Creating and Editing a GPO Using an Updated GPMC Management Station; Edit Using an Older GPMC Management Station
Using ADM and ADMX Templates from Other Sources
Using ADM Templates with the Updated GPMC
Using ADMX Templates from Other Sources
ADMX Migrator and ADMX Editor Tools
ADMX Migrator
ADMX Creation and Editor Tools
PolicyPak Application Manager
PolicyPak Concepts and Installation
Top PolicyPak Application Manager Pak Examples
Understanding PolicyPak Superpowers and What Happens When Computers Are Off the Network
Final Thoughts

Chapter 7: Troubleshooting Group Policy
Under the Hood of Group Policy
Inside Local Group Policy
Inside Active Directory Group Policy Objects
The Birth, Life, and Death of a GPO
How Group Policy Objects Are “Born”
How a GPO “Lives”
Death of a GPO
How Client Systems Get Group Policy Objects
The Steps to Group Policy Processing
Client-Side Extensions
Where Are Administrative Templates Registry Settings Stored?
Why Isn’t Group Policy Applying?
Reviewing the Basics
Advanced Inspection
Client-Side Troubleshooting
RSoP for Windows Clients
Advanced Group Policy Troubleshooting with the Event Viewer Logs
Group Policy Processing Performance
Final Thoughts

Chapter 8: Implementing Security with Group Policy
The Two Default Group Policy Objects
GPOs Linked at the Domain Level
Group Policy Objects Linked to the Domain Controllers OU
Oops, the “Default Domain Policy” GPO and/or “Default Domain Controllers Policy” GPO Got Screwed Up!
The Strange Life of Password Policy
What Happens When You Set Password Settings at an OU Level
Fine-Grained Password Policy
Inside Basic and Advanced Auditing
Basic Auditable Events Using Group Policy
Auditing File Access
Auditing Group Policy Object Changes
Advanced Audit Policy Configuration
Restricted Groups
Strictly Controlling Active Directory Groups
Strictly Applying Group Nesting
Which Groups Can Go into Which Other Groups via Restricted Groups?
Restrict Software Using AppLocker
Inside Software Restriction Policies
Software Restriction Policies’ “Philosophies”
Software Restriction Policies’ Rules
Restricting Software Using AppLocker
Controlling User Account Control with Group Policy
Just Who Will See the UAC Prompts, Anyway?
Understanding the Group Policy Controls for UAC
UAC Policy Setting Suggestions
Wireless (802.3) and Wired Network (802.11) Policies
802.11 Wireless Policy for Windows XP
802.11 Wireless Policy and 802.3 Wired Policy for Modern Windows
Configuring Windows Firewall with Group Policy
Manipulating the Windows Firewall (the Old Way)
Windows Firewall with Advanced Security WFAS
IPsec (Now in Windows Firewall with Advanced Security)
How Windows Firewall Rules Are Ultimately Calculated
Final Thoughts

Chapter 9: Profiles: Local, Roaming, and Mandatory
Setting the Stage for Multiple Clients
What Is a User Profile?
The NTUSER.DAT File
Profile Folders for Type 1 Computers (Windows XP and Windows 2003 Server)
Profile Folders for Type 2–5 Computers (Windows Vista and Later)
The Default Local User Profile
The Default Network User Profile
Roaming Profiles
Are Roaming Profiles “Evil”? And What Are the Alternatives?
Setting Up Roaming Profiles
Testing Roaming Profiles
Roaming and Nonroaming Folders
Managing Roaming Profiles
Manipulating Roaming Profiles with Computer Group Policy Settings
Manipulating Roaming Profiles with User Group Policy Settings
Mandatory Profiles
Establishing Mandatory Profiles for Windows XP
Establishing Mandatory Profiles for Modern Windows
Mandatory Profiles—Finishing Touches
Forced Mandatory Profiles (Super-Mandatory)
Final Thoughts

Chapter 10: The Managed Desktop, Part 1: Redirected Folders, Offline Files, and the Synchronization Manager
Redirected Folders
Available Folders to Redirect
Redirected Documents/My Documents
Redirecting the Start Menu and the Desktop
Redirecting the Application Data Folder
Group Policy Setting for Folder Redirection
Troubleshooting Redirected Folders
Offline Files and Synchronization
Making Offline Files Available
Inside Windows 10 File Synchronization
Handling Conflicts
Client Configuration of Offline Files
Using Folder Redirection and Offline Files over Slow Links
Synchronizing over Slow Links with Redirected My Documents
Synchronizing over Slow Links with Regular Shares
Teaching Windows 10 How to React to Slow Links
Using Group Policy to Configure Offline Files (User and Computer Node)
Troubleshooting Sync Center
Turning Off Folder Redirection’s Automatic Offline Caching for Desktops
Final Thoughts


Chapter 11: The Managed Desktop, Part 2: Software Deployment via Group Policy
Group Policy Software Installation (GPSI) Overview
The Windows Installer Service
Understanding .MSI Packages
Utilizing an Existing .MSI Package
Assigning and Publishing Applications
Assigning Applications
Publishing Applications
Rules of Deployment
Package-Targeting Strategy
Advanced Published or Assigned
The General Tab
The Deployment Tab
The Upgrades Tab
The Categories Tab
The Modifications Tab
The Security Tab
Default Group Policy Software Installation Properties
The General Tab
The Advanced Tab
The File Extensions Tab
The Categories Tab
Removing Applications
Users Can Manually Change or Remove Applications
Automatically Removing Assigned or Published .MSI Applications
Forcibly Removing Assigned or Published .MSI Applications
Using Group Policy Software Installation over Slow Links
MSI, the Windows Installer, and Group Policy
Inside the MSIEXEC Tool
Patching a Distribution Point
Affecting Windows Installer with Group Policy
Deploying Office 2010 and Later Using Group Policy (MSI Version)
Steps to Office 2013 and 2016 Deployment Using Group Policy
Result of Your Office Deployment Using Group Policy
Installing Office Using Click-to-Run
Getting Office Click-to-Run
Installing Office Click-to-Run by Hand
Deploying Office Click-to-Run via Group Policy
System Center Configuration Manager vs. Group Policy (and Alternatives)
Final Thoughts

Chapter 12: Finishing Touches with Group Policy: Scripts, Internet Explorer, Hardware Control, Printer Deployment, Local Admin Password Control
Scripts: Logon, Logoff, Startup, and Shutdown
Non-PowerShell-Based Scripts
Deploying PowerShell Scripts to Windows 7 and Later Clients
Managing Internet Explorer with Group Policy
Managing Internet Explorer with Group Policy Preferences
Internet Explorer’s Group Policy Settings
Understanding Internet Explorer 11’s Enterprise Mode
Managing Internet Explorer 11 Using PolicyPak Application Manager
Restricting Access to Hardware via Group Policy
Group Policy Preferences Devices Extension
Restricting Driver Access with Policy Settings
Getting a Handle on Classes and IDs
Restricting or Allowing Your Hardware via Group Policy
Understanding the Remaining Policy Settings for Hardware Restrictions
Assigning Printers via Group Policy
Zapping Down Printers to Users and Computers (a Refresher)
Implementing Rotating Local Passwords with LAPS
What to Install from LAPS
Extending the Schema and Setting LAPS Permissions
Using a Group Policy Object to Manage LAPS
Using LAPS Management’s Tools: Fat Client and PowerShell
Final Thoughts for This Chapter and for the Book

Appendix A: Scripting Group Policy Operations with Windows PowerShell
Using PowerShell to Do More with Group Policy
Preparing for Your PowerShell Experience
Getting Started with PowerShell
Documenting Your Group Policy World with PowerShell
Setting GPO Permissions
Manipulating GPOs with PowerShell
Performing a Remote GPupdate (Invoking GPupdate)
Replacing Microsoft’s GPMC Scripts with PowerShell Equivalents
Final Thoughts

Appendix B: Group Policy and VDI
Why Is VDI Different?
Tuning Your Images for VDI
Specific Functions to Turn Off for VDI Machines
Group Policy Settings to Set and Avoid for Maximum VDI Performance
Group Policy Tweaks for Fast VDI Video
Tweaking RDP Using Group Policy for VDI
Tweaking RemoteFX using Group Policy for VDI
Managing and Locking Down Desktop UI Tweaks
Final Thoughts for VDI and Group Policy

Appendix C: Advanced Group Policy Management
The Challenge of Group Policy Change Management
Architecture and Installation of AGPM
AGPM Architecture
Installing AGPM
What Happens after AGPM Is Installed?
GPMC Differences with AGPM Client
What’s With All the Access Denied Errors?
Does the World Change Right Away?
Understanding the AGPM Delegation Model
AGPM Delegation Roles
AGPM Common Tasks
Understanding and Working with AGPM’s Flow
Controlling Your Currently Uncontrolled GPOs
Creating a GPO and Immediately Controlling It
Check Out a GPO
Viewing Reports about a Controlled GPO
Editing a Checked-Out Offline Copy of a GPO
Performing a Check In of a Changed GPO
Deploying a GPO into Production
Making Additional Changes to a GPO and Labeling a GPO
Using History and Differences to Roll Back a GPO
Using “Import from Production” to Catch Up a GPO
Uncontrolling, Restoring, and Destroying a GPO
Searching for GPOs Using the Search Box
AGPM Tasks with Multiple Admins
E‑mail Preparations and Configurations for AGPM Requests
Adding Someone to the AGPM System
Requesting the Creation of New Controlled GPO
Approving or Rejecting a Pending Request
Editing the GPO Offline via Check Out/Check In
Requesting Deployment of the GPO
Analyzing a GPO (as a Reviewer)
Advanced Configuration and Troubleshooting of AGPM
Production Delegation
Auto-Deleting Old GPO Versions
Export and Import of Controlled GPOs between Forests and/or Domains
Troubleshooting AGPM Permissions
Leveraging AGPM Templates