Windows 7 Resource Kit - P12

Managing Group Policy CHAPTER 14
503
FIGURE 14-2 The folder structure for the central store where ADMX template
files are stored for the domain
NOTE For a list of ISO language identifiers, see /library/dd318691.aspx.
After you create this folder structure on the PDC Emulator, SYSVOL replication (FRS, or DFS Replication in domains whose SYSVOL has been migrated to DFS-R) copies the structure to every domain controller in the domain. You create the structure on the PDC Emulator rather than on some other domain controller because the PDC Emulator is the domain controller that the GPMC edits against by default, so the Group Policy Management Editor sees the new store without waiting for replication.
NOTE Creating a central store is not a requirement for using Group Policy to manage
computers running Windows Vista or later. For example, in the absence of a central store,
an administrator can use the GPMC on an RSAT administrative workstation running
Windows 7 to create GPOs and then use the GPMC to configure these GPOs. The advan-
tage of configuring a central store is that all GPOs created and edited after the store is
configured have access to all of the ADMX files within the store, which makes the central
store useful for deploying any custom ADMX files that you want to share with other admin-
istrators in your domain.
Adding ADMX Templates to the Store
After you configure the central store, you must populate it with ADMX template files and their matching ADML language resource files. You can copy these files from a computer running Windows 7 by following these steps:
CHAPTER 14 Managing the Desktop Environment
504
1. Log on to an administrative workstation running Windows 7 using a user account that is a member of the Domain Admins group.
2. Open a command prompt and type the following command on a single line. The /s switch also copies the language subfolders (such as en-US) that hold the .adml resource files; without its .adml file, an .admx file cannot be displayed by the Group Policy Management Editor.
   xcopy %SystemRoot%\PolicyDefinitions\* %LogonServer%\sysvol\%UserDNSDomain%\policies\PolicyDefinitions /s /y
3. Repeat this process from any administrative workstation running Windows 7 that has different languages installed, so that the store contains an .adml folder for each language your administrators use.
After you copy the ADMX template files to the central store, the store is replicated to all domain controllers in the domain along with the rest of the SYSVOL share. The store is never updated automatically: when an updated set of ADMX files ships (for example, with a service pack) or you want to share a custom ADMX file, you copy the .admx file and its .adml files to the store by hand.
DIRECT FROM THE SOURCE
Create and Populate the ADMX Central Store in a Single Step
Judith Herman, Group Policy Programming Writer
Windows Enterprise Management Division UA
As long as the ADMX central store directory exists, the Group Policy Management Editor will ignore the local versions of the ADMX files. It is recommended that as soon as the central store is created, the ADMX (and associated ADML files) are used to populate the central store. If there is an empty central store directory when the Group Policy Management Editor in Windows 7 is started, the ADM nodes will not display any policy settings because the Group Policy Management Editor reads ADM policy settings display information only from the empty central store.
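The following script is an added example and is not code from the Resource Kit. It does what the sidebar recommends, creating and populating the central store in one run, using Windows PowerShell instead of xcopy, and then checks the failure mode a practitioner most often hits afterwards (also relevant when you later add a custom or converted .admx file by hand): an .admx file without a matching .adml in a language folder, which makes the Group Policy Management Editor report an error when it loads that template. It locates the PDC Emulator through .NET rather than trusting %LogonServer%, and assumes the account is a Domain Admin and that this workstation's local ADMX/ADML set is the one the domain should use.

```powershell
# Added example, not code from the Resource Kit: create the ADMX central store on the
# PDC Emulator, populate it from this workstation's PolicyDefinitions folder in one run,
# and verify that every .admx has an .adml resource in each language folder.
# Assumes the account is a Domain Admin (write access to SYSVOL) and that this
# workstation's local ADMX/ADML set is the one the domain should use.
param(
    [string]$LocalDefinitions = "$env:SystemRoot\PolicyDefinitions"
)

# The PDC Emulator is the DC the GPMC edits against by default, so create the store there.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc    = $domain.PdcRoleOwner.Name
$store  = "\\$pdc\SYSVOL\$($domain.Name)\Policies\PolicyDefinitions"

if (-not (Test-Path $store)) {
    New-Item -Path $store -ItemType Directory | Out-Null
}

# Copy the .admx files, then each language subfolder (en-US, de-DE, ...) with its .adml files.
# Doing both in the same run avoids the "empty store, no settings shown" state the sidebar warns about.
Copy-Item -Path "$LocalDefinitions\*.admx" -Destination $store -Force
Get-ChildItem -Path $LocalDefinitions | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $langDir = Join-Path $store $_.Name
    if (-not (Test-Path $langDir)) { New-Item -Path $langDir -ItemType Directory | Out-Null }
    Copy-Item -Path (Join-Path $_.FullName '*.adml') -Destination $langDir -Force
}

function Test-AdmxStore {
    # Returns the list of <language>\<template>.adml files that are missing. An .admx
    # without its .adml makes the Group Policy Management Editor report an error when it
    # loads that template, so a populated store must pass this check for every language.
    param([string]$Path)
    $templates = Get-ChildItem -Path $Path -Filter *.admx | ForEach-Object { $_.BaseName }
    $languages = Get-ChildItem -Path $Path | Where-Object { $_.PSIsContainer }
    $missing = @()
    foreach ($lang in $languages) {
        foreach ($name in $templates) {
            if (-not (Test-Path (Join-Path $lang.FullName "$name.adml"))) {
                $missing += "$($lang.Name)\$name.adml"
            }
        }
    }
    return $missing
}

$missing = @(Test-AdmxStore -Path $store)
if ($missing.Count -eq 0) {
    $count = @(Get-ChildItem -Path $store -Filter *.admx).Count
    Write-Host "Central store $store holds $count ADMX files; all ADML resources are present."
} else {
    Write-Warning ("Central store is missing ADML resources:`n" + ($missing -join "`n"))
}
```

Run it once per language you support, from a workstation that has that language installed, and keep Test-AdmxStore handy: it is the quickest way to confirm a store is consistent after someone drops in a custom .admx without its .adml.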
Creating and Managing GPOs
After your central store is configured and you have copied ADMX template files to it, you are
ready to create GPOs for managing your environment. Beginning with Windows 7, you can
create and manage GPOs in two ways:
■ From the graphical user interface (GUI) by using the GPMC. This is the only method available for managing Group Policy on earlier versions of Windows.
■ From the command line or via script automation by using the new Windows PowerShell Group Policy cmdlets. This method for managing Group Policy is new in Windows 7 and Windows Server 2008 R2 and is described in the section titled "Creating and Managing GPOs Using Windows PowerShell" later in this chapter.

Obtaining the GPMC
The GPMC is not included in a default Windows 7 install. Instead, you must download and
install the RSAT for Windows 7 to use the GPMC on a Windows 7 computer. To do this, follow
these steps:
1. Obtain the appropriate RSAT package (x86 or x64) for your Windows 7 administrative
workstation from the Microsoft Download Center at
/downloads/ and install the RSAT .msu package on your computer.
2. Open Programs And Features from Control Panel and select Turn Windows Features
On Or Off.
3. In the Windows Features dialog box, expand Remote Server Administration Tools, fol-
lowed by Feature Administration Tools.
4. Select the check box next to Group Policy Management Tools and click OK.
Alternatively, instead of managing Group Policy by installing RSAT on a computer running
Windows 7, you can manage it directly from a computer running Windows Server 2008 R2 by
installing the RSAT feature using the Add Features Wizard in Server Manager.
Using Starter GPOs
Starter GPOs, introduced in the GPMC for Windows Server 2008 and Windows Vista SP1 with
RSAT, are read-only collections of configured Administrative Template (.admx) policy settings
that you can use to create a live GPO. Starter GPOs provide baselines of Group Policy settings
designed for specific scenarios. By using Starter GPOs as templates for creating domain-based
GPOs, you can deploy Group Policy quickly in different kinds of environments. Note that
Starter GPOs can contain only policy settings (ADM settings); they cannot include preference
items, security settings, or other types of Group Policy settings.
In Windows Vista SP1 and Windows Server 2008, you had to download Starter GPOs
before using them. Now, however, a default set of Starter GPOs are included in RSAT for
Windows 7 and in the GPMC feature of Windows Server 2008 R2.
RSAT for Windows 7 includes two different categories of Starter GPOs:
■ Enterprise Client (EC)  Client computers in this type of environment are members of an AD DS domain and need to communicate only with systems running Windows Server 2003. The client computers in this environment may include a mixture of Windows versions, including Windows 7, Windows Vista, and Windows XP.
■ Specialized Security Limited Functionality (SSLF)  Client computers in this type of environment are members of an AD DS domain and must be running Windows Vista or later. Concern for security in this environment is a higher priority than functionality and manageability, which means that the majority of enterprise organizations do not use this environment. The types of environments that might use SSLF are military and intelligence agency computers.
In addition to these two categories, the default Starter GPOs in RSAT for Windows 7 can also be categorized by whether they do the following:
■ Apply only to clients running Windows XP SP2 or later or Windows Vista SP1 or later.
■ Apply to users or to computers.
The result of this categorization is the following eight types of Starter GPOs included in RSAT for Windows 7:
■ Windows Vista EC Computer
■ Windows Vista EC User
■ Windows Vista SSLF Computer
■ Windows Vista SSLF User
■ Windows XP EC Computer
■ Windows XP EC User
■ Windows XP SSLF Computer
■ Windows XP SSLF User
For more information concerning the default configuration of policy settings in Starter GPOs designed for Windows Vista SP1 or later, see the Windows Vista Security Guide. For more information concerning the default configuration of policy settings in Starter GPOs designed for Windows XP SP2 or later, see the Windows XP Security Compliance Management Toolkit at /fwlink/?LinkId=14839. Updated information on Starter GPOs should also be available; search for Windows 7 Security Guide on the Microsoft Download Center.
Before you can use Starter GPOs, you must prepare your environment by creating a sepa-
rate folder for these GPOs in the SYSVOL share on your domain controllers. If your forest has
more than one domain, you must create a separate Starter GPOs folder in each domain of
your forest. To create the Starter GPOs folder, perform the following steps:
1. Open the GPMC and select the Starter GPOs node in the console tree for the domain.
2. Click the Create Starter GPOs Folder button in the details pane (see Figure 14-3).
3. Repeat for each domain in your forest.
After you create your Starter GPOs folder, you can use the default Starter GPOs as templates
when you create new GPOs, as described in the next section. You can also create and manage
your own Starter GPOs by right-clicking the Starter GPOs node in the console tree of the
GPMC.

FIGURE 14-3 Creating the Starter GPOs folder in SYSVOL for the domain
Creating and Managing GPOs Using the GPMC
To create and configure a GPO using the GPMC, follow these steps:
1. Log on to an administrative workstation running Windows 7 with RSAT using a user
account that is a member of the Domain Admins built-in group.
2. Right-click Start and then click Properties. On the Start Menu tab, click Customize.
Then in the Customize Start Menu dialog box, scroll down to System Administrative
Tools, select Display On The All Programs Menu And The Start Menu, and click OK.
3. Click Start, then Administrative Tools, and then Group Policy Management. (Alterna-
tively, you can type gpmc.msc in the Start Search box and then click gpmc.msc when
it appears under Programs in your search results.)
4. Expand the console tree to select the domain or OU to which you will link the new
GPO when you create it.
5. Right-click this domain or OU and select Create A GPO In This Domain And Link It
Here.
6. Type a descriptive name for your new GPO, such as Seattle Computers GPO, and
(optionally) select a Starter GPO as a template for it. Then click OK.
7. Expand the domain or OU to display the GPO link for your new GPO beneath it, as
shown in the following image.
8. Right-click the GPO link and then select Edit to open the GPO.
9. Configure policy settings and preference items in the GPO as desired for the comput-
ers and/or users targeted by the GPO.
NOTE If a domain controller is unavailable when a computer running Windows 7 tries to log on to the network, the computer will log on using cached credentials and will use the local copies of the ADMX template files to surface ADM policy settings in the Local Group Policy Editor. Also, if an administrator uses a computer running Windows 7 with RSAT to start GPMC or the Local Group Policy Editor and no central store is found, local copies of the ADMX template files will be used to surface ADM policy settings in the Local Group Policy Editor.
Creating and Managing GPOs Using Windows PowerShell
Beginning with Windows 7 and Windows Server 2008 R2, you can also use 25 new Windows
PowerShell cmdlets to create and manage GPOs from the PowerShell command line or by us-
ing PowerShell scripts. This new capability builds upon the earlier Component Object Model
(COM)–based Group Policy scripting capabilities found in Windows Vista and Windows Server
2008. This feature enables administrators to manage the full life cycle of GPOs, including cre-
ating, deleting, copying, configuring, linking, backing up and restoring, generating Resultant
Set of Policy (RSoP) reports, configuring permissions, and migrating (importing and export-
ing) GPOs across domains and forests and from test to production environments.
This new functionality is implemented using the GPMC application programming inter-
faces (APIs) and is available as a module that you can import from the Windows PowerShell
command line. This means that the GPMC must be installed on the computer from which you
run your Windows PowerShell commands. These new cmdlets provide functionality both for
performing GPMC operations and for reading and writing registry settings to GPOs (including
both policy settings and preference items).
You can also use Group Policy to configure policy settings that control whether Windows PowerShell scripts run before or after non-PowerShell scripts during computer startup and shutdown and during user logon and logoff. By default, Windows PowerShell scripts run after non-PowerShell scripts.
As shown in Table 14-3, the Windows PowerShell cmdlets in Group Policy can be organized
into five different categories according to their verb.
TABLE 14-3 Windows PowerShell cmdlets for Group Policy in Windows 7 and Windows Server 2008 R2

VERB     CMDLETS
Get      Get-GPInheritance, Get-GPO, Get-GPOReport, Get-GPPermissions, Get-GPPrefRegistryValue, Get-GPRegistryValue, Get-GPResultantSetOfPolicy, Get-GPStarterGPO
New      New-GPLink, New-GPO, New-GPStarterGPO
Set      Set-GPInheritance, Set-GPLink, Set-GPPermissions, Set-GPPrefRegistryValue, Set-GPRegistryValue
Remove   Remove-GPLink, Remove-GPO, Remove-GPPrefRegistryValue, Remove-GPRegistryValue
Misc     Backup-GPO, Copy-GPO, Import-GPO, Rename-GPO, Restore-GPO
As an example of using these new cmdlets, the procedure described here creates a
new Seattle Users GPO and links it to the Seattle Users OU beneath the Seattle OU in the
contoso.com domain to complement the Seattle Computers GPO created using the GPMC
in the previous section.

1. Log on to your domain controller and click the Administrator: Windows PowerShell icon pinned to the taskbar. This opens the Windows PowerShell command-prompt window.
2. Type import-module GroupPolicy to import the Group Policy module into Windows PowerShell. Windows PowerShell 2.0 does not load modules automatically, so this step is required at the beginning of each Windows PowerShell script or series of PowerShell commands that you execute to manage Group Policy.
3. Type $gpo = New-GPO "Seattle Users GPO" to create a new GPO named Seattle Users GPO and assign the GPO to the Windows PowerShell variable named $gpo.
4. Type Get-GPO $gpo.DisplayName to retrieve the properties of the newly created GPO and verify its creation, as shown here.
5. Type New-GPLink $gpo.DisplayName -Target "ou=Seattle Users,ou=Seattle,dc=contoso,dc=com" -Order 1 to link the new GPO to the Seattle Users OU beneath the Seattle OU in the contoso.com domain and assign the GPO a link order of 1.
If you refresh the GPMC view, you should now see the newly created GPO linked to the OU
you specified.
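The following script is an added example, not code from the Resource Kit. It extends the five-step procedure into the form you would actually keep: it creates the GPO from one of the built-in Starter GPOs described earlier (so the new GPO starts from a baseline rather than empty), avoids creating a duplicate GPO or link when run a second time, and verifies the link from the server side with Get-GPInheritance. The OU and GPO names are the chapter's contoso.com example; the Starter GPO name is one of the eight listed above and is only used if the Starter GPOs folder has been created in the domain.

```powershell
# Added example, not code from the Resource Kit: create a GPO from a built-in Starter GPO,
# link it to an OU, and verify the result. Names follow the chapter's contoso.com example.
Import-Module GroupPolicy

$gpoName  = 'Seattle Users GPO'
$targetOU = 'OU=Seattle Users,OU=Seattle,DC=contoso,DC=com'
$starter  = 'Windows Vista EC User'   # one of the eight default Starter GPOs in RSAT for Windows 7

# Reuse an existing GPO of that name rather than creating a second one with the same display name.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    # Starter GPOs are only available after the Starter GPOs folder has been created in SYSVOL.
    if (Get-GPStarterGPO -Name $starter -ErrorAction SilentlyContinue) {
        $gpo = New-GPO -Name $gpoName -StarterGpoName $starter -Comment 'Baseline for Seattle users'
    } else {
        Write-Warning "Starter GPO '$starter' not found; creating an empty GPO instead."
        $gpo = New-GPO -Name $gpoName -Comment 'Baseline for Seattle users'
    }
}

# Link it to the OU unless a link to this GPO already exists there. Linking by GUID rather than
# display name avoids ambiguity if two GPOs ever share a name.
$inheritance = Get-GPInheritance -Target $targetOU
if (-not ($inheritance.GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id })) {
    New-GPLink -Guid $gpo.Id -Target $targetOU -LinkEnabled Yes -Order 1 | Out-Null
}

# Verify: the GPO's identity and status, then every link on the OU in processing order.
Get-GPO -Guid $gpo.Id | Select-Object DisplayName, Id, GpoStatus, CreationTime
(Get-GPInheritance -Target $targetOU).GpoLinks | Select-Object Order, DisplayName, Enabled, Enforced
```

Because the cmdlets default to the PDC Emulator just as the GPMC does, the GPMC view will show the new GPO and link after a refresh without waiting for replication.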
For more examples on how to use these new Group Policy cmdlets to create and manage Group Policy, see the Windows PowerShell section of the Group Policy Team Blog on Microsoft TechNet. For a general introduction to the Windows PowerShell capabilities of Windows 7, see Chapter 13, "Overview of Management Tools."
Editing GPOs
After you’ve created a GPO, you can edit the settings that it contains using one of two methods:
■ From the GUI by using the Group Policy Management Editor, which can be started from the GPMC. This is the only method available for editing GPOs in earlier versions of Windows. Using this method, you can modify any GPO setting, including policy settings, preference items, and security settings.
■ From the command line or via script automation by using the Set-GPRegistryValue, Set-GPPrefRegistryValue, Get-GPRegistryValue, Get-GPPrefRegistryValue, Remove-GPRegistryValue, and Remove-GPPrefRegistryValue cmdlets, which are among the new Windows PowerShell Group Policy cmdlets in Windows 7. Using this method, you can modify either registry-based policy settings or registry-based Group Policy preference items (you cannot modify other types of preference items using the cmdlets). You cannot use Windows PowerShell to modify security settings, software installation settings, or any other types of GPO settings.
Configuring Policy Settings
To configure a policy setting in a GPO, follow these steps:
1. Right-click the GPO or its associated GPO link in GPMC and select Edit to open the
GPO in the Group Policy Management Editor.
2. Expand the Policies node under either Computer Configuration or User Configuration
as desired.
3. Expand the Administrative Templates node under Policy and browse to select the
policy you want to configure, as shown here.
4. Double-click the policy setting to open its properties, then enable or disable the set-
ting as desired, and (optionally) type a comment to document your action, as shown
here.
5. Click OK to apply the change to the GPO.
After Group Policy is refreshed on the users or computers targeted by the GPO, the policy setting is applied. The setting configured in this example, Add Search Internet Link To Start Menu, applies only to Windows 7 and later versions; it displays a Search The Internet link above the Start menu button whenever a user types something into the Search box on the Start menu.
In addition to using the Group Policy Management Editor to configure policy settings, you can use Windows PowerShell to do this if you have the GPMC installed on a computer running Windows 7 or Windows Server 2008 R2. For example, to edit the Seattle Users GPO and enable the Add Search Internet Link To Start Menu policy setting as was done previously, open a Windows PowerShell command-prompt window and follow these steps:
1. Type Import-Module GroupPolicy to import the GroupPolicy module into Windows PowerShell.
2. Type $key = "HKCU\Software\Policies\Microsoft\Windows\Explorer" to assign the registry path for the Add Search Internet Link To Start Menu policy setting to the variable named $key. Because the key is under HKCU, the value is written to the User Configuration side of the GPO; a key under HKLM would be written to Computer Configuration.
3. Use the Set-GPRegistryValue cmdlet, as shown in Figure 14-4, to create a new DWORD registry value named AddSearchInternetLinkInStartMenu under the registry key and assign a value of 1 to this registry value.
FIGURE 14-4 Configuring a policy setting in a GPO using Windows PowerShell
To verify that the policy setting has been modified as desired in the GPO, open the GPO
in the Group Policy Management Editor and double-click the policy setting to display its
properties. You can also select the GPO under the Group Policy Objects node in the GPMC
and then select the Settings tab in the details pane to view details concerning all configured
policy settings within the GPO.
NOTE To modify a policy setting using the Set-GPRegistryValue cmdlet, you need to know the registry setting associated with the policy setting. A simple way to obtain this information is to download the Group Policy Settings Reference spreadsheet for Windows Server 2008 R2 and Windows 7 from the Microsoft Download Center, open it in Microsoft Office Excel, select the Administrative Templates worksheet, find the row that has the name of the policy setting under the Policy Setting Name column, and then find the registry key and value name for the policy under the Registry Information column for the selected row. Note that this spreadsheet doesn't state the value type or range of possible values of the registry value; to determine this (if it's not obvious), you can enable, disable, or otherwise configure the policy setting on a test computer and then open the registry value for the policy using Registry Editor to view the results.
Configuring Preference Items
To configure a preference item in a GPO, follow these steps:
1. Right-click the GPO or its associated GPO link in GPMC and select Edit to open the GPO in the Group Policy Management Editor.
2. Expand the Preferences node under either Computer Configuration or User Configuration as desired.
3. Right-click a preference setting node and select the appropriate menu option to create, replace, update, or remove a preference setting, as shown here.
You can also configure registry-based preference items from Windows PowerShell by using the Set-GPPrefRegistryValue cmdlet, and read them back with Get-GPPrefRegistryValue. For more examples on how to use the Group Policy cmdlets, see the Windows PowerShell section of the Group Policy Team Blog on Microsoft TechNet.
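The following script is an added example, not code from the Resource Kit. It serves both the policy-setting procedure above (Set-GPRegistryValue writing the Add Search Internet Link To Start Menu value) and the preference-item procedure: it writes the same GPO once with an enforced policy value under Software\Policies and once with a registry preference item under an application's own key, reads both back, and shows in the read-back objects the difference the sidebar that follows describes (PolicyState on the policy value, Action on the preference item). The GPO name is the chapter's Seattle Users GPO; the Contoso preference key and DefaultServer value are hypothetical.

```powershell
# Added example, not code from the Resource Kit: configure a registry-based policy setting and a
# registry-based preference item in the same GPO with Windows PowerShell, then read both back.
# 'Seattle Users GPO' is the chapter's example; the Contoso preference key is hypothetical.
Import-Module GroupPolicy

$gpoName = 'Seattle Users GPO'

# --- Policy setting: Add Search Internet Link To Start Menu (User Configuration) ---
# An HKCU key places the value under User Configuration; HKLM would place it under Computer
# Configuration. Values under Software\Policies are managed: clients clean them up when the
# setting is removed, and Explorer disables the corresponding UI while the policy is in force.
$policyKey = 'HKCU\Software\Policies\Microsoft\Windows\Explorer'
Set-GPRegistryValue -Name $gpoName -Key $policyKey `
    -ValueName 'AddSearchInternetLinkInStartMenu' -Type DWord -Value 1 | Out-Null

$policy = Get-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'AddSearchInternetLinkInStartMenu'
"{0}\{1} = {2} ({3}); PolicyState = {4}" -f $policy.FullKeyPath, $policy.ValueName,
    $policy.Value, $policy.Type, $policy.PolicyState

# --- Preference item: a value in a hypothetical application's own key (User side) ---
# -Context selects User or Computer configuration; -Action Update creates the value or updates
# it if present (Create, Replace and Delete are the other choices, matching the editor's menu).
# Nothing stops the user from changing this value afterwards; the next refresh rewrites it.
$prefKey = 'HKCU\Software\Contoso\LineOfBusinessApp'
Set-GPPrefRegistryValue -Name $gpoName -Context User -Action Update -Key $prefKey `
    -ValueName 'DefaultServer' -Type String -Value 'app01.contoso.com' | Out-Null

$pref = Get-GPPrefRegistryValue -Name $gpoName -Context User -Key $prefKey -ValueName 'DefaultServer'
"{0}\{1} = {2} ({3}); Action = {4}" -f $pref.FullKeyPath, $pref.ValueName,
    $pref.Value, $pref.Type, $pref.Action

# Undo, for reference (commented out). Removing the policy value takes the managed value off
# clients at the next refresh, so the original unmanaged setting is back in effect; removing the
# preference item does not restore whatever value it overwrote on clients that already received it.
# Remove-GPRegistryValue     -Name $gpoName -Key $policyKey -ValueName 'AddSearchInternetLinkInStartMenu'
# Remove-GPPrefRegistryValue -Name $gpoName -Context User -Key $prefKey -ValueName 'DefaultServer'

# Produce the same report the GPMC Settings tab shows, for review or change records.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$($gpoName -replace ' ', '_').html"
```

Run the report step after any scripted change: the Settings tab (and this HTML) is the only place where a registry value written by Set-GPRegistryValue that does not correspond to any ADMX template shows up as "Extra Registry Settings", which is the usual sign of a typo in the key or value name.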
DIRECT FROM THE SOURCE
Group Policy Settings vs. Group Policy Preferences*
William R. Stanek
Author
One way to think of Group Policy is as a set of rules that you can apply throughout the enterprise. Although you can use Group Policy to manage servers and workstations running Windows 2000 or later, Group Policy has changed since it was first implemented with Windows 2000. For Windows Vista with SP1 or later and Windows Server 2008, Group Policy includes both managed settings, referred to as policy settings, and unmanaged settings, referred to as policy preferences. When you deploy the Group Policy CSEs to Windows XP with SP2 or later, Windows Vista, or Windows Server 2003 with SP1 or later, these older operating systems can use Group Policy preferences as well.
■ Group Policy settings enable you to control the configuration of the operating system and its features. You can also use policy settings to configure computer and user scripts, folder redirection, computer security, software installation, and more.
■ Group Policy preferences enable you to configure, deploy, and manage operating system and application settings that you were not able to manage using earlier implementations of Group Policy, including data sources, mapped drives, environment variables, network shares, folder options, shortcuts, and more. In many cases, you'll find that using Group Policy preferences is a better approach than configuring these settings in Windows images or using logon scripts.
■ The key difference between preferences and policy settings is enforcement. Group Policy strictly enforces policy settings. You use policy settings to control the configuration of the operating system and its features. You also use policy settings to disable the user interface for settings that Group Policy is managing, which prevents users from changing those settings. Most policy settings are stored in policy-related branches of the registry. The operating system and compliant applications check the policy-related branches of the registry to determine whether and how various aspects of the operating system are controlled. Group Policy refreshes policy settings at a regular interval, which is every 90 to 120 minutes by default.
■ In contrast, Group Policy does not strictly enforce policy preferences. Group Policy does not store preferences in the policy-related branches of the registry. Instead, it writes preferences to the same locations in the registry that an application or operating system feature uses to store the setting. This allows Group Policy preferences to support applications and operating system features that aren't Group Policy-aware and also does not disable application or operating system features in the user interface to prevent their use. Because of this behavior, users can change settings that were configured using policy preferences. Finally, although Group Policy by default refreshes preferences using the same interval as Group Policy settings, you can prevent Group Policy from refreshing individual preferences by choosing to apply them only once.
When working with policy settings, keep the following in mind:
■ Most policy settings are stored in policy-based areas of the registry.
■ Settings are enforced.
■ User interface options might be disabled.
■ Settings are refreshed automatically.
■ Settings require Group Policy-aware applications.
■ Original settings are not changed.
■ Removing the policy setting restores the original settings.
When working with policy preferences, keep the following in mind:
■ Preferences are stored in the same registry locations as those used by the operating system and applications.
■ Preferences are not enforced.
■ User interface options are not disabled.
■ Settings can be refreshed automatically or applied once.
■ Preferences support non-Group Policy-aware applications.
■ Original settings are overwritten.
■ Removing the preference item does not restore the original setting.
In the real world, the way you use policy settings or policy preferences depends
on whether you want to enforce the item. To configure an item without enforcing it,
use policy preferences and then disable automatic refresh. To configure an item and
enforce the specified configuration, use policy settings or configure preferences and
then enable automatic refresh.
*Excerpted with permission from the Windows Group Policy Administrator’s Pocket Consultant (Microsoft Press, 2009).
Managing MLGPOs
To edit different MLGPOs on a computer running Windows 7, follow these steps:
1. Log on to an administrative workstation running Windows 7 using a user account that
is a member of the local Administrators built-in group.
2. Type mmc in the Start menu and then click mmc.exe when it appears under Programs
in your search results.
3. Select File and then select Add/Remove Snap-in.
4. Select Group Policy Management Editor from the list of available snap-ins and then
click Add.
5. Do one of the following:
   ○ To create a custom Microsoft Management Console (MMC) for editing the Local Computer Policy, click Finish.
   ○ To create a custom MMC for editing the Administrators Local Group Policy, click Browse, click the Users tab, select Administrators, click OK, and then click Finish.
   ○ To create a custom MMC for editing the Non-Administrators Local Group Policy, click Browse, click the Users tab, select Non-Administrators, click OK, and then click Finish.
   ○ To create a custom MMC for editing the Local Group Policy for a specific local user account, click Browse, click the Users tab, select that user account, click OK, and then click Finish.
6. Alternatively, instead of creating multiple different custom MMCs, you can add multiple
instances of the Group Policy Management Editor snap-in to a single custom MMC con-
sole with each snap-in having a different MLGPO as its focus, as shown in Figure 14-5.
FIGURE 14-5 Editing Local Computer Policy, Administrators Local Group Policy,
and Non-Administrators Local Group Policy, all from a single MMC console
MLGPOs do not exist until you actually configure their settings using the Local Group
Policy Editor. You can delete MLGPOs that you no longer need by following these steps:
1. Log on to an administrative workstation running Windows 7 using a user account that
is a member of the local Administrators built-in group.
2. Click the Start button, type mmc in the Start menu Search box, and then click mmc.exe when it appears under Programs in your search results.
3. Respond to the User Account Control (UAC) prompt by clicking Yes.
4. Select File and then select Add/Remove Snap-in.
5. Select Group Policy Management Editor from the list of available snap-ins and then click Add.
6. Click Browse and then click the Users tab, as shown here.
7. Right-click the user or group (Administrators or Non-Administrators) for which you want to delete the associated MLGPO, select Remove Group Policy Object, click Yes, and then click OK.
NOTE You can also disable an MLGPO temporarily by right-clicking its associated user or group, selecting Properties, and then selecting the check boxes to disable the user and machine (if available) portions of the MLGPO.
You can also choose to edit only the Local Computer Policy on a computer running Windows 7 (similar to the way it is done in earlier versions of Windows) by following these steps:
1. Log on to an administrative workstation running Windows 7 using a user account that is a member of the local Administrators built-in group.
2. Type gpedit.msc in the Start menu and then click gpedit.msc when it appears under Programs in your search results.
3. Respond to the UAC prompt by clicking Yes.
4. Configure policy settings as desired.
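The following script is an added example, not code from the Resource Kit. Because MLGPOs do not exist until something is configured in them, and the MMC procedure above only shows them one at a time, it is useful to be able to list which local GPOs are actually present on a machine, for example when auditing a workstation or investigating why a setting applies to one local account and not another. The script relies on how Windows stores local policy on disk: Local Computer Policy under %SystemRoot%\System32\GroupPolicy, and each MLGPO in a folder under %SystemRoot%\System32\GroupPolicyUsers named for the SID it applies to (S-1-5-32-544 for the Administrators MLGPO, S-1-5-32-545 for the Non-Administrators MLGPO, or a specific user's SID). It reads each gpt.ini version number and resolves the SIDs to names; it needs local administrator rights and targets Windows PowerShell 2.0, so it avoids the 3.0-only shift operators.

```powershell
# Added example, not code from the Resource Kit: inventory the local GPOs (Local Computer
# Policy and every MLGPO) that exist on this computer. Requires local administrator rights.

function Get-GptVersion {
    # gpt.ini holds one Version number: high 16 bits = user side, low 16 bits = computer side.
    param([string]$GptIni)
    if (-not (Test-Path $GptIni)) { return $null }
    $line = Get-Content $GptIni | Where-Object { $_ -like 'Version=*' } | Select-Object -First 1
    if ($line -and ($line -match '^Version=(\d+)\s*$')) {
        $v = [int]$Matches[1]
        return New-Object PSObject -Property @{
            User     = [int][math]::Floor($v / 65536)
            Computer = [int]($v % 65536)
        }
    }
    return $null
}

function Resolve-Sid {
    # Translate a SID string to DOMAIN\name; keep the raw SID if it no longer resolves
    # (for example, an MLGPO left behind for a deleted local user).
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Sid
    }
}

function Get-LocalGpoInventory {
    $result = @()

    $computerGpo = "$env:SystemRoot\System32\GroupPolicy"
    $ver = Get-GptVersion (Join-Path $computerGpo 'gpt.ini')
    if ($ver) {
        $result += New-Object PSObject -Property @{
            Scope = 'Local Computer Policy'; Path = $computerGpo
            UserVersion = $ver.User; ComputerVersion = $ver.Computer
        }
    }

    # One folder per MLGPO, named after the SID of the group or user it applies to.
    $usersRoot = "$env:SystemRoot\System32\GroupPolicyUsers"
    if (Test-Path $usersRoot) {
        foreach ($dir in (Get-ChildItem $usersRoot | Where-Object { $_.PSIsContainer })) {
            $ver = Get-GptVersion (Join-Path $dir.FullName 'gpt.ini')
            $uv = $null; $cv = $null
            if ($ver) { $uv = $ver.User; $cv = $ver.Computer }
            $result += New-Object PSObject -Property @{
                Scope = "MLGPO for $(Resolve-Sid $dir.Name)"; Path = $dir.FullName
                UserVersion = $uv; ComputerVersion = $cv
            }
        }
    }
    return $result
}

Get-LocalGpoInventory | Format-Table Scope, UserVersion, ComputerVersion, Path -AutoSize
```

A user-side version of 0 on an MLGPO means the folder exists but nothing has been configured in it; an MLGPO for a SID that no longer resolves is a candidate for the Remove Group Policy Object procedure above.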
Migrating ADM Templates to ADMX Format
ADMX Migrator is an MMC snap-in developed and supported by FullArmor Corporation that simplifies the task of converting existing Group Policy ADM template files to ADMX template files so that your enterprise can take advantage of the additional capabilities of this new format. ADMX Migrator is available from the Microsoft Download Center and can be installed on Windows 7, Windows Server 2008 R2, Windows Vista, Windows Server 2008, Windows Server 2003 SP1 or later, and Windows XP SP2 or later, provided that MMC 3.0 and the Microsoft .NET Framework 2.0 are installed.
IMPORTANT ADMX Migrator was developed by and is supported by FullArmor Corporation. For support issues involving ADMX Migrator, go to /admx-migrator-issue-report.htm.
With ADMX Migrator, administrators can do any of the following:
■ Use a GUI called ADMX Editor to convert ADM files to ADMX format and to create and edit custom ADMX template files.
■ Use a command-line tool called ADMX Migrator Command Window to control template migration settings granularly.
■ Choose multiple ADM template files for conversion to ADMX format.
■ Detect collisions resulting from duplicate names.
During the conversion process, any items that cannot be validated against the ADMX schema are preserved in an Unsupported section instead of being deleted.
NOTE Annotations within ADM template files are removed during the conversion process.
Converting ADM Template Files to ADMX Format
To convert a custom ADM file into ADMX format, install ADMX Migrator and then follow
these steps:
1. Click Start, click All Programs, click FullArmor, expand FullArmor ADMX Migrator, and
then click ADMX Editor.
2. Respond to the UAC prompt as required to open ADMX Migrator.
3. Right-click the root node in the console tree and then select Generate ADMX From ADM.
4. Browse to locate and select your custom ADM file and then click Open.
5. Click Yes when the message appears stating that the ADM file was successfully con-
verted to ADMX format. This will load the new ADMX file into the ADMX Migrator, as
shown here.
The converted ADMX template file is saved in the %UserProfile%\AppData\Local\Temp folder using the same name as the .adm file but with the .admx extension. Copy this .admx file to the central store for your domain, together with its .adml language resource file placed in the store's language subfolder (the Group Policy Management Editor cannot display a template whose .adml is missing), and you'll be able to configure the policy settings defined by it when you create and edit domain-based GPOs.

Creating and Editing Custom ADMX Template Files
You can create new ADMX template files and modify existing ones by using ADMX Migrator.
Follow these steps:
1. Click Start, click All Programs, click FullArmor, expand FullArmor ADMX Migrator, and
then click ADMX Editor.
2. Respond to the UAC prompt as required to open ADMX Migrator.
3. Right-click the ADMX Templates node under the root node and select one of the
following:
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
CHAPTER 14 Managing the Desktop Environment
520

■ Select New Template to create a new ADMX template file. After you create this file, you can right-click this template and select New Category to add categories of policy settings. After you add categories, you can right-click these categories and select New Policy Setting to define new registry-based policy settings. Type a descriptive name, a full path to the registry key, and a default value (optional) for the key.
■ Select Load Template to open an existing ADMX template file for editing. After you open the file, you can add or delete categories and policy settings as desired.
WARNING Do not modify the default ADMX template files included with Windows 7.
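Before a hand-written or converted .admx file goes into the central store, it is worth checking it the way the Group Policy Management Editor will: the file must be well-formed XML, every $(string.id) reference must resolve in the matching .adml string table, every policy must sit in a declared category and name a registry key. The following check is an added example written for this chapter in Python; it is not part of the book, of ADMX Migrator or of any Microsoft tool. The two template files, the Contoso namespace and the DisableUsbStorage setting in them are constructed for the example, and the resource file deliberately omits one string so the check has something to report.

```python
import re
import xml.etree.ElementTree as ET

ADMX_NS = "http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
STRING_REF = re.compile(r"\$\(string\.([A-Za-z0-9_]+)\)")

# Constructed minimal template; the Contoso namespace, category and policy are hypothetical.
SAMPLE_ADMX = r"""<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="contoso" namespace="Contoso.Policies.Desktop" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="ContosoDesktop" displayName="$(string.ContosoDesktop)" />
  </categories>
  <policies>
    <policy name="DisableUsbStorage" class="Machine"
        displayName="$(string.DisableUsbStorage)"
        explainText="$(string.DisableUsbStorage_Help)"
        key="Software\Policies\Contoso\Desktop" valueName="DisableUsbStorage">
      <parentCategory ref="ContosoDesktop" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
"""

# Constructed en-US resource file; DisableUsbStorage_Help is deliberately left out.
SAMPLE_ADML = r"""<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <displayName>Contoso desktop policies</displayName>
  <description>Constructed sample resource file</description>
  <resources>
    <stringTable>
      <string id="ContosoDesktop">Contoso Desktop</string>
      <string id="DisableUsbStorage">Disable USB storage devices</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
"""


def _tag(name):
    return "{%s}%s" % (ADMX_NS, name)


def check_template(admx_text, adml_text):
    """Return a list of problems found; an empty list means the pair is consistent.

    A .admx that is not well-formed XML is reported and nothing else is checked,
    which is the same failure GpEdit.log records when the editor loads a bad template.
    """
    try:
        admx = ET.fromstring(admx_text)
    except ET.ParseError as err:
        return ["ADMX is not well-formed XML: %s" % err]
    try:
        adml = ET.fromstring(adml_text)
    except ET.ParseError as err:
        return ["ADML is not well-formed XML: %s" % err]

    problems = []
    string_ids = {s.get("id") for s in adml.iter(_tag("string"))}
    categories = {c.get("name") for c in admx.iter(_tag("category"))}

    # Every $(string.id) reference in any attribute must resolve in the ADML string table,
    # otherwise the setting shows up in the editor with a blank or broken label.
    for elem in admx.iter():
        local = elem.tag.split("}")[-1]
        for attr, value in elem.attrib.items():
            for ref in STRING_REF.findall(value):
                if ref not in string_ids:
                    problems.append("%s/@%s references missing string '%s'" % (local, attr, ref))

    for policy in admx.iter(_tag("policy")):
        name = policy.get("name", "?")
        if policy.get("class") not in ("Machine", "User", "Both"):
            problems.append("policy %s: class must be Machine, User or Both" % name)
        parent = policy.find(_tag("parentCategory"))
        ref = parent.get("ref", "") if parent is not None else ""
        # A prefixed ref (windows:System) points into another namespace; only local refs are checked.
        if not ref or (":" not in ref and ref not in categories):
            problems.append("policy %s: parentCategory does not name a category in this file" % name)
        if not policy.get("key"):
            problems.append("policy %s: no registry key declared" % name)
        if policy.find(_tag("supportedOn")) is None:
            problems.append("policy %s: missing supportedOn" % name)
    return problems


if __name__ == "__main__":
    for problem in check_template(SAMPLE_ADMX, SAMPLE_ADML) or ["no problems found"]:
        print(problem)
```

Run against real files, read the .admx from the central store and the .adml from its language subfolder (en-US for the sample) and pass both texts to check_template; a non-empty list means the file should not be copied to the store yet.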
Configuring Group Policy Processing
Beginning with Windows Vista, there are two policy settings you can configure that affect how Group Policy processing is performed:
■ Turn Off Local Group Policy Objects Processing  This policy setting is found under Computer Configuration\Policies\Administrative Templates\System\Group Policy. Enabling this policy setting prevents LGPOs from being applied when Group Policy is processed on the computer.
WARNING Do not enable this policy setting within LGPOs on a stand-alone computer; the Group Policy service does not honor this policy setting from an LGPO when the computer is in a workgroup. Enable this policy setting only in domain-based GPOs, and only if you want to disable application of LGPOs completely during Group Policy processing.
■ Startup Policy Processing Wait Time  This policy setting is found under Computer Configuration\Policies\Administrative Templates\System\Group Policy. Enabling and configuring this policy setting determines how long Group Policy waits for network availability notifications during startup policy processing. The default value for this policy setting when it is enabled is 120 seconds, whereas the system-computed wait time for computers running Windows 7 is 30 seconds; in either case, configuring this policy setting overrides any system-computed wait time. If startup policy processing is synchronous, the computer is blocked until the network becomes available or the configured wait time is reached. If startup policy processing is asynchronous, the computer is not blocked and policy processing takes place in the background.
Using Advanced Group Policy Management
Microsoft Advanced Group Policy Management (AGPM) 4.0, which supports Windows 7 and Windows Server 2008 R2, will be part of the R2 release of the Microsoft Desktop Optimization Pack (MDOP) 2009, a dynamic desktop solution available to Software Assurance (SA) customers that helps reduce application deployment costs, supports delivery of applications as services, and allows for easier management and control of enterprise desktop environments. AGPM was originally based on GPOVault Enterprise Edition, a software solution developed by DesktopStandard and acquired by Microsoft. AGPM integrates with the GPMC and provides the following benefits relating to Group Policy management in enterprise environments:
■ More granular administrative control through role-based administration, a robust delegation model, and change-request approval
■ Reduced risk of Group Policy failures by supporting offline editing of GPOs, recovery of deleted GPOs, repair of live GPOs, difference reporting, and audit logging
■ More effective Group Policy change management through the creation of GPO template libraries, version tracking, history capture, quick rollback of deployed changes, and subscription to policy change e-mail notifications
MORE INFO For more information about AGPM and other MDOP technologies, see the MDOP information on Microsoft’s Web site. For detailed task-oriented help on using AGPM to manage Group Policy in enterprise environments, see Windows Group Policy Administrator’s Pocket Consultant by William R. Stanek (Microsoft Press, 2009).
Troubleshooting Group Policy
Beginning with Windows Vista, the Group Policy engine no longer records information in Userenv.log. Instead, you can find detailed logging of information concerning Group Policy issues by using the following methods:
■ Use Event Viewer to view events in the Group Policy Operational log to resolve issues relating to Group Policy processing on the computer.
■ Enable debug logging for the Group Policy Management Editor to generate GpEdit.log to resolve issues relating to malformed ADMX files.
MORE INFO For additional information on how to troubleshoot Group Policy application issues for Windows 7 and Windows Vista SP1, see “Troubleshooting Group Policy Using Event Logs” at />43db-b097-f3752c84f67f1033.mspx?mfr=true.
DIRECT FROM THE SOURCE
An Ordered Approach to Troubleshooting Group Policy
Mark Lawrence, Senior Program Manager*
Windows Enterprise Management Division (WEMD)
To successfully troubleshoot Group Policy issues on Windows Vista and later versions, we recommend performing the following sequence of steps:
1. Start with Administrative Events under Custom Views in Event Viewer. Identify
any policy failures that occurred and then examine their descriptions, the Details
tab, and the More Information link for these events.
2. Open the Group Policy Operational log and obtain the activity ID from a failure
event. Then use GPLogView.exe with the –a option to filter events for this activity
ID and export the results as either HTML or XML for analysis and archiving.
3. Analyze the GPLogView.exe output to review step-by-step policy-processing
scenario events to identify any failure point and error codes for possible future
troubleshooting.
*With the help of information provided by Dilip Radhakrishnan of the Group Policy Program Managers Team.
Using Event Viewer
The operational log for Group Policy processing on the computer can be found in Event
Viewer under Applications And Service Logs\Microsoft\Windows\Group Policy\Operational,
as shown in Figure 14-6.
FIGURE 14-6 Operational log for Group Policy in Event Viewer
MORE INFO For more information on using Event Viewer in Windows 7, see Chapter 21, “Maintaining Desktop Health.”
This Group Policy Operational channel within Event Viewer records each of the step-by-step policy-processing events that occurs as Group Policy is applied on the client. This logging channel is an administrator-friendly replacement for the Userenv.log used on previous versions of Windows for troubleshooting Group Policy processing. (The Userenv.log was challenging to parse on those platforms for Group Policy events because several other types of events could be recorded in the same log.) These Group Policy operational events can provide valuable troubleshooting information such as user name, GPO list, and policy-processing metrics, such as total processing time and individual extension processing time. In addition, a unique activity ID allows for the grouping of events that occur during each Group Policy processing cycle.
NOTE Only the Group Policy engine logs events in the System Event Log. Group Policy extension DLLs do not log events in that channel; they log their events in the Group Policy Operational Event Log.
Table 14-4 summarizes the different ranges of event IDs in the Group Policy Operational channel and their meaning.
TABLE 14-4 Event ID Ranges for the Group Policy Operational Log
RANGE       MEANING
4000–4299   Scenario Start Events
5000–5299   Corresponding success scenario End Events (Scenario Start Event + 1000)
5300–5999   Informational Events
6000–6299   Corresponding warning scenario End Events (Scenario Start Event + 2000)
6300–6999   Warning Events (Corresponding Informational Event + 1000)
7000–7299   Corresponding error scenario End Events (Scenario Start Event + 3000)
7300–7999   Error Events (Corresponding Informational Event + 2000)
8000–8999   Policy scenario Success Events
NOTE Administrative events relating to Group Policy are still logged in the System Event Log as on older Windows platforms, except that the event source for these events is now Group Policy instead of USERENV. Another advantage beginning with Windows Vista is that Group Policy script-processing errors (for scripts deployed through the Group Policy script extension) are now logged through the same mechanism as the rest of the Group Policy errors.
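The ranges in Table 14-4 are arithmetic, which makes them easy to apply to an exported copy of the Operational log: an end event minus 1000, 2000 or 3000 is the start event it closes, so events that share an activity ID can be paired up and each processing cycle judged as a whole. The script below is an added example written for this chapter in Python, not a Microsoft tool or code from the book. It reads events in the standard Windows event XML schema (the shape produced by Save All Events As XML in Event Viewer; that GPLogView.exe -x and wevtutil produce the same shape is an assumption), groups them by Correlation ActivityID, classifies every ID per Table 14-4, and reports the outcome, any start event that never received its end event, and any warning or error events. The sample export, the second activity ID and the computer name are constructed; the first activity ID is the one used in the GPLogView examples later in this section, and the event IDs are used only as range examples.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Table 14-4: (range, kind, offset back to the related start or informational event)
RANGES = [
    ((4000, 4299), "start", 0),
    ((5000, 5299), "end-success", 1000),
    ((5300, 5999), "info", 0),
    ((6000, 6299), "end-warning", 2000),
    ((6300, 6999), "warning", 1000),
    ((7000, 7299), "end-error", 3000),
    ((7300, 7999), "error", 2000),
    ((8000, 8999), "success", 0),
]
SEVERITY = {"success": 1, "warning": 2, "error": 3}


def classify(event_id):
    """Map an event ID to its Table 14-4 kind and the related event ID (the start event
    for end events, the informational event for warning/error events), or None."""
    for (low, high), kind, offset in RANGES:
        if low <= event_id <= high:
            return kind, (event_id - offset if offset else None)
    return "unknown", None


def summarize(xml_text):
    """Group exported events by Correlation ActivityID and judge each processing cycle."""
    root = ET.fromstring(xml_text)
    ids_by_activity = defaultdict(list)
    for event in root.iter("{%s}Event" % EVT_NS):
        system = event.find("{%s}System" % EVT_NS)
        event_id = int(system.findtext("{%s}EventID" % EVT_NS))
        corr = system.find("{%s}Correlation" % EVT_NS)
        activity = (corr.get("ActivityID") if corr is not None else None) or "{none}"
        ids_by_activity[activity.strip("{}").lower()].append(event_id)

    report = {}
    for activity, ids in ids_by_activity.items():
        open_starts, worst, warnings, errors = set(), 0, [], []
        for event_id in ids:
            kind, related = classify(event_id)
            if kind == "start":
                open_starts.add(event_id)
            elif kind.startswith("end-"):
                open_starts.discard(related)          # the end event closes its start event
                worst = max(worst, SEVERITY[kind[4:]])
            elif kind == "warning":
                warnings.append(event_id)
            elif kind == "error":
                errors.append(event_id)
        outcome = next((k for k, v in SEVERITY.items() if v == worst), "incomplete")
        report[activity] = {"outcome": outcome, "unfinished_starts": sorted(open_starts),
                            "warnings": warnings, "errors": errors}
    return report


# Constructed export in the standard Windows event XML shape; only the ID values matter here.
def _event(event_id, activity_id):
    return ('<Event xmlns="%s"><System><Provider Name="Microsoft-Windows-GroupPolicy"/>'
            '<EventID>%d</EventID><Correlation ActivityID="{%s}"/>'
            '<Computer>win7-01.contoso.com</Computer></System></Event>'
            % (EVT_NS, event_id, activity_id))


ACT_A = "EA276341-D646-43E0-866C-E7CC35AECC0A"   # activity ID from this chapter's GPLogView examples
ACT_B = "5F3A0C2E-0000-4000-8000-000000000002"   # constructed second processing cycle
SAMPLE_EXPORT = "<Events>" + "".join(_event(i, a) for i, a in [
    (4004, ACT_A), (5312, ACT_A), (5004, ACT_A),
    (4004, ACT_B), (6310, ACT_B), (7320, ACT_B), (7004, ACT_B), (4016, ACT_B),
]) + "</Events>"

if __name__ == "__main__":
    for activity, info in summarize(SAMPLE_EXPORT).items():
        print(activity, info)
```

A cycle whose start event has no matching end event is the one to look at first, since the ID of the unfinished start tells you which scenario (core processing or a particular extension) never completed; the paired error event, if any, carries the error code.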
MORE INFO For another way of categorizing these events, see the posting named Group Policy Troubleshooting – Helpful Event Log Categories on the Group Policy Team Blog at />helpful-event-log-categories.aspx.
Enabling Debug Logging
Optional debug logging is available for the Group Policy Management Editor that provides much more detailed logging than is available from within Event Viewer. You can enable debug logging by creating and configuring the following REG_DWORD registry value.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPEditDebugLevel
The value normally used for troubleshooting purposes is 0x10002. Configuring this registry value creates a GpEdit.log in the %SystemRoot%\debug\usermode folder. The following sample output from this log file shows FolderRedirection.admx and its en-US resource file parsing successfully and then indicates a malformed ADMX file named test.admx.
GPEDIT(b6c.10c8) 12:10:03:713 PDX parser: Parsing file 'C:\Windows\PolicyDefinitions
\FolderRedirection.admx'.
GPEDIT(b6c.10c8) 12:10:03:716 PDX parser: Obtained appropriate PDX resource file
'C:\Windows\PolicyDefinitions\en-US\FolderRedirection.adml' for language 'en-US'.
GPEDIT(b6c.10c8) 12:10:03:717 PDX parser: Parsing resource file
'C:\Windows\PolicyDefinitions\en-US\FolderRedirection.adml'.
GPEDIT(b6c.10c8) 12:10:03:719 PDX parser: Parsing resource file completed successfully.
GPEDIT(b6c.10c8) 12:10:03:720 PDX parser: Successfully parsed file.
GPEDIT(b6c.10c8) 12:10:03:720 PDX parser: Parsing file 'C:\Windows\PolicyDefinitions
\test.admx'.
GPEDIT(b6c.10c8) 12:10:03:721 CSAXErrorHandlerImpl::fatalError: Parsing error, hr =
0xc00cee2d, message = 'Incorrect document syntax.
GPEDIT(b6c.10c8) 12:10:11:223 CSAXParser::ParseURL: parseURL for C:\Windows
\PolicyDefinitions\test.admx failed with 0xc00cee2d.
GPEDIT(b6c.10c8) 12:10:11:223 PDX parser: Failed to parse C:\Windows\PolicyDefinitions
\test.admx with 0xc00cee2d.
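On a store with hundreds of templates the interesting lines in GpEdit.log are the few that say "Failed to parse", and the error message for each failure is logged on an earlier line by the SAX error handler rather than on the failure line itself. The parser below is an added example written for this chapter in Python, not part of the book or of any Microsoft tool. It keys every entry on the process and thread IDs in the GPEDIT(pid.tid) prefix, remembers which file each thread is currently parsing (because "Successfully parsed file." does not repeat the file name), attaches the most recent fatalError message to the failure that follows it, and splits the HRESULT into its severity, facility and code fields. The sample input is the book's log excerpt with each wrapped entry rejoined onto a single line.

```python
import re

LINE = re.compile(r"^GPEDIT\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\)\s+"
                  r"(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<msg>.*)$")
PARSING = re.compile(r"PDX parser: Parsing file '(?P<path>[^']+)'")
FATAL = re.compile(r"fatalError: Parsing error, hr = (?P<hr>0x[0-9a-fA-F]+), message = '(?P<msg>[^']*)")
FAILED = re.compile(r"PDX parser: Failed to parse (?P<path>.+?) with (?P<hr>0x[0-9a-fA-F]+)\.?$")

# The book's sample output with each wrapped entry rejoined onto one line (constructed input).
SAMPLE_LOG = r"""GPEDIT(b6c.10c8) 12:10:03:713 PDX parser: Parsing file 'C:\Windows\PolicyDefinitions\FolderRedirection.admx'.
GPEDIT(b6c.10c8) 12:10:03:716 PDX parser: Obtained appropriate PDX resource file 'C:\Windows\PolicyDefinitions\en-US\FolderRedirection.adml' for language 'en-US'.
GPEDIT(b6c.10c8) 12:10:03:717 PDX parser: Parsing resource file 'C:\Windows\PolicyDefinitions\en-US\FolderRedirection.adml'.
GPEDIT(b6c.10c8) 12:10:03:719 PDX parser: Parsing resource file completed successfully.
GPEDIT(b6c.10c8) 12:10:03:720 PDX parser: Successfully parsed file.
GPEDIT(b6c.10c8) 12:10:03:720 PDX parser: Parsing file 'C:\Windows\PolicyDefinitions\test.admx'.
GPEDIT(b6c.10c8) 12:10:03:721 CSAXErrorHandlerImpl::fatalError: Parsing error, hr = 0xc00cee2d, message = 'Incorrect document syntax.
GPEDIT(b6c.10c8) 12:10:11:223 CSAXParser::ParseURL: parseURL for C:\Windows\PolicyDefinitions\test.admx failed with 0xc00cee2d.
GPEDIT(b6c.10c8) 12:10:11:223 PDX parser: Failed to parse C:\Windows\PolicyDefinitions\test.admx with 0xc00cee2d.
"""


def parse_gpedit_log(text):
    """Return (parsed_ok, failures) for the template files named in a GpEdit.log."""
    parsed_ok, failures = [], []
    current, last_error = {}, {}        # both keyed on (pid, tid)
    for line in text.splitlines():
        match = LINE.match(line)
        if not match:
            continue                    # continuation or unrelated line
        key, stamp, msg = (match["pid"], match["tid"]), match["time"], match["msg"]
        started, fatal, failed = PARSING.search(msg), FATAL.search(msg), FAILED.search(msg)
        if started:
            current[key] = started["path"]
        elif "PDX parser: Successfully parsed file." in msg and key in current:
            parsed_ok.append(current.pop(key))
        elif fatal:
            # The XML parser's message arrives before the "Failed to parse" line; keep it for that line.
            last_error[key] = fatal["msg"].strip(". ")
        elif failed:
            failures.append({"path": failed["path"], "hresult": failed["hr"].lower(),
                             "message": last_error.pop(key, ""), "time": stamp})
            current.pop(key, None)
    return parsed_ok, failures


def describe_hresult(hr):
    """Split an HRESULT into its severity bit, facility (bits 16-26) and code (bits 0-15)."""
    value = int(hr, 16)
    return {"failure": bool(value & 0x80000000),
            "facility": (value >> 16) & 0x7FF,
            "code": value & 0xFFFF}


if __name__ == "__main__":
    ok, bad = parse_gpedit_log(SAMPLE_LOG)
    print("parsed:", ok)
    for failure in bad:
        print("FAILED", failure, describe_hresult(failure["hresult"]))
```

Point parse_gpedit_log at the contents of %SystemRoot%\debug\usermode\GpEdit.log after opening a GPO in the editor; each entry in the failures list names the template to fix or remove from the central store, and the attached message is usually enough to locate the bad construct without opening the file in a schema-aware editor.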
Using Group Policy Log View
GPLogView.exe is a command-line troubleshooting tool that you can use to export Group Policy–related events logged in the System Event Log channel and the Group Policy Operational Event Log channel into a text, HTML, or XML file. GPLogView.exe works only on Windows Vista and later; it is not included with Windows 7 or Windows Server 2008 R2, but it is available as a separate download from the Microsoft Download Center. The command-line options for this tool are the following:
■ -?  Shows this usage message.
■ -o output_filename  Output filename required for text, XML, or HTML; not valid if -m is specified.
■ -n  Do not output the activity ID.
■ -p  Dump the process ID and thread ID associated with each event.
■ -a activity_ID_GUID  Shows only events matching the given activity ID.
■ -m  Runs the tool in monitor mode, displaying events in real time.
■ -x  Dumps the events in XML; the only other options allowed with this option are -m and -a, but not both together.
■ -h  Dumps the events in HTML format; the -m or -x option is not allowed, and -a and -n are allowed, but not both together. Also must specify the -o option.
■ -q query_filename  Uses the query specified by the query file.
■ -l publisher_name  If -q is specified, the publisher name must be specified.
The following examples illustrate the use of this tool:
■ GPLogView.exe -o GPEvents.txt
■ GPLogView.exe -n -o GPEvents.txt
■ GPLogView.exe -a ea276341-d646-43e0-866c-e7cc35aecc0a -o GPEvents.txt
■ GPLogView.exe -p -o GPEvents.txt
■ GPLogView.exe -x -o GPEvents.xml
■ GPLogView.exe -x -m
■ GPLogView.exe -x -a ea276341-d646-43e0-866c-e7cc35aecc0a -o GPEvents.xml
■ GPLogView.exe -h -o GPEvents.html
■ GPLogView.exe -h -a ea276341-d646-43e0-866c-e7cc35aecc0a -o GPEvents.html
■ GPLogView.exe -h -q somequeryFile.txt -l Microsoft-Windows-GroupPolicy -o GPEvents.html
Using GPResult
GPResult.exe is a command-line tool built into Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008 that can be used for displaying Group Policy settings and RSoP for a specified user or computer. Two new command-line switches were added to GPResult.exe beginning with Windows Vista SP1 and Windows Server 2008:
■ /x filename  Saves the report in XML format at the location and with the filename specified by the filename parameter
■ /h filename  Saves the report in HTML format at the location and with the filename specified by the filename parameter
In addition, GPResult now requires command-line parameters when it is run. For more information concerning GPResult.exe syntax and usage, see /windowsserver2008/en/library/dfaa3adf-2c83-486c-86d6-23f93c5c883c1033.mspx?mfr=true. For additional information, see this posting on the Ask The Directory Services Team Blog: />results.aspx.
DIRECT FROM THE SOURCE
Prerequisites for Using Preferences on Previous Versions of Windows
The Group Policy Team at Microsoft
It’s important to know the CSE and XMLLite install requirements for Group Policy preferences because this is the number one Group Policy issue for Microsoft Product Support Services (PSS). To ensure that the preference items are applied to clients, complete the following prerequisite tasks:
1. Install the Group Policy CSEs on any clients in which you plan to deploy preference items if the CSEs are not already installed by default. These are required for clients to process Group Policy preferences.
2. Install XMLLite on the same clients if it is not already installed by default (see for more information).
One option for installing the CSEs and XMLLite is to use a script (see for an example). Alternatively, you can obtain the CSEs through Windows Update or Windows Server Update Services (WSUS) or from the Microsoft Download Center. Then, you can obtain XMLLite from the Download Center.
The following information will help you determine whether the CSEs and XMLLite need to be installed and whether you can obtain them from the Microsoft Download Center or from Windows Update.
Requirements for CSEs
The following are the requirements for installing CSEs on earlier versions of Windows:
■ Windows Server 2008  CSEs are already included and therefore do not need to be installed.
■ Windows Vista and Windows Vista with SP1  Download and install the 32-bit edition of CSEs from and the 64-bit edition from
■ Windows XP with SP2 or later  Download and install the 32-bit edition of CSEs from and the 64-bit edition from
■ Windows Server 2003 with SP1 or later  Download and install the 32-bit edition of CSEs from and the 64-bit edition from
Requirements for XMLLite
Note that XMLLite is not needed if:
■ Your clients run Windows Server 2008 or Windows Vista.
■ Your Windows XP and Windows Server 2003 clients run Internet Explorer 7 and/or the latest service packs.
For clients that run Windows Server 2003 and Windows XP operating system versions that support the CSEs, the following list indicates the requirements and where to obtain XMLLite from the Download Center:
■ Windows XP SP3  XMLLite is already included and does not need to be installed.
■ Windows XP SP2  Unless Internet Explorer 7 is installed (in which case XMLLite is included), you must download and install XMLLite from
■ Windows Server 2003 SP2  XMLLite is already included and does not need to be installed.
■ Windows Server 2003 SP1  Unless Internet Explorer 7 is installed (in which case XMLLite is included), you must download and install XMLLite from
Summary
Best practices for using Group Policy to manage Windows 7 computers include the following:
■ Install RSAT on your Windows 7 administrative workstations so you can use them to manage Group Policy.
■ After you edit GPOs using the GPMC included in Windows Server 2008 R2 or the GPMC included with RSAT for Windows 7, do not use earlier versions of either the GPMC or the Group Policy Management Editor to edit those GPOs any further.
■ Create a central store on domain controllers running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 and copy the ADMX files from your computers running Windows 7 to this store.