Windows® Group Policy Resource Kit: Windows Server® 2008 and Windows Vista®
Read it now on the O’Reilly learning platform with a 10-day free trial.
O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
Book description
Get the in-depth information you need to use Group Policy to administer Windows Server 2008 and Windows Vista—direct from a leading Group Policy MVP and the Microsoft Group Policy team. With Group Policy and Active Directory directory service, administrators can take advantage of policy-based management to streamline the administration of users and computers throughout the enterprise—from servers running Windows Server 2008, Windows Server 2003 or Windows 2000 Server, to workstations running Windows Vista, Windows XP Professional, or Windows 2000 Professional. This essential resource provides in-depth technical information and expert insights for simplifying and automating administrative tasks, including policy enforcement, system updates, and software installations, as well as how to centralize the management of network resources. The CD provides essential utilities, job aids, and more. It’s everything you need to help increase your efficiency while bolstering user productivity, security services, and system reliability.
For customers who purchase an ebook version of this title, instructions for downloading the CD files can be found in the ebook.
Show and hide more
Table of contents Product information
Table of contents
- Dedication
- Acknowledgments
- List of Reviewers from the Group Policy Team
- Overview of the Book
- Part I: Introducing Group Policy
- Part II: Group Policy Structure
- Part III: Administering Group Policy
- Part IV: Implementing Security
- Part V: Using Registry-Based Policy Settings
- Part VI: Group Policy Settings
- Part VII: Advanced Topics
- Part VIII: Appendices
- Reader Aids
- Sidebars
- Command-Line Examples
- Elevation Tools
- Management scripts
- eBook
- Chapter-Related Materials
- 1. Why Group Policy?
- The Past, Present, and Future of Group Policy
- Group Policy’s Past
- Group Policy’s Present
- Group Policy Requires Active Directory
- Group Policy Includes Security Settings
- Group Policy Includes Software Distribution
- Group Policy Helps Eliminate Tattooing
- Group Policy Can Modify System Settings
- Group Policy Is Extensible
- Group Policy Is Dynamic
- Much, Much More
- Troubleshooting Tools
- Enterprise Administration
- Disaster Recovery
- Reporting
- Instant Configuration
- Is the Future Already Here?
- More Efficient Management
- More Powerful Management
- Reliability
- Extensibility
- Security
- Diversity
- Consistency
- Stability
- Group Policy Negatives
- Limited Troubleshooting Tools
- Limited Testing Environment and Tools
- Limited Inter-Domain and Inter-Forest Support
- Remember When
- New and Now
- New Group Policy Features in Windows Vista
- Multiple Local GPOs
- Local Computer Policy Object
- Administrators and Non-Administrators Local GPOs
- User-Specific Local GPO
- Precedence and Application
- Filters
- Starter GPOs
- Commenting
- Group Policy Preferences
- Advanced Group Policy Management (GPOVault)
- Group Policy Defined
- Structural Overview of a GPO
- Computer Configuration
- User Configuration
- Local Policy Object
- Administrators and Non-Administrators Local GPOs
- User-Specific Local GPOs
- Precedence
- Default Domain Policy
- Account Policies in the Default Domain Policy
- Other Policy Settings in the Default Domain Policy
- Privileges for Creating New GPOs
- Creating GPOs Correctly
- 4. Architecture of Group Policy
- Group Policy Dependencies
- Active Directory and Group Policy
- Domain Name System
- Replication
- DFS
- Using the PDC Emulator
- Selecting the Domain Controller for GPO Editing
- Group Policy Template
- Group Policy Container
- Group Policy Template and SYSVOL Replication
- Active Directory Replication
- Scope of Management
- Group Policy Processing
- GPO Precedence for GPOs Linked to Different Nodes
- GPO Precedence for GPOs Linked to the Same Node
- Background GPO Policy Processing
- Foreground Group Policy Processing
- Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
- Computer Configuration\Policies\Administrative Templates\Windows Components
- Computer Configuration\Policies\Administrative Templates\System
- User Configuration\Policies\Administrative Templates\Windows Components
- User Configuration\Policies\Administrative Templates\System
- GPO Version Numbers on the Client
- GPO Version Numbers on the Domain Controller
- Block Policy Inheritance
- Enforce
- Security Filtering
- WMI Filters
- Group Policy Preferences
- 6. Using the GPMC
- Getting Around in the GPMC
- Launching the GPMC from Windows Server 2008
- Launching the GPMC from Windows Vista
- Domain Views in the GPMC
- Forest Views in the GPMC
- Site Views in the GPMC
- GPMC Management Limitations
- Selecting Domain Controllers for Administration of GPOs
- Creating GPOs
- Linking GPOs
- Managing GPO Configurations
- Enabling and Disabling GPOs
- Renaming GPOs
- Enabling and Disabling a GPO Link
- Backing Up GPOs
- Restoring GPOs
- Restoring an Existing GPO
- Restoring a Deleted GPO
- Viewing the GPO Settings of a Backed-Up GPO
- Creating Starter GPOs
- Editing Starter GPOs
- Backing Up Starter GPOs
- Working with Starter GPO Cabinet Files
- Working with GPOs
- Searching GPOs
- Filtering Administrative Templates in the GPME
- Filter Options
- Filter Option Operators
- Results Pane for Group Policy Results
- Summary
- Settings
- Policy Events
- Advanced View
- Rerun Query
- Save Report
- Results Pane for Group Policy Modeling
- Summary
- Settings
- Query
- Advanced View
- Rerun Query
- Create New Query From This One
- Save Report
- Starter GPO Comments
- Production GPO Comments
- Comments for Administrative Template Settings
- Reasons for Migrating GPOs
- Requirements for Migrating GPOs Between Domains
- Settings in a GPO That Require Translation
- Migrating GPOs Across Domains
- Migrating a GPO Using Copy and Paste
- Migrating a GPO Using Backup and Import
- GPMC Scripts
- Backing Up and Restoring GPOs
- BackupGPO.wsf
- Syntax
- Example & Output
- Syntax
- Example & Output
- Syntax
- Example & Output
- Syntax
- Example & Output
- Syntax
- Example #1 & Output
- Example #2 & Output
- CopyGPO.wsf
- Syntax
- Example
- Syntax
- Example
- Syntax
- Example
- CreateGPO.wsf
- Syntax
- Example & Output
- Syntax
- Example & Output
- Syntax
- Example & Output
- Syntax
- Example & Output
- DeleteGPO.wsf
- Syntax
- Example & Output
- DumpGPOInfo.wsf
- Syntax
- Example & Output
- Syntax
- Example & Output
- Syntax
- Example & Output
- Syntax
- Example & Output
- Syntax
- Example & Output
- Example #2 & Output
- Syntax
- Example & Output
- FindDisabledGPOs.wsf
- Syntax
- Example & Output
- Syntax
- Example & Output
- Syntax
- Example & Output
- Syntax
- Example & Output
- Syntax
- Example & Output
- Syntax
- Example
- Syntax
- Syntax
- Example & Output
- GrantPermissionOnAllGPOs.wsf
- Syntax
- Example & Output
- Syntax
- Example & Output
- Syntax
- Example & Output
- Syntax
- Example & Output
- Syntax
- Example #1 & Output
- Example #2 & Output
- 9. Security Delegation for Administration of GPOs
- Default Security Environment
- Default Security of the GPMC
- Default Security of AGPM
- Creating GPOs
- Linking GPOs
- Managing GPOs
- Editing GPOs
- Modeling GPOs
- RSoP of GPOs
- Full Control
- Editing
- Approving
- Reviewing
- Creating GPOs
- Creating GPOs without AGPM
- Creating GPOs with AGPM
- Segregation of Group Policy Creation from Other Duties without AGPM
- Editing GPOs without AGPM
- Editing GPOs with AGPM
- Testing GPOs without AGPM with a Production Organizational Unit
- Testing GPOs without AGPM with a Test Domain
- Testing GPOs with AGPM with a Production Organizational Unit
- 10. ADM Templates, ADMX Files, and the ADMX Central Store
- Administrative (.adm) Templates
- Default .adm Templates
- Working with .adm Templates
- Default Installed .adm Templates
- Importing .adm Templates
- Adding .adm Templates
- Removing .adm Templates
- Managing .adm Templates
- Controlling Updated Versions of .adm Templates
- Turn Off Automatic Updates Of ADM Files
- Always Use Local ADM Files For Group Policy Editor
- Scenario 1: Administration of GPO with Windows Vista
- Scenario 2: Administration of GPO with a Windows Server 2008 Domain Controller
- Scenario 3: Administration of GPO from a Windows XP Workstation
- File Syntax Conversion for .adm Template to ADMX Files
- ADMX Migrator
- Creating the Central Store
- Copying ADMX and ADML Files to the Central Store
- Creating Custom .adm Templates
- A Simple .adm Template
- Structure of an .adm Template
- #if version
- Syntax for Updating the Registry
- CLASS
- KEYNAME
- VALUENAME
- VALUEOFF/VALUEON
- STRINGS
- CATEGORY
- POLICY
- PART
- CHECKBOX
- CLIENTTEXT
- COMBOBOX
- DROPDOWNLIST
- EDITTEXT
- LISTBOX
- NUMERIC
- TEXT
- Comments
- REQUIRED
- MAXLEN
- EXPLAIN
- SUPPORTED
- ADMX Schema
- ADMX File Structure
- ADML File Structure
- Core ADMX File Concepts
- Referencing the Windows Base ADMX File
- Referencing Category Elements from the Windows Base ADMX File
- Referencing Category Elements from the Windows Base ADMX File
- 12. Group Policy Preferences
- Benefits of Group Policy Preferences
- User-Friendly Interface
- Thousands More Settings
- Practical and Valuable Settings
- Reduced Desktop Images
- Reduced Need for Log-on Scripts
- Working with Any Organizational Unit Design
- Managing Group Policy Preferences Using the GPME
- Windows Server 2008
- Windows Vista
- Windows Server 2008
- Windows Vista, Windows Server 2003 SP1, and Windows XP SP2
- Group Policy Preferences: Windows Settings
- Applications
- Drive Maps
- Environment
- Files
- Folders
- Ini Files
- Network Shares
- Registry
- Shortcuts
- Data Sources
- Devices
- Folder Options
- Internet Settings
- Local Users and Groups
- Network Options
- Power Options
- Printers
- Regional Options
- Scheduled Tasks
- Services
- Start Menu
- Action Modes
- Common Tab
- Item-Level Targeting
- Item-Level Targeting Items
- Battery Present
- Computer Name
- CPU Speed
- Date Match
- Dial-Up Connection
- Disk Space
- Domain
- Environment Variable
- File Match
- IP Address Range
- Language
- LDAP Query
- MAC Address Range
- MSI Query
- Operating System
- Organizational Unit
- PCMCIA Present
- Portable Computer
- Processing Mode
- RAM
- Registry Match
- Security Group
- Site
- Terminal Session
- Time Range
- User
- WMI Query
- Desktop vs. Laptop
- Computer Performance
- Operating System Targeting
- Drive Mapping Security
- Overall GPO Structure
- Policies
- Software Settings
- Windows Settings
- Remote Installation Services (User Configuration Only)
- Scripts
- Security Settings
- Account Policies (Computer Configuration Only)
- Local Policies (Computer Configuration Only)
- Restricted Groups (Computer Configuration Only)
- System Services (Computer Configuration Only)
- Registry (Computer Configuration Only)
- File System (Computer Configuration Only)
- Wired Network (IEEE 802.3) Policies (Computer Configuration Only)
- Windows Firewall with Advanced Security (Computer Configuration Only)
- Wireless Network (IEEE 802.11) Policies (Computer Configuration Only)
- Public Key Policies
- Software Restriction Policies
- Network Access Protection (Computer Configuration Only)
- IP Security Policies on Active Directory (Computer Configuration Only)
- Folder Redirection (User Configuration Only)
- Policy-Based QoS
- Internet Explorer Maintenance (User Configuration Only)
- Terminal Services
- User Account Control
- Log-on Scripts
- Servers
- Hardware Components
- Network Security
- 14. Advanced Group Policy Management
- Architecture of AGPM
- Operating System Support
- GPMC Requirements
- Server Installation
- Client Installation
- When the Changes Were Made
- Who Made the Changes
- What Changes Were Made
- E-Mail Configuration
- Pending Tab
- Creating GPOs
- Creating a GPO (with Create Permissions)
- Creating a GPO (without Create Permissions)
- Withdrawing a GPO That Is Pending Creation
- Approving or Rejecting a Pending GPO
- Deploying a GPO That Was Created Offline (with Deploy Permissions)
- Deploying a GPO That Was Created Offline (without Deploy Permissions)
- Deploying a GPO from the Archive (with Deploy Permissions)
- Deploying a GPO from the Archive (without Deploy Permissions)
- Settings Reports
- Difference Reports
- Difference Report between Two Versions of the Same GPO
- Difference Report between Two GPOs
- Difference Report between a GPO and an AGPM Template
- Group Policy Troubleshooting Essentials
- Common Problems with GPOs
- DNS-Related Problems
- Asynchronous Group Policy Processing
- Group Policy Operational Log
- Event Viewer Troubleshooting Procedure
- Evaluate the System Event Log
- Evaluate the Group Policy Operational Log: Determine the ActivityID of Group Policy Processing
- Evaluate the Group Policy Operational Log: Create a Custom View of a Group Policy Instance
- Divide the Custom View of the Log into Three Phases: Preprocessing
- Start Policy Processing
- Retrieve Account Information
- Domain Controller Discovery
- Computer Role Discovery
- Security Principal Discovery
- Loopback Processing Mode Discovery
- GPO Discovery
- Slow Link Detection
- Nonsystem GP Extension Discovery
- GPLogView
- Export All Group Policy Events
- Export Group Policy Events with a Specific ActivityID
- Run in Monitor Mode
- Use an External Event Log for Input
- A. Third-Party Group Policy Tools
- BeyondTrust: Privilege Manager
- FullArmor: Workflow Studio
- Moskowitz, Inc.
- PolicyPak for Applications
- PolicyPak Group Policy Design Studio
- Group Policy Administrator
- Change Guardian
- GPExpert Troubleshooting Pak
- GPExpert™ Scripting Toolkit for PowerShell
- GPExpert™ Backup Manager for Group Policy
- GPMC PowerShell Cmdlets
- Specops Deploy
- Specops Inventory
- Specops Command
- Specops Password Policy
- Specops Gpupdate
- PolMan
- ADM Template Editor
- Policy Reporter
- Group Policy Wiki
- Microsoft Group Policy Web Site
- Windows Server 2003 Web Site
- Microsoft Group Policy Team Blog
- Group Policy Webcast Web Site
- Group Policy Script Repository
- Microsoft TechNet
- TeamGPExpert.com
- BrainCore.net
- GPOGuy.com
- GPAnswers.com
- Summary
- Additional Resources for IT Professionals
- Also available as single volumes
Show and hide more
Product information
- Title: Windows® Group Policy Resource Kit: Windows Server® 2008 and Windows Vista®
- Author(s): Derek Melber
- Release date: March 2008
- Publisher(s): Microsoft Press
- ISBN: 9780735625143
