70-411 Configure and Manage Group Policy

Configuring Power Options

A typical Control Panel setting uses the Power Options preference extension. Using this extension, you can create a new domain power plan and deploy it to selected users and computers by using Group Policy Preferences. The four actions for the preference extension are:
■■ Create: Creates a new power plan configuration. If an existing power plan has the same name, the plan isn't changed.
■■ Delete: Removes a power plan of the same name; it does not remove built-in power plans.
■■ Replace: Deletes and then re-creates a power plan. If the named power plan exists, it overwrites all existing settings for the plan. If the plan doesn't exist, it creates it.
■■ Update: Updates an existing plan without removing settings that aren't part of the defined preference item. If the plan doesn't exist, it creates it.
You can create a power plan preference in either the Computer Configuration container or the User Configuration container. User power plans process after computer power plans, and users who are local administrators or Power Users can change their power settings in Control Panel. Power plan preferences are subject to item-level targeting.

Manage Group Policy Objects

Because Group Policy is critical to the way computers and users can do their work in your enterprise, you need to be able to back up and restore GPOs to known good states. And when things go really wrong, you can reset the default GPOs to their shipping state. When you want to copy GPOs to a new domain environment, use a Migration Table to manage the changes. Finally, you can delegate management of portions of Group Policy to users who are not full domain administrators.

Configuring Item-Level Targeting

Before you go any further to cover other preference items, let's cover item-level targeting, introduced in Windows Server 2012 and Windows 8. You can use item-level targeting to narrow the scope of preference items to only certain computers or users within the overall scope of the GPO. The targeting items that you can configure and use are these:
■■ Battery Present
■■ Computer Name
■■ CPU Speed
■■ Date Match
■■ Disk Space
■■ Domain
■■ Environment Variable
■■ File Match
■■ IP Address Range
■■ Language
■■ LDAP Query
■■ MAC Address Range
■■ MSI Query
■■ Network Connection
■■ Operating System
■■ Organizational Unit
■■ PCMCIA Present
■■ Portable Computer
■■ Processing Mode
■■ RAM
■■ Registry Match
■■ Security Group
■■ Site
■■ Terminal Session
■■ Time Range
■■ User
■■ WMI Query
To use item-level targeting, select the Item-Level Targeting check box on the Common tab of the preference setting, as shown in Figure 6-22.

Configuring Client-Side Extension (CSE) Behavior

CSEs run on the Windows computer to interpret some of the Group Policy Preferences. CSEs (typically .dll files) do the actual processing and applying of preferences at the destination computer. You can configure the processing of CSEs by configuring the applicable policies in Computer Configuration/Policies/Administrative Templates/System/Group Policy. The policies that control CSEs are shown in Table 6-1.

Configuring Custom Registry Settings

The Group Policy Registry preference extension enables you to manipulate registry settings for computers (HKLM) or users (HKCU). With this extension, you can do the following:
■■ Copy registry settings from a source computer and apply them to target computers
■■ Create, replace, or delete an individual registry value
■■ Create an empty key, delete a key, or delete all values and subkeys in a key
■■ Create collections of Registry preference items in the GPMC and apply the collections to multiple registry items
■■ Create collections in the GPMC based on the registry of a source computer
You can use the Registry Wizard to create multiple registry items by following these steps:
1. Open the GPMC and right-click the GPO you want to add Registry preference items to.
2. Select Edit to open the Group Policy Management Editor. Expand the Computer Configuration or User Configuration container and select Registry from the Preferences/Windows Settings container.
3. Right-click Registry and select New and then Registry Wizard to open the Registry Browser. If the settings you want to copy are on the local computer, click Next. If they're on a different computer, enter the computer name in the Another Computer box (or use the Browse button to locate it) and then click Next.
4. On the Select Any Registry Item By Checking Its Check Box To The Left page of the Registry Browser (see Figure 6-29), expand the registry hive where the settings you want to copy are located and select the check box for the folder that contains the settings.
5. After you select the registry entries you want to make part of this preference, click Finish. The values are added to the Registry Wizard Values folder, as shown in Figure 6-30.
6. Add any additional items you want and then close the Group Policy Management Editor to return to the GPMC.
You can also create collections of registry settings by selecting New and then Collection Item in the Group Policy Management Editor. Collections can contain other collections, or items added individually or by using the Registry Wizard.

Configuring File Deployment

The Group Policy File preference extension enables you to use Group Policy to do the following:
■■ Copy a file or files in one folder to another while configuring the attributes of those files
■■ Delete a file or files in one folder, replacing them with copies from a source folder
■■ Modify the attributes of one or more files in a folder
■■ Modify the attributes of, replace, or delete all the files in a folder that have a specified extension
■■ Modify the attributes of, replace, or delete all the files in a folder
The actions available with the File preference extension are these:
■■ Create: Copies a file or files from a source location to a target location if the file or files don't already exist and configures the attributes of the target files.
■■ Delete: Removes a file or files from a single folder.
■■ Replace: Combines the actions of Delete and Create. It overwrites any files that already exist at the target location or copies ones that don't exist. Sets the attributes of the files at the target location.
■■ Update: Modifies attributes of an existing file or files, changing only those attributes specified in the Group Policy Preference. If a file doesn't exist at the target location, the file is copied from the source location.
The settings that can be configured for files include these:
■■ Source file(s): The source location, which can be a UNC path, or a local or mapped drive path from the perspective of the client. Variables and wildcards are accepted.
■■ Destination file: The target location for the file if creating, replacing, or updating a single file. It can be a UNC path, or a local or mapped drive path from the perspective of the client. It can have the same file name as the source file, or can change the name of the target file.
■■ Destination folder: The target location for the file or files. This can be a UNC path, or a local or mapped drive path from the perspective of the client. This option is available only if the Source File(s) option includes wildcards.
■■ Delete file(s): The target file path from the perspective of the client. Wildcards are accepted.
■■ Suppress errors on individual file actions: If selected, individual errors are ignored, and the rest of the actions continue.
■■ Attributes: Configures the file system attributes for target files. By default, the Archive attribute is selected.

Configuring Loopback Processing

Normal GPO processing follows the LSDOU rule—Local, Site, Domain, OU. Loopback processing allows different GPO user settings to apply based on which computer the user logs on to. You can enable loopback processing of user mode settings by setting the Computer Configuration/Policies/Administrative Templates/System/Group Policy/Configure User Group Policy Loopback Processing Mode policy. When set to Enabled, you can choose one of two modes:
■■ Merge mode: When set, user settings in the Computer Configuration section of the GPO are combined with settings in the User Configuration section of the GPO. When there is a conflict, the Computer Configuration setting takes precedence.
■■ Replace mode: When set, user settings in the Computer Configuration section of the GPO replace any user settings normally applied to the user in the User Configuration section.

Configuring Network Drive Mappings

Preference settings for network drive mappings enable you to set standard drive maps for groups of users or computers. When combined with item-level targeting, you can also ensure that the maps aren't enabled when a covered laptop or mobile device is off the domain network. To create or replace a drive map that maps the S drive to the Software share on server trey-dc-02 when a computer is on the 192.168.10/24 domain network, follow these steps:
1. Open the GPMC and navigate to the Group Policy Objects container for the TreyResearch.net domain.
2. Right-click the Group Policy Objects container and select New. In the Name box, enter Drive Preference and click OK.
3. Right-click the TreyResearch.net domain in the console tree and select Link An Existing GPO. Select Drive Preference from the list of Group Policy Objects and click OK.
4. Right-click Drive Preference and select Edit to open the Group Policy Management Editor.
5. Expand the User Configuration container and select Drive Maps from the Preferences/Windows Settings container.
6. Right-click and select New and then Mapped Drive to open the New Drive Properties dialog box.
7. Select Create from the Action drop-down list, and enter \\trey-dc-02\software in the Location box.
8. Select Reconnect and enter Software Distribution Point in the Label As box.
9. Select S from the Use drop-down list in the Drive Letter section, as shown in Figure 6-27.
FIGURE 6-27 The New Drive Properties dialog box
10. Click the Common tab and select Item-Level Targeting.
11. Click Targeting to open the Targeting Editor.
12. Click New Item and select IP Address Range from the drop-down list.
13. Enter 192.168.10.1 in the Between box and 192.168.10.254 in the And box, as shown in Figure 6-28.
FIGURE 6-28 The Targeting Editor with an IP Address range target
14. Click OK to close the Targeting Editor and OK again to close the New Drive Properties dialog box.

Configuring Printers

The Group Policy Printers extension is used to configure local, shared, and TCP/IP printers without having to create and maintain logon scripts. You can create, replace, update, and delete printers. Printers can be set in either the Computer mode or the User mode of Group Policy. To create a Printer preference for users in the Canada OU, create a Preferences GPO, link it to the Canada OU, and then set the preferences in that GPO. Follow these steps:
1. Open the GPMC and locate the Canada OU in the console tree.
2. Right-click the Canada OU and select Create A GPO In This Domain, And Link It Here.
3. In the New GPO dialog box, enter Canada Preferences in the Name box and click OK.
4. Right-click the Canada Preferences GPO link and select Edit from the menu.
5. Expand the User Configuration node and click Printers in the Preferences/Control Panel Settings container, as shown in Figure 6-20.
FIGURE 6-20 The Printer Preferences container of User Configuration
6. Right-click Printers, select New, and then select Shared Printer. The New Shared Printer Properties dialog box displays (see Figure 6-21).
7. Select Replace as the Action and enter the path to the shared printer in the Share Path box.
8. Specify whether this printer is to be the default and whether that default setting should apply only if there isn't a local printer present.
9. Click OK; the new preference settings will be propagated to the linked OU.
When you use preferences to map a printer, you have four choices for an action, as follows:
■■ Create: Creates a new local printer. If a local printer with the same name already exists, it makes no changes.
■■ Delete: Removes a local printer of the same name if it exists without removing the printer driver. No action is taken if the printer doesn't exist.
■■ Replace: Combines the actions of Delete and Create.
■■ Update: Similar to Replace, but also updates the settings defined for the printer.

Configuring Property Filters for Administrative Templates

You can filter which administrative templates are visible in the Group Policy Management Editor by using filters on the administrative templates. These filters affect only Administrative templates. There are three basic property filters:
■■ Managed: Managed settings are those that the Group Policy Client service governs, and the settings are removed when they fall out of scope for a computer or user.
■■ Configured: There are three states for administrative template settings: Not Configured, Enabled, or Disabled. When you filter by Configured, only those changed from Not Configured are shown.
■■ Commented: When set to Yes, only those settings that have comments are shown. When set to No, only those settings without comments are shown. The default is Any, which doesn't filter on comments.
You can also filter by keyword, as shown in Figure 6-12. For example, you could search on the keyword "Password" and see only policies that relate to password policies. Finally, you can filter by specific product by selecting the Enable Requirements Filters check box and then selecting the product and versions you want to filter on. You can combine any of these filters to get a view of the administrative templates that makes it easy to isolate what you're looking for.

Configuring Enforced Policies

Configuring security filtering and Windows Management Instrumentation filtering
A GPO usually applies to all members of the object it is linked to, but you can filter which objects are affected by the GPO by using a security filter or by using a WMI filter. The filter is applied to the GPO, not to the link. To apply a security filter to a GPO, follow these steps:
1. Open the GPMC and expand the console tree to display the domain for which you want to set a security filter on a GPO.
2. Select the GPO to which you want to apply the filter.
3. In the details pane, select the Scope tab.
4. Click Add in the Security Filtering section to open the Select User, Computer, Or Group dialog box.
5. Enter the object names to select or click Advanced to search for them, as shown in Figure 6-5.
FIGURE 6-5 The Select User, Computer, Or Group dialog box
6. Click OK after you enter the security group, user, or computer to apply the filter to.
7. Select Authenticated Users and click Remove.
To link a WMI filter to a GPO, follow these steps:
1. Open the GPMC and expand the console tree to display the domain for which you want to link a WMI filter to a GPO.
2. Select the GPO you want to filter.
3. Select the WMI filter from the This GPO Is Linked To The Following WMI Filter drop-down list.
Before you can use a WMI filter, you need to create it. You can do the following:
■■ Create a new filter: You can create a new filter by following these steps:
   1. In the GPMC, expand the console tree for the domain and forest in which you want to create the filter.
   2. Right-click the WMI Filters container and select New from the menu.
   3. Type a name and description for the new WMI filter and then click Add.
   4. Enter the Namespace to use or Browse to select one.
   5. Type the query you want to use, as shown in Figure 6-6. Click OK and then click Save to save the WMI filter.
■■ Export a filter: You can export a WMI filter by right-clicking the filter and selecting Export from the menu. Filters are saved as .mof files.
■■ Import a filter: You can import a previously saved filter by right-clicking the WMI Filters container of the domain where it resides in the console tree of the GPMC and selecting Import from the menu.
■■ Copy a filter: You can use Copy and Paste with WMI filters by selecting the filter, right-clicking, and selecting Copy. Then right-click the WMI Filters container for the domain you want to copy the filter to and select Paste from the menu.

Configuring Shortcut Deployment

The Shortcut preference extension enables you to deploy standard shortcuts to users and computers. Shortcuts can be deployed in either the Computer mode or the User mode of Group Policy. The Shortcut preference GPO extension allows you to create, modify, or remove a shortcut on a client computer. Shortcuts that include drive mappings can only be made in the User mode of Group Policy. Shortcuts can point to:
■■ URL: A webpage, website or other location that can be addressed with a URL, such as an FTP site.
■■ File system object: A Windows path, including a file, folder, share or computer. If the path includes a mapped drive, it is only available in User mode.
■■ Shell object: An object within the Windows shell, such as a printer, desktop or Control Panel item. Can also be any file system object.
The actions available with the Shortcut preference extension are these:
■■ Create: Creates a shortcut if the shortcut doesn't already exist.
■■ Delete: Removes a shortcut if it exists.
■■ Replace: Combines the actions of Delete and Create, replacing an existing shortcut with a new one, or creating a new one if it doesn't exist.
■■ Update: Modifies an existing shortcut without deleting it and re-creating it. It does not overwrite existing settings except those explicitly set in the preference, but creates a new shortcut if the shortcut doesn't exist.
EXAM TIP: By default, variables in the target path of a shortcut preference are resolved by Group Policy before it is created, replaced or updated. This is usually not what was intended and can lead to a compelling, but incorrect, answer. You need to use unresolved variable syntax for variables to allow them to be resolved in the environment of the user or computer. So, for example, %USERNAME% will resolve to the user creating the preference. This likely was not what was intended. Instead, use %<USERNAME>% to cause the username of the logged on user to be used.

Delegating Group Policy Management

By default, members of the Domain Admins and Enterprise Admins groups have full permissions to manage Group Policy. However, you can delegate permissions on specific GPOs or OUs to non-administrators to manage. The permissions you can delegate are these:
■■ Permissions on a GPO
■■ Permissions to link a GPO
■■ Permissions to generate Group Policy modeling data
■■ Permissions to generate Group Policy results
■■ Permissions on a WMI filter
All these permissions are delegated in the GPMC. The steps are similar for each set of permissions, so start with granting delegated permissions on a GPO:
1. Expand the console tree of the GPMC and navigate to the Group Policy Objects container of the domain for which you want to delegate permissions.
2. Select the GPO you want to delegate and click the Delegation tab in the details pane (see Figure 6-18).
FIGURE 6-18 The Delegation tab of the GPMC
3. Click Add to open the Select User, Computer Or Group dialog box; enter the user or group to whom you want to delegate permissions.
4. Click OK and then select the Permissions from the drop-down list in the Add Group Or User dialog box (see Figure 6-19).
FIGURE 6-19 The Add Group Or User dialog box
5. Click OK; the user is added to the Delegation list.
You can delegate permissions to create GPOs in the domain by either adding the users to the Group Policy Creator Owners security group, or adding the user or group to the Delegation tab as described previously for individual GPOs. You can delegate permissions to Link GPOs, to Perform Group Policy Modeling Analyses, or to Read Group Policy Results Data to a site, domain, or OU by selecting the site, domain, or OU in the console tree and then clicking the Delegation tab in the details pane. Select the permission you want to delegate and then click Add to add the user or group. You can restrict the delegation to the specific container or include child containers.

Configuring Group Policy Preferences

Group Policy Preferences (GPPs) is a set of CSEs to Group Policy that enable preference settings on domain-joined computers. Unlike policy settings, preference settings can be altered by the user, but provide a starting point for configuration. You use the GPMC to set preference items and you can do specific targeting to configure settings appropriate to the user or group. There are both Computer Configuration and User Configuration preference settings.

Group Policy

Group Policy is at the core of computer and user management in the Active Directory domain environment. With each release of Windows Server, the options and flexibility of Group Policy have improved. This chapter covers the configuration and management of Group Policy and how to ensure that it does what you want it to.

Configuring Processing Order and Precedence

Multiple Group Policy Objects (GPOs) can be linked to the same site, domain, or organizational unit (OU), and OUs inherit GPOs from higher-level containers. GPOs are processed serially, with local computer Group Policy processed first. Inherited GPOs are then processed, unless they are blocked or enforced (see the sections entitled "Configuring blocking of inheritance" and "Configuring enforcement of inheritance" later in this chapter). The GPOs linked directly to the domain or OU are processed in the order they are linked; then enforced GPOs are processed. Where multiple GPOs are configuring the same Group Policy setting, the last one processed controls the setting. You can control the order of linking for an OU or domain, as well as controlling inheritance to some extent. You can block inheritance at the domain or OU level, but where the higher-level link to the GPO is set to Enforced, the inheritance can't be blocked and enforced links are the last processed—again, in the reverse link order.
To see the order of linked GPOs, use the Group Policy Management Console (GPMC). Select the domain or OU for which you want to see the link order in the console tree, and then select the Linked Group Policy Objects tab in the details pane, as shown in Figure 6-1. To change the link order, select a link in the Linked Group Policy Objects pane and then use the arrow buttons on the left to move the order up or down, as desired. Move a linked GPO to a lower Link Order number to have it processed later. Thus a GPO with a Link Order of 1 will be processed after a GPO with a Link Order of 2; and if both GPOs have a policy configuration for the same setting, the GPO with a Link Order of 1 will be the controlling GPO.
Remember that policy settings can also be inherited. To see all the GPOs that affect a given OU or domain, use the GPMC and follow these steps:
1. Expand the console tree of the GPMC and select the OU or domain for which you want to see the GPOs.
2. In the details pane, select the Group Policy Inheritance tab, as shown in Figure 6-2.

Software Installation

You can use Group Policy to deploy software to groups of users based on their needs and roles, or to deploy software to specific computers. The steps for deploying software are these:
■■ Create a shared folder: A shared folder accessible by all users or computers you want to distribute the software to.
■■ Create a GPO: Using the GPMC, create a GPO for the software distribution.
■■ Assign the software package: Edit the GPO to assign the software package to the computers or users covered by the GPO. This process causes the software to be automatically installed.
■■ Publish the software package: Edit the GPO to publish the software package to the computers or users covered by the GPO. This process causes the software to be listed as available to be installed from the network.
Using Group Policy to deploy software has some limitations. The most basic limitation is that you can deploy only software that uses Microsoft Installer (.msi) or Zero Administration for Windows Downlevel Application Package (.zap) files. Software that uses an executable file (.exe) can't be installed directly from Group Policy, although you can use startup scripts to install the software or use third-party products to package .exe installations as .msi installations. You can edit the GPO that installs the software to specify whether it is assigned or published to computers or users. If you want the software to be assigned to computers, edit the Computer Configuration/Policies/Software Settings policy. To assign or publish the software to users, edit the User Configuration/Policies/Software Settings policy. When you add software to the user or computer configuration, you need to specify the location from which the software is being installed. Always use a Universal Naming Convention (UNC) path, not a drive letter path. For example, to add the MyApp application as a published application for users in the HR security group, follow these steps:

Object Summary

■■ Use Group Policy Preferences to configure Windows Settings and Control Panel settings.
■■ Use item-level targeting to provide fine-grained control of which users or computers the preference targets.
■■ Group Policy Preferences have four actions: Create, Delete, Replace and Update.
■■ The Replace action is a combination of Delete and Create; it removes any existing settings.
■■ The Update action leaves the existing Windows or Control Panel settings in place and changes only the specific settings in the preference item.
■■ Some preferences, such as Drive Mappings, are applied only during a Synchronous Group Policy update. Over slow links, they typically are not processed.
■■ Use Group Policy Preferences to deploy standardized template files to all computers covered by the GPO.

Configuring and Managing Slow-Link Processing and Group Policy Caching

When you log on to a domain-joined computer and a network is present, the computer contacts a domain controller to get the latest GPOs. If the computer is connected by a typical fast network connection, all the GPO settings are processed by the client. However, if the client detects that the link to the domain controller is a slow link, only the most important GPO settings are processed. By default, a slow link is defined as a connection speed of 500 Kbps or less. You can configure this threshold by setting the Computer Configuration/Policies/Administrative Templates/System/Group Policy/Configure Group Policy Slow Link Detection setting. The settings that are not downloaded when a slow link is detected are these:
■■ Disk quotas
■■ Scripts
■■ Folder redirection
■■ Software installation
■■ Network policies for wired and wireless networks
■■ Internet Explorer maintenance extension
Not included in this list in Windows 8.1 and Windows Server 2012 R2 are drive mappings. They used to be processed as foreground client-side extensions (CSEs), but are now processed in the background, allowing logon to occur without all the Group Policy drive mapping preferences being completed before the logon is allowed to complete.
Group Policy caching is new in Windows Server 2012 R2 and Windows 8.1, and is enabled by default. Group Policy caching stores a copy of policies on the local machine to speed up synchronous foreground processing of GPOs. Caching affects only Windows 8.1; it does not change processing in Windows Server 2012 R2. Windows Server always processes synchronously and never caches unless the Computer Configuration/Administrative Templates/System/Group Policy/Enable Group Policy Caching For Servers policy is enabled. Group Policy caching doesn't affect asynchronous or background processing.
You can disable Group Policy caching by setting the Computer Configuration/Policies/Administrative Templates/System/Group Policy/Configure Group Policy Caching policy to Disabled. If left Not Configured, caching is enabled. If set to Enabled, you can set the value to detect a slow link, and the timeout value before Group Policy will decide that you're not connected to the domain network.

Importing Custom Administrative Template Files

Windows includes a full set of administrative templates, and these templates are automatically available. However, you can install additional administrative templates for other versions of Windows, available from the Microsoft Download Center; for Microsoft Office, also available from the Microsoft Download Center; or for non-Microsoft Windows hardware and software, available from other vendors.

Backing Up, Importing, Copying, and Restoring GPOs

You can back up and restore GPOs as well as make copies of them. You can also import the settings from a backed-up GPO without changing the other settings of the GPO, and you can copy GPOs, either within a domain or across domain boundaries.

Importing GPO Settings

You can import the settings from a backed-up GPO into any other GPO. When you import the settings of a GPO, you import only the settings. The existing attributes of the target GPO, such as security filtering, delegation, links, and WMI filtering, are left untouched. To import GPO settings, follow these steps:
1. Open the GPMC and navigate to the Group Policy Objects container for the domain you want to import settings to.
2. Right-click the target GPO and select Import Settings.
3. Click Next on the Welcome page.
4. On the Backup GPO page, click Backup to make a backup of the current GPO before you make changes to it.
5. Enter the backup location if the correct one isn't already entered, click Back Up, and then click OK when the backup completes.
6. Click Next, enter the GPO Backup location if it isn't shown correctly, and click Next again.
7. Select the source GPO backup whose settings you want to import.
8. On the Scanning Backup page, read the Scan Results. You might have references that you need to address. If not, skip the next step.
9. On the Migrating References page, you can choose to copy the references or use a Migration Table. (See the section, "Creating and configuring a Migration Table" for details on how to make a Migration Table.)
10. Click Next and then Finish to import the settings.

Backing Up and Restoring GPO Part 3

You can manage your backed-up GPOs. Right-click the Group Policy Objects container in the GPMC and select Manage Backups from the menu to open the Manage Backups dialog box.

Scripts

You can run four types of scripts from Group Policy, triggered by the following:
■■ Computer startup
■■ Computer shutdown
■■ User logon
■■ User logoff
The scripts run by Group Policy can be Windows PowerShell or any other scripting language supported on the client computers. Any Windows Script Host (WSH) language is supported. You can set up the scripts on a domain controller and then copy them to the Netlogon shared folder on the domain controller. You can also specify the scripts in the Group Policy Management Editor. Logon and logoff scripts are located in User Configuration/Policies/Windows Settings/Scripts. Startup and shutdown scripts are located in Computer Configuration/Policies/Windows Settings/Scripts. You can have multiple scripts for each of the four scripts folders, both PowerShell and non-PowerShell scripts. You can specify the order in which the scripts run and you can specify that all PowerShell scripts run first or last.

Configuring Internet Explorer Settings

You can set Internet Explorer (IE) settings by using the Internet Settings Group Policy preference extension. To set preferences, follow these steps:
1. Open the GPMC and right-click the GPO for which you want to set IE preferences.
2. Select Edit from the menu to open the Group Policy Management Editor.
3. Expand the User Configuration container and select the Preferences/Control Panel Settings/Internet Settings node.
4. Right-click Internet Settings and select the version of IE for which you want to create settings. Select Internet Explorer 10 for both Internet Explorer 10 and Internet Explorer 11.
5. Use the New Internet Explorer 10 Properties dialog box to configure options for IE 10 and IE 11. For example, you can set a default home page and have IE always start on that home page (see Figure 6-31).
FIGURE 6-31 The New Internet Explorer 10 Properties dialog box
6. After you make all the settings changes, click OK to close the dialog box. Exit the Group Policy Management Editor to return to the GPMC.

Configuring Settings

You can use Group Policy to configure the settings for users and computers to provide a predictable experience for all users. The settings you can configure include these:
■■ Software installation
■■ Folder redirection
■■ Scripts
■■ Administrative template settings

Folder Redirection

You can use Group Policy to redirect the folders of user profiles. To modify the user profile folders, follow these steps:
1. In the GPMC, right-click the GPO in which you want to configure folder redirection. It can be an existing GPO linked to the site, domain, or OU containing the users you want to target; or it can be a new GPO you create for folder redirection.
2. Select Edit to open the Group Policy Management Editor.
3. Expand the User Configuration node and navigate to User Configuration/Policies/Windows Settings/Folder Redirection.
4. Right-click the folder you want to redirect and select Properties from the menu.
5. On the Target tab, choose Basic to redirect the folder of every user for whom the GPO applies in the same way. Select Advanced to create multiple redirection rules depending on security group membership. The choices for Target Folder Location are these:
   ■■ Create A Folder For Each User Under The Root Path: Each user's profile folder is in a user-specific path below a common root folder (for example, Documents would be \\server\root\%USERNAME%\Documents).
   ■■ Redirect Everyone's Folder To The Same Location: All the profile folders are located beneath the same root path.
   ■■ Redirect To The Local Userprofile Location: The profile folder is redirected back to the local location.
   ■■ Follow The Documents Folder: Applies only to Music, Pictures, and Videos. When this setting is specified, the relocation of these folders is beneath the Documents folder.
6. On the Settings tab, you can specify the following:
   ■■ Grant The User Exclusive Rights To <foldername>: Only the user has access to the redirected folder.
   ■■ Move The Contents Of <foldername> To The New Location: If selected, all the current contents are moved to the new location when implementing the policy.
   ■■ Also Apply Redirection Policy To Windows 2000, Windows 2000 Server, Windows XP, And Windows Server 2003 Operating Systems: When selected, the equivalent folders for the specified operating systems are redirected.
   ■■ Policy Removal: By default, folders are left in the redirected location when the policy is removed. You can specify that the folders revert to the local userprofile location when the policy is removed.
7. Click OK to close the Folder Properties dialog box.
8. Exit the Group Policy Management Editor.

Objective Summary

■■ Back up GPOs to provide an easy recovery scenario.
■■ Use Import Settings to copy the settings from a backed-up GPO to a new or existing GPO.
■■ Copy GPOs within the domain or across domain boundaries.
■■ Use Migration Tables to copy or import GPOs from another domain.
■■ Reset the Default Domain Policy or the Default Domain Controller Policy to return to an as-installed condition for these critical GPOs.
■■ Use the Delegation tab in GPMC to delegate authority to edit GPOs.

Objective Summary

■■ Use Group Policy settings to manage software installation and folder redirection.
■■ Control the four stages of startup and shutdown with Group Policy scripts: Startup, Logon, Logoff, and Shutdown.
■■ Use Administrative templates to control registry-based policies for users and computers.
■■ Use security templates to jump-start the configuration of various Administrative template settings and to ensure a consistent experience across multiple GPOs.
■■ Custom templates can aid in the management of third-party hardware and software, as well as other versions of Windows.
■■ Manage the view of Group Policy to show only those Administrative settings that you want to see, simplifying the management process by using property filters on Administrative templates.

Configuring Control Panel Settings

The Control Panel settings in Table 6-3 are available for both Computer Configuration preferences and User Configuration preferences.
TABLE 6-3 Control Panel settings
Extension: Action
■■ Data Sources extension: Creates, deletes, replaces, or updates Open Database Connectivity (ODBC) data source names
■■ Devices extension: Enables or disables hardware devices or classes of devices
■■ Folder Options extension: Configures folder options; creates, deletes, replaces, or updates Open With associations for file name extensions; creates, deletes, replaces, or updates file name extensions associated with a type of files
■■ Internet Settings extension: Modifies user-configurable Internet settings
■■ Local Users and Groups extension: Creates, deletes, replaces, or updates local users and groups

Configuring Folder Deployment

The Folder preference GPO extension allows you to create, modify, or remove a folder on a client computer. With this extension, you can do the following:
■■ Create or modify a folder and then configure its attributes
■■ Delete a folder and its contents, or delete it only if it is empty
■■ Delete all the files in a folder without deleting the folder
■■ Delete all the files in a folder without deleting subfolders
The actions available with the Folder preference extension are these:
■■ Create: Creates a new folder if the folder doesn't exist, setting the attributes of the folder.
■■ Delete: Removes a folder if it exists or the files within the folder.
■■ Replace: Combines the actions of Delete and Create, replacing any existing files or subfolders if they were included. It overwrites any existing folder and re-creates it with the specified attributes, or creates a new folder if it doesn't exist.
■■ Update: Modifies an existing folder without deleting it and re-creating it. It does not overwrite existing settings except those explicitly set in the preference, but creates a new folder if the folder doesn't exist.

Forcing Group Policy Update via PowerShell

The Invoke-GPUpdate cmdlet accepts a -Computer parameter that enables you to specify the specific computer on which to force the update. So to force a synchronous update at the next user logon of only the User Configuration preferences on server trey-wds-11, for example, use the following command:

    Invoke-GPUpdate -Computer trey-wds-11 -Target User -Sync -LogOff

To force a Group Policy update from the GPMC, right-click the OU for which you want to trigger the update and select Group Policy Update from the menu, as shown in Figure 6-7. Click Yes at the confirmation screen, and the policy will be updated on the computers in that OU.

Configure Group Policy Settings

The basic aim of Group Policy is to configure the settings that control users and computers. By using these settings, you can control what software is installed, where folders are located, what the startup and shutdown experience is, and which individual settings control access and rights to a wide variety of Windows objects.

Configure Group Policy Processing

The processing order and the filtering of Group Policy control which policies are applied to which users and computers. By understanding and controlling the processing order, you can understand and control which policies have the final impact on a given Active Directory object. Local Group Policy is processed first; then each Active Directory level is processed from the farthest away from the object (the site) to the closest to the object (the organizational unit [OU]). This processing order is known as LSDOU: Local, Site, Domain, Organizational Unit.

Import a GPO using PowerShell

To import a GPO, use the Import-GPO cmdlet. The command to import a ClientBackupGPO from the TreyResearch.net domain using a Migration Table is this:

    Import-GPO -Domain TreyResearch.net `
               -BackupGpoName ClientBackupGPO `
               -TargetName "Client Backup" `
               -Path "D:\GPOs" `
               -MigrationTable "D:\MigTables\ClientBackupToTailspinToys.migtable" `
               -CreateIfNeeded

This command imports the most recent backup of the ClientBackupGPO to a new GPO called "Client Backup" in the TailspinToys.com domain. The target GPO is created if it doesn't already exist, and a migration table is used to migrate domain-specific settings in the source GPO backup.

