Description

Book Synopsis
Get up to speed on the latest Group Policy tools, features, and best practices

Group Policy, Fundamentals, Security, and the Managed Desktop, 3rd Edition helps you streamline Windows and Windows Server management using the latest Group Policy tools and techniques. This updated edition covers Windows 10 and Windows Server vNext, bringing you up to speed on all the newest settings, features, and best practices. Microsoft Group Policy MVP Jeremy Moskowitz teaches you the major categories of Group Policy, essential troubleshooting techniques, and how to manage your Windows desktops.

This is your complete guide to the latest Group Policy features and functions for all modern Windows clients and servers, helping you manage more efficiently and effectively.

  • Perform true desktop and server management with the Group Policy Preferences, ADMX files, and additional add-ons
  • Use every feature of the GPMC and become a top-notch administrator

    Table of Contents

    Introduction xxv

    Chapter 1 Group Policy Essentials 1

    Getting Ready to Use This Book 2

    Getting Started with Group Policy 7

    Group Policy Entities and Policy Settings 7

    Active Directory and Local Group Policy 9

    Understanding Local Group Policy 10

    Group Policy and Active Directory 13

    Linking Group Policy Objects 15

    Final Thoughts on Local GPOs 20

    An Example of Group Policy Application 21

    Examining the Resultant Set of Policy 23

    At the Site Level 23

    At the Domain Level 24

    At the OU Level 24

    Bringing It All Together 25

    Group Policy, Active Directory, and the GPMC 26

    Implementing the GPMC on Your Management Station 27

    Creating a One-Stop-Shop MMC 30

    Group Policy 101 and Active Directory 32

    Active Directory Users and Computers vs. GPMC 32

    Adjusting the View within the GPMC 33

    The GPMC-centric View 35

    Our Own Group Policy Examples 37

    More about Linking and the Group Policy Objects Container 38

    Applying a Group Policy Object to the Site Level 41

    Applying Group Policy Objects to the Domain Level 44

    Applying Group Policy Objects to the OU Level 47

    Testing Your Delegation of Group Policy Management 52

    Understanding Group Policy Object Linking Delegation 54

    Granting OU Admins Access to Create New Group Policy Objects 55

    Creating and Linking Group Policy Objects at the OU Level 56

    Creating a New Group Policy Object Affecting Computers in an OU 59

    Moving Computers into the Human Resources Computers OU 61

    Verifying Your Cumulative Changes 62

    Final Thoughts 64

    Chapter 2 Managing Group Policy with the GPMC and via PowerShell 67

    Common Procedures with the GPMC and PowerShell 69

    Raising or Lowering the Precedence of Multiple Group Policy Objects 75

    Understanding GPMC’s Link Warning 76

    Stopping Group Policy Objects from Applying 78

    Block Inheritance 85

    The Enforced Function 87

    Security Filtering and Delegation with the GPMC 90

    Filtering the Scope of Group Policy Objects with Security 91

    User Permissions on Group Policy Objects 102

    Granting Group Policy Object Creation Rights in the Domain 104

    Special Group Policy Operation Delegations 105

    Who Can Create and Use WMI Filters? 107

    Performing RSoP Calculations with the GPMC 109

    What’s-Going-On Calculations with Group Policy Results 110

    What-If Calculations with Group Policy Modeling 116

    Searching and Commenting Group Policy Objects and Policy Settings 118

    Searching for GPO Characteristics 119

    Filtering Inside a GPO for Policy Settings 121

    Comments for GPOs and Policy Settings 132

    Starter GPOs 137

    Creating a Starter GPO 139

    Editing a Starter GPO 139

    Leveraging a Starter GPO 141

    Delegating Control of Starter GPOs 142

    Wrapping Up and Sending Starter GPOs 143

    Should You Use Microsoft’s Pre-created Starter GPOs? 144

    Back Up and Restore for Group Policy 145

    Backing Up Group Policy Objects 146

    Restoring Group Policy Objects 148

    Backing Up and Restoring Starter GPOs 152

    Backing Up and Restoring WMI Filters 153

    Backing Up and Restoring IPsec Filters 153

    Migrating Group Policy Objects between Domains 154

    Basic Interdomain Copy and Import 154

    Copy and Import with Migration Tables 162

    GPMC At-a-Glance Icon View 166

    Final Thoughts 167

    Chapter 3 Group Policy Processing Behavior Essentials 169

    Group Policy Processing Principles 170

    Don’t Get Lost 172

    Initial Policy Processing 172

    Background Refresh Policy Processing 174

    Security Background Refresh Processing 187

    Special Case: Moving a User or a Computer Object 193

    Windows 8, 8.1, and 10 Group Policy: Subtle Differences 194

    Policy Application via Remote Access, Slow Links, and after Hibernation 200

    When and How Does Windows Check for Slow Links? 200

    What Is Processed over a Slow Network Connection? 201

    Always Get Group Policy (Even on the Road, through the Internet) 202

    Using Group Policy to Affect Group Policy 205

    Affecting the User Settings of Group Policy 205

    Affecting the Computer Settings of Group Policy 207

    The Missing Group Policy Preferences Policy Settings 219

    Final Thoughts 221

    Chapter 4 Advanced Group Policy Processing 223

    Fine-Tuning When and Where Group Policy Applies 223

    Using WMI Filters to Filter the Scope of a Group Policy Object (Itself) 224

    Using PolicyPak Admin Templates Manager to Filter the Scope of a Group Policy Object’s Contents 230

    Group Policy Loopback Processing 231

    Reviewing Normal Group Policy Processing 232

    Group Policy Loopback—Merge Mode 233

    Group Policy Loopback—Replace Mode 233

    Loopback without Loopback (Switched Mode with PolicyPak Application Manager and PolicyPak Admin Templates Manager) 239

    Group Policy with Cross-Forest Trusts 242

    What Happens When Logging onto Different Clients across a Cross-Forest Trust? 243

    Disabling Loopback Processing When Using Cross-Forest Trusts 245

    Understanding Cross-Forest Trust Permissions 245

    Final Thoughts 247

    Chapter 5 Group Policy Preferences 249

    Powers of the Group Policy Preferences 252

    Computer Configuration ➢ Preferences 258

    User Configuration ➢ Preferences 269

    Group Policy Preferences Concepts 278

    Preference vs. Policy 279

    The Overlap of Group Policy vs. Group Policy Preferences and Associated Issues 281

    The Lines and Circles and the CRUD Action Modes 293

    Common Tab 301

    Group Policy Preferences Tips, Tricks, and Troubleshooting 313

    Quick Copy, Drag and Drop, Cut and Paste, and Sharing of Settings 313

    Multiple Preference Items at a Level 315

    Temporarily Disabling a Single Preference Item or Extension Root 317

    Environment Variables 318

    Managing Group Policy Preferences: Hiding Extensions from within the Editor 320

    Troubleshooting: Reporting, Logging, and Tracing 321

    Giving Group Policy Preferences a “Boost” (Using PolicyPak Preferences Manager and PolicyPak Cloud) 329

    Using PolicyPak Preferences Manager to Maintain Group Policy Preferences while Offline 330

    Using PolicyPak Preferences Manager to Deliver Group Policy Preferences Using “Not Group Policy” 330

    Delivering Group Policy Preferences over the Internet Using PolicyPak Cloud (to Domain-Joined and Non–Domain-Joined Machines) 331

    Final Thoughts 332

    Chapter 6 Managing Applications and Settings Using Group Policy 335

    Understanding Administrative Templates 336

    Administrative Templates: Then and Now 336

    Policy vs. Preference 337

    Exploring ADM vs. ADMX and ADML Files 342

    Looking Back at ADM Files 342

    Understanding the Updated GPMC’s ADMX and ADML Files 342

    Comparing ADM vs. ADMX Files 344

    ADMX and ADML Files: What They Do and the Problems They Solve 345

    Problem and Solution 1: Tackling SYSVOL Bloat 345

    Problem 2: How Do We Deal with Multiple Languages? 346

    Problem 3: How Do We Deal with “Write Overlaps”? 347

    Problem 4: How Do We Distribute Updated Definitions to All Our Administrators? 349

    The Central Store 349

    The Windows ADMX/ADML Central Store 351

    Creating and Editing GPOs in a Mixed Environment 355

    Scenario 1: Start by Creating and Editing a GPO Using the Older GPMC; Edit Using Another Older GPMC Management Station 355

    Scenario 2: Start by Creating and Editing a GPO with the Older GPMC; Edit Using the Updated GPMC 356

    Scenario 3: Start by Creating and Editing a GPO Using the Updated GPMC; Edit Using Another Updated GPMC Management Station 358

    Scenario 4: Start by Creating and Editing a GPO Using an Updated GPMC Management Station; Edit Using an Older GPMC Management Station 358

    Using ADM and ADMX Templates from Other Sources 359

    Using ADM Templates with the Updated GPMC 359

    Using ADMX Templates from Other Sources 361

    ADMX Migrator and ADMX Editor Tools 362

    ADMX Migrator 363

    ADMX Creation and Editor Tools 365

    PolicyPak Application Manager 365

    PolicyPak Concepts and Installation 367

    Top PolicyPak Application Manager Pak Examples 369

    Understanding PolicyPak Superpowers and What Happens When Computers Are Off the Network 373

    Final Thoughts 376

    Chapter 7 Troubleshooting Group Policy 379

    Under the Hood of Group Policy 381

    Inside Local Group Policy 381

    Inside Active Directory Group Policy Objects 383

    The Birth, Life, and Death of a GPO 385

    How Group Policy Objects Are “Born” 386

    How a GPO “Lives” 387

    Death of a GPO 415

    How Client Systems Get Group Policy Objects 416

    The Steps to Group Policy Processing 416

    Client-Side Extensions 419

    Where Are Administrative Templates Registry Settings Stored? 427

    Why Isn’t Group Policy Applying? 429

    Reviewing the Basics 429

    Advanced Inspection 432

    Client-Side Troubleshooting 441

    RSoP for Windows Clients 442

    Advanced Group Policy Troubleshooting with the Event Viewer Logs 450

    Group Policy Processing Performance 462

    Final Thoughts 463

    Chapter 8 Implementing Security with Group Policy 465

    The Two Default Group Policy Objects 466

    GPOs Linked at the Domain Level 467

    Group Policy Objects Linked to the Domain Controllers OU 471

    Oops, the “Default Domain Policy” GPO and/or “Default Domain Controllers Policy” GPO Got Screwed Up! 473

    The Strange Life of Password Policy 475

    What Happens When You Set Password Settings at an OU Level 475

    Fine-Grained Password Policy 477

    Inside Basic and Advanced Auditing 482

    Basic Auditable Events Using Group Policy 482

    Auditing File Access 487

    Auditing Group Policy Object Changes 489

    Advanced Audit Policy Configuration 491

    Restricted Groups 495

    Strictly Controlling Active Directory Groups 497

    Strictly Applying Group Nesting 499

    Which Groups Can Go into Which Other Groups via Restricted Groups? 500

    Restrict Software Using AppLocker 500

    Inside Software Restriction Policies 501

    Software Restriction Policies’ “Philosophies” 502

    Software Restriction Policies’ Rules 503

    Restricting Software Using AppLocker 510

    Controlling User Account Control with Group Policy 531

    Just Who Will See the UAC Prompts, Anyway? 534

    Understanding the Group Policy Controls for UAC 539

    UAC Policy Setting Suggestions 548

    Wireless (802.3) and Wired Network (802.11) Policies 551

    802.11 Wireless Policy for Windows XP 552

    802.11 Wireless Policy and 802.3 Wired Policy for Modern Windows 553

    Configuring Windows Firewall with Group Policy 554

    Manipulating the Windows Firewall (the Old Way) 557

    Windows Firewall with Advanced Security WFAS 558

    IPsec (Now in Windows Firewall with Advanced Security) 567

    How Windows Firewall Rules Are Ultimately Calculated 572

    Final Thoughts 576

    Chapter 9 Profiles: Local, Roaming, and Mandatory 579

    Setting the Stage for Multiple Clients 579

    What Is a User Profile? 583

    The NTUSER.DAT File 583

    Profile Folders for Type 1 Computers (Windows XP and Windows 2003 Server) 584

    Profile Folders for Type 2–5 Computers (Windows Vista and Later) 586

    The Default Local User Profile 591

    The Default Network User Profile 594

    Roaming Profiles 599

    Are Roaming Profiles “Evil”? And What Are the Alternatives? 601

    Setting Up Roaming Profiles 604

    Testing Roaming Profiles 608

    Roaming and Nonroaming Folders 610

    Managing Roaming Profiles 614

    Manipulating Roaming Profiles with Computer Group Policy Settings 617

    Manipulating Roaming Profiles with User Group Policy Settings 630

    Mandatory Profiles 635

    Establishing Mandatory Profiles for Windows XP 636

    Establishing Mandatory Profiles for Modern Windows 638

    Mandatory Profiles—Finishing Touches 639

    Forced Mandatory Profiles (Super-Mandatory) 640

    Final Thoughts 642

    Chapter 10 The Managed Desktop, Part 1: Redirected Folders, Offline Files, and the Synchronization Manager 643

    Redirected Folders 644

    Available Folders to Redirect 644

    Redirected Documents/My Documents 645

    Redirecting the Start Menu and the Desktop 665

    Redirecting the Application Data Folder 666

    Group Policy Setting for Folder Redirection 667

    Troubleshooting Redirected Folders 669

    Offline Files and Synchronization 672

    Making Offline Files Available 673

    Inside Windows 10 File Synchronization 676

    Handling Conflicts 684

    Client Configuration of Offline Files 686

    Using Folder Redirection and Offline Files over Slow Links 694

    Synchronizing over Slow Links with Redirected My Documents 695

    Synchronizing over Slow Links with Regular Shares 697

    Teaching Windows 10 How to React to Slow Links 698

    Using Group Policy to Configure Offline Files (User and Computer Node) 702

    Troubleshooting Sync Center 710

    Turning Off Folder Redirection’s Automatic Offline Caching for Desktops 712

    Final Thoughts 720

    Chapter 11 The Managed Desktop, Part 2: Software Deployment via Group Policy 723

    Group Policy Software Installation (GPSI) Overview 724

    The Windows Installer Service 726

    Understanding .MSI Packages 726

    Utilizing an Existing .MSI Package 727

    Assigning and Publishing Applications 732

    Assigning Applications 732

    Publishing Applications 733

    Rules of Deployment 734

    Package-Targeting Strategy 734

    Advanced Published or Assigned 745

    The General Tab 746

    The Deployment Tab 746

    The Upgrades Tab 750

    The Categories Tab 752

    The Modifications Tab 752

    The Security Tab 754

    Default Group Policy Software Installation Properties 755

    The General Tab 755

    The Advanced Tab 756

    The File Extensions Tab 757

    The Categories Tab 757

    Removing Applications 757

    Users Can Manually Change or Remove Applications 758

    Automatically Removing Assigned or Published .MSI Applications 758

    Forcibly Removing Assigned or Published .MSI Applications 759

    Using Group Policy Software Installation over Slow Links 761

    MSI, the Windows Installer, and Group Policy 764

    Inside the MSIEXEC Tool 764

    Patching a Distribution Point 765

    Affecting Windows Installer with Group Policy 767

    Deploying Office 2010 and Later Using Group Policy (MSI Version) 771

    Steps to Office 2013 and 2016 Deployment Using Group Policy 772

    Result of Your Office Deployment Using Group Policy 782

    Installing Office Using Click-to-Run 783

    Getting Office Click-to-Run 784

    Installing Office Click-to-Run by Hand 784

    Deploying Office Click-to-Run via Group Policy 786

    System Center Configuration Manager vs. Group Policy (and Alternatives) 793

    Final Thoughts 796

    Chapter 12 Finishing Touches with Group Policy: Scripts, Internet Explorer, Hardware Control, Printer Deployment, Local Admin Password Control 797

    Scripts: Logon, Logoff, Startup, and Shutdown 798

    Non-PowerShell-Based Scripts 798

    Deploying PowerShell Scripts to Windows 7 and Later Clients 801

    Managing Internet Explorer with Group Policy 802

    Managing Internet Explorer with Group Policy Preferences 803

    Internet Explorer’s Group Policy Settings 805

    Understanding Internet Explorer 11’s Enterprise Mode 806

    Managing Internet Explorer 11 Using PolicyPak Application Manager 808

    Restricting Access to Hardware via Group Policy 808

    Group Policy Preferences Devices Extension 809

    Restricting Driver Access with Policy Settings 814

    Getting a Handle on Classes and IDs 815

    Restricting or Allowing Your Hardware via Group Policy 817

    Understanding the Remaining Policy Settings for Hardware Restrictions 819

    Assigning Printers via Group Policy 821

    Zapping Down Printers to Users and Computers (a Refresher) 821

    Implementing Rotating Local Passwords with LAPS 830

    What to Install from LAPS 831

    Extending the Schema and Setting LAPS Permissions 832

    Using a Group Policy Object to Manage LAPS 835

    Using LAPS Management’s Tools: Fat Client and PowerShell 836

    Final Thoughts for This Chapter and for the Book 838

    Appendix A Scripting Group Policy Operations with Windows PowerShell 839

    Using PowerShell to Do More with Group Policy 840

    Preparing for Your PowerShell Experience 841

    Getting Started with PowerShell 842

    Documenting Your Group Policy World with PowerShell 846

    Setting GPO Permissions 867

    Manipulating GPOs with PowerShell 870

    Performing a Remote GPupdate (Invoking GPupdate) 880

    Replacing Microsoft’s GPMC Scripts with PowerShell Equivalents 881

    Final Thoughts 883

    Appendix B Group Policy and VDI 885

    Why Is VDI Different? 886

    Tuning Your Images for VDI 887

    Specific Functions to Turn Off for VDI Machines 888

    Group Policy Settings to Set and Avoid for Maximum VDI Performance 889

    Group Policy Tweaks for Fast VDI Video 891

    Tweaking RDP Using Group Policy for VDI 891

    Tweaking RemoteFX using Group Policy for VDI 892

    Managing and Locking Down Desktop UI Tweaks 893

    Final Thoughts for VDI and Group Policy 894

    Appendix C Advanced Group Policy Management 897

    The Challenge of Group Policy Change Management 898

    Architecture and Installation of AGPM 899

    AGPM Architecture 899

    Installing AGPM 900

    What Happens after AGPM Is Installed? 906

    GPMC Differences with AGPM Client 906

    What’s With All the Access Denied Errors? 908

    Does the World Change Right Away? 908

    Understanding the AGPM Delegation Model 908

    AGPM Delegation Roles 909

    AGPM Common Tasks 912

    Understanding and Working with AGPM’s Flow 914

    Controlling Your Currently Uncontrolled GPOs 915

    Creating a GPO and Immediately Controlling It 918

    Check Out a GPO 919

    Viewing Reports about a Controlled GPO 921

    Editing a Checked-Out Offline Copy of a GPO 921

    Performing a Check In of a Changed GPO 923

    Deploying a GPO into Production 924

    Making Additional Changes to a GPO and Labeling a GPO 926

    Using History and Differences to Roll Back a GPO 927

    Using “Import from Production” to Catch Up a GPO 931

    Uncontrolling, Restoring, and Destroying a GPO 932

    Searching for GPOs Using the Search Box 934

    AGPM Tasks with Multiple Admins 935

    E‑mail Preparations and Configurations for AGPM Requests 936

    Adding Someone to the AGPM System 939

    Requesting the Creation of New Controlled GPO 943

    Approving or Rejecting a Pending Request 944

    Editing the GPO Offline via Check Out/Check In 946

    Requesting Deployment of the GPO 946

    Analyzing a GPO (as a Reviewer) 948

    Advanced Configuration and Troubleshooting of AGPM 950

    Production Delegation 950

    Auto-Deleting Old GPO Versions 951

    Export and Import of Controlled GPOs between Forests and/or Domains 951

    Troubleshooting AGPM Permissions 953

    Leveraging AGPM Templates 955

    Changing Permissions on GPO Archives 958

    Backing Up, Restoring, and Moving the AGPM Server 959

    Changing the Port That AGPM Uses 962

    Events from AGPM 963

    Leveraging the Built-in AGPM ADMX Template 963

    Final Thoughts 968

    Appendix D Security Compliance Manager 969

    SCM: Installation 970

    SCM: Getting Around 972

    SCM: Usual Use Case 974

    Importing Existing GPOs 980

    Comparing and Merging Baselines 980

    LocalGPO Tool 983

    Installing SCM’s LocalGPO Tool 984

    Using SCM’s LocalGPO 985

    Final Thoughts on LocalGPO and SCM 989

    Appendix E Microsoft Intune and PolicyPak Cloud 991

    Microsoft Intune 991

    Getting Started with Microsoft Intune 992

    Using Microsoft Intune 995

    Setting Up Microsoft Intune Groups 995

    Setting Up Policies Using Microsoft Intune 996

    Microsoft Intune and Group Policy Conflicts 997

    Final Thoughts on Microsoft Intune 998

    PolicyPak Cloud 998

    PolicyPak Cloud 101 999

    Understanding PolicyPak Cloud Policies 999

    Creating and Using PolicyPak Cloud Groups 1001

    Joining PolicyPak Cloud 1001

    Final Thoughts on PolicyPak Cloud 1003

    Final Thoughts on Microsoft Intune and PolicyPak Cloud 1003

    Index 1005

Group Policy

    Product form

    £38.00

    Includes FREE delivery

    RRP £47.50 – you save £9.50 (20%)

    A Paperback / softback by Jeremy Moskowitz

      Publisher: John Wiley & Sons Inc
      Publication Date: 24/08/2015
      ISBN13: 9781119035589, 978-1119035589
      ISBN10: 1119035589


        Which Groups Can Go into Which Other Groups via Restricted Groups? 500

        Restrict Software Using AppLocker 500

        Inside Software Restriction Policies 501

        Software Restriction Policies’ “Philosophies” 502

        Software Restriction Policies’ Rules 503

        Restricting Software Using AppLocker 510

        Controlling User Account Control with Group Policy 531

        Just Who Will See the UAC Prompts, Anyway? 534

        Understanding the Group Policy Controls for UAC 539

        UAC Policy Setting Suggestions 548

        Wireless (802.3) and Wired Network (802.11) Policies 551

        802.11 Wireless Policy for Windows XP 552

        802.11 Wireless Policy and 802.3 Wired Policy for Modern Windows 553

        Configuring Windows Firewall with Group Policy 554

        Manipulating the Windows Firewall (the Old Way) 557

        Windows Firewall with Advanced Security WFAS 558

        IPsec (Now in Windows Firewall with Advanced Security) 567

        How Windows Firewall Rules Are Ultimately Calculated 572

        Final Thoughts 576

        Chapter 9 Profiles: Local, Roaming, and Mandatory 579

        Setting the Stage for Multiple Clients 579

        What Is a User Profile? 583

        The NTUSER.DAT File 583

        Profile Folders for Type 1 Computers (Windows XP and Windows 2003 Server) 584

        Profile Folders for Type 2–5 Computers (Windows Vista and Later) 586

        The Default Local User Profile 591

        The Default Network User Profile 594

        Roaming Profiles 599

        Are Roaming Profiles “Evil”? And What Are the Alternatives? 601

        Setting Up Roaming Profiles 604

        Testing Roaming Profiles 608

        Roaming and Nonroaming Folders 610

        Managing Roaming Profiles 614

        Manipulating Roaming Profiles with Computer Group Policy Settings 617

        Manipulating Roaming Profiles with User Group Policy Settings 630

        Mandatory Profiles 635

        Establishing Mandatory Profiles for Windows XP 636

        Establishing Mandatory Profiles for Modern Windows 638

        Mandatory Profiles—Finishing Touches 639

        Forced Mandatory Profiles (Super-Mandatory) 640

        Final Thoughts 642

        Chapter 10 The Managed Desktop, Part 1: Redirected Folders, Offline Files, and the Synchronization Manager 643

        Redirected Folders 644

        Available Folders to Redirect 644

        Redirected Documents/My Documents 645

        Redirecting the Start Menu and the Desktop 665

        Redirecting the Application Data Folder 666

        Group Policy Setting for Folder Redirection 667

        Troubleshooting Redirected Folders 669

        Offline Files and Synchronization 672

        Making Offline Files Available 673

        Inside Windows 10 File Synchronization 676

        Handling Conflicts 684

        Client Configuration of Offline Files 686

        Using Folder Redirection and Offline Files over Slow Links 694

        Synchronizing over Slow Links with Redirected My Documents 695

        Synchronizing over Slow Links with Regular Shares 697

        Teaching Windows 10 How to React to Slow Links 698

        Using Group Policy to Configure Offline Files (User and Computer Node) 702

        Troubleshooting Sync Center 710

        Turning Off Folder Redirection’s Automatic Offline Caching for Desktops 712

        Final Thoughts 720

        Chapter 11 The Managed Desktop, Part 2: Software Deployment via Group Policy 723

        Group Policy Software Installation (GPSI) Overview 724

        The Windows Installer Service 726

        Understanding .MSI Packages 726

        Utilizing an Existing .MSI Package 727

        Assigning and Publishing Applications 732

        Assigning Applications 732

        Publishing Applications 733

        Rules of Deployment 734

        Package-Targeting Strategy 734

        Advanced Published or Assigned 745

        The General Tab 746

        The Deployment Tab 746

        The Upgrades Tab 750

        The Categories Tab 752

        The Modifications Tab 752

        The Security Tab 754

        Default Group Policy Software Installation Properties 755

        The General Tab 755

        The Advanced Tab 756

        The File Extensions Tab 757

        The Categories Tab 757

        Removing Applications 757

        Users Can Manually Change or Remove Applications 758

        Automatically Removing Assigned or Published .MSI Applications 758

        Forcibly Removing Assigned or Published .MSI Applications 759

        Using Group Policy Software Installation over Slow Links 761

        MSI, the Windows Installer, and Group Policy 764

        Inside the MSIEXEC Tool 764

        Patching a Distribution Point 765

        Affecting Windows Installer with Group Policy 767

        Deploying Office 2010 and Later Using Group Policy (MSI Version) 771

        Steps to Office 2013 and 2016 Deployment Using Group Policy 772

        Result of Your Office Deployment Using Group Policy 782

        Installing Office Using Click-to-Run 783

        Getting Office Click-to-Run 784

        Installing Office Click-to-Run by Hand 784

        Deploying Office Click-to-Run via Group Policy 786

        System Center Configuration Manager vs. Group Policy (and Alternatives) 793

        Final Thoughts 796

        Chapter 12 Finishing Touches with Group Policy: Scripts, Internet Explorer, Hardware Control, Printer Deployment, Local Admin Password Control 797

        Scripts: Logon, Logoff, Startup, and Shutdown 798

        Non-PowerShell-Based Scripts 798

        Deploying PowerShell Scripts to Windows 7 and Later Clients 801

        Managing Internet Explorer with Group Policy 802

        Managing Internet Explorer with Group Policy Preferences 803

        Internet Explorer’s Group Policy Settings 805

        Understanding Internet Explorer 11’s Enterprise Mode 806

        Managing Internet Explorer 11 Using PolicyPak Application Manager 808

        Restricting Access to Hardware via Group Policy 808

        Group Policy Preferences Devices Extension 809

        Restricting Driver Access with Policy Settings 814

        Getting a Handle on Classes and IDs 815

        Restricting or Allowing Your Hardware via Group Policy 817

        Understanding the Remaining Policy Settings for Hardware Restrictions 819

        Assigning Printers via Group Policy 821

        Zapping Down Printers to Users and Computers (a Refresher) 821

        Implementing Rotating Local Passwords with LAPS 830

        What to Install from LAPS 831

        Extending the Schema and Setting LAPS Permissions 832

        Using a Group Policy Object to Manage LAPS 835

        Using LAPS Management’s Tools: Fat Client and PowerShell 836

        Final Thoughts for This Chapter and for the Book 838

        Appendix A Scripting Group Policy Operations with Windows PowerShell 839

        Using PowerShell to Do More with Group Policy 840

        Preparing for Your PowerShell Experience 841

        Getting Started with PowerShell 842

        Documenting Your Group Policy World with PowerShell 846

        Setting GPO Permissions 867

        Manipulating GPOs with PowerShell 870

        Performing a Remote GPupdate (Invoking GPupdate) 880

        Replacing Microsoft’s GPMC Scripts with PowerShell Equivalents 881

        Final Thoughts 883

        Appendix B Group Policy and VDI 885

        Why Is VDI Different? 886

        Tuning Your Images for VDI 887

        Specific Functions to Turn Off for VDI Machines 888

        Group Policy Settings to Set and Avoid for Maximum VDI Performance 889

        Group Policy Tweaks for Fast VDI Video 891

        Tweaking RDP Using Group Policy for VDI 891

        Tweaking RemoteFX using Group Policy for VDI 892

        Managing and Locking Down Desktop UI Tweaks 893

        Final Thoughts for VDI and Group Policy 894

        Appendix C Advanced Group Policy Management 897

        The Challenge of Group Policy Change Management 898

        Architecture and Installation of AGPM 899

        AGPM Architecture 899

        Installing AGPM 900

        What Happens after AGPM Is Installed? 906

        GPMC Differences with AGPM Client 906

        What’s With All the Access Denied Errors? 908

        Does the World Change Right Away? 908

        Understanding the AGPM Delegation Model 908

        AGPM Delegation Roles 909

        AGPM Common Tasks 912

        Understanding and Working with AGPM’s Flow 914

        Controlling Your Currently Uncontrolled GPOs 915

        Creating a GPO and Immediately Controlling It 918

        Check Out a GPO 919

        Viewing Reports about a Controlled GPO 921

        Editing a Checked-Out Offline Copy of a GPO 921

        Performing a Check In of a Changed GPO 923

        Deploying a GPO into Production 924

        Making Additional Changes to a GPO and Labeling a GPO 926

        Using History and Differences to Roll Back a GPO 927

        Using “Import from Production” to Catch Up a GPO 931

        Uncontrolling, Restoring, and Destroying a GPO 932

        Searching for GPOs Using the Search Box 934

        AGPM Tasks with Multiple Admins 935

        E‑mail Preparations and Configurations for AGPM Requests 936

        Adding Someone to the AGPM System 939

        Requesting the Creation of New Controlled GPO 943

        Approving or Rejecting a Pending Request 944

        Editing the GPO Offline via Check Out/Check In 946

        Requesting Deployment of the GPO 946

        Analyzing a GPO (as a Reviewer) 948

        Advanced Configuration and Troubleshooting of AGPM 950

        Production Delegation 950

        Auto-Deleting Old GPO Versions 951

        Export and Import of Controlled GPOs between Forests and/or Domains 951

        Troubleshooting AGPM Permissions 953

        Leveraging AGPM Templates 955

        Changing Permissions on GPO Archives 958

        Backing Up, Restoring, and Moving the AGPM Server 959

        Changing the Port That AGPM Uses 962

        Events from AGPM 963

        Leveraging the Built-in AGPM ADMX Template 963

        Final Thoughts 968

        Appendix D Security Compliance Manager 969

        SCM: Installation 970

        SCM: Getting Around 972

        SCM: Usual Use Case 974

        Importing Existing GPOs 980

        Comparing and Merging Baselines 980

        LocalGPO Tool 983

        Installing SCM’s LocalGPO Tool 984

        Using SCM’s LocalGPO 985

        Final Thoughts on LocalGPO and SCM 989

        Appendix E Microsoft Intune and PolicyPak Cloud 991

        Microsoft Intune 991

        Getting Started with Microsoft Intune 992

        Using Microsoft Intune 995

        Setting Up Microsoft Intune Groups 995

        Setting Up Policies Using Microsoft Intune 996

        Microsoft Intune and Group Policy Conflicts 997

        Final Thoughts on Microsoft Intune 998

        PolicyPak Cloud 998

        PolicyPak Cloud 101 999

        Understanding PolicyPak Cloud Policies 999

        Creating and Using PolicyPak Cloud Groups 1001

        Joining PolicyPak Cloud 1001

        Final Thoughts on PolicyPak Cloud 1003

        Final Thoughts on Microsoft Intune and PolicyPak Cloud 1003

        Index 1005

      © 2026 Book Curl
