Description

Book Synopsis
Get up to speed on the latest Group Policy tools, features, and best practices

Group Policy: Fundamentals, Security, and the Managed Desktop, 3rd Edition helps you streamline Windows and Windows Server management using the latest Group Policy tools and techniques. This updated edition covers Windows 10 and Windows Server vNext, bringing you up to speed on all the newest settings, features, and best practices. Microsoft Group Policy MVP Jeremy Moskowitz teaches you the major categories of Group Policy, essential troubleshooting techniques, and how to manage your Windows desktops.

This is your complete guide to the latest Group Policy features and functions for all modern Windows clients and servers, helping you manage more efficiently and effectively.

  • Perform true desktop and server management with the Group Policy Preferences, ADMX files, and additional add-ons
  • Use every feature of the GPMC and become a top-notch administrato

    Table of Contents

    Introduction xxv

    Chapter 1 Group Policy Essentials 1

    Getting Ready to Use This Book 2

    Getting Started with Group Policy 7

    Group Policy Entities and Policy Settings 7

    Active Directory and Local Group Policy 9

    Understanding Local Group Policy 10

    Group Policy and Active Directory 13

    Linking Group Policy Objects 15

    Final Thoughts on Local GPOs 20

    An Example of Group Policy Application 21

    Examining the Resultant Set of Policy 23

    At the Site Level 23

    At the Domain Level 24

    At the OU Level 24

    Bringing It All Together 25

    Group Policy, Active Directory, and the GPMC 26

    Implementing the GPMC on Your Management Station 27

    Creating a One-Stop-Shop MMC 30

    Group Policy 101 and Active Directory 32

    Active Directory Users and Computers vs. GPMC 32

    Adjusting the View within the GPMC 33

    The GPMC-centric View 35

    Our Own Group Policy Examples 37

    More about Linking and the Group Policy Objects Container 38

    Applying a Group Policy Object to the Site Level 41

    Applying Group Policy Objects to the Domain Level 44

    Applying Group Policy Objects to the OU Level 47

    Testing Your Delegation of Group Policy Management 52

    Understanding Group Policy Object Linking Delegation 54

    Granting OU Admins Access to Create New Group Policy Objects 55

    Creating and Linking Group Policy Objects at the OU Level 56

    Creating a New Group Policy Object Affecting Computers in an OU 59

    Moving Computers into the Human Resources Computers OU 61

    Verifying Your Cumulative Changes 62

    Final Thoughts 64

    Chapter 2 Managing Group Policy with the GPMC and via PowerShell 67

    Common Procedures with the GPMC and PowerShell 69

    Raising or Lowering the Precedence of Multiple Group Policy Objects 75

    Understanding GPMC’s Link Warning 76

    Stopping Group Policy Objects from Applying 78

    Block Inheritance 85

    The Enforced Function 87

    Security Filtering and Delegation with the GPMC 90

    Filtering the Scope of Group Policy Objects with Security 91

    User Permissions on Group Policy Objects 102

    Granting Group Policy Object Creation Rights in the Domain 104

    Special Group Policy Operation Delegations 105

    Who Can Create and Use WMI Filters? 107

    Performing RSoP Calculations with the GPMC 109

    What’s-Going-On Calculations with Group Policy Results 110

    What-If Calculations with Group Policy Modeling 116

    Searching and Commenting Group Policy Objects and Policy Settings 118

    Searching for GPO Characteristics 119

    Filtering Inside a GPO for Policy Settings 121

    Comments for GPOs and Policy Settings 132

    Starter GPOs 137

    Creating a Starter GPO 139

    Editing a Starter GPO 139

    Leveraging a Starter GPO 141

    Delegating Control of Starter GPOs 142

    Wrapping Up and Sending Starter GPOs 143

    Should You Use Microsoft’s Pre-created Starter GPOs? 144

    Back Up and Restore for Group Policy 145

    Backing Up Group Policy Objects 146

    Restoring Group Policy Objects 148

    Backing Up and Restoring Starter GPOs 152

    Backing Up and Restoring WMI Filters 153

    Backing Up and Restoring IPsec Filters 153

    Migrating Group Policy Objects between Domains 154

    Basic Interdomain Copy and Import 154

    Copy and Import with Migration Tables 162

    GPMC At-a-Glance Icon View 166

    Final Thoughts 167

    Chapter 3 Group Policy Processing Behavior Essentials 169

    Group Policy Processing Principles 170

    Don’t Get Lost 172

    Initial Policy Processing 172

    Background Refresh Policy Processing 174

    Security Background Refresh Processing 187

    Special Case: Moving a User or a Computer Object 193

    Windows 8, 8.1, and 10 Group Policy: Subtle Differences 194

    Policy Application via Remote Access, Slow Links, and after Hibernation 200

    When and How Does Windows Check for Slow Links? 200

    What Is Processed over a Slow Network Connection? 201

    Always Get Group Policy (Even on the Road, through the Internet) 202

    Using Group Policy to Affect Group Policy 205

    Affecting the User Settings of Group Policy 205

    Affecting the Computer Settings of Group Policy 207

    The Missing Group Policy Preferences Policy Settings 219

    Final Thoughts 221

    Chapter 4 Advanced Group Policy Processing 223

    Fine-Tuning When and Where Group Policy Applies 223

    Using WMI Filters to Filter the Scope of a Group Policy Object (Itself) 224

    Using PolicyPak Admin Templates Manager to Filter the Scope of a Group Policy Object’s Contents 230

    Group Policy Loopback Processing 231

    Reviewing Normal Group Policy Processing 232

    Group Policy Loopback—Merge Mode 233

    Group Policy Loopback—Replace Mode 233

    Loopback without Loopback (Switched Mode with PolicyPak Application Manager and PolicyPak Admin Templates Manager) 239

    Group Policy with Cross-Forest Trusts 242

    What Happens When Logging onto Different Clients across a Cross-Forest Trust? 243

    Disabling Loopback Processing When Using Cross-Forest Trusts 245

    Understanding Cross-Forest Trust Permissions 245

    Final Thoughts 247

    Chapter 5 Group Policy Preferences 249

    Powers of the Group Policy Preferences 252

    Computer Configuration ➢ Preferences 258

    User Configuration ➢ Preferences 269

    Group Policy Preferences Concepts 278

    Preference vs. Policy 279

    The Overlap of Group Policy vs. Group Policy Preferences and Associated Issues 281

    The Lines and Circles and the CRUD Action Modes 293

    Common Tab 301

    Group Policy Preferences Tips, Tricks, and Troubleshooting 313

    Quick Copy, Drag and Drop, Cut and Paste, and Sharing of Settings 313

    Multiple Preference Items at a Level 315

    Temporarily Disabling a Single Preference Item or Extension Root 317

    Environment Variables 318

    Managing Group Policy Preferences: Hiding Extensions from within the Editor 320

    Troubleshooting: Reporting, Logging, and Tracing 321

    Giving Group Policy Preferences a “Boost” (Using PolicyPak Preferences Manager and PolicyPak Cloud) 329

    Using PolicyPak Preferences Manager to Maintain Group Policy Preferences while Offline 330

    Using PolicyPak Preferences Manager to Deliver Group Policy Preferences Using “Not Group Policy” 330

    Delivering Group Policy Preferences over the Internet Using PolicyPak Cloud (to Domain-Joined and Non–Domain-Joined Machines) 331

    Final Thoughts 332

    Chapter 6 Managing Applications and Settings Using Group Policy 335

    Understanding Administrative Templates 336

    Administrative Templates: Then and Now 336

    Policy vs. Preference 337

    Exploring ADM vs. ADMX and ADML Files 342

    Looking Back at ADM Files 342

    Understanding the Updated GPMC’s ADMX and ADML Files 342

    Comparing ADM vs. ADMX Files 344

    ADMX and ADML Files: What They Do and the Problems They Solve 345

    Problem and Solution 1: Tackling SYSVOL Bloat 345

    Problem 2: How Do We Deal with Multiple Languages? 346

    Problem 3: How Do We Deal with “Write Overlaps”? 347

    Problem 4: How Do We Distribute Updated Definitions to All Our Administrators? 349

    The Central Store 349

    The Windows ADMX/ADML Central Store 351

    Creating and Editing GPOs in a Mixed Environment 355

    Scenario 1: Start by Creating and Editing a GPO Using the Older GPMC; Edit Using Another Older GPMC Management Station 355

    Scenario 2: Start by Creating and Editing a GPO with the Older GPMC; Edit Using the Updated GPMC 356

    Scenario 3: Start by Creating and Editing a GPO Using the Updated GPMC; Edit Using Another Updated GPMC Management Station 358

    Scenario 4: Start by Creating and Editing a GPO Using an Updated GPMC Management Station; Edit Using an Older GPMC Management Station 358

    Using ADM and ADMX Templates from Other Sources 359

    Using ADM Templates with the Updated GPMC 359

    Using ADMX Templates from Other Sources 361

    ADMX Migrator and ADMX Editor Tools 362

    ADMX Migrator 363

    ADMX Creation and Editor Tools 365

    PolicyPak Application Manager 365

    PolicyPak Concepts and Installation 367

    Top PolicyPak Application Manager Pak Examples 369

    Understanding PolicyPak Superpowers and What Happens When Computers Are Off the Network 373

    Final Thoughts 376

    Chapter 7 Troubleshooting Group Policy 379

    Under the Hood of Group Policy 381

    Inside Local Group Policy 381

    Inside Active Directory Group Policy Objects 383

    The Birth, Life, and Death of a GPO 385

    How Group Policy Objects Are “Born” 386

    How a GPO “Lives” 387

    Death of a GPO 415

    How Client Systems Get Group Policy Objects 416

    The Steps to Group Policy Processing 416

    Client-Side Extensions 419

    Where Are Administrative Templates Registry Settings Stored? 427

    Why Isn’t Group Policy Applying? 429

    Reviewing the Basics 429

    Advanced Inspection 432

    Client-Side Troubleshooting 441

    RSoP for Windows Clients 442

    Advanced Group Policy Troubleshooting with the Event Viewer Logs 450

    Group Policy Processing Performance 462

    Final Thoughts 463

    Chapter 8 Implementing Security with Group Policy 465

    The Two Default Group Policy Objects 466

    GPOs Linked at the Domain Level 467

    Group Policy Objects Linked to the Domain Controllers OU 471

    Oops, the “Default Domain Policy” GPO and/or “Default Domain Controllers Policy” GPO Got Screwed Up! 473

    The Strange Life of Password Policy 475

    What Happens When You Set Password Settings at an OU Level 475

    Fine-Grained Password Policy 477

    Inside Basic and Advanced Auditing 482

    Basic Auditable Events Using Group Policy 482

    Auditing File Access 487

    Auditing Group Policy Object Changes 489

    Advanced Audit Policy Configuration 491

    Restricted Groups 495

    Strictly Controlling Active Directory Groups 497

    Strictly Applying Group Nesting 499

    Which Groups Can Go into Which Other Groups via Restricted Groups? 500

    Restrict Software Using AppLocker 500

    Inside Software Restriction Policies 501

    Software Restriction Policies’ “Philosophies” 502

    Software Restriction Policies’ Rules 503

    Restricting Software Using AppLocker 510

    Controlling User Account Control with Group Policy 531

    Just Who Will See the UAC Prompts, Anyway? 534

    Understanding the Group Policy Controls for UAC 539

    UAC Policy Setting Suggestions 548

    Wireless (802.3) and Wired Network (802.11) Policies 551

    802.11 Wireless Policy for Windows XP 552

    802.11 Wireless Policy and 802.3 Wired Policy for Modern Windows 553

    Configuring Windows Firewall with Group Policy 554

    Manipulating the Windows Firewall (the Old Way) 557

    Windows Firewall with Advanced Security WFAS 558

    IPsec (Now in Windows Firewall with Advanced Security) 567

    How Windows Firewall Rules Are Ultimately Calculated 572

    Final Thoughts 576

    Chapter 9 Profiles: Local, Roaming, and Mandatory 579

    Setting the Stage for Multiple Clients 579

    What Is a User Profile? 583

    The NTUSER.DAT File 583

    Profile Folders for Type 1 Computers (Windows XP and Windows 2003 Server) 584

    Profile Folders for Type 2–5 Computers (Windows Vista and Later) 586

    The Default Local User Profile 591

    The Default Network User Profile 594

    Roaming Profiles 599

    Are Roaming Profiles “Evil”? And What Are the Alternatives? 601

    Setting Up Roaming Profiles 604

    Testing Roaming Profiles 608

    Roaming and Nonroaming Folders 610

    Managing Roaming Profiles 614

    Manipulating Roaming Profiles with Computer Group Policy Settings 617

    Manipulating Roaming Profiles with User Group Policy Settings 630

    Mandatory Profiles 635

    Establishing Mandatory Profiles for Windows XP 636

    Establishing Mandatory Profiles for Modern Windows 638

    Mandatory Profiles—Finishing Touches 639

    Forced Mandatory Profiles (Super-Mandatory) 640

    Final Thoughts 642

    Chapter 10 The Managed Desktop, Part 1: Redirected Folders, Offline Files, and the Synchronization Manager 643

    Redirected Folders 644

    Available Folders to Redirect 644

    Redirected Documents/My Documents 645

    Redirecting the Start Menu and the Desktop 665

    Redirecting the Application Data Folder 666

    Group Policy Setting for Folder Redirection 667

    Troubleshooting Redirected Folders 669

    Offline Files and Synchronization 672

    Making Offline Files Available 673

    Inside Windows 10 File Synchronization 676

    Handling Conflicts 684

    Client Configuration of Offline Files 686

    Using Folder Redirection and Offline Files over Slow Links 694

    Synchronizing over Slow Links with Redirected My Documents 695

    Synchronizing over Slow Links with Regular Shares 697

    Teaching Windows 10 How to React to Slow Links 698

    Using Group Policy to Configure Offline Files (User and Computer Node) 702

    Troubleshooting Sync Center 710

    Turning Off Folder Redirection’s Automatic Offline Caching for Desktops 712

    Final Thoughts 720

    Chapter 11 The Managed Desktop, Part 2: Software Deployment via Group Policy 723

    Group Policy Software Installation (GPSI) Overview 724

    The Windows Installer Service 726

    Understanding .MSI Packages 726

    Utilizing an Existing .MSI Package 727

    Assigning and Publishing Applications 732

    Assigning Applications 732

    Publishing Applications 733

    Rules of Deployment 734

    Package-Targeting Strategy 734

    Advanced Published or Assigned 745

    The General Tab 746

    The Deployment Tab 746

    The Upgrades Tab 750

    The Categories Tab 752

    The Modifications Tab 752

    The Security Tab 754

    Default Group Policy Software Installation Properties 755

    The General Tab 755

    The Advanced Tab 756

    The File Extensions Tab 757

    The Categories Tab 757

    Removing Applications 757

    Users Can Manually Change or Remove Applications 758

    Automatically Removing Assigned or Published .MSI Applications 758

    Forcibly Removing Assigned or Published .MSI Applications 759

    Using Group Policy Software Installation over Slow Links 761

    MSI, the Windows Installer, and Group Policy 764

    Inside the MSIEXEC Tool 764

    Patching a Distribution Point 765

    Affecting Windows Installer with Group Policy 767

    Deploying Office 2010 and Later Using Group Policy (MSI Version) 771

    Steps to Office 2013 and 2016 Deployment Using Group Policy 772

    Result of Your Office Deployment Using Group Policy 782

    Installing Office Using Click-to-Run 783

    Getting Office Click-to-Run 784

    Installing Office Click-to-Run by Hand 784

    Deploying Office Click-to-Run via Group Policy 786

    System Center Configuration Manager vs. Group Policy (and Alternatives) 793

    Final Thoughts 796

    Chapter 12 Finishing Touches with Group Policy: Scripts, Internet Explorer, Hardware Control, Printer Deployment, Local Admin Password Control 797

    Scripts: Logon, Logoff, Startup, and Shutdown 798

    Non-PowerShell-Based Scripts 798

    Deploying PowerShell Scripts to Windows 7 and Later Clients 801

    Managing Internet Explorer with Group Policy 802

    Managing Internet Explorer with Group Policy Preferences 803

    Internet Explorer’s Group Policy Settings 805

    Understanding Internet Explorer 11’s Enterprise Mode 806

    Managing Internet Explorer 11 Using PolicyPak Application Manager 808

    Restricting Access to Hardware via Group Policy 808

    Group Policy Preferences Devices Extension 809

    Restricting Driver Access with Policy Settings 814

    Getting a Handle on Classes and IDs 815

    Restricting or Allowing Your Hardware via Group Policy 817

    Understanding the Remaining Policy Settings for Hardware Restrictions 819

    Assigning Printers via Group Policy 821

    Zapping Down Printers to Users and Computers (a Refresher) 821

    Implementing Rotating Local Passwords with LAPS 830

    What to Install from LAPS 831

    Extending the Schema and Setting LAPS Permissions 832

    Using a Group Policy Object to Manage LAPS 835

    Using LAPS Management’s Tools: Fat Client and PowerShell 836

    Final Thoughts for This Chapter and for the Book 838

    Appendix A Scripting Group Policy Operations with Windows PowerShell 839

    Using PowerShell to Do More with Group Policy 840

    Preparing for Your PowerShell Experience 841

    Getting Started with PowerShell 842

    Documenting Your Group Policy World with PowerShell 846

    Setting GPO Permissions 867

    Manipulating GPOs with PowerShell 870

    Performing a Remote GPupdate (Invoking GPupdate) 880

    Replacing Microsoft’s GPMC Scripts with PowerShell Equivalents 881

    Final Thoughts 883

    Appendix B Group Policy and VDI 885

    Why Is VDI Different? 886

    Tuning Your Images for VDI 887

    Specific Functions to Turn Off for VDI Machines 888

    Group Policy Settings to Set and Avoid for Maximum VDI Performance 889

    Group Policy Tweaks for Fast VDI Video 891

    Tweaking RDP Using Group Policy for VDI 891

    Tweaking RemoteFX using Group Policy for VDI 892

    Managing and Locking Down Desktop UI Tweaks 893

    Final Thoughts for VDI and Group Policy 894

    Appendix C Advanced Group Policy Management 897

    The Challenge of Group Policy Change Management 898

    Architecture and Installation of AGPM 899

    AGPM Architecture 899

    Installing AGPM 900

    What Happens after AGPM Is Installed? 906

    GPMC Differences with AGPM Client 906

    What’s With All the Access Denied Errors? 908

    Does the World Change Right Away? 908

    Understanding the AGPM Delegation Model 908

    AGPM Delegation Roles 909

    AGPM Common Tasks 912

    Understanding and Working with AGPM’s Flow 914

    Controlling Your Currently Uncontrolled GPOs 915

    Creating a GPO and Immediately Controlling It 918

    Check Out a GPO 919

    Viewing Reports about a Controlled GPO 921

    Editing a Checked-Out Offline Copy of a GPO 921

    Performing a Check In of a Changed GPO 923

    Deploying a GPO into Production 924

    Making Additional Changes to a GPO and Labeling a GPO 926

    Using History and Differences to Roll Back a GPO 927

    Using “Import from Production” to Catch Up a GPO 931

    Uncontrolling, Restoring, and Destroying a GPO 932

    Searching for GPOs Using the Search Box 934

    AGPM Tasks with Multiple Admins 935

    E‑mail Preparations and Configurations for AGPM Requests 936

    Adding Someone to the AGPM System 939

    Requesting the Creation of New Controlled GPO 943

    Approving or Rejecting a Pending Request 944

    Editing the GPO Offline via Check Out/Check In 946

    Requesting Deployment of the GPO 946

    Analyzing a GPO (as a Reviewer) 948

    Advanced Configuration and Troubleshooting of AGPM 950

    Production Delegation 950

    Auto-Deleting Old GPO Versions 951

    Export and Import of Controlled GPOs between Forests and/or Domains 951

    Troubleshooting AGPM Permissions 953

    Leveraging AGPM Templates 955

    Changing Permissions on GPO Archives 958

    Backing Up, Restoring, and Moving the AGPM Server 959

    Changing the Port That AGPM Uses 962

    Events from AGPM 963

    Leveraging the Built-in AGPM ADMX Template 963

    Final Thoughts 968

    Appendix D Security Compliance Manager 969

    SCM: Installation 970

    SCM: Getting Around 972

    SCM: Usual Use Case 974

    Importing Existing GPOs 980

    Comparing and Merging Baselines 980

    LocalGPO Tool 983

    Installing SCM’s LocalGPO Tool 984

    Using SCM’s LocalGPO 985

    Final Thoughts on LocalGPO and SCM 989

    Appendix E Microsoft Intune and PolicyPak Cloud 991

    Microsoft Intune 991

    Getting Started with Microsoft Intune 992

    Using Microsoft Intune 995

    Setting Up Microsoft Intune Groups 995

    Setting Up Policies Using Microsoft Intune 996

    Microsoft Intune and Group Policy Conflicts 997

    Final Thoughts on Microsoft Intune 998

    PolicyPak Cloud 998

    PolicyPak Cloud 101 999

    Understanding PolicyPak Cloud Policies 999

    Creating and Using PolicyPak Cloud Groups 1001

    Joining PolicyPak Cloud 1001

    Final Thoughts on PolicyPak Cloud 1003

    Final Thoughts on Microsoft Intune and PolicyPak Cloud 1003

    Index 1005

Group Policy

£38.00

RRP £47.50 – you save £9.50 (20%)

A Paperback / softback by Jeremy Moskowitz

    Publisher: John Wiley & Sons Inc
    Publication Date: 24/08/2015
    ISBN13: 9781119035589, 978-1119035589
    ISBN10: 1119035589


      UAC Policy Setting Suggestions 548

      Wireless (802.3) and Wired Network (802.11) Policies 551

      802.11 Wireless Policy for Windows XP 552

      802.11 Wireless Policy and 802.3 Wired Policy for Modern Windows 553

      Configuring Windows Firewall with Group Policy 554

      Manipulating the Windows Firewall (the Old Way) 557

      Windows Firewall with Advanced Security WFAS 558

      IPsec (Now in Windows Firewall with Advanced Security) 567

      How Windows Firewall Rules Are Ultimately Calculated 572

      Final Thoughts 576

      Chapter 9 Profiles: Local, Roaming, and Mandatory 579

      Setting the Stage for Multiple Clients 579

      What Is a User Profile? 583

      The NTUSER.DAT File 583

      Profile Folders for Type 1 Computers (Windows XP and Windows 2003 Server) 584

      Profile Folders for Type 2–5 Computers (Windows Vista and Later) 586

      The Default Local User Profile 591

      The Default Network User Profile 594

      Roaming Profiles 599

      Are Roaming Profiles “Evil”? And What Are the Alternatives? 601

      Setting Up Roaming Profiles 604

      Testing Roaming Profiles 608

      Roaming and Nonroaming Folders 610

      Managing Roaming Profiles 614

      Manipulating Roaming Profiles with Computer Group Policy Settings 617

      Manipulating Roaming Profiles with User Group Policy Settings 630

      Mandatory Profiles 635

      Establishing Mandatory Profiles for Windows XP 636

      Establishing Mandatory Profiles for Modern Windows 638

      Mandatory Profiles—Finishing Touches 639

      Forced Mandatory Profiles (Super-Mandatory) 640

      Final Thoughts 642

      Chapter 10 The Managed Desktop, Part 1: Redirected Folders, Offline Files, and the Synchronization Manager 643

      Redirected Folders 644

      Available Folders to Redirect 644

      Redirected Documents/My Documents 645

      Redirecting the Start Menu and the Desktop 665

      Redirecting the Application Data Folder 666

      Group Policy Setting for Folder Redirection 667

      Troubleshooting Redirected Folders 669

      Offline Files and Synchronization 672

      Making Offline Files Available 673

      Inside Windows 10 File Synchronization 676

      Handling Conflicts 684

      Client Configuration of Offline Files 686

      Using Folder Redirection and Offline Files over Slow Links 694

      Synchronizing over Slow Links with Redirected My Documents 695

      Synchronizing over Slow Links with Regular Shares 697

      Teaching Windows 10 How to React to Slow Links 698

      Using Group Policy to Configure Offline Files (User and Computer Node) 702

      Troubleshooting Sync Center 710

      Turning Off Folder Redirection’s Automatic Offline Caching for Desktops 712

      Final Thoughts 720

      Chapter 11 The Managed Desktop, Part 2: Software Deployment via Group Policy 723

      Group Policy Software Installation (GPSI) Overview 724

      The Windows Installer Service 726

      Understanding .MSI Packages 726

      Utilizing an Existing .MSI Package 727

      Assigning and Publishing Applications 732

      Assigning Applications 732

      Publishing Applications 733

      Rules of Deployment 734

      Package-Targeting Strategy 734

      Advanced Published or Assigned 745

      The General Tab 746

      The Deployment Tab 746

      The Upgrades Tab 750

      The Categories Tab 752

      The Modifications Tab 752

      The Security Tab 754

      Default Group Policy Software Installation Properties 755

      The General Tab 755

      The Advanced Tab 756

      The File Extensions Tab 757

      The Categories Tab 757

      Removing Applications 757

      Users Can Manually Change or Remove Applications 758

      Automatically Removing Assigned or Published .MSI Applications 758

      Forcibly Removing Assigned or Published .MSI Applications 759

      Using Group Policy Software Installation over Slow Links 761

      MSI, the Windows Installer, and Group Policy 764

      Inside the MSIEXEC Tool 764

      Patching a Distribution Point 765

      Affecting Windows Installer with Group Policy 767

      Deploying Office 2010 and Later Using Group Policy (MSI Version) 771

      Steps to Office 2013 and 2016 Deployment Using Group Policy 772

      Result of Your Office Deployment Using Group Policy 782

      Installing Office Using Click-to-Run 783

      Getting Office Click-to-Run 784

      Installing Office Click-to-Run by Hand 784

      Deploying Office Click-to-Run via Group Policy 786

      System Center Configuration Manager vs. Group Policy (and Alternatives) 793

      Final Thoughts 796

      Chapter 12 Finishing Touches with Group Policy: Scripts, Internet Explorer, Hardware Control, Printer Deployment, Local Admin Password Control 797

      Scripts: Logon, Logoff, Startup, and Shutdown 798

      Non-PowerShell-Based Scripts 798

      Deploying PowerShell Scripts to Windows 7 and Later Clients 801

      Managing Internet Explorer with Group Policy 802

      Managing Internet Explorer with Group Policy Preferences 803

      Internet Explorer’s Group Policy Settings 805

      Understanding Internet Explorer 11’s Enterprise Mode 806

      Managing Internet Explorer 11 Using PolicyPak Application Manager 808

      Restricting Access to Hardware via Group Policy 808

      Group Policy Preferences Devices Extension 809

      Restricting Driver Access with Policy Settings 814

      Getting a Handle on Classes and IDs 815

      Restricting or Allowing Your Hardware via Group Policy 817

      Understanding the Remaining Policy Settings for Hardware Restrictions 819

      Assigning Printers via Group Policy 821

      Zapping Down Printers to Users and Computers (a Refresher) 821

      Implementing Rotating Local Passwords with LAPS 830

      What to Install from LAPS 831

      Extending the Schema and Setting LAPS Permissions 832

      Using a Group Policy Object to Manage LAPS 835

      Using LAPS Management’s Tools: Fat Client and PowerShell 836

      Final Thoughts for This Chapter and for the Book 838

      Appendix A Scripting Group Policy Operations with Windows PowerShell 839

      Using PowerShell to Do More with Group Policy 840

      Preparing for Your PowerShell Experience 841

      Getting Started with PowerShell 842

      Documenting Your Group Policy World with PowerShell 846

      Setting GPO Permissions 867

      Manipulating GPOs with PowerShell 870

      Performing a Remote GPupdate (Invoking GPupdate) 880

      Replacing Microsoft’s GPMC Scripts with PowerShell Equivalents 881

      Final Thoughts 883

      Appendix B Group Policy and VDI 885

      Why Is VDI Different? 886

      Tuning Your Images for VDI 887

      Specific Functions to Turn Off for VDI Machines 888

      Group Policy Settings to Set and Avoid for Maximum VDI Performance 889

      Group Policy Tweaks for Fast VDI Video 891

      Tweaking RDP Using Group Policy for VDI 891

      Tweaking RemoteFX using Group Policy for VDI 892

      Managing and Locking Down Desktop UI Tweaks 893

      Final Thoughts for VDI and Group Policy 894

      Appendix C Advanced Group Policy Management 897

      The Challenge of Group Policy Change Management 898

      Architecture and Installation of AGPM 899

      AGPM Architecture 899

      Installing AGPM 900

      What Happens after AGPM Is Installed? 906

      GPMC Differences with AGPM Client 906

      What’s With All the Access Denied Errors? 908

      Does the World Change Right Away? 908

      Understanding the AGPM Delegation Model 908

      AGPM Delegation Roles 909

      AGPM Common Tasks 912

      Understanding and Working with AGPM’s Flow 914

      Controlling Your Currently Uncontrolled GPOs 915

      Creating a GPO and Immediately Controlling It 918

      Check Out a GPO 919

      Viewing Reports about a Controlled GPO 921

      Editing a Checked-Out Offline Copy of a GPO 921

      Performing a Check In of a Changed GPO 923

      Deploying a GPO into Production 924

      Making Additional Changes to a GPO and Labeling a GPO 926

      Using History and Differences to Roll Back a GPO 927

      Using “Import from Production” to Catch Up a GPO 931

      Uncontrolling, Restoring, and Destroying a GPO 932

      Searching for GPOs Using the Search Box 934

      AGPM Tasks with Multiple Admins 935

      E‑mail Preparations and Configurations for AGPM Requests 936

      Adding Someone to the AGPM System 939

      Requesting the Creation of New Controlled GPO 943

      Approving or Rejecting a Pending Request 944

      Editing the GPO Offline via Check Out/Check In 946

      Requesting Deployment of the GPO 946

      Analyzing a GPO (as a Reviewer) 948

      Advanced Configuration and Troubleshooting of AGPM 950

      Production Delegation 950

      Auto-Deleting Old GPO Versions 951

      Export and Import of Controlled GPOs between Forests and/or Domains 951

      Troubleshooting AGPM Permissions 953

      Leveraging AGPM Templates 955

      Changing Permissions on GPO Archives 958

      Backing Up, Restoring, and Moving the AGPM Server 959

      Changing the Port That AGPM Uses 962

      Events from AGPM 963

      Leveraging the Built-in AGPM ADMX Template 963

      Final Thoughts 968

      Appendix D Security Compliance Manager 969

      SCM: Installation 970

      SCM: Getting Around 972

      SCM: Usual Use Case 974

      Importing Existing GPOs 980

      Comparing and Merging Baselines 980

      LocalGPO Tool 983

      Installing SCM’s LocalGPO Tool 984

      Using SCM’s LocalGPO 985

      Final Thoughts on LocalGPO and SCM 989

      Appendix E Microsoft Intune and PolicyPak Cloud 991

      Microsoft Intune 991

      Getting Started with Microsoft Intune 992

      Using Microsoft Intune 995

      Setting Up Microsoft Intune Groups 995

      Setting Up Policies Using Microsoft Intune 996

      Microsoft Intune and Group Policy Conflicts 997

      Final Thoughts on Microsoft Intune 998

      PolicyPak Cloud 998

      PolicyPak Cloud 101 999

      Understanding PolicyPak Cloud Policies 999

      Creating and Using PolicyPak Cloud Groups 1001

      Joining PolicyPak Cloud 1001

      Final Thoughts on PolicyPak Cloud 1003

      Final Thoughts on Microsoft Intune and PolicyPak Cloud 1003

      Index 1005


    © 2026 Book Curl
