Group Policy settings and preferences - Training Guide Administering Windows Server 2012 R2 (2014)


Chapter 6. Group Policy settings and preferences

Rather than having to configure settings such as mapped network drives and network printers on a per-computer basis, Group Policy enables you to centralize the configuration of a large number of computers. Even if you only work with server products such as Exchange Server and SQL Server, you’ll need to interact with Group Policy on a regular basis. Rather than take you through every possible Group Policy setting, this chapter includes three lessons that take you through commonly used basic Group Policy settings, discuss how to extend Group Policy through the use of administrative templates, and show how to use the Group Policy preferences feature to minimize the need for logon and startup scripts.

Lessons in this chapter:

- Lesson 1: Folder redirection, software installation, and scripts

- Lesson 2: Administrative templates

- Lesson 3: Group Policy preferences

Before you begin

To complete the practice exercises in this chapter:

- You need to have deployed computers SYD-DC, MEL-DC, and ADL-DC, as described in the Introduction, using the evaluation edition of Windows Server 2012 R2.

Lesson 1: Folder redirection, software installation, and scripts

There are approximately 3,600 policies in a standard Group Policy Object (GPO). It is fair to say that few people, if anyone, know exactly what they all do. As a server administrator, you’ll tend to specialize in the areas that you find interesting and useful. If you are responsible for managing client computers running the Windows 7, Windows 8, and Windows 8.1 operating systems, you’ll be interested in Group Policy items that you can use with client computers—specifically, redirecting folders; installing software; and controlling startup, shutdown, logon, and logoff scripts.


After this lesson, you will be able to:

- Configure Folder Redirection.

- Perform software installation.

- Configure scripts using Group Policy.

Estimated lesson time: 45 minutes


Folder Redirection

In many organizations, such as call centers and student computer labs, computer users aren’t assigned a set computer. Not having a set computer provides challenges in terms of computer personalization and storage of user data. Folder Redirection enables you to redirect commonly used folders, such as the desktop and Start menu, from a local hard disk to a network location. The benefit is that by redirecting folders, users can get the same experience independently of which computer they sign on to. For example, you could redirect the desktop folder to a location on the network, and any file or folder that a user saved on the desktop would be automatically available on the desktop of any other computer that they signed on to in the domain.

You can also use Folder Redirection with offline files. When you do this, users have access to redirected folders if they are using a laptop or if the connection to the network is lost. It requires that you have Offline Files configured and that the user has made an initial connection to the network, but it provides another way to ensure that the user gets a consistent experience independent of which computer they sign on to.

You can configure Group Policy to redirect the following folders.

- AppData(Roaming)

- Desktop

- Start menu

- Documents

- Pictures

- Music

- Videos

- Contacts

- Downloads

- Links

- Searches

- Saved games

Folder Redirection policies are located in the User Configuration\Policies\Windows Settings\Folder Redirection node of a GPO, as shown in Figure 6-1.

FIGURE 6-1 Folder Redirection policies

Beyond providing a consistent user experience, Folder Redirection enables you to ensure that important user data is backed up. Rather than worrying about backing up individual client computers, you configure Folder Redirection and instead ensure that the server that hosts the redirected folders is subject to stringent data protection policies.


Real World: Backing up client data

In some organizations, up to 60 percent of the important data is stored on clients. People don’t think about it as a big risk because if you have 60 percent of your data spread across hundreds of clients, losing one client doesn’t mean losing much data. In reality, the loss of data on one client computer can cost an organization thousands, even tens of thousands, of dollars. User data stored on client machines is often worth more than the machine itself because it took someone who was getting paid a certain amount of money per hour, many hours to generate that data. Lose that data and the investment the organization made in generating that data may be lost.


You configure Folder Redirection on a per-folder basis. When you configure a Folder Redirection policy, you choose between the following options:

- Basic: This option redirects the folders of everyone subject to the policy to the same root path. When you select this option, you can configure the following options for the target folder location:

- Create A Folder For Each User Under The Root Path: This option is shown in Figure 6-2. The user’s folder is created automatically under the root path you specify.

FIGURE 6-2 The Basic Folder Redirection setting

- Redirect To The Following Location: Use this when you want to redirect folders to a common shared location instead of to an individual one.

- Redirect To The Local Userprofile Location: Use this option to return the folder to its default location in the local user profile on the computer. This option effectively switches off redirection for that folder.

- Advanced: The Advanced option enables you to choose the same target options as the Basic option, except that you choose the target on the basis of Active Directory security group membership. For example, members of the Research group might be redirected to \\FS1\FolderRedirection, and members of the Astronomy group might be redirected to \\FS2\FolderRedirection.

When configuring Folder Redirection for the Pictures, Music, and Videos folders, you can choose the Follow The Documents Folder option. When you do this, these folders become subfolders of the redirected Documents folder and inherit its target.


Real World: Simplicity beats complexity

Having the Pictures, Music, and Videos folders follow the Documents folder simplifies the management of shared folders. On the other hand, most organizations that aren’t involved in producing music and video content have strict rules about the storage of that content on their servers and won’t configure redirection for these specific folders.


When creating the network share that will host redirected folders, set the following permissions so that each user’s folder can be created automatically, but so that no user can browse anyone else’s redirected folders:

- Share permissions for the root folder
  - User’s security group: Read and Write

- NTFS permissions on the root folder
  - User’s security group: List Folder/Read Data, Create Folders/Append Data, applied to this folder only
  - CREATOR OWNER: Full Control, applied to subfolders and files only, so that the user who creates a folder owns it and is the only non-administrative account that can open it
  - Local System: Full Control

The “this folder only” scope on the users’ group is what matters for confidentiality: if that entry is allowed to inherit to subfolders, every member of the group can read every other member’s redirected Documents and Desktop. Leave the Grant The User Exclusive Rights option on the policy’s Settings tab selected as well, so that Windows strips everyone but the user and Local System from each folder it creates.

When configuring Folder Redirection, keep the following in mind:

- Enable Offline Files on all computers that are subject to Folder Redirection policies. Doing this ensures that redirected folders are available if network connectivity is lost. When you do this, ensure that Offline Files caching is also enabled on the shared folder itself.

- Ensure that redirected folders are hosted on a fault tolerant storage space or volume.

- Ensure that the servers that host redirected folders are regularly backed up.

- Redirect only to shared folders within the same site. Although laptop computers subject to Folder Redirection policies may occasionally be used at branch office sites (in which case Offline Files functionality applies), do not configure Folder Redirection policies that redirect local folders to locations on remote networks.

To redirect a folder, perform the following steps:

1. Configure a shared folder with the appropriate permissions.

2. Create and edit a Group Policy that applies to the users whose folders you want to redirect.

3. In the User Configuration\Policies\Windows Settings\Folder Redirection node, right-click the first folder that you want to configure redirection for and click Properties.

4. Use the Setting drop-down menu to select the Basic or Advanced option and then configure the target folder location.

5. Repeat steps 3 and 4 for each folder that you want to redirect.
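Step 1 in PowerShell, as an added example that is not part of the Training Guide. It creates the root folder, replaces the inherited NTFS ACL with the entries listed earlier, scopes the users’ group to the root folder only, gives CREATOR OWNER Full Control of subfolders and files, shares the folder with Read and Write (Change) share permissions, turns on access-based enumeration and Offline Files caching, and prints the resulting ACLs for checking. The path D:\Redirect, the share name Redirect$, and the group CONTOSO\FolderRedirectionUsers are assumptions to replace with your own; the SmbShare cmdlets need Windows Server 2012 or later.

```powershell
# Added example, not from the Training Guide. Assumptions: root folder D:\Redirect,
# share name Redirect$, users' group CONTOSO\FolderRedirectionUsers; run as a local
# administrator on the file server (Windows Server 2012 or later for the SmbShare module).
$Root      = 'D:\Redirect'
$ShareName = 'Redirect$'
$UserGroup = 'CONTOSO\FolderRedirectionUsers'

# Helper: build one Allow ACE. Inheritance and propagation flags set the scope
# ("this folder only" = None/None; "subfolders and files only" = both flags/InheritOnly).
function New-AllowAce {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inheritance,
        [System.Security.AccessControl.PropagationFlags]$Propagation
    )
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inheritance, $Propagation, 'Allow'
}

New-Item -Path $Root -ItemType Directory -Force | Out-Null

# Start from an empty DACL: disable inheritance without copying the inherited ACEs,
# then drop any explicit ACEs, so nothing like BUILTIN\Users:Read leaks in from the volume root.
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access)) { $null = $acl.RemoveAccessRule($ace) }

# Users' group: List Folder/Read Data + Create Folders/Append Data, this folder only.
# Enough to create their own subfolder, not enough to list or open anyone else's.
$acl.AddAccessRule((New-AllowAce $UserGroup 'ListDirectory, CreateDirectories' 'None' 'None'))
# CREATOR OWNER: Full Control on subfolders and files only. The user who creates a
# folder becomes its owner and this ACE is copied onto that folder for that user alone.
$acl.AddAccessRule((New-AllowAce 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
# Local System: Full Control on this folder, subfolders and files.
$acl.AddAccessRule((New-AllowAce 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
# Administrators: Full Control, so backup and support staff can reach the data.
$acl.AddAccessRule((New-AllowAce 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
Set-Acl -Path $Root -AclObject $acl

# Share permissions: Read and Write (Change) for the users' group only. Access-based
# enumeration hides other users' folders from directory listings, and CachingMode
# Documents enables Offline Files caching at the share level.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Root -ChangeAccess $UserGroup `
        -FolderEnumerationMode AccessBased -CachingMode Documents | Out-Null
}

# Check the result against the lesson's list before pointing a GPO at the share.
(Get-Acl -Path $Root).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize
Get-SmbShareAccess -Name $ShareName | Format-Table -AutoSize
```

After a user has signed on and had a folder created, run Get-Acl against that user’s subfolder as well: it should list only that user (inherited from CREATOR OWNER), SYSTEM, and Administrators, and a second member of the group should receive Access Denied when opening it.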


Note: Multiple logons required

The user may have to sign on two or three times before redirection is fully in place. Client computers process Group Policy asynchronously at logon by default (Fast Logon Optimization), and Folder Redirection is applied only during synchronous foreground processing: the first logon registers the policy and flags the next logon for synchronous processing, and that later logon creates the folders and moves their contents. If the target share is unreachable at that point, the move is retried at a subsequent logon.


Software installation

Getting software onto users’ computers is a core task for IT professionals. In the era of Windows 95 and Windows NT 4.0, this usually meant travelling to the user’s computer with a box of diskettes or CD-ROMs. Rather than having to install software locally, you can use Group Policy to deploy software to users and computers. When you do this, the software is installed over the network, and it is no longer necessary to visit each computer individually to install a program. Group Policy supports software deployment for applications that use the Windows Installer (.msi) format, and for installers in .exe format if you describe them with specially prepared .zap files (see the following sections).

.msi files

.msi files represent packaged applications in Microsoft Windows Installer (MSI) format. Files in this format include the information necessary to instruct an operating system on how to install the application, repair the application, and remove the application. Applications installed from .msi files are more likely to uninstall cleanly than applications deployed in other manners because the packaging process involves recording the precise system changes that occur when the application is installed on a reference computer. Applications in MSI format can be deployed using Group Policy, but you can also install them manually or deploy them using management products such as Windows Intune or System Center 2012 R2 Configuration Manager.


Real World: Packaging applications

Packaging an application involves installing the application on a reference system using a traditional installer and then recording the changes the application makes to the system, including files, folders, settings, and the registry. There are third-party tools available that enable you to package applications that use installers in EXE format so that they can be deployed in MSI format. You can also use the App-V sequencer, available in the Microsoft Desktop Optimization Pack (MDOP) to create virtualized applications in MSI format, though running these requires the App-V client.


.zap files

You can use Group Policy to deploy installers in EXE format through .zap files, plain text files that describe the installer to Group Policy, under the following conditions:

- The installation must complete without requiring elevated privileges. The installer runs in the signed-on user’s security context; unlike a Windows Installer package, it is not run by the Windows Installer service.

- The .zap file can only be published to users. You cannot use the Assigned deployment type for users or computers.

- Once published, the user installs the application from the Programs And Features item in Control Panel.

Because the installation cannot require elevated privileges, .zap files cannot deploy most applications in EXE format: most of them require elevated privileges to install on computers running Windows Vista, Windows 7, Windows 8, or Windows 8.1.

The .zap file must include the following fields in its [Application] section:

- FriendlyName: A simple name that identifies the application in Programs And Features.

- SetupCommand: The path to the application installer, normally a UNC path to a shared folder that the user can read.

For example, you need to install an application named CompanyApp. The installer for this application, Setup.exe, is located on the shared folder with the UNC path \\Sydney-FS\Deployment. A .zap file created to install this application would have the following format.

[Application]
FriendlyName = "CompanyApp"
SetupCommand = "\\Sydney-FS\Deployment\setup.exe"


Real World: Limitations and utility

The reason you’ve probably never heard of .zap files is because most .exe files require elevated privileges to install. As you don’t want average users signing on with privileged accounts, it means that .zap files are pretty limited in their utility.
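A small builder and checker for .zap files, added here as an example and not taken from the Training Guide. New-ZapFile writes the [Application] section shown above; Test-ZapFile parses a .zap file back, confirms that FriendlyName and SetupCommand are present, and rejects a SetupCommand that is not a UNC path, because the installer runs on the client in the user’s context and a local drive letter from the authoring machine will not resolve there. DisplayVersion and Publisher are optional keys that I assume Programs And Features displays; the share \\Sydney-FS\Deployment and the application name are the lesson’s hypothetical values, and the sample file is written to the TEMP folder.

```powershell
# Added example, not from the Training Guide. The share \\Sydney-FS\Deployment and the
# application CompanyApp are the lesson's hypothetical values; nothing here is installed.

function New-ZapFile {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$FriendlyName,
        [Parameter(Mandatory = $true)][string]$SetupCommand,
        [string]$DisplayVersion,
        [string]$Publisher
    )
    $lines = @('[Application]',
               "FriendlyName = `"$FriendlyName`"",
               "SetupCommand = `"$SetupCommand`"")
    # Optional keys (assumption: shown by Programs And Features; omit them if unsure).
    if ($DisplayVersion) { $lines += "DisplayVersion = `"$DisplayVersion`"" }
    if ($Publisher)      { $lines += "Publisher = `"$Publisher`"" }
    # .zap files are plain text; ASCII avoids a byte-order mark at the start of the file.
    Set-Content -Path $Path -Value $lines -Encoding Ascii
}

function Test-ZapFile {
    param([Parameter(Mandatory = $true)][string]$Path, [switch]$CheckTarget)
    $app = @{}
    $problems = @()
    $section = ''
    # Minimal INI reader: track the current [Section] and collect key = value lines
    # from [Application]. Surrounding quotes are stripped from every value except
    # SetupCommand, whose quoting may be significant when the path contains spaces.
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'Application' -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $key   = $Matches[1].Trim()
            $value = $Matches[2].Trim()
            if ($key -ne 'SetupCommand' -and $value -match '^"([^"]*)"$') { $value = $Matches[1] }
            $app[$key] = $value
        }
    }
    foreach ($required in 'FriendlyName', 'SetupCommand') {
        if (-not $app.ContainsKey($required) -or $app[$required] -eq '') {
            $problems += "Missing required key: $required"
        }
    }
    if ($app.ContainsKey('SetupCommand')) {
        $cmd = $app['SetupCommand']
        # The executable is the leading quoted token, or else the first whitespace-delimited token.
        if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
        # Group Policy runs the command on the client as the user, so it must be a UNC path
        # the user can read, never a local drive letter from the authoring machine.
        if ($exe -notmatch '^\\\\[^\\]+\\[^\\]+\\') { $problems += "SetupCommand is not a UNC path: $exe" }
        if ($CheckTarget -and -not (Test-Path -LiteralPath $exe)) { $problems += "Installer not found: $exe" }
    }
    [pscustomobject]@{
        Path        = $Path
        Application = $app
        Problems    = $problems
        IsValid     = ($problems.Count -eq 0)
    }
}

# Constructed sample: write the lesson's CompanyApp .zap to TEMP and check it
# (without -CheckTarget, because \\Sydney-FS does not exist on this machine).
$zapPath = Join-Path $env:TEMP 'CompanyApp.zap'
New-ZapFile -Path $zapPath -FriendlyName 'CompanyApp' -SetupCommand '\\Sydney-FS\Deployment\setup.exe' -DisplayVersion '1.0'
Test-ZapFile -Path $zapPath | Format-List
```

Run Test-ZapFile with -CheckTarget from a client that can reach the share, as a user rather than an administrator, to catch the two failures the lesson warns about: an unreadable share and an installer that is going to demand elevation.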


You have two options when deploying software using Group Policy. You can assign an application, or you can publish the application, as shown in Figure 6-3. The Advanced option enables you to configure advanced published or assigned settings.

FIGURE 6-3 Publish or assign

Assign an application

Assigning an application means that the application installs automatically. How an application installs automatically depends on whether the application is assigned to a user or to a computer. If you assign an application to a computer, the application installs when the computer starts up. If you assign an application to a user, the application installs after the user signs on.

When you configure an application to be assigned, you can configure the following deployment options, shown in Figure 6-4:

- Uninstall The Application When It Falls Out Of The Scope Of Management

- Do Not Display This Package In The Add/Remove Programs Control Panel

- Install This Application At Logon

FIGURE 6-4 Assigned application options

If you enable the option to uninstall the application when it falls out of the scope of management, the application is removed when the policy that installed it no longer applies to the user or computer. For example, if you assigned the application through a GPO linked to an organizational unit (OU) that contains a user account, and the application was installed when that user signed on, moving the user account to an OU that the GPO is not linked to (or unlinking or deleting the GPO) causes the application to be uninstalled the next time that user’s policy is processed. Software installed for one user is not removed simply because a different user signs on to the same computer.


Real World: Out of scope of management

If you want to ensure that an application is removed when a user signs off from a particular computer, you’re better off using App-V, which enables application streaming. This means that the application is delivered over the network automatically when a user who needs to access the application signs on. App-V is part of the MDOP.


Publishing applications

Applications can be published only to users, not computers. When you publish an application to a user, the application becomes available in the following ways:

- If the user opens a file whose extension is associated with the application, the application installs automatically.

- The user can choose to install the program through the Programs And Features item in Control Panel. The user does not require administrative privileges to perform this action.


Real World: Use Configuration Manager or Windows Intune

Software installation through Group Policy works in small environments, but the lack of reporting functionality means that you can’t really be sure whether an application has installed. In larger environments, you should consider deploying System Center 2012 R2 Configuration Manager or Windows Intune. These products enable you to verify that deployed software has installed to the target users or computers.


Software deployment recommendations

There are a few things to keep in mind when deploying software using Group Policy:

- Ensure that the Everyone group has Read access at the network share level to the shared folder that hosts the installation files. In multisite organizations, consider using the Distributed File System (DFS) because it minimizes the chance that the installation will occur over a wide area network (WAN) link.

- Consider creating a GPO for each application. This reduces the amount of effort required to track which GPO is associated with each application.

- Link the GPO as close to the user or computer account as possible. For example, if you are deploying an application to users in the Astronomy OU, link the GPO to the Astronomy OU. If you then need to deploy the same application to users in another OU, link the same GPO to that OU.

- If you need to deploy to only a small number of users, configure a security filter on the GPO and then link the GPO as close as possible to the user accounts.

- Deploy commonly used applications in the installation image. Only use Group Policy to deploy applications that you have not included in the deployment image.

Performing software deployment

To assign an application, perform the following steps:

1. Place the application’s .msi file on a shared folder to which the Everyone group has read access.

2. Create a new GPO and link it at the appropriate location, such as to the OU that hosts the user or to computer accounts to which you want to deploy software.

3. If deploying to a user account, expand the User Configuration\Policies\Software Settings node and right-click Software Installation. If deploying to a computer account, expand the Computer Configuration\Policies\Software Settings node and right-click Software Installation.

4. Click New and click Package.

5. Navigate to the shared folder that hosts the package, select the package, and click Open. Ensure that you don’t navigate to the local address.

6. If you are deploying to a user, choose between Published and Assigned. If you are deploying to a computer, choose Assigned; software cannot be published to computers.

7. Right-click the software package and configure any advanced deployment options.


Quick check

- Which one of the following options is possible: publishing or assigning software to a computer through Group Policy?

Quick check answer

- You can only assign software to a computer through Group Policy. You can’t publish software to a computer through Group Policy.


Upgrading packages

You can use a Group Policy software deployment to upgrade existing deployed packages. To do this, create a new software deployment using the upgraded package. When you have created the deployment, edit the properties of the new package. On the Upgrades tab, specify the package that you want to replace, as shown in Figure 6-5.

FIGURE 6-5 Upgrading an application


Real World: Test before putting into production

Each package can behave quite differently, and attempting to upgrade packages can lead to mixed results if you haven’t tested the process thoroughly. This is another area where I recommend using App-V over locally deployed packages. When you use App-V, a new version of the sequenced application is deployed rather than an attempt being made to upgrade the existing version of the package.


Scripts

As an experienced administrator, you know what a script is and how it works. You’ve probably even written a few of them yourself. Group Policy enables you to deploy scripts to users and computers. Most people use scripts with Group Policy to accomplish tasks that normally couldn’t be accomplished with Group Policy. In the past, this primarily involved tasks such as mapping printers and shared network drives, which can now be accomplished with Group Policy preferences. Scripts can be in any format that will run on the client. It may be necessary to configure the client to support scripts that are not in .bat, .cmd, or the Windows PowerShell format.


Real World: Group Policy preferences

I’ve heard speakers at TechED suggest that Group Policy preferences are a way to get rid of logon and startup scripts entirely. This is true in many cases, especially where scripts are used to map drives and printers. Sometimes you might have to use a script to do something, but if you use Group Policy preferences properly, it will be the exception rather than the rule.


There are four types of scripts you can configure using Group Policy:

- Startup script: This script executes when the computer starts up, but before a user logs on. You assign this script in a GPO that applies to the computer account.

- Logon script: This script executes when the user logs on. You assign this script in a GPO that applies to the user account.

- Logoff script: This script executes when a user logs off. You assign this script in a GPO that applies to the user account. The Group Policy items for assigning logon and logoff scripts are shown in Figure 6-6.

FIGURE 6-6 Assigning logon and logoff policies

- Shutdown script: This script executes when a computer shuts down. You assign this script in a GPO that applies to the computer account.

Scripts assigned to the computer run with the rights and privileges of the computer’s Local System account; scripts assigned to the user run with the user’s rights and privileges. Scripts must be stored on shared folders on the network. Be careful about the security permissions on these folders: anyone who can modify a startup or shutdown script can run code as Local System on every computer that processes the GPO, and anyone who can modify a logon script can run code as every user who processes it. Give users and computers Read (and Execute) access only, and restrict write access to the administrators who maintain the scripts. Microsoft recommends the Netlogon share, which is replicated to every domain controller with SYSVOL and is writable only by administrators by default, but you can use any share with equivalent permissions.

To deploy scripts, perform the following steps:

1. Create a network share to which the Everyone group has only Read access.

2. Copy the script to be deployed to this share.

3. Edit the GPO that you want to use to deploy the script.

4. If you want to configure a logon or a logoff script, navigate to the User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff node).

5. If you want to configure a startup or a shutdown script, navigate to the Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown node).

6. Right-click the script type that you want to configure, and click Properties.

7. On the Script Properties page, shown in Figure 6-7, click Add to add a script in batch file format. If you are adding a Windows PowerShell script, select the PowerShell Scripts tab. If you want multiple scripts to run, you can use this tab to configure the order in which the scripts run.

FIGURE 6-7 Script policies
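An audit of a scripts share, added as an example and not part of the Training Guide. It walks every folder and file under the share and reports every Allow ACE that carries a write-capable right (or an unmapped generic write/all right) for a principal outside a list of trusted writers, plus any item whose owner is outside that list, since an owner can always rewrite the DACL. The share \\SYD-DC\NETLOGON, the CONTOSO domain groups and the trusted list are assumptions; extend the list with whichever administrative group maintains your scripts.

```powershell
# Added example, not from the Training Guide. Assumptions: the scripts share is the
# Netlogon share of SYD-DC, the domain NetBIOS name is CONTOSO, and $TrustedWriters
# lists every principal that is allowed to change scripts; everything else is a finding.
$SharePath      = '\\SYD-DC\NETLOGON'
$TrustedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER',
                    'CONTOSO\Domain Admins', 'CONTOSO\Enterprise Admins')

# Specific rights that let a principal alter a script or the folder that holds it.
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask   = $writeRights.value__
# Unmapped generic rights seen in some ACEs: GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000).
$genericMask = 0x50000000

function Test-WriteAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $bits = $Ace.FileSystemRights.value__
    return ((($bits -band $writeMask) -ne 0) -or (($bits -band $genericMask) -ne 0))
}

function Get-ScriptShareWriters {
    param([string]$Path, [string[]]$Trusted)
    # The root folder plus every file and folder below it, including hidden ones.
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ((Test-WriteAce $ace) -and ($Trusted -notcontains $ace.IdentityReference.Value)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
        # Ownership matters too: the owner can always rewrite the DACL, whatever it says now.
        if ($Trusted -notcontains $acl.Owner) {
            [pscustomobject]@{ Path = $item.FullName; Identity = $acl.Owner; Rights = 'Owner'; Inherited = $false }
        }
    }
}

$findings = @(Get-ScriptShareWriters -Path $SharePath -Trusted $TrustedWriters)
if ($findings.Count -eq 0) {
    "No untrusted principal can modify anything under $SharePath"
} else {
    $findings | Format-Table -AutoSize
}
```

NTFS is only half of the picture: check the share-level permissions too (Get-SmbShareAccess -Name NETLOGON -CimSession SYD-DC), because a share that grants Change to Everyone still lets a user rewrite a script wherever NTFS is more permissive than intended, and run the audit again whenever a script is added, since a new file can be created with its own ACL.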

Lesson summary

- Folder Redirection enables you to redirect important folders on client computers to network locations.

- You can use Folder Redirection with Offline Files to ensure that redirected folders are accessible when there is no network connectivity.

- You can use Group Policy to install software in MSI and ZAP format.

- ZAP format can only be used to install software that does not require elevated privileges to install.

- You can assign software to computers and users. When you assign software, it installs the next time the computer starts or the user logs on.

- You can publish software to users. This makes the software available to the user through Programs And Features.

- You can configure startup, shutdown, logon, and logoff scripts using Group Policy. These scripts can be in any scripting format understood by the client.

Lesson review

Answer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.

1. You are planning the deployment of scripts using Group Policy. You want to have a script run each time a user logs off that copies all their local files to a backup location on the network. Which of the following Group Policy items could you configure to accomplish this goal?

A. Startup script

B. Logoff script

C. Shutdown script

D. Logon script

2. A specific user who has the sole account in a specific OU always uses the same computer. The computer account is in an OU by itself. You want a particular software package to install the next time the user’s computer starts. Which of the following steps should you take to accomplish this goal?

A. Publish the package using the Computer Configuration\Policies\Software Settings node.

B. Assign the package using the Computer Configuration\Policies\Software Settings node.

C. Publish the package using the User Configuration\Policies\Software Settings node.

D. Assign the package using the User Configuration\Policies\Software Settings node.

3. You want to have three network drives automatically mapped each time a user signs on to the computer. This operation should occur using a script applied through Group Policy. Which of the following should you configure to accomplish this goal?

A. Startup script

B. Logoff script

C. Shutdown script

D. Logon script

4. You want to ensure that items such as folders and documents that a user stores on their desktop are available to them independently of which computer they sign on to in your organization’s AD DS domain. Which of the following Folder Redirection policies should you configure to accomplish this goal?

A. AppData(Roaming)

B. Desktop

C. Documents

D. Favorites

5. A specific user who has the sole account in a specific OU always uses the same computer. The computer account is also in an OU by itself. You want a particular software package to install the next time the user logs on. Which of the following steps should you take to accomplish this goal? (Choose all that apply.)

A. Assign the package using the User Configuration\Policies\Software Settings node.

B. Publish the package using the User Configuration\Policies\Software Settings node.

C. Assign the package using the Computer Configuration\Policies\Software Settings node.

D. Publish the package using the Computer Configuration\Policies\Software Settings node.

6. You want to ensure that a user’s Internet Explorer bookmarks are available to the user when they sign on to any computer in your organization’s Active Directory Domain Services (AD DS) domain. Which of the following Folder Redirection policies should you configure to accomplish this goal? (Choose all that apply.)

A. Favorites

B. Documents

C. Desktop

D. AppData(Roaming)

7. You want to force each computer that has an account in an Active Directory OU to perform a time synchronization against a specific time server each time the computer starts. You have created a script that performs this task. Which of the following steps must you take to ensure that the script is run in an appropriate manner? (Choose two. Each answer forms part of a complete solution.)

A. Create a GPO and apply it to the OU that hosts the computers.

B. Create a GPO and apply it to the domain.

C. Configure a policy in the Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown) node.

D. Configure a policy in the User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff) node.

8. You want a particular package to be available to users, but they need to install it using the Programs And Features item in Control Panel. Which of the following strategies could you use to accomplish this goal?

A. Publish the package using the User Configuration\Policies\Software Settings node.

B. Assign the package using the User Configuration\Policies\Software Settings node.

C. Publish the package using the Computer Configuration\Policies\Software Settings node.

D. Assign the package using the Computer Configuration\Policies\Software Settings node.

Lesson 2: Administrative templates

Administrative templates enable you to extend Group Policies so that you can use Group Policies to manage applications as well as operating system settings. For example, you can import an administrative template into a GPO that has settings related to a specific application. You can then use that extended GPO to apply those settings to users and computers just as you would operating system settings configured in a traditional GPO. In this lesson, you learn about administrative templates, and you’ll learn how to configure the Group Policy store so that you can import administrative templates and use them in GPOs. You’ll also learn about the ADMX Migrator and how to filter administrative templates so only relevant templates are displayed in the Group Policy Management Editor.


After this lesson, you will be able to:

- Edit administrative template settings.

- Import templates.

- Use ADMX Migrator.

- Use administrative template property filters.

Estimated lesson time: 60 minutes


Administrative templates

Administrative templates are stored in XML format in files that use the .admx extension. .admx files are language-neutral; the display strings are stored in a separate .adml file for each language. .admx files are stored in the Windows\PolicyDefinitions folder, and .adml files are stored in a language-specific subfolder of that folder, such as en-US.

Prior to the release of Windows Vista, administrative templates were in a non-XML format known as ADM. ADM files are still supported for Windows Server 2012 R2 GPOs. Most applications that run on the Windows 7, Windows 8, and Windows 8.1 clients were written after the release of Windows Vista. Those that do include administrative templates are likely to include them in ADMX format.


More Info: Managing .admx files

You can learn more about managing .admx files at http://technet.microsoft.com/en-us/library/cc709647(WS.10).aspx.


Administrative template settings

You edit the settings in administrative templates in the same manner that you edit other Group Policy item settings. Policies located in the Administrative Templates node are processed in the same manner as other Group Policy items. There are more than 1,500 administrative template policy items available in a Windows Server 2012 R2 GPO, and some of these policy items are shown in Figure 6-8. You can add additional settings by importing administrative templates into the central store. Administrative templates are often provided with applications, or they can be downloaded from the support websites of application vendors.

FIGURE 6-8 Administrative template settings


More Info: Administrative template settings

You can learn more about administrative template settings at http://technet.microsoft.com/en-us/library/cc771104.aspx.


Central store

The Group Policy Management Editor reads administrative templates in ADMX format from the local %SystemRoot%\PolicyDefinitions folder of the computer on which it runs unless a central store exists in SYSVOL. Creating a central store ensures that every administrator, whichever computer they run the editor from, works with the same set of templates, and that templates you add are available to all existing and new GPOs. Creating a central store is a manual process, and you need to copy new .admx and .adml files to the appropriate folders in the central store when you want to use them with Group Policy in your organization. To create a central store, perform the following steps:

1. Log on to a domain controller in the domain with an account that has Domain Admin privileges.

2. Use File Explorer to open the following location: \\Domain.fqdn\Sysvol\Domain.fqdn\Policies. For example, for the contoso.com domain, this would be \\Contoso.com\Sysvol\Contoso.com\Policies.

3. Copy the C:\Windows\PolicyDefinitions folder and its contents to \\Domain.fqdn\Sysvol\Domain.fqdn\Policies. Figure 6-9 shows the result of this process for the domain contoso.com.

FIGURE 6-9 Group Policy store

To add templates to the central store so that they can be used with all GPOs, you copy the .admx and the .adml files to separate locations. The PolicyDefinitions folder you copied contains one subfolder per installed language, named after the language and region (for example, en-US for US English); the .adml files live there. Each .admx file needs a matching .adml file in the language folder that matches the console language of the administrator’s computer, or the Group Policy Management Editor reports an error for that template. To import an administrative template, perform the following steps:

1. Copy the .admx file to the \\Domain.fqdn\Sysvol\Domain.fqdn\Policies\PolicyDefinitions folder.

2. Copy the .adml file to the appropriate regional folder under \\Domain.fqdn\Sysvol\Domain.fqdn\Policies\PolicyDefinitions. For example, if contoso.com were located in North America, the location of this folder would be \\Contoso.com\Sysvol\Contoso.com\Policies\PolicyDefinitions\en-US.
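Creating the central store and importing a template in PowerShell, as an added example that is not from the Training Guide. It takes the domain name from the USERDNSDOMAIN environment variable of a domain-joined session, copies the local PolicyDefinitions folder (with its language subfolders) into SYSVOL if no store exists yet, imports one template while refusing an .admx that has no matching .adml, and then lists every template in the store that lacks an .adml for one of the store’s languages, which is exactly the set the Group Policy Management Editor will complain about. The template CompanyApp.admx under C:\Templates is a hypothetical name; run the script as a member of Domain Admins.

```powershell
# Added example, not from the Training Guide. Assumptions: a domain-joined session
# run as a Domain Admin, and a hypothetical vendor template at
# C:\Templates\CompanyApp.admx with C:\Templates\en-US\CompanyApp.adml beside it.
$domain  = $env:USERDNSDOMAIN                     # e.g. CONTOSO.COM
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$local   = Join-Path $env:SystemRoot 'PolicyDefinitions'

# 1. Create the store by copying the local PolicyDefinitions folder, including its
#    language subfolders such as en-US, into the Policies folder in SYSVOL.
if (-not (Test-Path -LiteralPath $central)) {
    Copy-Item -LiteralPath $local -Destination $central -Recurse
    "Created central store at $central"
}

# 2. Import a template: the .admx goes in the root of the store, the .adml in the
#    matching language folder. Refuse an .admx without an .adml, because the editor
#    reports an error for every template whose strings it cannot find.
function Import-AdmxTemplate {
    param(
        [Parameter(Mandatory = $true)][string]$AdmxPath,
        [Parameter(Mandatory = $true)][string]$StorePath,
        [string]$Language = 'en-US'
    )
    $name = [System.IO.Path]::GetFileNameWithoutExtension($AdmxPath)
    $adml = Join-Path (Join-Path (Split-Path $AdmxPath -Parent) $Language) "$name.adml"
    if (-not (Test-Path -LiteralPath $adml)) {
        throw "No $Language\$name.adml found next to $AdmxPath; the template would show as an error in the editor."
    }
    $langDir = Join-Path $StorePath $Language
    if (-not (Test-Path -LiteralPath $langDir)) { New-Item -Path $langDir -ItemType Directory | Out-Null }
    Copy-Item -LiteralPath $AdmxPath -Destination $StorePath -Force
    Copy-Item -LiteralPath $adml     -Destination $langDir   -Force
    "Imported $name.admx and $Language\$name.adml into $StorePath"
}

Import-AdmxTemplate -AdmxPath 'C:\Templates\CompanyApp.admx' -StorePath $central

# 3. Verify: every .admx in the store should have an .adml in each language folder
#    the store contains; list the ones that do not.
$languages = Get-ChildItem -LiteralPath $central -Directory | Select-Object -ExpandProperty Name
foreach ($admx in Get-ChildItem -LiteralPath $central -Filter *.admx) {
    foreach ($lang in $languages) {
        $expected = Join-Path (Join-Path $central $lang) ($admx.BaseName + '.adml')
        if (-not (Test-Path -LiteralPath $expected)) { "Missing: $lang\$($admx.BaseName).adml" }
    }
}
```

Copy the PolicyDefinitions folder from the newest client or server version you manage, not from an older domain controller, because the store replaces the local templates on every console and an older set hides the settings the newer operating systems understand.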


Real World: Keep checking for updates

Microsoft and other vendors that provide administrative templates often update them when a service pack is released for the product the administrative template supports. For example, when a service pack is released for a new version of Microsoft Office, an updated administrative template is often released as well. Administrative templates are not updated through Windows Update or Windows Server Update Services (WSUS). When a new administrative template becomes available, you need to manually copy the .admx and .adml files to the appropriate locations in the Group Policy store.


If you want to import a template in ADM format and you do not want to convert it to ADMX format, you can add a template in ADM format to a single GPO using the Group Policy Management Editor, which attaches the template to the GPO. To do this, open the GPO that you want to add the template to using the Group Policy Management Editor, and on the Action menu, click Add/Remove Templates. In the Add/Remove Templates dialog box, shown in Figure 6-10, click Add to add a template. You can use this process to remove an existing template attached to the GPO.

Image

FIGURE 6-10 Importing an administrative template in ADM format


Image Quick check

Image Which folder should you copy when creating the Group Policy store?

Quick check answer

Image You should copy the C:\Windows\PolicyDefinitions folder when creating the Group Policy store.


ADMX Migrator

The ADMX Migrator is a tool that you can use to convert administrative templates in ADM format to ADMX format. The ADMX Migrator is a GUI-based program. ADMX Migrator also includes a command line tool that can be used to automate the migration of administrative templates to ADMX format. The ADMX Migrator also includes an ADMX editor for creating and editing administrative templates in ADMX format. The ADMX Migrator is shown in Figure 6-11.

Image

FIGURE 6-11 ADMX Migrator


More Info: Download ADMX Migrator

To download ADMX Migrator, navigate to the following website at http://www.microsoft.com/en-in/download/details.aspx?id=15058.



Real World: Converting ADM to ADMX

The last update of the ADMX Migrator was in 2009. Most software does not ship with administrative templates at all, and software written for Windows 8 that does ship with administrative templates almost always provides them in ADMX format, so you will rarely need to convert an ADM template.


Filter property settings

There are more than 1,800 policy settings in the Administrative Templates section of the Computer Configuration area of a default Windows Server 2012 R2 GPO, and more than 1,500 in the Administrative Templates section of the User Configuration area. Unless you know the precise location of the policy you are looking for, finding the policy that controls a specific setting can be tedious at best.

To simplify the process of locating relevant Group Policy items, you can filter settings in administrative templates to find specific policy settings. You can use the Filter Options dialog box, shown in Figure 6-12, to filter administrative template policies based on the following:

Image Managed, Configured, or Commented settings

Image Group Policy keywords in the Policy Name, Help Text, or Comments

Image Requirements filters to limit policies to specific products

Image

FIGURE 6-12 Filtering administrative templates

To filter policies related to administrative templates, perform the following steps:

1. Open Group Policy Management Editor. From the Action menu, click Filter Options.

2. In the Filter Options dialog box, configure filters by choosing the following options:

Image Enable Keyword Filters Enter the keyword you want to search for.

Image Enable Requirement Filters Specify the product that you want to view administrative template settings for.

3. Click OK. On the Action menu, click Filter On.

4. Under the Administrative Templates node of the Computer Configuration setting and the User Configuration setting, only the filtered policies will be displayed.

5. Turn the filter off by removing the Filter On selection on the Action menu.
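The Filter Options dialog box only searches from within the Group Policy Management Editor. The following PowerShell function is an added example, not part of the training guide, that performs the same keyword search offline against the ADMX and ADML files in the central store, resolving each policy's display name and help text through the ADML string table. It assumes the default central store path and the en-US language folder; change both if your environment differs.

```powershell
# Added example (not from the training guide): keyword search over the central
# store, equivalent to the Filter Options keyword filter. Assumes the default
# central store path and an en-US language folder.

# ADMX attributes look like displayName="$(string.SomeId)"; look the id up in the
# ADML string table, or return the raw value if it is not a reference.
function Resolve-AdmlString {
    param([string]$Reference, [hashtable]$Strings)
    if ($Reference -match '^\$\(string\.(.+)\)$') { return $Strings[$Matches[1]] }
    return $Reference
}

function Find-AdmxPolicy {
    param(
        [Parameter(Mandatory)][string]$Keyword,
        [string]$Store   = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions",
        [string]$Culture = 'en-US'
    )
    $pattern = [regex]::Escape($Keyword)

    foreach ($admxFile in Get-ChildItem -Path $Store -Filter *.admx) {
        $admlFile = Join-Path (Join-Path $Store $Culture) ($admxFile.BaseName + '.adml')
        if (-not (Test-Path $admlFile)) { continue }   # no display strings for this culture

        # Build an id -> text lookup from the ADML string table.
        [xml]$adml = Get-Content -Path $admlFile -Raw
        $strings = @{}
        foreach ($s in $adml.policyDefinitionResources.resources.stringTable.string) {
            $strings[$s.id] = $s.InnerText
        }

        [xml]$admx = Get-Content -Path $admxFile.FullName -Raw
        $policies = $admx.policyDefinitions.policies.policy
        if (-not $policies) { continue }               # some ADMX files define only categories

        foreach ($p in $policies) {
            $name = Resolve-AdmlString $p.displayName $strings
            $help = Resolve-AdmlString $p.explainText $strings
            if ($name -match $pattern -or $help -match $pattern) {
                [pscustomobject]@{
                    Template = $admxFile.Name
                    Policy   = $p.name
                    Class    = $p.class          # Machine, User or Both
                    Display  = $name
                }
            }
        }
    }
}

Find-AdmxPolicy -Keyword 'Remote Desktop' | Format-Table -AutoSize
```

The Class column tells you whether to look under Computer Configuration, User Configuration, or both, which is the information the editor's filter gives you by where it shows the result.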


More Info: Filtering administrative templates

For more information about filtering administrative templates, see http://technet.microsoft.com/en-us/library/cc772295.aspx.


Lesson summary

Image Administrative templates enable you to extend Group Policy.

Image Administrative templates in XML format use the .admx file extension.

Image Older administrative templates use the ADM format.

Image You need to configure a Group Policy store before you can import administrative templates in ADMX format.

Image The .admx file of a template is language independent. The .adml file contains the language-specific display text for the template.

Image You can use the ADMX Migrator to convert templates in ADM format to ADMX and ADML format.

Image You can use administrative template filters to reduce the number of policies displayed.

Lesson review

Answer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.

1. You are the administrator at contoso.com, and you want to configure the central store for Group Policy. Which of the following steps should you take to accomplish this goal?

A. Copy the C:\Windows\PolicyDefinitions folder and its contents to \\Contoso.com\Sysvol\Contoso.com\Policies.

B. Copy the \\Contoso.com\Sysvol\Contoso.com\Policies folder and its contents to the C:\Windows\PolicyDefinitions folder.

C. Copy the C:\Windows\SYSVOL folder and its contents to \\Contoso.com\Sysvol\Contoso.com\Policies.

D. Copy the \\Contoso.com\Sysvol\Contoso.com\Policies folder and its contents to C:\Windows\SYSVOL folder.

2. You are the systems administrator of contoso.com in North America, and you need to import a new administrative template into the Group Policy store. The administrative template has two files: Application.admx and Application.adml. Which of the following steps should you take to import the administrative template? (Choose two. Each answer forms part of a complete solution.)

A. Copy Application.admx to \\Contoso.com\Sysvol\Contoso.com\Policies\PolicyDefinitions.

B. Copy Application.adml to \\Contoso.com\Sysvol\Contoso.com\Policies\PolicyDefinitions\.

C. Copy Application.admx to \\Contoso.com\Sysvol\Contoso.com\Policies\PolicyDefinitions\en-US.

D. Copy Application.adml to \\Contoso.com\Sysvol\Contoso.com\Policies\PolicyDefinitions\en-US.

Lesson 3: Group Policy preferences

Group Policy preferences enable you to configure settings such as mapped drives and printers, which previously could be configured only through logon scripts, directly through Group Policy. Group Policy preferences are more reliable than scripts because they are reapplied each time Group Policy refreshes. In this lesson, you will learn how to configure printers, network drive mappings, power plan options, and other settings using Group Policy preferences.


After this lesson, you will be able to use Group Policy preferences to configure:

Image Printers

Image Mapped network drives

Image Power plans

Image Registry settings

Image Internet Explorer settings

Estimated lesson time: 60 minutes


Group Policy preference settings

Group Policy preferences enable you to configure many features that in the past had to be configured through the use of startup and logon scripts. Group Policy preferences differ from other Group Policy settings in the following ways:

Image Preference settings are not enforced, whereas Group Policy settings disable the ability for the user to change a setting.

Image Group Policy preferences are not removed if the policy no longer applies. A user can manually remove a configuration setting applied through Group Policy preferences.

When configuring Group Policy preferences, there is a series of options that are common to all items, shown in Figure 6-13.

Image

FIGURE 6-13 Common items settings

Image Stop processing items in this extension if an error occurs. If a problem occurs, no preferences from this GPO will be applied to the target user or computer.

Image Run in logged-on user’s security context (user policy option). By default, preference items are processed with the privileges of the Local System account, even items in the User Configuration area of a GPO. Enabling this option processes a User Configuration item in the security context of the signed-on user, so the item uses the user’s own credentials and environment variables and can reach only resources, such as network shares, that the user can already access.

Image Remove this item when it is no longer applied. When enabled, the setting is removed if the GPO that applied it no longer applies to the user or computer. Without this option, a setting that has already been applied stays on the computer even after the GPO is unlinked or falls out of scope, and enabling the option later affects only computers that process the item afterwards. The default behavior is for these settings to persist, although the user can still modify them.

Image Apply once and do not reapply. When this option is enabled, the preference applies only at logon or startup. Otherwise, the preference is reapplied when Group Policy refreshes.


Real World: Testing Group Policy preferences

The more complex the GPO, the more likely something is to not work as expected. Verify that each option works before you add additional options, rather than adding everything at the beginning and then trying to figure out why some of them didn’t work.


Item-level targeting

Item-level targeting enables you to specify when a specific preference should apply. For example, you can use item-level targeting to ensure that a preference only applies to some, but not all, users and computers that are subject to the policy. You can configure item-level targeting based on the following categories:

Image Battery Present

Image Computer Name

Image CPU Speed

Image Date Match

Image Disk Space

Image Domain

Image Environment Variable

Image File Match

Image IP Address Range

Image Language

Image LDAP Query

Image MAC Address Range

Image MSI Query

Image Network Connection

Image Operating System

Image Organizational Unit

Image PCMCIA Present

Image Portable Computer

Image Processing Mode

Image RAM

Image Registry Match

Image Security Group

Image Site

Image Terminal Session

Image Time Range

Image User

Image WMI Query

It is also possible to mix and match these categories. For example, you could configure item-level targeting so that a Group Policy preference applies only if the computer is running the Windows 8 operating system, has more than 4 gigabytes (GB) of RAM, has a CPU speed greater than 1 gigahertz (GHz), and there is more than 80 GB free on the system drive. This set of targeting categories is shown in Figure 6-14.

Image

FIGURE 6-14 Targeting Editor categories


Real World: Item-level targeting

Item-level targeting enables you to be specific in the way you apply Group Policy preferences. It enables you to accomplish graphically what you might have only been able to accomplish using complex Windows Management Instrumentation (WMI) queries. If you use Group Policy preferences on a regular basis, you may want to consider moving to Microsoft System Center 2012 R2 Configuration Manager. In Configuration Manager, you can create collections that enable you to define groups of computers on the basis of the properties of the system, such as operating system version, CPU speed, free disk space, and total random access memory (RAM).


Mapping network drives

One of the most common uses of logon scripts in enterprise environments is to map network drives. With Group Policy preferences, you can map network drives directly from Group Policy without using a net use command in a logon script.

To configure Group Policy preferences to map network drives, perform the following steps:

1. Locate the Drive Maps item under Preferences\Windows Settings in the User Configuration area of a GPO. Drive Maps is a Group Policy preference that can’t be configured through the Computer Configuration area.

2. Right-click Drive Maps, click New, and then click Mapped Drive.

3. In the New Drive Properties dialog box, shown in Figure 6-15, enter the information necessary to connect the user’s drive.

Image

FIGURE 6-15 Mapping a network drive

When setting up a mapped network drive, you can configure the following options:

Image Action The default is Update, but can also be set to Create, Replace, or Delete. This option determines what happens with the mapping. Update means that if the setting is in place, reset it with the configured settings. In most cases, the configured settings will be the same as what is already in place.

Image Location The network share to which the drive will map.

Image Reconnect Enable this option if you want to reconnect a mapped drive that the user has disconnected.

Image Label As Provides the mapped network drive with a volume label.

Image Drive Letter You can choose between assigning the first available drive letter or whether a specific drive letter is associated with the mapped drive.

Image Connect As Use this option if you want the drive mapped with a specific set of credentials rather than the signed-on user’s own. Any credentials you enter here are written to the preference XML file in SYSVOL, which every domain user can read, so avoid this option and grant the user access to the share instead.

Image Hide/Show This Drive Determines whether the drive is visible in File Explorer.

Image Hide/Show All Drives Determines whether all drives are visible in File Explorer.

You can also configure the common properties for each item and item-level targeting. Because you can perform item-level targeting based on security group, you can use the Drive Maps Group Policy preferences item in a single GPO applied at the domain level to configure drive mapping based on security groups for all users in the organization.
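Once drive mappings and their security-group targeting are spread across GPOs, it is useful to see them all in one place. The following PowerShell function is an added example, not part of the training guide, that reads the Drives.xml file that the editor writes for each GPO and reports every mapping with its action, path, any Connect As account, and its item-level targeting filters. It assumes the standard SYSVOL layout ({GUID}\User\Preferences\Drives\Drives.xml) and the attribute names the editor writes (thisDrivePath, letter, action, userName, FilterGroup); treat those names as assumptions if your version differs. Any domain user can run it, because SYSVOL is readable by all domain users.

```powershell
# Added example (not from the training guide): list all Drive Maps preference items
# in the domain with their item-level targeting. Assumes the standard SYSVOL layout
# and the attribute names written by the Group Policy Management Editor.

function Get-GppDriveMap {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $policies = "\\$Domain\SYSVOL\$Domain\Policies"
    $actions  = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }

    foreach ($gpo in Get-ChildItem -Path $policies -Directory -Filter '{*}') {
        $file = Join-Path $gpo.FullName 'User\Preferences\Drives\Drives.xml'
        if (-not (Test-Path $file)) { continue }
        [xml]$xml = Get-Content -Path $file -Raw

        foreach ($drive in $xml.Drives.Drive) {
            $prop = $drive.Properties

            # Item-level targeting is stored under <Filters>; no element means the
            # mapping applies to everyone the GPO applies to.
            $filters = @()
            foreach ($f in $drive.Filters.ChildNodes) {
                if ($f.LocalName -eq 'FilterGroup') {
                    $negate   = if ($f.not -eq '1') { 'NOT ' } else { '' }
                    $filters += "$($f.bool) ${negate}group=$($f.name)"
                }
                else {
                    $filters += "$($f.bool) $($f.LocalName)"   # FilterOs, FilterRam, etc.
                }
            }

            [pscustomobject]@{
                Gpo       = $gpo.Name
                Letter    = $prop.letter
                Path      = $prop.thisDrivePath
                Action    = if ($prop.action) { $actions[$prop.action] } else { 'Update' }
                ConnectAs = $prop.userName   # non-empty means stored credentials: a finding
                Filters   = if ($filters) { $filters -join '; ' } else { '(none)' }
            }
        }
    }
}

Get-GppDriveMap | Sort-Object Gpo, Letter | Format-Table -AutoSize
```

The Gpo column shows the GPO's GUID folder name; if the GroupPolicy module is available, Get-GPO -Guid will translate it to the display name.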


Real World: Drive mapping

Many organizations have convoluted scripts that perform the task of determining a user’s security group membership and then assigning appropriate network drives. Using Group Policy preferences takes almost all the complexity out of that scenario.


Configuring printers

With Group Policy preferences, you can map network printers to computers. When you map a printer using Group Policy preferences, you can choose whether to set the mapped printer as the default printer or configure the mapped printer only as a default printer if a local printer is not present.

Although you can use either the Computer Configuration or the User Configuration area of a GPO to map a printer, you can use only the User Configuration area to map a printer shared from another computer. You can use both areas to map local and TCP/IP printers. To use Group Policy preferences to map a printer, perform the following steps:

1. Navigate to the Preferences\Control Panel Settings node, right-click Printers, and click New. Then choose between Shared Printer, TCP/IP Printer, and Local Printer. Local printers must be connected to the computer and shared printers must be shared from a computer and be addressable using a Universal Naming Convention (UNC) path.

2. In the New Shared Printer Properties dialog box, shown in Figure 6-16, choose between Update/Replace, Create, and Delete. Enter the network address of the printer and whether the printer should be configured as a default printer.

Image

FIGURE 6-16 Mapping a printer


Real World: Printer drivers

Although computers running Windows 8 will automatically connect to WSUS or Windows Update to locate a driver, this is not the case with earlier versions of Windows Client operating systems. You may need to use Group Policy or your organization’s management software to deploy drivers to these computers.


Windows 8 clients will attempt to retrieve the printer driver either from their local driver store, from the local WSUS server or from Windows Update. In previous versions of the Windows Client operating system, the client computer attempted to obtain printer driver software from the server that hosted the shared printer.


Image Quick check

Image Where do client computers running the Windows 8 or Windows 8.1 operating system obtain drivers for network printers?

Quick check answer

Image Client computers running the Windows 8 or Windows 8.1 operating system will check if a printer driver is locally installed. The client will then check the local WSUS server or Windows Update to find the driver.


Configuring power options

Power options enable you to configure how computers with compatible hardware use power. Power options also enable you to configure how laptop computers react when someone closes the lid or when the computer resumes operation after hibernation. When configuring a power option, you need to choose one of the following:

Image Power Options (Windows XP)

Image Power Schemes (Windows XP)

Image Power Plans (at least Windows 7)

When configuring power options, use item-level targeting to configure the following:

Image Target operating systems. For example, you can use item-level targeting to ensure that the Power Options (Windows XP) and Power Scheme (Windows XP) settings are processed by computers running Windows XP. These options don’t negatively affect computers running Windows Vista, Windows 7, Windows 8, or Windows 8.1 but it’s good practice to apply operating system-specific settings only to those operating systems.

Image Different power options at different times of the day. You can apply settings that enable high performance during office hours and then apply power saving plans for out-of-office hours. For example, you can configure settings so that if someone doesn’t interact with the computer during office hours, they have more time before the computer goes into hibernation (compared with someone who doesn’t interact with the computer after business hours).

When configuring power options, it is important to understand the difference between standby and hibernation. It is also important to recognize that not all computers support these advanced power options.

Image When a computer is in standby, the computer is in a low power state, but the data required to resume normal operation is stored in RAM. This has the benefit of enabling the computer to quickly return from standby to full operation. The drawback of this mode is that it requires more electricity than hibernation mode.

Image When a computer is hibernating, the data required to resume normal operation is stored in a special location on the hard disk. The computer can resume without performing a full startup operation, and instead loads the contents of the special location on the hard disk straight into memory.


Real World: Windows Vista power plans

If you have any computers in your environment running Windows Vista, they can use the Windows 7 Power Plan option.


Power Options (Windows XP)

You use this item, shown in Figure 6-17, only when you want to configure power settings for computers running Windows XP. This item enables you to configure the following items:

Image Always Show Icon On The Taskbar

Image Prompt For Password When The Computer Resumes From Standby

Image Enable Hibernation

Image Power Buttons:

Image When I Close The Lid Of My Portable Computer This option determines how a laptop computer with a lid reacts when the lid is closed. The options are Do Nothing, Stand By, and Hibernate.

Image When I Press The Power Button On My Computer This option determines how a computer reacts when the power button is pressed. The options are Do Nothing, Ask Me What To Do, Stand by, Shutdown, and Hibernate.

Image When I Press The Sleep Button On My Computer This option determines how a computer reacts when the sleep button is pressed. The options are Do Nothing, Ask Me What To Do, Stand By, Shutdown, and Hibernate.

Image

FIGURE 6-17 Power Options (Windows XP)

Power Scheme (Windows XP)

Power Scheme also applies to computers running Windows XP. Power schemes differ from power options because they enable you to specify when a particular computer will have its monitor turned off, be put into standby, or put into hibernation. You can configure different settings for when the computer is plugged in to main power or is running off batteries.

You can configure the following options in Windows XP Power Scheme:

Image Power Scheme Enables you to choose a power scheme to configure. The options are Home/Office Desk, Portable/Laptop, Presentation, Always On, Minimal Power Management, and Max Battery (see Figure 6-18).

Image Turn Off Monitor

Image Turn Off Hard Disks

Image System Standby

Image System Hibernates Specifies the amount of time before a supported computer enters hibernation.

Image

FIGURE 6-18 Configuring a power scheme

Power Plans

Image

Power Plans enable you to configure settings for computers running Windows Vista, Windows 7, Windows 8, and Windows 8.1. Rather than being limited to determining what happens when a power button is pressed or the computer isn’t used for a specific amount of time, Power Plans enable you to configure additional options, including PCI Express settings and processor power management. Using a Power Plan, shown in Figure 6-19, you can configure the following settings for both on battery and plugged-in modes:

Image Additional Settings Enables you to configure whether a password is required on wakeup.

Image Hard Disk Enables you to specify how long before the hard disk drive is powered down.

Image Sleep Enables you to configure the following settings: Sleep After, Enable Hybrid Sleep, and Hibernate After. Sleep functions the same way that Stand By mode does in the settings for computers with the Windows XP operating system. The computer needs to support these advanced power options for them to be enforced by this policy.

Image Power Buttons And Lid Enables you to configure settings for lid close action, power button action, and Start menu power button. Options are Do Nothing, Sleep, Hibernate, and Shut Down.

Image PCI Express Enables you to configure Link State Power Management for PCI Express components that support power management. Settings include Off, Moderate Power Savings, and Maximum Power Savings.

Image Processor Power Management Configures settings for minimum processor state and maximum processor state as a percentage. For example, you can configure the processor to work at 50 percent of maximum capacity when the computer is on battery.

Image Display Configures settings for how long to wait before turning the display off when the user has not interacted with the computer.

Image Battery Configures critical battery action, low battery level, critical battery level, low battery notification, and low battery action. You configure the level settings as a percentage. The action setting can be set to Do Nothing, Sleep, Hibernate, or Shutdown.

Image

FIGURE 6-19 Windows 7 Power Plan


Real World: Power option configuration

System Center 2012 R2 Configuration Manager offers more advanced power options than Group Policy preferences. System Center 2012 R2 Configuration Manager also enables you to generate power utilization reports, enabling you to see the impact of power options on power consumption.


Configuring the registry

You can use Group Policy preferences to configure registry settings by adding settings, deleting settings, or modifying existing settings. You can use an existing computer’s registry settings as the basis for the settings that you want to configure, or you can configure the settings manually, as shown in Figure 6-20. You can configure registry settings using the Computer Configuration or User Configuration areas of a GPO.

Image

FIGURE 6-20 Use Group Policy preferences to configure Remote Desktop settings


Real World: Extra care required

Direct registry modification is a process you should undertake reluctantly and direct registry modification across a large number of computers even more so. You are most likely to use this type of Group Policy preferences when you need to respond quickly to a security threat. Vendors often suggest registry fixes as responses to security alerts while they test and develop a software-based solution. In this situation, you have the option of waiting for the software solution or using Group Policy to deploy the registry modification. Each strategy has benefits and drawbacks, and the correct choice for one organization will be the incorrect choice for another.


Internet options

You can use Group Policy preferences to configure Internet options for the following versions of Internet Explorer:

Image Internet Explorer 5 and 6

Image Internet Explorer 7

Image Internet Explorer 8 and 9

Image Internet Explorer 10 and 11

The Group Policy preferences settings for each version of Internet Explorer appear in the same manner as the Internet Explorer item in the Control Panel does. Figure 6-21 shows the Group Policy preferences settings for Internet Explorer 10. You use the Internet Explorer 10 settings to configure Group Policy preference settings for Internet Explorer 11.

Image

FIGURE 6-21 Use Group Policy preferences to configure Internet Explorer settings

Local Users And Groups

The Local Users And Groups option enables you to create and configure accounts for local users, as shown in Figure 6-22, and populate local groups. You can use this option to create, update, replace, and delete user accounts. If you set a password for a local user here, be aware that it is written to the preference XML file in the System Volume (SYSVOL) share. SYSVOL is readable by every domain user, and although the stored value is encrypted, Microsoft published the encryption key, so anyone who can read the file can recover the password. (Microsoft security update MS14-025, released in May 2014, removes the ability to set passwords through Group Policy preferences for this reason.) If you do set a password this way, configure it to be changed at next logon, and avoid using Group Policy preferences to create or populate privileged local user accounts.

Image

FIGURE 6-22 Adding a local user with Group Policy preferences
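Because existing preference items keep their stored passwords until someone removes them, it is worth scanning SYSVOL for them. The following PowerShell function is an added example, not part of the training guide, that finds every preference item whose Properties element still carries a cpassword attribute, across the preference types that can store credentials (Local Users And Groups, Drive Maps, Data Sources, Scheduled Tasks, and Services). It assumes the standard SYSVOL layout and the file and attribute names the editor writes; the account attribute name varies by preference type and the set checked below is an assumption. Every hit is a credential to rotate and an item to delete.

```powershell
# Added example (not from the training guide): find preference items in SYSVOL
# that still carry a cpassword attribute. Assumes the standard SYSVOL layout and
# the editor's file and attribute names. Run from any domain-joined machine.

function Find-GppPassword {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $policies = "\\$Domain\SYSVOL\$Domain\Policies"

    # Only these preference types can store credentials.
    $files = Get-ChildItem -Path $policies -Recurse -ErrorAction SilentlyContinue `
        -Include Groups.xml, Drives.xml, DataSources.xml, ScheduledTasks.xml, Services.xml

    foreach ($file in $files) {
        [xml]$xml = Get-Content -Path $file.FullName -Raw

        # Each item keeps its settings in a <Properties> element; pick the ones that
        # have a cpassword attribute wherever they sit in the document.
        foreach ($prop in $xml.SelectNodes('//Properties[@cpassword]')) {
            if ([string]::IsNullOrEmpty($prop.cpassword)) { continue }   # attribute present but blank
            $item = $prop.ParentNode

            # The account attribute differs per type (assumed names): userName for
            # users and drives, runAs for tasks, accountName for services.
            $account = @($prop.userName, $prop.runAs, $prop.accountName, $prop.newName) |
                       Where-Object { $_ } | Select-Object -First 1

            [pscustomobject]@{
                Gpo     = ($file.FullName -split '\\' | Where-Object { $_ -like '{*}' })[0]
                Type    = $item.LocalName        # User, Drive, DataSource, Task, NTService ...
                Name    = $item.name
                Account = $account
                Changed = $item.changed          # last edit timestamp written by the editor
                File    = $file.FullName
            }
        }
    }
}

Find-GppPassword | Format-Table -AutoSize
```

Deleting the preference item does not change the password that was already set on each computer; rotate it there as well, for example with a locally managed password solution, before treating the finding as closed.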

You can use the New Local Group Group Policy preference to configure the membership of local groups. You can use this policy to populate and control membership of the local Administrators group on each computer, as shown in Figure 6-23. You can also use this policy to perform the following tasks:

Image Add users to a local group

Image Remove users from a local group

Image Delete all group members, including both users and member groups

Image

FIGURE 6-23 Configuring a local group using Group Policy preferences

Additional settings

As you can see in Figure 6-24, there are many additional settings that you can configure using Group Policy preferences. These settings are split into Windows settings and Control Panel settings. Settings not covered earlier are covered in this section.

Image

FIGURE 6-24 Group Policy preferences

Windows settings

The Group Policy preferences settings located in the Windows Settings area enable you to do the following:

Image Applications Enables you to configure application related settings. Applications must support Group Policy preferences before settings can be configured in this manner.

Image Environment Enables you to configure environment variables (for example, configuring the temporary directory variable).

Image Files Enables you to update files using a source and destination file. This enables you to populate computers with important files, such as ensuring that Human Resources directives on the correct utilization of the staff kitchen and coffee machine are copied to the policy documents directory on every user’s desktop.

Image Folders Enables you to create, update, replace, or delete a folder and its contents. Figure 6-25 shows this Group Policy preference. For example, you can use it to ensure that the temporary directory is scrubbed each time the preference applies.

Image

FIGURE 6-25 Deleting folder contents

Image Ini Files Enables you to update .ini files with specific properties and values. When using this setting, it is important to ensure that changes made to the .ini file do not stop it from being read by the computer.

Image Shortcuts Enables you to create shortcuts for use with desktop items, including the destination path and how the application triggered by the shortcut will be run. It is also possible for you to configure the location of a shortcut icon, as shown in Figure 6-26.

Image

FIGURE 6-26 Shortcut settings

Control Panel settings

Additional Group Policy preferences settings can also be configured through the Control Panel settings node. This node includes settings that would normally be configured through a client computer’s Control Panel.

You can configure the following settings using the Control Panel Settings node:

Image Data Sources Enables you to configure Open Database Connectivity (ODBC) data sources. Configure this when clients need special connections configured to databases.

Image Devices Enables you to configure whether devices are enabled or blocked. Figure 6-27 shows a Microsoft PS/2 mouse being blocked.

Image

FIGURE 6-27 New device settings

Image Folder Options When you configure folder options, you can configure a different set of options, for Windows XP or for computers running Windows Vista, Windows 7, Windows 8, or Windows 8.1. Folder options control how the contents of folders are displayed in File Explorer. For example, you can configure folder options to show hidden files and folders, to show encrypted and compressed NTFS files in a special color, and to hide protected operating system files. Figure 6-28 shows this Group Policy preference.

Image

FIGURE 6-28 Folder options

Image Network Options Use the Network Options Group Policy preference to configure VPN and dial-up connection settings for computers.

Image Regional Options Use the Regional Options Group Policy preferences to specify the numbers, currency, time, date and other regional settings such as language.

Image Scheduled Tasks You can use the Scheduled Tasks Group Policy preference to configure scheduled and immediate tasks. A scheduled task runs at the date and time configured in its schedule. An immediate task, shown in Figure 6-29, runs as soon as the preference is processed, which with the default common options means each time Group Policy refreshes. Tasks created through the Computer Configuration area run as Local System unless you specify another account, so the program or script they run should be in a location that only administrators can modify.

Image

FIGURE 6-29 Running a new task

Image Start Menu This option enables you to configure how the Start menu appears on computers running Windows client operating systems up to and including Windows 7. Using this option, you can configure whether the Computer, Control Panel, Documents, Favorites, and Games are displayed. You can also configure how many programs are displayed on the Start menu and how many recent items are displayed.

Lesson summary

Image Group Policy preferences configure settings that can later be changed by users.

Image Group Policy preferences are commonly used to set mapped network drives and printer settings.

Image Item-level targeting enables the properties of the environment to be checked during the application of Group Policy preference items.

Image You can configure Group Policy preferences to be reapplied each time Group Policy refreshes, which undoes changes users make, but preferences never lock a setting the way a policy does.

Image Use time-based item-level targeting to apply different power settings at different times of the day.

Lesson review

Answer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.

1. You are configuring Power Options Group Policy preferences. You want this power plan to apply only between midnight and 6 A.M. Which of the following item-level targeting options can you configure to accomplish this goal?

A. Security Group

B. Time Range

C. Operating System

D. Disk Space

2. You want to add a specific user account to all computers in an OU. Which Group Policy preferences item can you configure to accomplish this goal?

A. Folder

B. Devices

C. Internet Settings

D. Local Users And Groups

3. You want to configure a drive map, but this drive map should be configured only for computers used by executives. Which of the following item-level targeting options can you configure to accomplish this goal?

A. Disk Space

B. Operating System

C. Time Range

D. Security Group

4. You want to delete the contents of the C:\Windows\Temp folder on a number of computers in your organization each time Group Policy refreshes. Which of the following Group Policy preferences can you configure to accomplish this goal?

A. Local Users And Groups

B. Folder

C. Devices

D. Internet Settings

5. A particular set of environment variables should apply only to computers running the Windows 7 operating system, not to computers running Windows Vista or Windows 8. Which of the following item-level targeting options should you configure when setting up Group Policy preferences to apply these environment variables?

A. Time Range

B. Operating System

C. Security Group

D. Disk Space

6. You want to block users from using a specific type of USB storage drive on computers in your organization. Which of the following Group Policy preferences can you configure to accomplish this goal?

A. Internet Settings

B. Devices

C. Folder

D. Local Users And Groups

7. You are configuring a Group Policy preference immediate task to clean out the temporary directory only if the computer has less than 20 GB free space. Which of the following item-level targeting options can you configure to accomplish this goal?

A. Security Group

B. Time Range

C. Operating System

D. Disk Space

8. You want to configure VPN settings on a large number of client computers in your organization. Which of the following Group Policy preferences can you use to accomplish this goal?

A. Local Users And Groups

B. Folder

C. Devices

D. Internet Settings

Practice exercises

The goal of this section is to provide you with hands-on practice with the following:

Image Configuring Folder Redirection using Group Policy

Image Configuring startup, shutdown, logon, and logoff scripts using Group Policy

Image Configuring the Group Policy store

Image Enabling Group Policy filtering

Image Creating local users using Group Policy preferences

Image Mapping network drives using Group Policy preferences

Image Creating power plans using Group Policy preferences

To perform the exercises in this section, you need access to an evaluation version of Windows Server 2012 R2. You should also have access to virtual machines SYD-DC, MEL-DC, CBR-DC, and ADL-DC, the setup instructions for which are described in the Introduction. You should ensure that you have a checkpoint of these virtual machines that you can revert to at the end of the practice exercises. You should revert the virtual machines to this initial state prior to beginning these exercises.

Exercise 1: Prepare Folder Redirection and scripts

In this exercise, you prepare a server to host folders for Folder Redirection and Group Policy–related scripts. To complete this exercise, perform the following steps:

1. Sign on to SYD-DC as Contoso\Administrator.

2. Click File Explorer on the taskbar and navigate to the root folder of volume C:.

3. Click the New Folder item on the title bar. Type the name of the new folder as FolderRedirection.

4. Right-click the FolderRedirection folder, click Share With, and then click Specific People.

5. In the File Sharing dialog box, click the down arrow next to Add and click Everyone.

6. Click Add and click the arrow next to Read. Set the Everyone group’s permission to Read/Write, click Share, and click Done.

7. Right-click the FolderRedirection folder and click Properties.

8. Click the Sharing tab, click Advanced Sharing, and click Caching.

9. In the Offline Settings dialog box, shown in Figure 6-30, click All Files And Programs That Users Open From The Shared Folder Are Automatically Available Offline and click OK.

FIGURE 6-30 Offline settings

10. Click OK to close the Advanced Sharing dialog box and click Close to close the FolderRedirection Properties dialog box.

11. On the title bar of the Local Disk (C:) Window, click New Folder. Name the new folder Scripts.

12. Right-click the Scripts folder, click Share With, and click Specific People.

13. Click the down arrow next to Add, click Everyone, and then click Add.

14. Click Share and click Done.

15. Open the Scripts folder. Right-click in the empty space, click New, and click Text Document. Type the name Logon and press Enter.

16. Repeat step 15 and create files named Logoff, Startup, and Shutdown.

17. Click the View menu and click File Name Extensions.

18. Right-click each file and rename them as follows:

Image Logoff.txt to Logoff.bat

Image Logon.txt to Logon.bat

Image Shutdown.txt to Shutdown.bat

Image Startup.txt to Startup.bat
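The same preparation can be scripted. The following PowerShell is an added example, not part of the training guide; it creates the two folders and shares from Exercise 1 on SYD-DC, applies the offline-files setting from step 9, and writes the four batch files. It assumes an elevated PowerShell session on SYD-DC and uses the exercise's own names and permissions (Everyone has Read/Write on FolderRedirection and the File Sharing wizard's default Read on Scripts). The script bodies are constructed here so that each script appends a line to a log file, which lets you confirm in Exercise 3 that each script actually ran.

```powershell
# Added example (not from the training guide): scripted version of Exercise 1.
# Run in an elevated PowerShell session on SYD-DC. Folder and share names match
# the exercise; C: is the lab volume.
$redir   = 'C:\FolderRedirection'
$scripts = 'C:\Scripts'

New-Item -Path $redir, $scripts -ItemType Directory -Force | Out-Null

# Step 6 gives Everyone Read/Write in the File Sharing wizard; the SMB
# equivalent of Read/Write is Change access.
New-SmbShare -Name 'FolderRedirection' -Path $redir -ChangeAccess 'Everyone' | Out-Null

# Step 9: "All files and programs that users open from the shared folder are
# automatically available offline" is the Programs caching mode.
Set-SmbShare -Name 'FolderRedirection' -CachingMode Programs -Force

# Steps 12-14 add Everyone at the wizard default, which is Read. Only
# Administrators can change the scripts; startup and shutdown scripts run as
# SYSTEM on every computer that applies the GPO, so nobody else should be able
# to edit what that share serves.
New-SmbShare -Name 'Scripts' -Path $scripts `
    -ReadAccess 'Everyone' -ChangeAccess 'BUILTIN\Administrators' | Out-Null

# Steps 15-18: the four batch files. Each one records when and where it ran;
# for Startup/Shutdown (SYSTEM) %TEMP% is C:\Windows\Temp, for Logon/Logoff it
# is the user's own temp folder. Constructed content, not from the guide.
foreach ($name in 'Logon', 'Logoff', 'Startup', 'Shutdown') {
    $body = "@echo off`r`necho %DATE% %TIME% $name on %COMPUTERNAME% >> `"%TEMP%\gpscripts.log`""
    Set-Content -Path (Join-Path $scripts "$name.bat") -Value $body -Encoding ASCII
}

# Verify the result before moving on to Exercise 2.
Get-SmbShare -Name 'FolderRedirection', 'Scripts' | Format-Table Name, Path, CachingMode
Get-SmbShareAccess -Name 'Scripts' | Format-Table AccountName, AccessRight
Get-ChildItem -Path $scripts
```

Get-SmbShareAccess shows the share-level permissions only; the NTFS permissions on C:\Scripts still apply, and the wizard adjusts those to match the share permissions you chose.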

Exercise 2: Configure Folder Redirection

In this exercise, you configure Folder Redirection. To complete this exercise, perform the following steps:

1. In Server Manager, click the Tools menu, and then click Group Policy Management. The Group Policy Management Console (GPMC) opens.

2. In the GPMC, expand the Forest: Contoso.com node, then the Domains node, then the Contoso.com node, and then the Group Policy Objects node.

3. Right-click the Group Policy Objects node, and click New.

4. In the New GPO dialog box, shown in Figure 6-31, type the name FolderRedirection and click OK.

FIGURE 6-31 New GPO dialog box

5. Right-click the FolderRedirection policy and click Edit. The Group Policy Management Editor opens.

6. In the Group Policy Management Editor, expand the User Configuration\Policies\Windows Settings\Folder Redirection node.

7. Right-click the Documents folder, and click Properties.

8. Configure the following settings, as shown in Figure 6-32, and click OK.

Image Setting: Basic - Redirect Everyone’s Folder To The Same Location

Image Target Folder Location: Create A Folder For Each User Under The Root Path

Image Root Path: \\SYD-DC\FolderRedirection

FIGURE 6-32 Redirecting the Documents folder

9. When prompted with the Warning dialog box, click Yes.

10. Right-click the Pictures folder and click Properties.

11. In the Pictures Properties dialog box, shown in Figure 6-33, configure the Setting to Follow The Documents Folder, and click OK.

FIGURE 6-33 Redirecting the Pictures folder

12. Click Yes when presented with the warning.

13. Right-click the Music folder, and click Properties.

14. In the Music Properties dialog box, configure Setting to Follow The Documents folder, and click OK.

15. Click Yes when presented with the warning.

16. Repeat steps 13 through 15 for the Videos folder.

17. Right-click the AppData(Roaming) folder and click Properties.

18. In the AppData(Roaming) Properties dialog box, set the Setting drop-down menu to Advanced – Specify Locations For Various User Groups.

19. Click Add. In the Specify Group And Location dialog box, shown in Figure 6-34, configure the following settings and click OK:

Image Security Group Membership: CONTOSO\Domain Users

Image Target Folder Location: Create A Folder For Each User Under The Root Path

Image Root Path: \\SYD-DC\FolderRedirection

FIGURE 6-34 Advanced redirection settings

20. Click OK to close the AppData(Roaming) Properties dialog box.

21. Click Yes in the Warning dialog box.

Exercise 3: Configure Group Policy scripts

In this exercise, you configure Group Policy scripts. To complete this exercise, perform the following steps:

1. Click the Scripts (Logon/Logoff) node.

2. Right-click the Logon item and click Properties.

3. In the Logon Properties dialog box, click Add.

4. In the Add A Script dialog box, type \\syd-dc\scripts\logon.bat in the Script Name area as shown in Figure 6-35, and click OK.

FIGURE 6-35 Logon script settings

5. Click OK to close the Logon Properties dialog box. Right-click the Logoff item and click Properties.

6. In the Logoff properties dialog box, click Add.

7. In the Add A Script dialog box, type \\syd-dc\scripts\logoff.bat in the Script Name area and click OK.

8. Click OK to close the Logoff Properties dialog box.

9. Navigate to the Computer Configuration\Policies\Windows Settings\Scripts node.

10. Right-click Startup and click Properties.

11. In the Startup Properties dialog box, click Add.

12. In the Add A Script dialog box, type \\syd-dc\scripts\startup.bat in the Script Name area and click OK.

13. Click OK to close the Startup Properties dialog box.

14. Right-click Shutdown and click Properties.

15. In the Shutdown Properties dialog box, click Add.

16. In the Add A Script dialog box, type \\syd-dc\scripts\shutdown.bat in the Script Name area and click OK.

17. Click OK to close the Shutdown Properties dialog box.

18. Close the Group Policy Management Editor.

Exercise 4: Configure the central store and administrative template filtering

In this exercise, you configure the central store and perform administrative template filtering. To complete this exercise, perform the following steps:

1. Use File Explorer to open the following location: \\Contoso.com\Sysvol\Contoso.com\Policies.

2. Open a second File Explorer window and navigate to the C:\Windows folder.

3. Right-click the PolicyDefinitions folder and click Copy.

4. Switch to the File Explorer window that is open on \\Contoso.com\Sysvol\Contoso.com\Policies.

5. Right-click in an empty area and click Paste.

6. Open the GPMC.

7. Right-click the Forest: Contoso.com\Domains\Contoso.com\Group Policy Objects node and click New.

8. In the New GPO dialog box, type the name Template Check and click OK.

9. Right-click the Template Check GPO and click Edit.

10. Click the Computer Configuration\Policies\Administrative Templates node, click the Action menu, and click Filter Options.

11. Check Enable Keyword Filters. In the Filter For Word(s) text box, type Biometrics.

12. Check Enable Requirements Filters and then click Windows 8.1 Operating Systems, as shown in Figure 6-36. Click OK.

FIGURE 6-36 Logon script settings

13. Click the Computer Configuration\Policies\Administrative Templates\All Settings node and verify that only three policy items are listed.
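The copy in steps 1 through 5 is a single Copy-Item in PowerShell. The block below is an added example, not part of the training guide; it assumes the lab's Contoso.com domain and a domain controller with the default C:\Windows\PolicyDefinitions folder. It also compares the local and central copies afterwards, so a partial copy, or a stale central store left over from an older server version, is visible rather than silently overriding the templates the Group Policy Management Editor would otherwise load from C:\Windows.

```powershell
# Added example (not from the training guide): create and verify the central
# store from Exercise 4. Assumes the Contoso.com lab domain.
$domain   = 'Contoso.com'
$source   = Join-Path $env:SystemRoot 'PolicyDefinitions'
$policies = "\\$domain\SYSVOL\$domain\Policies"
$store    = Join-Path $policies 'PolicyDefinitions'

# Steps 3-5: copying the folder into ...\Policies creates
# ...\Policies\PolicyDefinitions together with the en-US (and any other
# language) subfolders. The .admx files and their .adml language files both
# have to arrive for the editor to use the store.
Copy-Item -Path $source -Destination $policies -Recurse -Force

# Count files on both sides so an incomplete copy is obvious.
$srcFiles = Get-ChildItem -Path $source -Recurse -File
$dstFiles = Get-ChildItem -Path $store  -Recurse -File
"Local templates: {0}  Central store: {1}" -f $srcFiles.Count, $dstFiles.Count

# Name-by-name comparison. '=>' marks a file that exists only in the central
# store (for example a template imported from a vendor); '<=' marks a local
# template that did not get copied.
Compare-Object -ReferenceObject $srcFiles.Name -DifferenceObject $dstFiles.Name |
    Sort-Object SideIndicator, InputObject |
    Format-Table InputObject, SideIndicator -AutoSize
```

Once the PolicyDefinitions folder exists under Policies, every Group Policy Management Editor session in the domain reads its administrative templates from SYSVOL instead of the local C:\Windows\PolicyDefinitions folder, which is why the comparison above is worth keeping: from this point on, the central store decides which settings appear in the editor.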

Exercise 5: Configure Group Policy preferences

In this exercise, you configure Group Policy preferences. To complete this exercise, perform the following steps:

1. In Server Manager, click the Tools menu, and click Active Directory Users And Computers.

2. Click the Users container. In the toolbar, click the Create A New Group In The Current Container button.

3. In the New Object – Group dialog box, shown in Figure 6-37, type the name Research and click OK.

FIGURE 6-37 New security group

4. In the toolbar, click the Create A New Group In The Current Container button.

5. In the New Object – Group dialog box, type the name Development and click OK.

6. Close Active Directory Users And Computers.

7. Click File Explorer in the taskbar and navigate to the root folder of volume C:.

8. Click the New Folder icon in the title bar. Name the folder ResearchShare.

9. Right-click the ResearchShare folder, click Share With, and click Specific People.

10. In the File Sharing dialog box, type the name Contoso\Research and click Add.

11. Click the Read permission next to Research and click Read/Write, as shown in Figure 6-38.

FIGURE 6-38 New security group

12. Click Share, and click Done.

13. Return to the File Explorer window that shows the root folder of volume C:.

14. Click the New Folder icon in the title bar. Name the folder DevelopmentShare.

15. Right-click the DevelopmentShare folder, click Share With, and click Specific People.

16. In the File Sharing dialog box, type the name Contoso\Development and click Add.

17. Click the Read permission next to Development and click Read/Write. Click Share and click Done.

18. From the Tools menu of Server Manager, click Group Policy Management Console.

19. Right-click the Forest: Contoso.com\Domains\contoso.com\Group Policy Objects node and click New.

20. In the New GPO dialog box, type the name GPPTest and click OK.

21. Right-click the GPPTest GPO and click Edit.

22. In the Group Policy Management Editor, expand Computer Configuration\Preferences\Control Panel Settings and click Local Users And Groups.

23. Right-click Local Users And Groups, click New, and click Local User.

24. In the New Local User Properties dialog box, shown in Figure 6-39, configure the following settings and click OK:

Image Action: Create

Image User name: Generic_User

Image Full name: Generic User

Image Password: Pa$$w0rd

Image Confirm Password: Pa$$w0rd

Image User Must Change Password At Next Logon

Image Account Never Expires

FIGURE 6-39 New local user

25. In the Password warning dialog box, click OK.

26. Right-click Local Users And Groups, click New, and click Local Group.

27. In the New Local Group Properties dialog box, configure the following settings, as shown in Figure 6-40, and click OK:

Image Action: Create

Image Group name: Generic_Group

Image Members: Generic_User

FIGURE 6-40 New security group

28. In the Group Policy Management Editor, expand the User Configuration\Preferences\Windows Settings node.

29. Right-click Drive Maps, click New, and click Mapped Drive.

30. In the New Drive Properties dialog box, shown in Figure 6-41, configure the following settings and then click the Common tab.

Image Action: Update

Image Location: \\SYD-DC\ResearchShare

Image Use: R:

FIGURE 6-41 New drive properties

31. In the Common tab, click Item-level Targeting, and then click Targeting.

32. In the Targeting Editor, click New Item and click Security Group. In the Group name, type Contoso\Research, as shown in Figure 6-42, and click OK.

FIGURE 6-42 Targeting Editor

33. Click OK to close the New Drive Properties dialog box.

34. Right-click Drive Maps, click New, and click Mapped Drive.

35. In the New Drive Properties dialog box, configure the following settings and then click the Common tab:

Image Action: Update

Image Location: \\SYD-DC\DevelopmentShare

Image Use: V:

36. On the Common tab, click Item-level targeting, and then click Targeting.

37. In the Targeting Editor, click New Item, and click Security Group. In the Group name, type Contoso\Development and click OK. Click OK to close the New Drive Properties dialog box.

38. Select the User Configuration\Preferences\Control Panel Settings\Power Options node.

39. Right-click the Power Options node, click New, and click Power Plan (At least Windows 7).

40. In the New Power Plan (At Least Windows 7) Properties dialog box, expand the Sleep node and configure the following settings for the Balanced power plan, as shown in Figure 6-43, and then click the Common tab.

Image Sleep After: On Battery (Minutes): 10

Image Sleep After: Plugged In (Minutes): 20

Image Hibernate After: On Battery (Minutes): 20

Image Hibernate After: Plugged In (Minutes): 30

FIGURE 6-43 Power plan

41. On the Common tab, click Item-level Targeting, and click Targeting.

42. In the Targeting Editor, click New Item, and click Time Range.

43. In the Targeting Editor dialog box, set the range to between 6 P.M. and 7 A.M., as shown in Figure 6-44, and click OK.

FIGURE 6-44 Power plan

44. Click OK twice and close the Group Policy Management Editor.
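The groups and the GPO from steps 1 through 21 can be created with the ActiveDirectory and GroupPolicy modules; the preference items themselves (steps 22 through 44) have no cmdlets apart from registry preferences, so those stay in the Group Policy Management Editor. The block below is an added example, not part of the training guide. It assumes the Contoso.com lab domain, that it runs on SYD-DC, and that the editor work has already been done when the second half runs. That second half checks what the editor wrote to SYSVOL, and in particular looks for the password from step 24: a password typed into a Local User preference is stored in the GPO's Groups.xml in SYSVOL, which every domain user can read, in a form Microsoft has documented as recoverable. This is what the Password warning in step 25 is about, and on a server with the May 2014 Group Policy preferences security update installed the Password fields in step 24 are unavailable altogether.

```powershell
# Added example (not from the training guide): scripted parts of Exercise 5 plus
# a check of the preference XML the editor writes. Assumes the Contoso.com lab
# domain and an elevated session on SYD-DC.
Import-Module ActiveDirectory, GroupPolicy

$domainDns = 'contoso.com'
$usersOu   = 'CN=Users,DC=contoso,DC=com'

# Steps 2-5: the Research and Development security groups.
foreach ($groupName in 'Research', 'Development') {
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $usersOu
    }
}

# Steps 8-17: one share per group, Read/Write (Change) for that group only.
foreach ($groupName in 'Research', 'Development') {
    $path = "C:\${groupName}Share"
    New-Item -Path $path -ItemType Directory -Force | Out-Null
    if (-not (Get-SmbShare -Name "${groupName}Share" -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name "${groupName}Share" -Path $path -ChangeAccess "CONTOSO\$groupName" | Out-Null
    }
}

# Steps 19-20: the GPPTest GPO (unlinked, as in the exercise).
$gpo = Get-GPO -Name 'GPPTest' -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name 'GPPTest' -Comment 'Lesson 3 Group Policy preferences lab' }

# After steps 22-44, every preference item lives as XML under the GPO's folder
# in SYSVOL. Listing the files confirms which preference extensions were used.
$gpoFolder = "\\$domainDns\SYSVOL\$domainDns\Policies\{$($gpo.Id)}"
Get-ChildItem -Path $gpoFolder -Recurse -Filter '*.xml' |
    Select-Object -ExpandProperty FullName

# Step 25's warning: a preference password is written to SYSVOL as a cpassword
# attribute, readable by every domain user. Report every preference file in the
# domain that still carries one so the item can be rebuilt without a password.
$sysvolPolicies = "\\$domainDns\SYSVOL\$domainDns\Policies"
$withPassword = Get-ChildItem -Path $sysvolPolicies -Recurse -Filter '*.xml' |
    Select-String -Pattern 'cpassword=' -List |
    Select-Object -ExpandProperty Path

if ($withPassword) {
    Write-Warning "Preference files storing a password in SYSVOL:"
    $withPassword
} else {
    'No preference file in SYSVOL stores a password.'
}
```

Run the last part again after the lab: deleting the GPPTest GPO removes its folder from SYSVOL, and the report should then come back empty. Where a local account really must be created on many computers, creating it without a password through the preference item and setting the password by another channel keeps the credential out of SYSVOL.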

Suggested practice exercises

The following additional practice exercises are designed to give you more opportunities to practice what you’ve learned and to help you successfully master the lessons presented in this chapter.

Image Exercise 1 Configure Folder Redirection for the Favorites, Contacts, Links, Searches, and Saved Games folders. Redirect these folders to the \\SYD-DC\FolderRedirection network shared folder.

Image Exercise 2 Download the Microsoft Office 2013 administrative template from Microsoft’s website. Import this template into the Group Policy store that you created in Exercise 2.

Image Exercise 3 Use Group Policy preferences to automatically delete the contents of the C:\Windows\Temp folder each time a user signs on to a computer.

Answers

This section contains the answers to the lesson review questions in this chapter.

Lesson 1

1. Correct answer: B

A. Incorrect. Startup scripts run when the computer starts. You want to perform this action when the user logs off.

B. Correct. Logoff scripts run when the user logs off. You use a logoff script to ensure that the user’s files were copied to the backup location when the user logged off from the computer.

C. Incorrect. Shutdown scripts run when the computer shuts down. You want to perform this action when the user logs off.

D. Incorrect. Logon scripts run when the user logs on to the computer. You want to perform this action when the user logs off.

2. Correct answer: B

A. Incorrect. You can’t publish packages to computers. You can only publish packages to users.

B. Correct. It installs the package the next time the computer starts.

C. Incorrect. Publishing the package to the user makes the package available in Add And Remove Programs.

D. Incorrect. Assigning the package means the package installs the next time the user logs on.

3. Correct answer: D

A. Incorrect. Startup scripts run when the computer starts. You configure a logon script to accomplish the goal.

B. Incorrect. Logoff scripts run when the user logs off. You configure a logon script to accomplish the goal.

C. Incorrect. Shutdown scripts run when the computer shuts down. You configure a logon script to accomplish the goal.

D. Correct. Logon scripts run when the user logs on to the computer. You configure a logon script to accomplish the goal.

4. Correct answer: B

A. Incorrect. The AppData(Roaming) folder stores application-specific data.

B. Correct. The Desktop folder stores all the items a user places on the desktop.

C. Incorrect. The Documents folder is the default location for a user’s documents.

D. Incorrect. The Favorites folder stores a user’s Internet Explorer favorites.

5. Correct answer: A

A. Correct. Assigning the package means the package installs the next time the user logs on.

B. Incorrect. Publishing the package to the user makes the package available in Add And Remove Programs.

C. Incorrect. It installs the package the next time the computer starts.

D. Incorrect. You can’t publish packages to computers. You can only publish packages to users.

6. Correct answer: A

A. Correct. The Favorites folder stores a user’s Internet Explorer favorites.

B. Incorrect. The Documents folder is the default location for a user’s documents.

C. Incorrect. The Desktop folder stores all the items a user places on the desktop.

D. Incorrect. The AppData(Roaming) folder stores application-specific data.

7. Correct answers: A and C

A. Correct. You should configure a GPO and apply it to the OU that hosts the computers.

B. Incorrect. You should not apply this policy at the domain level. You should configure a GPO and apply it to the OU that hosts the computers.

C. Correct. You must configure a startup script.

D. Incorrect. You must configure a startup script.

8. Correct answer: A

A. Correct. Publishing the package to the user makes the package available in Add And Remove Programs.

B. Incorrect. Assigning the package means the package installs the next time the user logs on.

C. Incorrect. You can’t publish packages to computers. You can only publish packages to users.

D. Incorrect. It installs the package the next time the computer starts.

Lesson 2

1. Correct answer: A

A. Correct. If you were the administrator at contoso.com, you would copy the C:\Windows\PolicyDefinitions folder and its contents to \\Contoso.com\Sysvol\Contoso.com\Policies to create the Group Policy store.

B. Incorrect. If you were the administrator at contoso.com, you would copy the C:\Windows\PolicyDefinitions folder and its contents to \\Contoso.com\Sysvol\Contoso.com\Policies to create the Group Policy store.

C. Incorrect. If you were the administrator at contoso.com, you would copy the C:\Windows\PolicyDefinitions folder and its contents to \\Contoso.com\Sysvol\Contoso.com\Policies to create the Group Policy store.

D. Incorrect. If you were the administrator at contoso.com, you would copy the C:\Windows\PolicyDefinitions folder and its contents to \\Contoso.com\Sysvol\Contoso.com\Policies to create the Group Policy store.

2. Correct answers: A and D

A. Correct. The .admx file needs to go in the PolicyDefinitions folder. The .adml file needs to go in the associated regional folder, which for North America is en-US.

B. Incorrect. The .admx file needs to go in the PolicyDefinitions folder. The .adml file needs to go in the associated regional folder, which for North America is en-US.

C. Incorrect. The .admx file needs to go in the PolicyDefinitions folder. The .adml file needs to go in the associated regional folder, which for North America is en-US.

D. Correct. The .admx file needs to go in the PolicyDefinitions folder. The .adml file needs to go in the associated regional folder, which for North America is en-US.

Lesson 3

1. Correct answer: B

A. Incorrect. The Security Group item-level targeting option enables you to have Group Policy preferences apply only if the computer or user is found to be a member of a specific security group.

B. Correct. The Time Range item-level targeting option enables you to have a Group Policy preference apply only if the time is currently in the specified range.

C. Incorrect. The Operating System item-level targeting option enables you to have Group Policy preferences apply only if the operating system matches one of the operating systems specified.

D. Incorrect. The Disk Space item-level targeting option enables you to have Group Policy preferences apply only if a certain amount of free disk space exists.

2. Correct answer: D

A. Incorrect. You can use the Folder Options Group Policy preference to create or delete folders, or to delete the contents of folders.

B. Incorrect. You can use the Devices Group Policy preference to enable or block specific devices.

C. Incorrect. You can use the Internet Settings Group Policy preference to configure dial-up and VPN settings.

D. Correct. You can use the Local Users And Groups option to add and remove local users, or modify the membership of local groups.

3. Correct answer: D

A. Incorrect. The Disk Space item-level targeting option enables you to have Group Policy preferences apply only if a certain amount of free disk space exists.

B. Incorrect. The Operating System item-level targeting option enables you to have Group Policy preferences apply only if the operating system matches one of the operating systems specified.

C. Incorrect. The Time Range item-level targeting option enables you to have a Group Policy preference apply only if the time is currently in the specified range.

D. Correct. The Security Group item-level targeting option enables you to have Group Policy preferences apply only if the computer or user is found to be a member of a specific security group. In this case, you would add the computers used by executives to a security group.

4. Correct answer: B

A. Incorrect. You can use the Local Users And Groups option to add and remove local users, or modify the membership of local groups.

B. Correct. You can use the Folder Options Group Policy preference to create or delete folders, or to delete the contents of folders.

C. Incorrect. You can use the Devices Group Policy preference to enable or block specific devices.

D. Incorrect. You can use the Internet Settings Group Policy preference to configure dial-up and VPN settings.

5. Correct answer: B

A. Incorrect. The Time Range item-level targeting option enables you to have a Group Policy preference apply only if the time is currently in the specified range.

B. Correct. The Operating System item-level targeting option enables you to have Group Policy preferences apply only if the operating system matches one of the operating systems specified.

C. Incorrect. The Security Group item-level targeting option enables you to have Group Policy preferences apply only if the computer or user is found to be a member of a specific security group.

D. Incorrect. The Disk Space item-level targeting option enables you to have Group Policy preferences apply only if a certain amount of free disk space exists.

6. Correct answer: B

A. Incorrect. You can use the Internet Settings Group Policy preference to configure dial-up and VPN settings.

B. Correct. You can use the Devices Group Policy preference to enable or block specific devices.

C. Incorrect. You can use the Folder Options Group Policy preference to create or delete folders, or to delete the contents of folders.

D. Incorrect. You can use the Local Users And Groups option to add and remove local users, or modify the membership of local groups.

7. Correct answer: D

A. Incorrect. The Security Group item-level targeting option enables you to have Group Policy preferences apply only if the computer or user is found to be a member of a specific security group.

B. Incorrect. The Time Range item-level targeting option enables you to have a Group Policy preference apply only if the time is currently in the specified range.

C. Incorrect. The Operating System item-level targeting option enables you to have Group Policy preferences apply only if the operating system matches one of the operating systems specified.

D. Correct. The Disk Space item-level targeting option enables you to have Group Policy preferences apply only if a certain amount of free disk space exists.

8. Correct answer: D

A. Incorrect. You can use the Local Users And Groups option to add and remove local users, or modify the membership of local groups.

B. Incorrect. You can use the Folder Options Group Policy preference to create or delete folders, or to delete the contents of folders.

C. Incorrect. You can use the Devices Group Policy preference to enable or block specific devices.

D. Correct. You can use the Internet Settings Group Policy preference to configure dial-up and VPN settings.