Implementing Group Policy - Training Guide Installing and Configuring Windows Server 2012 R2 (2014)


Chapter 10. Implementing Group Policy

Group Policy has been the primary method for managing the configuration of Microsoft Windows client and server systems since Windows 2000. Most administrators are familiar with the basics of Group Policy, but implementing this technology effectively in a large enterprise environment requires proper planning.

Windows Server 2012 and Windows Server 2012 R2 introduce a number of improvements in how Group Policy is processed and how it can be managed. For example, you can now perform a remote refresh of Group Policy on targeted computers without logging on to the computers to run the Gpupdate.exe command. Hundreds of new policies have been added for managing different features of the Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 operating systems, and you can deploy and enforce these settings to target computers by configuring Group Policy Objects (GPOs) in the usual way. New Starter GPOs simplify the tasks of enabling the remote Group Policy refresh capability and collecting Resultant Set of Policy (RSoP) information from computers targeted by Group Policy. And the NetSecurity module for Windows Firewall with Advanced Security introduced in Windows Server 2012 enables you to configure firewall profiles and rules in GPOs. In this chapter, you learn about these new Group Policy capabilities and how to plan, configure, and manage Group Policy using standard tools, including Windows PowerShell.

Lessons in this chapter:

• Lesson 1: Planning, configuring, and managing Group Policy

• Lesson 2: Managing Group Policy using Windows PowerShell

• Lesson 3: Implementing Group Policy preferences

Before you begin

To complete the practice exercises in this chapter

• You need to know how to perform a clean install of Windows Server 2012 R2 and perform initial configuration tasks like configuring the server’s TCP/IP settings for Internet connectivity.

• You need to know how to promote a server running Windows Server 2012 R2 as a domain controller.

• You also should have at least rudimentary knowledge of using Windows PowerShell.

Lesson 1: Planning, implementing, and managing Group Policy

Before you deploy Group Policy in an enterprise environment, you need to design and prepare the infrastructure. This lesson provides guidance in the areas of planning and implementing Group Policy in an Active Directory environment based on Windows Server 2012 or Windows Server 2012 R2.


After this lesson, you will be able to:

• Take Group Policy into consideration when designing a hierarchy of organizational units (OUs) in Active Directory.

• Configure a central store for Group Policy administrative template files used in a domain.

• Create new Starter GPOs and use them to create GPOs for a production environment.

• Perform a remote refresh of Group Policy on computers in an OU.

• Understand and configure security settings you can configure using Group Policy.

Estimated lesson time: 30 minutes


Planning for Group Policy

Planning for an implementation of Group Policy in an enterprise environment involves a number of different tasks and considerations, including the following:

• Understanding policies versus preferences

• Designing an OU structure that supports Group Policy

• Configuring a central store for policy definition files

• Creating and using Starter GPOs

• Understanding how to remotely refresh Group Policy


More Info: Deployment guide

The sections in this lesson cover only a few of the many issues associated with planning for Group Policy deployment. For additional information, see “Group Policy Planning and Deployment Guide” at http://technet.microsoft.com/en-us/library/cc754948(WS.10).aspx.


Understanding policies vs. preferences

Before you implement Group Policy in your Active Directory environment, you need to understand the difference between policies and preferences. Group Policy allows administrators to deploy two types of settings:

• Managed settings. These are configuration settings that the organization considers mandatory and that must be strictly enforced. Managed settings are pushed out to targeted user accounts or computers, and they are periodically refreshed to ensure they remain enforced.

An example of a managed setting might be a corporate-branded desktop background that the company requires on all employees’ computers.

A standard user (a user without administrative rights) cannot modify a managed setting. Although users who are local administrators on their computers might be able to temporarily change a managed setting, the setting will be reapplied the next time the user logs on, the next time the computer restarts, or during a periodic background refresh of Group Policy.

• Unmanaged settings. These are configuration settings that the organization does not consider mandatory but might consider recommended or advisable. Unmanaged settings are pushed out to targeted user accounts or computers, but unlike managed settings, which are always enforced, unmanaged settings can be modified by users if they want to do so.

An example of an unmanaged setting is a mapped drive. Because this setting is unmanaged, a user (even a standard user) can delete the mapped drive. The mapped drive might reappear when the user next logs on, depending upon how the administrator has configured the unmanaged setting.


In Group Policy, managed settings are called policies and unmanaged settings are called preferences. Figure 10-1 shows that a Group Policy Object (GPO) has several types of policies and preferences, some of them per-machine and the others per-user.


FIGURE 10-1 A Group Policy Object has both managed and unmanaged settings (policies and preferences).

Some of the other differences between policies and preferences include the following:

• A policy disables its associated user interface item on the user’s computer; a preference does not.

• A policy is removed when the GPO goes out of scope—that is, when the user or computer is no longer targeted by the GPO. A preference, however, remains configured for the targeted user or computer even when the GPO goes out of scope. Another way of saying this is that preferences tattoo the registry on the client computer but policies do not tattoo the registry on the client computer.

• When a policy is applied, the original registry settings on the client computer are not changed. Instead, the policy is stored in a special policy-aware section of the registry on the client. If the policy is later removed, the client’s original registry settings are restored. Another way of saying this is that a policy supersedes the corresponding configuration setting in the user interface on the client. With preferences, however, the original registry settings on the client are overwritten and removing the preference does not restore the original setting. In other words, a preference actually modifies the corresponding configuration setting in the user interface on the client. Because of this difference, policies can be effective only for features of Windows operating systems and applications that are Group Policy–aware, but preferences can be effective for any features of Windows operating systems and applications as long as the appropriate preference extension is loaded.

• Policies can be configured in both domain and local GPOs; preferences can be configured only in domain GPOs.

• A preference can be applied only once if desired; policies are always periodically refreshed.

Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 include hundreds of new policies you can use to manage the new features of these platforms. Some of the new types of policies introduced in these platforms include policy settings for managing features such as the following:

• Apps (for example, to configure how apps are displayed and searched for from the Start screen)

• Automatic sign-in (for example, to control whether a device will automatically sign in the last interactive user after Windows Update restarts the system)

• BitLocker Volume Encryption

• BranchCache (for example, to configure peer-to-peer caching)

• Credential provider (for example, to configure Picture Password sign-in)

• Desktop personalization (for example, to configure Lock screen and Start screen background)

• Device driver setup and compatibility settings

• DNS Client settings (for example, to configure smart protocol reordering and response preferences)

• External boot options for Windows To Go

• File History settings

• Hotspot authentication

• Internet Explorer 10 and Internet Explorer 11 customization (includes over 150 new settings)

• Kerberos armoring

• Logon scripts (for example, to configure how long the Group Policy client waits after logon before running scripts)

• Managing enterprise installation of Windows 8 apps

• Microsoft accounts (for example, to control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in)

• Multimonitor display (for example, to allow the Start screen to appear on the display the user is using when he or she presses the Windows key)

• Folder Redirection (for example, to configure redirection only on a user’s primary computer)

• Remote Desktop Services (for example, to configure RDP 8.0 and RemoteFX)

• Windows Explorer user-interface settings

• Printing (for example, to configure the v4 simplified print-provider architecture)

• Start-screen customization (for example, to configure whether to show Run As Different User on the Start screen)

• Sync Your Settings (for example, to sync to OneDrive)

• TCP/IP (for example, to configure Internet Protocol version 6 [IPv6] stateless autoconfiguration)

• The Trusted Platform Module (TPM) (for example, to configure a backup of TPM to Active Directory)

• User interface customization (for example, to turn off switching between recent apps)

• User profile roaming (for example, to allow roaming only on a user’s primary computer)

• VSS Provider Shadow Copies (for the File Server role service)

• Windows OneDrive (for example, to configure the behavior of Windows OneDrive for users)

• Windows PowerShell execution policy

• Windows Runtime apps (for example, to allow an application to revoke access to all content on the device that is protected by a particular enterprise)

• Windows Store (to turn it on or off)

• Windows Update (for example, to configure the behavior of Windows Update in your environment)

• Wireless WAN (for example, to configure cost policies for 3G/4G networks)

• Work Folders

See the sidebar titled “New policy settings” for examples of some helpful new Group Policy settings introduced in Windows Server 2012 R2.


New policy settings

Windows Server 2012 R2 introduces a number of new Group Policy settings applicable only to computers running Windows Server 2012 R2, Windows 8.1, or Windows RT 8.1. Three policy settings that might be of interest to many administrators are described in this sidebar.

Do not connect to any Windows Update Internet locations

This policy setting is located at

Computer Configuration\Windows Components\Windows Update

Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update and to other services such as Microsoft Update or the Windows Store. Enabling this policy disables that functionality and may cause connections to public services such as the Windows Store to stop working.

Note that this policy applies only when the PC is configured to connect to an intranet update service using the Specify Intranet Microsoft Update Service Location policy.

Configure Logon Script Delay

This policy setting allows you to configure how long the Group Policy client waits after logon before running scripts. It is located at

Computer Configuration\System\Group Policy

By default, the Group Policy client waits five minutes before running logon scripts. This helps create a responsive desktop environment by preventing disk contention.

If you enable this policy setting, Group Policy will wait for the specified amount of time before running logon scripts.

If you disable this policy setting, Group Policy will run scripts immediately after logon.

If you do not configure this policy setting, Group Policy will wait five minutes before running logon scripts.

Enter 0 to disable Logon Script Delay.

Sign-in last interactive user automatically after a system-initiated restart

This policy setting controls whether a device will automatically sign in the last interactive user after Windows Update restarts the system. It is located at

Computer Configuration\Windows Components\Windows Logon Options

If you enable or do not configure this policy setting, the device securely saves the user’s credentials (including the user name, domain, and encrypted password) to configure automatic sign-in after a Windows Update restart. After the Windows Update restart, the user is automatically signed in and the session is automatically locked with all the lock screen apps configured for that user.

If you disable this policy setting, the device does not store the user’s credentials for automatic sign-in after a Windows Update restart. The user’s lock screen apps are not restarted after the system restarts.



More Info: Group Policy settings reference

For more information about new and existing policies in Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2, download the appropriate Microsoft Excel workbook from “Group Policy Settings Reference For Windows And Windows Server” at http://www.microsoft.com/en-us/download/details.aspx?id=25250.


Group Policy and Active Directory design

Group Policy delivers and enforces policies to targeted objects such as users and computers by creating GPOs and linking them to Active Directory domains, OUs, or sites that contain these objects. The way you design your Active Directory structure can thus have a significant impact on your ability to deploy, manage, and maintain your Group Policy infrastructure.

Most of your Group Policy planning efforts should involve designing the hierarchy of OUs for each of the domains in your forest. You should consider the following issues when designing such an OU structure:

• Manageability. Your implementation of Group Policy should be as easy to administer as possible.

• Delegation. You might want to delegate administrative control for specific OUs to specific users or groups in your IT department.

• Inheritance. When a GPO is linked to a domain, the GPO applies to the users and computers in every OU and child OU in the domain. And when a GPO is linked to an OU, the GPO applies to the users and computers in every child OU of that OU.

• Precedence. When multiple GPOs that apply to a user or computer have the same policy configured, the order in which GPOs are applied determines their precedence. By default, GPOs are applied in the following order of precedence:

1. GPOs linked to the site where the user or computer resides

2. GPOs linked to the domain where the user or computer resides

3. GPOs linked to the OU where the user or computer resides

4. GPOs linked to the child OU where the user or computer resides

Also, when multiple GPOs are linked to a specific site, domain, or OU, the link order can be modified. Inheritance also can be enforced or blocked on a per-link basis, and GPOs can be selectively targeted to users in specific security groups or computers of specific types by using security filtering or Windows Management Instrumentation (WMI) filtering.
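The processing order just described (domain, then each OU down to the one containing the computer; later-applied links win, enforced links win over blocked inheritance) can be reconstructed from the Group Policy cmdlets. The following script is an added example and is not from the Training Guide; it uses the GroupPolicy RSAT module's Get-GPInheritance, which reports domain and OU links only (site links are not included). The OU distinguished name is an assumption modelled on the Figure 10-2 structure.

```powershell
# Added example (not from the Training Guide). Resolves the order in which a client
# in the given OU applies GPO links: the last entry has the highest precedence.
# Rules implemented: containers are processed domain first, then each OU level down;
# within a container, link order 1 is applied last; Block Inheritance drops the
# non-enforced links accumulated from above; Enforced links are applied after all
# others, with the link closest to the domain root applied last (so it wins).
Import-Module GroupPolicy

function Get-ContainerChain {
    # 'OU=Desktops,OU=Computers,OU=HQ,DC=corp,DC=fabrikam,DC=com' becomes the domain DN
    # followed by each OU level from the top-level OU down to the target OU.
    param([Parameter(Mandatory)][string] $TargetDn)
    $parts    = $TargetDn -split ',(?=OU=|DC=)'
    $ouParts  = @($parts | Where-Object { $_ -like 'OU=*' })
    $domainDn = ($parts | Where-Object { $_ -like 'DC=*' }) -join ','
    $chain    = @($domainDn)
    for ($i = $ouParts.Count - 1; $i -ge 0; $i--) {
        $chain += (($ouParts[$i..($ouParts.Count - 1)] -join ',') + ',' + $domainDn)
    }
    return $chain
}

function Resolve-GPProcessingOrder {
    # $Containers: Get-GPInheritance results in top-down order (Path, GpoInheritanceBlocked, GpoLinks).
    param([Parameter(Mandatory)][object[]] $Containers)
    $normal   = @()
    $enforced = @()
    foreach ($c in $Containers) {
        if ($c.GpoInheritanceBlocked) { $normal = @() }   # Block Inheritance: inherited non-enforced links are dropped
        # Within one container, link order 1 has the highest precedence, so apply it last.
        $links = @($c.GpoLinks | Where-Object { $_.Enabled } | Sort-Object Order -Descending)
        $blockEnforced = @()
        foreach ($l in $links) {
            $entry = [pscustomobject]@{
                Container = $c.Path; GPO = $l.DisplayName; LinkOrder = $l.Order; Enforced = [bool]$l.Enforced
            }
            if ($l.Enforced) { $blockEnforced += $entry } else { $normal += $entry }
        }
        # Enforced links from deeper containers are applied before those from higher containers.
        $enforced = $blockEnforced + $enforced
    }
    return $normal + $enforced
}

function Get-GPProcessingOrder {
    param([Parameter(Mandatory)][string] $TargetDn)
    $containers = Get-ContainerChain -TargetDn $TargetDn | ForEach-Object { Get-GPInheritance -Target $_ }
    Resolve-GPProcessingOrder -Containers @($containers)
}

# Usage (assumed OU path): the last row listed is the GPO that wins any conflict.
Get-GPProcessingOrder -TargetDn 'OU=Desktops,OU=Computers,OU=HQ,DC=corp,DC=fabrikam,DC=com' | Format-Table -AutoSize
```

Resolve-GPProcessingOrder is kept separate from the directory query so the precedence rules can be checked against hand-built link lists before running it against a production domain; security and WMI filtering, which the text mentions next, are applied per computer or user and are not reflected in this container-level view.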

Meeting all of the preceding requirements can be challenging for organizations that have multiple branch offices, special categories of users or devices, or a complex organizational chart. A good place to start when designing an OU structure that supports Group Policy is to do something similar to what is shown in Figure 10-2. The basic elements of this OU structure are as follows:

• Each geographical location, including the head office and any branch offices, is represented by a first-level OU in the domain.

• Second-level OUs are created beneath the head office OU to represent different kinds of users (administrators, ordinary users) and systems (client computers, servers).

• The second-level Computers OU contains two child OUs representing desktop and laptop computers. The Servers OU also contains child OUs for each type of server in the environment.


FIGURE 10-2 This is an example of an OU structure designed for Group Policy.

If different departments in your organization have different requirements, you could modify the OU structure shown in Figure 10-2 by including a new level of departmental OUs (Sales, HR, and so on) in between the first-level and second-level OUs described.

From the perspective of implementing and managing Group Policy, the advantages of the preceding approach to OU design include the following:

• The OU structure is easy to understand and visualize, and your GPO infrastructure will match this simple hierarchy. Keeping things simple is a key to having a manageable environment.

• Delegation of administration is easy to implement. For example, if you delegate the authority to perform Group Policy modeling analyses of objects in the Computers OU by assigning the appropriate permissions to the Support group, the group will automatically be able to perform the same task for objects in the Desktops and Laptops OUs, which are child OUs of the Computers OU.

• GPOs linked to deeply nested OUs can have fewer policies to configure than their parent OUs. For example, the GPO linked to the Computers OU could enforce the policies that apply to all types of computers, including both desktops and laptops. The GPOs linked to the child OUs (Desktops, Laptops) would then only have the few policies configured that apply to those specific types of systems. Group Policy inheritance will then ensure that the settings in the GPO linked to the Computers OU will be processed by computers in both the Desktops and Laptops OUs.

Configuring a central store

Prior to Windows Vista and Windows Server 2008, all of the default administrative template files (.adm files) were added to the ADM folder of each GPO on a domain controller. Because GPOs are stored in the SYSVOL folder on domain controllers and each GPO typically occupies about 2 MB of disk space, the more GPOs there were in the environment, the greater the size of the SYSVOL folder was. This condition was sometimes referred to as “SYSVOL bloat.” Furthermore, because the contents of the SYSVOL folder are automatically replicated to all domain controllers in the domain, this problem was multiplied considerably.

Beginning with Windows Vista and Windows Server 2008, however, this situation has changed in two ways:

• A new XML-based format for administrative template files called ADMX has replaced the earlier ADM format used for defining registry-based policies in GPOs. An associated format called ADML supports the multilingual display of policies.

• All of the policy definition files (.admx and .adml files) for a domain can be stored in a central store in SYSVOL. This means only one copy of each ADMX template needs to be stored in SYSVOL (instead of a copy of each ADM template for every GPO in the domain).

You can create a central store for a domain by performing the following procedure:

1. Create a folder named PolicyDefinitions in the following UNC path on a domain controller in the domain:

\\domain_name\SYSVOL\domain_name\policies

For example, for the corp.fabrikam.com domain, you would create the following folder:

\\corp.fabrikam.com\SYSVOL\corp.fabrikam.com\policies\PolicyDefinitions

2. Copy all of the files from the %systemroot%\PolicyDefinitions folder on a Windows 8–based administrative workstation to the PolicyDefinitions folder on a domain controller. Alternatively, you can download the “Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2” at http://www.microsoft.com/en-us/download/details.aspx?id=41193 and copy them to the PolicyDefinitions folder on a domain controller.

3. Wait for SYSVOL to replicate the changes to all domain controllers in the domain.
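The three steps above can be scripted so that the central store is created the same way in every domain and its replication can be checked rather than waited for blindly. The following script is an added example, not part of the Training Guide; it runs in an elevated Windows PowerShell session on a Windows 8.1 or Windows Server 2012 R2 administrative workstation with the RSAT modules installed, and the domain name is an assumption.

```powershell
# Added example (not from the Training Guide): create and seed the Group Policy
# central store, then confirm that every domain controller has received it.
function New-GPCentralStore {
    param(
        [Parameter(Mandatory)][string] $DomainName,                              # e.g. 'corp.fabrikam.com' (assumed)
        [string] $SourcePath = (Join-Path $env:SystemRoot 'PolicyDefinitions')   # local ADMX set, or the extracted download
    )
    # Step 1: the PolicyDefinitions folder under the domain's Policies folder in SYSVOL.
    $store = "\\$DomainName\SYSVOL\$DomainName\Policies\PolicyDefinitions"
    if (-not (Test-Path $SourcePath)) { throw "Source folder not found: $SourcePath" }
    if (-not (Test-Path $store)) { New-Item -Path $store -ItemType Directory | Out-Null }

    # Step 2: copy the .admx files and each language subfolder (en-US and so on) with its .adml files.
    # -Force overwrites older copies, so the same call refreshes the store after a template update.
    Copy-Item -Path (Join-Path $SourcePath '*') -Destination $store -Recurse -Force

    # An .admx file without a matching .adml for the console language shows up as an error in
    # the editor, so report both counts for a quick sanity check.
    [pscustomobject]@{
        Store     = $store
        AdmxFiles = @(Get-ChildItem -Path $store -Filter *.admx -File).Count
        AdmlFiles = @(Get-ChildItem -Path $store -Recurse -Filter *.adml -File).Count
    }
}

function Test-GPCentralStoreReplication {
    # Step 3: instead of just waiting, check each domain controller's own SYSVOL copy.
    param([Parameter(Mandatory)][string] $DomainName)
    Import-Module ActiveDirectory
    foreach ($dc in Get-ADDomainController -Filter * -Server $DomainName) {
        $path = "\\$($dc.HostName)\SYSVOL\$DomainName\Policies\PolicyDefinitions"
        [pscustomobject]@{
            DomainController = $dc.HostName
            StorePresent     = Test-Path $path
            AdmxFiles        = @(Get-ChildItem -Path $path -Filter *.admx -File -ErrorAction SilentlyContinue).Count
        }
    }
}

# Usage (assumed domain name):
New-GPCentralStore -DomainName 'corp.fabrikam.com'
Test-GPCentralStoreReplication -DomainName 'corp.fabrikam.com' | Format-Table -AutoSize
```

Run Test-GPCentralStoreReplication again until every domain controller reports the same .admx count; until then, editors connected to a lagging domain controller will still fall back to their local template files.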

Using Starter GPOs

Starter GPOs are basically templates you can use for quickly creating preconfigured GPOs. By creating and configuring a suitable collection of Starter GPOs, you can significantly accelerate the process of implementing Group Policy within a large, distributed environment.

Starter GPOs can be created, edited, imported, exported, backed up, and restored. They can contain only Administrative Template policies, not preferences or other settings such as security settings.

Before you can use Starter GPOs, you must create the Starter GPOs folder for the domain. You can do this by performing the following steps:

1. Select the Starter GPOs node under a domain node in the Group Policy Management Console (GPMC).

2. Click the Create Starter GPOs Folder button in the details pane.

When you perform the preceding steps, a folder named StarterGPOs is created in the SYSVOL share of the domain controllers in the domain. This folder is initially populated with a collection of read-only System Starter GPOs that provide baseline settings for Enterprise Client (EC) and Specialized Security Limited Functionality (SSLF) environments running older versions of Windows client operating systems.


Note: Getting updated security baselines

For the latest security baselines for Microsoft products, including Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2, download the “Microsoft Security Compliance Manager” at http://www.microsoft.com/en-us/download/details.aspx?id=16776.


To create a new Starter GPO, perform the following steps:

1. Right-click the Starter GPOs node and select New.

2. Type a descriptive name for your Starter GPO and add an optional comment if desired.

After you have created a new Starter GPO, you need to configure it by following these steps:

1. Right-click the Starter GPO and select Edit to open the Group Policy Starter GPO Editor.

2. Configure the Administrative Template policies as desired.

After you have configured a Starter GPO, you can use it to create new GPOs for the domain. To do this, follow this procedure:

1. Right-click the Starter GPO and select New GPO From Starter GPO.

2. Type a descriptive name for your new GPO.

The new GPO will be created unlinked to any container in Active Directory. By expanding the Group Policy Objects node and selecting the new GPO, you can use the Settings tab to verify that the central store is functioning properly. (See Figure 10-3.) You can link the new GPO to an OU by dragging it onto the node representing the OU.


FIGURE 10-3 The HQ-Desktops GPO has been created.


Note: Verifying the central store

You can also verify that the central store is functioning properly by using Group Policy Management Editor to open any GPO linked in your domain. If you expand the Policies node beneath either Computer Configuration or User Configuration and you see that the Administrative Templates node has been renamed as Administrative Templates: Policy Definitions (ADMX Files) Retrieved From The Central Store, you know that you have properly configured your central store.
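The same sequence (create a Starter GPO, derive a production GPO from it, link the GPO to an OU, and review its settings) can be run from the GroupPolicy module. The script below is an added example and not part of the Training Guide; the Starter GPO still has to be populated with Administrative Template settings in the Group Policy Starter GPO Editor before it is useful as a template, and the names, OU distinguished name, and report path are assumptions.

```powershell
# Added example (not from the Training Guide): Starter GPO -> new GPO -> OU link -> settings report.
Import-Module GroupPolicy

function New-GPOFromStarter {
    param(
        [Parameter(Mandatory)][string] $StarterName,   # e.g. 'HQ-Desktops-Baseline' (assumed)
        [Parameter(Mandatory)][string] $GpoName,       # e.g. 'HQ-Desktops' (assumed)
        [Parameter(Mandatory)][string] $TargetOu,      # distinguished name of the OU to link to
        [string] $ReportPath = (Join-Path $env:TEMP "$GpoName.html")
    )
    # Reuse an existing Starter GPO of that name, otherwise create an empty one to edit later.
    $starter = Get-GPStarterGPO -Name $StarterName -ErrorAction SilentlyContinue
    if (-not $starter) {
        $starter = New-GPStarterGPO -Name $StarterName -Comment 'Administrative Template baseline created by script'
    }

    # New-GPO copies the Starter GPO's Administrative Template settings into a new, unlinked GPO.
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $GpoName -StarterGpoName $starter.DisplayName
    }

    # Link it to the OU if it is not linked there already. The link is created disabled so the
    # link order can be reviewed before the settings start to apply.
    $existing = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }
    if (-not $existing) {
        New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled No | Out-Null
    }

    # The HTML report carries the same information as the Settings tab in the GPMC.
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $ReportPath

    [pscustomobject]@{
        StarterGpo = $starter.DisplayName
        Gpo        = $gpo.DisplayName
        GpoId      = $gpo.Id
        LinkedTo   = $TargetOu
        Report     = $ReportPath
    }
}

# Usage (assumed names and OU). Get-GPStarterGPO -All lists the System Starter GPOs as well.
New-GPOFromStarter -StarterName 'HQ-Desktops-Baseline' -GpoName 'HQ-Desktops' `
                   -TargetOu 'OU=Desktops,OU=Computers,OU=HQ,DC=corp,DC=fabrikam,DC=com'
```

Enable the link with Set-GPLink -Guid <id> -Target <OU DN> -LinkEnabled Yes once the report has been reviewed; leaving new links disabled until then keeps a half-configured GPO from being processed by the OU's computers.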


Group Policy caching

Group Policy caching (or policy caching) is a new feature of Group Policy introduced in Windows Server 2012 R2. Policy caching can significantly reduce the amount of time it takes to process Group Policy on a client. Policy caching is only supported for Windows Server 2012 R2, Windows 8, and Windows 8.1, so if your Active Directory environment is still based on Windows Server 2012, then you won’t be able to implement this feature.

Policy caching works by having the client download the policy from a domain controller and save a copy of the policy to a local store on the client. Then, when the next Group Policy processing occurs, the client can apply the policy cached in the local store instead of having to download the policy again from the network.

By speeding up Group Policy processing, policy caching can shorten boot times for clients. This can be especially helpful in scenarios in which the network connection experiences latency or the client is connecting from off-premises over the Internet—for example, in a DirectAccess scenario. Note that policy caching only works when Group Policy is running in synchronous mode.

Policy caching is disabled by default in Windows Server 2012 R2. To enable and configure policy caching, configure the policy setting named Enable Group Policy Caching For Servers, which can be found under

Computer Configuration\Policies\Administrative Templates\System\Group Policy

Refreshing Group Policy

In previous versions of Windows, if you wanted to force a refresh of Group Policy for a computer you had to run the Gpupdate.exe command locally on the computer targeted by the GPO. This made it difficult for administrators to ensure that any new Group Policy settings they configured were applied immediately to the computers targeted by the GPO.

Beginning with Windows Server 2012, however, you can remotely force a refresh of Group Policy. This remote refresh capability allows you to update Group Policy for all computers within an OU with GPOs linked to it. To do this, follow these steps:

1. Right-click the desired OU in the GPMC and select Group Policy Update.

2. Read the confirmation prompt and click Yes if you want Group Policy to be refreshed for computers targeted by the GPOs linked to the OU.

When the progress bar on the Remote Group Policy update Results dialog box indicates Completed, Group Policy update will be forced for all computers in the OU and also for computers in any OUs beneath the OU.


Note: Remote refresh and Windows PowerShell

You can also use Windows PowerShell to perform a remote refresh of Group Policy. This is described in Lesson 2 of this chapter.



Note: Remote refresh for users and computers

When you perform a remote refresh of Group Policy, both user and computer policies will be refreshed on the targeted computers.
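For an OU with many computers, the remote refresh is easier to audit from a script that records which computers accepted the request and which did not. The script below is an added example and not from the Training Guide; it uses Get-ADComputer to enumerate the OU and its child OUs (the default subtree search) and Invoke-GPUpdate, which is covered in Lesson 2, to schedule the refresh. Both user and computer policy are refreshed, as the note above states. The OU distinguished name is an assumption.

```powershell
# Added example (not from the Training Guide): remote Group Policy refresh for every
# computer in an OU and its child OUs, with a per-computer result for review.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Invoke-GPUpdateForOU {
    param(
        [Parameter(Mandatory)][string] $OuDistinguishedName,
        [int] $RandomDelayInMinutes = 10   # spreads the refresh over up to 10 minutes; 0 refreshes immediately
    )
    $results = foreach ($computer in Get-ADComputer -Filter * -SearchBase $OuDistinguishedName) {
        try {
            # -Force reapplies all settings, not only those that changed since the last refresh.
            Invoke-GPUpdate -Computer $computer.DNSHostName -Force `
                            -RandomDelayInMinutes $RandomDelayInMinutes -ErrorAction Stop
            $status = 'Scheduled'
        } catch {
            # Typical causes: the computer is offline, or the inbound firewall rules that the
            # remote refresh relies on (remote scheduled tasks and WMI) are not enabled on it.
            $status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Computer = $computer.DNSHostName; Status = $status }
    }
    return $results
}

# Usage (assumed OU): the failures are the computers to follow up on.
Invoke-GPUpdateForOU -OuDistinguishedName 'OU=Computers,OU=HQ,DC=corp,DC=fabrikam,DC=com' |
    Format-Table -AutoSize
```

A status of Scheduled means the refresh task was created on the remote computer, not that it has completed; use Get-GPResultantSetOfPolicy against a sample computer afterwards if you need to confirm that the new settings were actually applied.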


Configuring security settings

As Figure 10-4 shows, Group Policy for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 includes numerous types of security settings. Most of these policies are per-machine settings found under Computer Configuration\Policies\Windows Settings\Security Settings in the Group Policy Management Editor, but two types of policies are found under User Configuration\Policies\Windows Settings\Security Settings as the figure shows.


FIGURE 10-4 Group Policy includes numerous types of security settings for computers (above) and users (below).

The following sections briefly discuss some of these categories of security settings, including these:

• User Rights Assignment

• Security Options

• User Account Control

• Audit Policy

• Advanced Audit Policy Configuration

• AppLocker

• Software Restriction Policies

• Windows Firewall with Advanced Security

User Rights Assignment

User Rights Assignment settings are found under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment, and you can use them to control the user rights assigned to users or security groups for computers targeted by the GPO. You can use these policies to specify users and security groups who should have rights to perform different kinds of tasks affecting the security of your Windows clients and servers. For example, you can control who can

• Access computers from the network.

• Log on locally.

• Shut down the system.

You can also specify who should have rights to perform critical administrative tasks, such as backing up and restoring files and directories, taking ownership of files and objects, and forcing the shutdown from a remote computer.

User Rights Assignment settings are unchanged from those in Windows 7 and Windows Server 2008 R2.

Security Options

Security Options settings are found under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options, and you can use them to control a wide variety of security options for computers targeted by the GPO. For example, you can

• Force users to log off when their logon hours expire.

• Disable Ctrl+Alt+Del for logon to force smartcard logon.

• Force computers to halt when auditing cannot be performed on them.

Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 include four new policies in this category:

• Accounts: Block Microsoft accounts. This policy prevents users from adding new Microsoft accounts on this computer.

• Interactive logon: Machine account threshold. The computer lockout policy is enforced only on computers that have BitLocker enabled for protecting operating system volumes. You should ensure that appropriate recovery password backup policies are enabled.

• Interactive logon: Machine inactivity limit. Windows notices the inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit the screen saver will run, locking the session.

• Microsoft network server: Attempt S4U2Self to obtain claim information. This security setting is used to support clients running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to use Kerberos Service-For-User-To-Self (S4U2Self) functionality to obtain a network client principal’s claims from the client’s account domain.

User Account Control

User Account Control (UAC) settings are a subset of the Security Options settings described in the previous section. There are 10 policies that you can use to configure the behavior of UAC on computers targeted by Group Policy, and these policies are the same as those in Windows 7 and Windows Server 2008 R2. For detailed information about each UAC policy, see “UAC Group Policy Settings and Registry Key Settings” at http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx.

One thing that has changed beginning with Windows 8 and Windows Server 2012 is that it is no longer possible to completely disable UAC on the computer. This is because the infrastructure that supports running Windows 8 apps requires UAC. As a result, disabling UAC is no longer supported on Windows 8.

Audit Policy

Policies for basic auditing, which are found under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy, allow you to audit account logon events, privilege use, and other user or system activity.

Advanced Audit Policy Configuration

Policies for advanced auditing, which are found under Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration, perform auditing functions similar to those performed by the basic audit policies found under Local Policies\Audit Policy. However, the advanced audit policies allow you to be more selective about the number and types of events you want to audit. For example, basic audit policy provides a single setting for auditing account logons, but advanced audit policy provides four separate settings for this purpose.

One new type of advanced audit policy (Audit Removable Storage) is shown in Figure 10-5. This new policy enables you to track the usage of removable storage devices. Because advanced audit policies are computer settings, you enable it in a GPO that targets computers; an audit event is then written to the Security log each time a user on one of those computers attempts to access a removable storage device. This policy logs two types of audit events:

Image Success audits (Event 4663) record successful attempts to write to or read from a removable storage device.

Image Failure audits (Event 4656) record unsuccessful attempts to access removable storage device objects.

Image

FIGURE 10-5 The new Audit Removable Storage policy enables you to track the usage of removable storage devices.
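The following Windows PowerShell script is an added example, not part of the book. It pulls the 4663 and 4656 events that belong to the Removable Storage subcategory out of the Security log and summarizes them per user. It enables the subcategory locally with Auditpol.exe only so that the example is self-contained on one computer; in a domain you deploy the setting through the GPO path shown above and use auditpol /get to confirm what is actually in effect. The 24-hour window and the English subcategory name are assumptions.

```powershell
# Added example, not from the book. Assumes an elevated session on the audited computer.
# Enable the subcategory locally so the example is self-contained; in the domain the
# setting comes from the GPO, and "auditpol /get" shows the effective configuration.
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"Removable Storage"

# Assumed reporting window of 24 hours.
$since = (Get-Date).AddHours(-24)

# 4663 = access succeeded, 4656 = handle request (the failure audits for this subcategory).
# Both IDs are also produced by other Object Access subcategories (File System, Registry, ...),
# so filter on the subcategory name rather than on the ID alone. TaskDisplayName is localized;
# 'Removable Storage' is the English value.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4656; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskDisplayName -eq 'Removable Storage' }

# Flatten the EventData name/value pairs of each event into a reviewable row.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Outcome = $(if ($e.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' })
        User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Object  = $data['ObjectName']
        Access  = ($data['AccessList'] -replace '\s+', ' ').Trim()
        Process = $data['ProcessName']
    }
}

$rows | Sort-Object Time | Format-Table Time, Id, Outcome, User, Object, Access, Process -AutoSize

# Denied attempts per user are the signal worth alerting on.
$rows | Where-Object Outcome -eq 'Failure' | Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name
```

If the computer also has basic audit policy configured, enable the Security Option Audit: Force Audit Policy Subcategory Settings (Windows Vista Or Later) To Override Audit Policy Category Settings; otherwise the two sets of settings can contradict each other and the subcategory you expect may not be in effect.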


More Info: Auditing improvements

For more information about auditing improvements introduced in Windows 8 and Windows Server 2012, see “What’s New in Security Auditing” at http://technet.microsoft.com/en-us/library/hh849638.


AppLocker

You can use AppLocker to control which applications and files users can run on their computers. AppLocker was introduced in Windows 7 and Windows Server 2008 R2, and its policies are found under Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\AppLocker.
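A worked example added here, not from the book: building an AppLocker rule set from a reference computer, testing it against the files it is meant to cover, and importing it into a GPO with the AppLocker module cmdlets. The GPO name HQ-Desktops, the reference folder and the working path are assumptions; the GPO is assumed to already contain the default rules and to have rule enforcement set to Audit Only in the Group Policy Management Editor, so the first deployment only logs what would have been blocked.

```powershell
# Added example, not from the book. Run on a domain member with RSAT (GroupPolicy,
# ActiveDirectory and AppLocker modules) whose installed software is the reference set.
Import-Module AppLocker
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName      = 'HQ-Desktops'                       # assumed GPO name
$referenceDir = 'C:\Program Files'                   # assumed reference folder
$xmlPath      = 'C:\Temp\AppLocker-Reference.xml'    # assumed working path
New-Item -ItemType Directory -Path (Split-Path $xmlPath) -Force | Out-Null

# 1. Inventory the executables, scripts and installers on the reference machine.
$files = Get-AppLockerFileInformation -Directory $referenceDir -Recurse -FileType Exe, Script, WindowsInstaller

# 2. Prefer publisher rules (they survive patching); fall back to hash rules for unsigned
#    files. -Optimize collapses rules that share a publisher/product into one.
New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $xmlPath -Encoding utf8

# 3. Dry run before deployment: which executables under the folder would still be denied?
#    Anything listed here is either unsigned and not hashed, or covered by no rule at all.
Get-ChildItem -Path $referenceDir -Recurse -Include *.exe |
    Test-AppLockerPolicy -XmlPolicy $xmlPath -User Everyone -Filter Denied, DeniedByDefault |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 4. Import into the GPO. -Merge keeps the default rules already in the GPO; without it the
#    generated rules would replace them and block Windows itself once enforcement is turned on.
$gpo  = Get-GPO -Name $gpoName
$dn   = (Get-ADDomain).DistinguishedName
$ldap = "LDAP://$($gpo.DomainName)/CN={$($gpo.Id)},CN=Policies,CN=System,$dn"
Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap $ldap -Merge

# 5. On a targeted client after gpupdate /force: confirm the effective policy and that the
#    Application Identity service, which AppLocker needs in order to enforce, is running.
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections |
    Select-Object RuleCollectionType, EnforcementMode
Get-Service -Name AppIDSvc
```

Leave the collections in Audit Only until the AppLocker operational log (Applications and Services Logs\Microsoft\Windows\AppLocker) on the pilot computers stops reporting events that would have been blocked, then switch to Enforce Rules.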


More Info: AppLocker

For more information on AppLocker in Windows Server 2012 and Windows Server 2012 R2, see "AppLocker Overview" at http://technet.microsoft.com/en-us/library/hh831440.aspx.


Software Restriction Policies

The Software Restriction Policies (SRP) feature was introduced in Windows XP and Windows Server 2003 to provide administrators with a policy-driven mechanism to identify programs running on machines in a domain and to control how those programs can execute. SRP settings are found under both Computer Configuration\Policies\Windows Settings\Security Settings and User Configuration\Policies\Windows Settings\Security Settings. SRP is similar to AppLocker but has more limited functionality.

With the introduction of AppLocker in Windows 7 and Windows Server 2008 R2, you should now use AppLocker instead of SRP if all your client computers are running Windows 7 or later. Organizations that include a mix of Windows 8, Windows 7, and older Windows clients can use a combination of AppLocker and SRP to lock down their desktop application environments.


More Info: Using SRP with AppLocker

For more information on how to implement SRP and AppLocker in the same domain, see “Use AppLocker and Software Restriction Policies in the Same Domain” at http://technet.microsoft.com/library/hh994614.


Windows Firewall with Advanced Security

Windows Firewall with Advanced Security provides host-based, two-way network traffic filtering for Windows client and server operating systems. Windows Firewall with Advanced Security was introduced in Windows Vista and Windows Server 2008. Windows Firewall with Advanced Security policies are found under Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security.


More Info: Windows Firewall with Advanced Security

Because Windows Firewall with Advanced Security is a key security feature for Windows platforms, it is covered in detail in Chapter 11.



Image Quick check

Image Which policy in the Security Options section of a GPO can you use to ensure that users of Windows 8 client computers in your environment can log on to their computers using only their domain credentials and no other kind of credentials supported by Windows 8?

Quick check answer

Image Accounts: Block Microsoft accounts, configured as Users Can’t Add Or Log On With Microsoft Accounts. The other setting for this policy, Users Can’t Add Microsoft Accounts, only stops users from connecting new Microsoft accounts and still allows existing ones to log on.


Managing Group Policy

Managing Group Policy in an Active Directory environment is a broad topic that has many different aspects. The upcoming sections cover the following basic tasks:

Image Viewing infrastructure status

Image Creating GPOs

Image Managing GPO links

Image Configuring security filtering

Image Configuring WMI filtering

Image Backing up and restoring GPOs


More Info: Managing Group Policy

For more information on Group Policy planning, deployment, operations, and troubleshooting, see the Group Policy portal at http://technet.microsoft.com/en-us/windowsserver/bb310732.aspx.


Viewing infrastructure status

A new feature of the GPMC introduced in Windows Server 2012 is the Status tab shown in Figure 10-6, which provides information about the status of Active Directory and SYSVOL replication. The status information displayed on this tab can be either of the following:

Image The status for all GPOs if the node for the domain is selected

Image The status for a particular GPO if the node for that GPO is selected

Image

FIGURE 10-6 View the status of SYSVOL replication to monitor Group Policy health.


More Info: Group Policy infrastructure status

For more information on using the new Status tab of the GPMC for monitoring the health of your Group Policy infrastructure, see “Check Group Policy Infrastructure Status” at http://technet.microsoft.com/en-us/library/jj134176.


Creating GPOs

By using the GPMC, you can create GPOs either from scratch or from a Starter GPO. You can also create a new GPO so that it is

Image Linked to an OU or the domain by right-clicking the container and selecting Create A GPO In This Domain, And Link It Here. (A site offers only Link An Existing GPO, so for a site you create the GPO first and then link it.)

Image Unlinked to any container in Active Directory by right-clicking the Group Policy Objects node and selecting New.

New GPOs are enabled by default, but after you create a new GPO you can disable

Image The GPO’s User Configuration settings.

Image The GPO’s Computer Configuration settings.

Image All the GPO’s settings.

Once you create a GPO, you can open it in the Group Policy Management Editor and configure the GPO’s policies and preferences:

Image Policies These are settings that Group Policy enforces for users or computers targeted by the GPO. The types of policies include the following:

Image Administrative Templates, which are registry-based settings written to the policy areas of the registry on client computers (the Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies keys under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER). Standard users cannot modify these keys, and the values are removed when the GPO no longer applies.

Image Windows Settings, which include the security settings described earlier in this lesson

Image Software Settings, which you can use to install applications for targeted users or computers

Image Preferences These are settings you can use to modify configuration settings for features of Windows operating systems or applications that are not Group Policy–aware.


Note: Creating GPOs by using Windows PowerShell

You can also use Windows PowerShell to create GPOs. This is described in Lesson 2 of this chapter.


Managing GPO links

GPOs can be linked to OUs, sites, or domains. Figure 10-7 shows the HQ-Desktops GPO selected in the console tree of the GPMC. The Links section of the Scope tab in the details pane indicates the following:

Image The GPO is linked to the Desktops OU, which is in the Computers OU beneath the HQ-NYC OU of the corp.fabrikam.com domain.

Image The link is currently enabled. If you disable the link, the settings in the GPO will not be applied to the users or computers targeted by the GPO.

Image The link is not enforced, which is indicated by Enforced being set to No. Settings in a non-enforced GPO can be overridden by conflicting settings in GPOs linked lower in the hierarchy, and a child OU can block the link with Block Inheritance; setting Enforced to Yes prevents both.

Image

FIGURE 10-7 View information about the links for a GPO.


Note: Linking GPOs by using Windows PowerShell

You can also use Windows PowerShell to link GPOs. This is described in Lesson 2 of this chapter.


Configuring security filtering

You can configure security filtering on a GPO to refine which users and computers will receive and apply the settings in the GPO. For example, you can use security filtering to specify that only certain security groups within the OU where the GPO is linked have the GPO applied to them.

To configure security filtering on a GPO, perform the following steps:

1. Select the GPO beneath the Group Policy Objects node in the GPMC.

2. Select the Scope tab in the details pane and click Add in the Security Filtering section of this tab.

3. Browse the directory to select the security group to filter.

4. Once the group you selected is displayed in the Security Filtering section of the Scope tab, select Authenticated Users and click Remove. This ensures that the settings in the GPO will apply only to users and computers that belong to the group you specified.
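The same change made with the GroupPolicy module, added here as an example that is not part of the book, together with a caveat the GUI steps do not mention. The GPO name HQ-Desktops and the group HQ-Desktop-Computers are assumptions.

```powershell
# Added example, not from the book. Run in a session with permission to edit the GPO's security.
Import-Module GroupPolicy
$gpoName = 'HQ-Desktops'            # assumed GPO name
$group   = 'HQ-Desktop-Computers'   # assumed security group

# Steps 2 and 3: grant the group Read and Apply Group Policy (GpoApply includes Read).
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoApply | Out-Null

# Step 4: remove Authenticated Users so that only members of the group apply the GPO.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null

# Caveat not in the GUI steps: since the MS16-072 update (KB3163622, June 2016) the user-side
# settings of a GPO are retrieved in the computer's security context, so the computer accounts
# still need Read (not Apply) on the GPO or its User Configuration settings silently stop applying.
Set-GPPermission -Name $gpoName -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead | Out-Null

# Verify the resulting permissions: expect GpoApply for the group, GpoRead for Domain Computers,
# and no entry at all for Authenticated Users.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission, Inherited |
    Format-Table -AutoSize
```

Security filtering is evaluated against the group memberships in the user's or computer's logon token, so a computer added to the group applies the GPO only after it has been restarted and obtained a new token.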

Configuring WMI filtering

Windows Management Instrumentation (WMI) filtering allows the scope of a GPO to be dynamically determined based on attributes of the target computer. WMI filters are queries written using the WMI Query Language (WQL), a SQL-like language. An example of a WMI filter is the following:

select Version from Win32_OperatingSystem where
Version like "6.2%" and ProductType = "1"

The preceding query filters based on whether the target computer is running Windows 8: the Version property of Win32_OperatingSystem begins with 6.2 on Windows 8 and Windows Server 2012, and ProductType = "1" restricts the match to workstations (2 is a domain controller and 3 a member server). Windows 8.1 and Windows Server 2012 R2 report version 6.3, so this filter excludes them. Configuring this query as a WMI filter for a GPO will result in the GPO being applied only to computers running Windows 8. To create and link this filter to a GPO, you do the following:

1. Right-click the WMI Filters node in the GPMC and select New to open the New WMI Filter dialog box.

2. Give the new filter a name and, optionally, a description.

3. Click Add and type your query in the Query field of the WMI Query dialog box. Then click OK to return to the New WMI Filter dialog box:

Image

4. Click Save to save your query. The new filter will be displayed beneath the WMI Filters node.

5. Select the GPO to which you want to link the filter and switch to the Scope tab.

6. In the WMI Filtering section on the Scope tab, select the filter you created from the list of available filters. Click Yes when the confirmation dialog box is displayed.


Note: Hyper-V WMI v1 namespace

The version 1 WMI namespace for Hyper-V (root\virtualization) was deprecated in Windows Server 2012 and removed from Windows Server 2012 R2 in favor of root\virtualization\v2, so do not build WMI filters on classes in the old namespace. For an explanation of this change, see “The v2 WMI namespace in Hyper-V on Windows 8” at http://blogs.msdn.com/b/virtual_pc_guy/archive/2012/05/30/the-v2-wmi-namespace-in-hyper-v-on-windows-8.aspx.



Important: Performance impact of WMI filters

Although security filtering is fast, WMI filtering can be slow, and a WMI filter is evaluated on every targeted computer at every Group Policy refresh. Improper use of WMI filtering can therefore have a significant performance impact on how Group Policy is processed and applied. As a result, you should be sure to test the performance of any WMI filter before you deploy it in your production environment. WMI filters that usually evaluate quickly include filters that query for registry keys or environment variables. WMI filters that might evaluate slowly include filters that query the CIM_DataFile class or that enumerate installed products from the Windows Installer database through the Win32_Product class.
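An added example, not from the book, that serves both the WMI filter procedure above and this performance warning: it evaluates candidate WQL queries on the local computer the way the Group Policy client does (a filter passes when the query returns at least one instance) and times each one, so you can see whether a filter matches the computer you expect and how long it costs per refresh. Apart from the book's Windows 8 query, the queries are illustrative assumptions.

```powershell
# Added example, not from the book. Runs as any user; no GPO is touched.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\cimv2'   # the namespace GPMC uses unless you change it in the filter
    )
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # A WMI filter evaluates to TRUE when the query returns at least one instance.
        $result = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        $status = 'OK'
    } catch {
        $result = @()
        $status = 'ERROR: ' + $_.Exception.Message
    }
    $sw.Stop()
    [pscustomobject]@{
        Applies   = $result.Count -gt 0
        Instances = $result.Count
        ElapsedMs = [int]$sw.Elapsed.TotalMilliseconds
        Status    = $status
        Query     = $Query
    }
}

$queries = @(
    # The book's filter: Windows 8 workstations (6.2). Windows 8.1 reports 6.3, so it does not match there.
    'select Version from Win32_OperatingSystem where Version like "6.2%" and ProductType = "1"',
    # Windows 8.1 workstations.
    'select Version from Win32_OperatingSystem where Version like "6.3%" and ProductType = "1"',
    # Windows Server 2012 / 2012 R2 (ProductType 2 = domain controller, 3 = member server).
    'select Version from Win32_OperatingSystem where Version like "6.[23]%" and ProductType <> "1"',
    # Laptops (PCSystemType 2 = Mobile), an alternative to testing for a Win32_Battery instance.
    'select PCSystemType from Win32_ComputerSystem where PCSystemType = 2',
    # Slow class: cheap only because Name is fully specified; a wildcard on Path or Drive
    # makes the provider walk the file system on every refresh.
    'select Name from CIM_DataFile where Name = "C:\\Windows\\System32\\notepad.exe"'
    # Not run on purpose: "select * from Win32_Product" triggers a consistency check of every
    # installed MSI package and should never be used in a WMI filter.
)

$queries | ForEach-Object { Test-WmiFilterQuery -Query $_ } |
    Format-Table Applies, Instances, ElapsedMs, Status, Query -AutoSize
```

A query that errors (for example, one that references a namespace that does not exist on the client) does not match, so the GPO is not applied on that computer; the Status column makes such cases visible before they surface as a GPO that mysteriously fails to apply.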



Real World: Alternative to WMI filtering

An alternative to using WMI filtering in many scenarios is to use the Item-Level Targeting feature of Group Policy Preferences, which allows you to change the scope of individual preferences so that they apply only to the specified users or computers. For example, by using Item-Level Targeting you can allow a preference item to be applied only if the targeted computer has a battery, has a certain amount of free disk space available, has an IP address within a specified range of addresses, and so on. For more information, see “Preference Item-Level Targeting” at http://technet.microsoft.com/en-us/library/cc733022.


Backing up and restoring GPOs

You can use the GPMC to back up your GPOs. You can also restore a deleted or previous version of an existing GPO, copy a GPO, import the settings from a GPO, or migrate a GPO to a different domain. By backing up GPOs, you can quickly restore your Group Policy infrastructure in the event of a disaster.

To back up a specific GPO, follow these steps:

1. Right-click the GPO and select Back Up to open the Backup Group Policy Object dialog box.

2. Specify the path to the location where you want to store the backup.

You can also back up all GPOs in a domain as follows:

1. Right-click the Group Policy Objects node and select Back Up.

2. Specify the path to the location where you want to store the backup.

After you back up GPOs, you can manage your backups by right-clicking the Group Policy Objects node and selecting Manage Backups.


Note: Backing up GPOs by using Windows PowerShell

You can also use Windows PowerShell to back up and restore GPOs. This is described in Lesson 2 of this chapter.


Lesson summary

Image You need to plan your OU structure to support Group Policy.

Image You should configure a central store for storing policy definition files in the domain.

Image Creating and using Starter GPOs can simplify the process of deploying new GPOs.

Image Windows Server 2012 and Windows Server 2012 R2 allow you to perform a remote refresh of Group Policy on targeted computers.

Image Group Policy security settings for Windows Server 2012 and Windows Server 2012 R2 include new policies and capabilities.

Lesson review

Answer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.

1. You have created a flat OU structure for your domain that has only top-level OUs and no child OUs. Each department’s desktops, laptops, and users are contained in different OUs. What is the main reason why this design is a poor choice when it comes to implementing Group Policy for your environment?

A. It will be difficult to manage Group Policy because of the large number of GPOs you will need.

B. It will be difficult to delegate Group Policy because of the large number of GPOs you will need.

C. It will be difficult to manage Group Policy because you won’t be able to make effective use of Group Policy inheritance.

D. It will be difficult to delegate Group Policy because you won’t be able to make effective use of Group Policy inheritance.

2. You right-clicked an OU in the GPMC console tree that contains computers and then selected the Group Policy Update menu option from the context menu. The Remote Group Policy Update Results dialog box indicates Completed, and no error message has been displayed. You later discover that at least one of the Computer Configuration policies in the GPO linked to the OU was not refreshed on the computers in the OU. What could be the cause of this failure? (Choose all that apply.)

A. The necessary firewall ports on the targeted computers have not been opened to enable a remote refresh of Group Policy.

B. The GPO that should be linked to the OU has become unlinked from the OU.

C. The Computer Configuration portion of the GPO linked to the OU has been disabled.

D. The Group Policy Remote Update Firewall Ports Starter GPO has been deleted from the domain.

3. What node should you select in the console tree of the GPMC to view the current status of SYSVOL replication as it relates to Group Policy in a domain?

A. The root node named Group Policy Management

B. The node named Forest: <forest_root_domain>

C. The node named Domains

D. The node named <domain_name>

Lesson 2: Managing Group Policy using Windows PowerShell

Although the GUI tools, the GPMC and the Group Policy Management Editor, are the easiest way to perform most Group Policy administrative tasks, you can also perform some tasks by using Windows PowerShell. This lesson examines some of the ways you can use Windows PowerShell to configure and manage Group Policy in an Active Directory environment based on Windows Server 2012 or Windows Server 2012 R2.


After this lesson, you will be able to:

Image Create and link GPOs using Windows PowerShell.

Image Configure and perform Group Policy remote refresh using Windows PowerShell.

Image Back up and restore GPOs using Windows PowerShell.

Estimated lesson time: 15 minutes


Creating and linking GPOs

To show how you can create and link GPOs using Windows PowerShell, in this lesson you create a new GPO named BO-1-Desktops based on the Starter GPO named Computers-Desktop that you created in Lesson 1 of this chapter. You then link the new GPO to the OU named BO-1-SEA, which represents Branch Office #1 in Seattle in the corp.fabrikam.com domain.

You can start by using the Get-GPStarterGPO cmdlet to confirm that your Starter GPO exists:

PS C:\> Get-GPStarterGPO -Name "Computers-Desktop"

DisplayName : Computers-Desktop
Id : 260220b0-d73e-40f1-b293-9477dd697977
Owner : BUILTIN\Administrators
CreationTime : 8/30/2012 11:00:36 AM
ModificationTime : 8/30/2012 11:05:10 AM
UserVersion : 0
ComputerVersion : 1
StarterGpoVersion :
StarterGpoType : Custom
Author :
Description : This Starter GPO will be used to create GPOs for desktop computers
for all locations

Next, you can use the New-GPO cmdlet to create the new GPO from your Starter GPO as follows:

PS C:\> New-GPO -Name "BO-1-Desktops" -StarterGpoName "Computers-Desktop"

DisplayName : BO-1-Desktops
DomainName : corp.fabrikam.com
Owner : CORP\Domain Admins
Id : a2b711b4-ea20-4a42-9cd2-cba11b07b7ea
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 8/30/2012 7:57:35 PM
ModificationTime : 8/30/2012 7:57:36 PM
UserVersion : AD Version: 1, SysVol Version: 1
ComputerVersion : AD Version: 1, SysVol Version: 1
WmiFilter :

Finally, you can link the new GPO to the targeted OU as follows:

PS C:\> New-GPLink -Name "BO-1-Desktops" `
-Target "ou=BO-1-SEA,dc=corp,dc=fabrikam,dc=com"

GpoId : a2b711b4-ea20-4a42-9cd2-cba11b07b7ea
DisplayName : BO-1-Desktops
Enabled : True
Enforced : False
Target : OU=BO-1-SEA,DC=corp,DC=fabrikam,DC=com
Order : 1

Alternatively, by using the Windows PowerShell pipeline feature, you can create and link the GPO using a single command like this:

Get-GPStarterGPO -Name "Computers-Desktop" | New-GPO -Name "BO-1-Desktops" | `
New-GPLink -Target "ou=BO-1-SEA,dc=corp,dc=fabrikam,dc=com"

Remotely refreshing Group Policy

You can use the Invoke-GPUpdate cmdlet to refresh Group Policy settings on remote computers. This cmdlet works by scheduling the running of the Gpupdate.exe command on the remote computers. Before you can do this, however, you need to open the necessary firewall ports on the computers you will be targeting, as was explained in the previous lesson in this chapter. You can perform this preliminary step by using Windows PowerShell. For example, the following command creates and links a GPO that will open the necessary firewall ports for all computers in the corp.fabrikam.com domain:

New-GPO -Name "EnableRemoteRefresh" `
-StarterGPOName "Group Policy Remote Update Firewall Ports" | `
New-GPLink -Target "dc=corp,dc=fabrikam,dc=com"

Once this GPO has been processed, you can perform a remote refresh of Group Policy for computers in a specific OU. For example, the following command remotely refreshes Group Policy for computers in the Desktops OU described earlier in Lesson 1 of this chapter:

Get-ADComputer -Filter * `
-SearchBase "ou=Desktops,ou=Computers,ou=HQ-NYC,dc=corp,dc=fabrikam,dc=com" | `
foreach{Invoke-GPUpdate -Computer $_.Name -force -RandomDelayInMinutes 0}

The preceding command uses the Get-ADComputer cmdlet to obtain a list of names of computers in the targeted OU. The output from this command is then piped into a foreach statement that initiates an immediate refresh of Group Policy on each computer.

Backing up and restoring GPOs

You can use the Backup-GPO and Restore-GPO cmdlets to back up and restore GPOs. For example, the following command backs up the GPO named BO-1-Desktops to the local folder named C:\GPOBackups:

PS C:\> Get-GPO -Name "BO-1-Desktops" | Backup-GPO -Path "C:\GPOBackups" `
-Comment "Today's backup"

DisplayName : BO-1-Desktops
GpoId : aec4900f-f450-4ea6-8187-13cfb014ab2f
Id : 54937d03-5cb6-49c8-9069-dcdc9aece0d0
BackupDirectory : C:\GPOBackups
CreationTime : 8/30/2012 8:41:59 PM
DomainName : corp.fabrikam.com
Comment : Today's backup

You can then use the Get-ChildItem cmdlet to verify the result as follows:

PS C:\> Get-ChildItem "C:\GPOBackups" -Recurse

Directory: C:\GPOBackups

Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 8/30/2012 8:41 PM {54937D03-5CB6-49C8-9069-DCDC9AECE0D0}

Directory: C:\GPOBackups\{54937D03-5CB6-49C8-9069-DCDC9AECE0D0}

Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 8/30/2012 8:41 PM DomainSysvol
-a--- 8/30/2012 8:41 PM 3707 Backup.xml
-a--- 8/30/2012 8:42 PM 16700 gpreport.xml

Directory: C:\GPOBackups\{54937D03-5CB6-49C8-9069-DCDC9AECE0D0}\DomainSysvol

Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 8/30/2012 8:41 PM GPO

Directory: C:\GPOBackups\{54937D03-5CB6-49C8-9069-DCDC9AECE0D0}\DomainSysvol\GPO

Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 8/30/2012 8:41 PM Machine
d---- 8/30/2012 8:41 PM User

Directory: C:\GPOBackups\{54937D03-5CB6-49C8-9069-DCDC9AECE0D0}\DomainSysvol\GPO
\Machine

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 8/30/2012 11:05 AM 558 comment.cmtx
-a--- 8/30/2012 11:05 AM 196 registry.pol
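An added example, not from the book, that carries the backup through to a restore: it backs up all GPOs, records the GPO links (links are attributes of the linked containers and are not included in a GPO backup; likewise a WMI filter is not backed up, only the GPO's reference to it), restores one GPO in place from its most recent backup, and imports another backup into a fresh, unlinked GPO for review. The folder C:\GPOBackups and the GPO names come from this chapter; the name of the review GPO is an assumption.

```powershell
# Added example, not from the book. Requires the GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory
$backupRoot = 'C:\GPOBackups'
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null

# 1. Back up every GPO in the domain. Each backup gets its own {GUID} folder under $backupRoot
#    and Backup-GPO returns one object per GPO with the backup Id you need later.
$backups = Backup-GPO -All -Path $backupRoot -Comment "Baseline $(Get-Date -Format s)"
$backups | Select-Object DisplayName, Id, CreationTime | Format-Table -AutoSize

# 2. Links live on the domain and OU objects, not in the GPO, so record them separately.
$domainDn   = (Get-ADDomain).DistinguishedName
$containers = @($domainDn) + (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
$links = foreach ($c in $containers) { (Get-GPInheritance -Target $c).GpoLinks }
$links | Select-Object DisplayName, GpoId, Target, Enabled, Enforced, Order |
    Export-Csv -Path (Join-Path $backupRoot 'gpo-links.csv') -NoTypeInformation

# 3. Restore a GPO in place from its most recent backup in the folder. Settings, security
#    filtering and the WMI filter reference come back with the original GPO GUID. If the GPO
#    had been deleted, its links were removed with it: re-create them from the CSV with New-GPLink.
Restore-GPO -Name 'BO-1-Desktops' -Path $backupRoot | Out-Null

# 4. To inspect a backup without touching production, import it into a new, unlinked GPO
#    and generate a report from that copy. 'HQ-Desktops-Review' is an assumed name.
$src = $backups | Where-Object DisplayName -eq 'HQ-Desktops' |
    Sort-Object CreationTime -Descending | Select-Object -First 1
Import-GPO -BackupId $src.Id -Path $backupRoot -TargetName 'HQ-Desktops-Review' -CreateIfNeeded | Out-Null
Get-GPOReport -Name 'HQ-Desktops-Review' -ReportType Html -Path (Join-Path $backupRoot 'HQ-Desktops-Review.html')
```

Keep the backup folder on a volume whose ACL is as restrictive as SYSVOL's: the gpreport.xml and registry.pol files describe your security baseline in full, and preference XML files in the DomainSysvol subtree can contain data you do not want every domain user to read.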


More Info: Group Policy cmdlets

For more information on the different cmdlets for managing Group Policy in Windows Server 2012 and Windows Server 2012 R2, see “Group Policy Cmdlets in Windows PowerShell” at http://technet.microsoft.com/en-us/library/hh967461.


Lesson summary

Image You can use the Get-GPStarterGPO, New-GPO, and New-GPLink cmdlets to create new GPOs from Starter GPOs and link the new GPOs to OUs.

Image You can use the New-GPO cmdlet to create and link a new GPO that will enable Group Policy remote refresh on all computers in your domain.

Image You can use the Get-ADComputer and Invoke-GPUpdate cmdlets to perform a remote refresh of Group Policy for computers in a specific OU.

Image You can use the Get-GPO and Backup-GPO cmdlets to back up a GPO.

Lesson review

Answer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.

1. Which two cmdlets can you use together to create a new GPO and link it using a single command?

A. Get-GPStarterGPO and New-GPO

B. New-GPO and New-GPLink

C. New-GPO and Set-GPLink

D. Get-GPO and New-GPLink

2. What action does the following command perform?

Backup-GPO -All -Path \\HOST6\GpoBackups

A. The command backs up the GPO named All to the C:\GpoBackups folder on HOST6.

B. The command backs up the GPO named All to the GpoBackups share on HOST6.

C. The command backs up all GPOs to the C:\GpoBackups folder on HOST6.

D. The command backs up all GPOs to the GpoBackups share on HOST6.

Lesson 3: Implementing Group Policy preferences

Most administrators are familiar with how to use Group Policy policies for configuring or locking down users’ desktop environments, but many are less familiar with the capabilities and benefits of using Group Policy preferences. This lesson provides an overview of how Group Policy preferences work, how to configure them, and the different types of Windows features and settings that you can configure using them.


After this lesson, you will be able to:

Image Explain the difference between policies and preferences.

Image Create and configure new preference items.

Image Manage preference items.

Image Understand the different types of preference extensions and what they can be used for.

Estimated lesson time: 30 minutes


Understanding preferences

As explained previously in Lesson 1 of this chapter, Group Policy preferences are unmanaged configuration settings. That is, they are configuration settings that the organization does not consider mandatory but might consider recommended or advisable. Unmanaged settings are pushed out to targeted user accounts or computers, but unlike managed settings, which are always enforced, unmanaged settings can be modified by users if they want to do so.

Group Policy preferences are implemented using client-side extensions (CSEs) and supplement the range of configurable settings available within a GPO. You can use Group Policy preferences to manage the configuration of the following versions of Windows:

Image Windows 8.1 and Windows Server 2012 R2

Image Windows 8 and Windows Server 2012

Image Windows 7 and Windows Server 2008 R2

Image Windows Vista and Windows Server 2008

Image Windows XP SP2 or later and Windows Server 2003 SP1 or later


Note: Group Policy preferences and earlier versions of Windows

To use Group Policy preferences to manage the configuration of Windows XP or Windows Vista, you must download and install the “Group Policy Preferences Client-Side Extension Hotfix Rollup” at http://support.microsoft.com/kb/974266.


As Figure 10-8 shows, you can configure Group Policy preferences within a GPO by opening the GPO in the Group Policy Management Editor. You can find preference extensions in both the Computer Configuration and User Configuration sections of the GPO. By right-clicking a preference extension and selecting New from the context menu, you can create a new preference item that you can use to distribute the settings configured in the item to the users or computers targeted by the GPO.

Image

FIGURE 10-8 Configure Group Policy preferences in the Group Policy Management Editor.


Note: Preferences and local Group Policy

Unlike policies, which you can configure in both domain and local GPOs, you can configure preferences only in domain GPOs. This means that if you open the Local Computer Policy on a computer by running gpedit.msc, you will not see a Preferences node under Computer Configuration or User Configuration.


Preference categories

As Figure 10-8 shows, preferences can be categorized in two ways:

Image Windows Settings These are preferences that you can use to configure different aspects of the Windows environment for targeted users and computers.

Image Control Panel Settings These are preferences that you can use to configure Control Panel settings for targeted users and computers.

The different types of Windows Settings and Control Panel Settings preferences are described later in this lesson.


Note: Overlap

A few policies and preferences overlap and allow you to configure the same setting for targeted users or computers. To resolve such situations, policies always have priority over preferences.


Configuring preferences

Preference options are usually configured using properties sheets. For example, Figure 10-9 shows the General tab on the properties sheet of a New Drive preference item, which you can use to configure new mapped drives for users or computers targeted by a GPO. For most types of preference extensions, when you create a new preference item you have a choice of four actions from which to select:

Image Create Creates a new preference item for the targeted user or computer—for example, a new mapped drive for users.

Image Delete Removes a previously created preference item for the targeted user or computer—for example, a previously configured mapped drive for users.

Image Replace Deletes and re-creates the preference item for the targeted user or computer—for example, deletes a previously mapped drive and creates a new one. The Replace action overwrites all existing settings associated with the previously configured preference item. If the preference item (for example, a drive mapping) does not exist, the Replace action creates a new preference item (for example, a new drive mapping) for the targeted user or computer.

Image Update Modifies the settings of an existing preference item, such as a mapped drive. Update differs from Replace in that it updates only settings defined within the preference item. If the preference item (for example, a drive mapping) does not exist, the Update action creates a new item (for example, a new drive mapping) for the targeted user or computer.

Image

FIGURE 10-9 You can configure preferences on the General tab on the properties sheet of a New Drive preference item.

The remaining configuration options available on the General tab depend on which type of action you selected for the new preference item.


Note: Default action

The default action for a new preference item is Update.
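An added example, not from the book: the four actions applied to Registry preference items with the Set-GPPrefRegistryValue cmdlet, which is the one preference extension the GroupPolicy module can drive from Windows PowerShell, followed by a check of SYSVOL for leftover preference passwords. The GPO name HQ-Desktops and the Fabrikam registry key and values are assumptions chosen only to show the actions.

```powershell
# Added example, not from the book. Requires permission to edit the GPO.
Import-Module GroupPolicy
Import-Module ActiveDirectory
$gpoName = 'HQ-Desktops'                                # assumed GPO name
$key     = 'HKEY_LOCAL_MACHINE\SOFTWARE\Fabrikam\Desktop' # assumed key

# Create: written on the client only if the value does not exist yet; an existing value is left alone.
Set-GPPrefRegistryValue -Name $gpoName -Context Computer -Action Create -Key $key `
    -ValueName 'HelpDeskPhone' -Value '555-0100' -Type String | Out-Null

# Update (the default action): changes only the named value, creating it if it is missing.
Set-GPPrefRegistryValue -Name $gpoName -Context Computer -Action Update -Key $key `
    -ValueName 'HelpDeskPhone' -Value '555-0199' -Type String | Out-Null

# Replace: deletes and re-creates the value, so every attribute of the item is rewritten.
Set-GPPrefRegistryValue -Name $gpoName -Context Computer -Action Replace -Key $key `
    -ValueName 'ProxyOverride' -Value '<local>' -Type String | Out-Null

# Delete: removes the value from every client that processes the GPO.
Set-GPPrefRegistryValue -Name $gpoName -Context Computer -Action Delete -Key $key `
    -ValueName 'LegacySetting' | Out-Null

# Review the preference items now stored in the GPO (Order is the processing order within the
# extension, which matters when "Stop processing items in this extension if an error occurs" is set).
Get-GPPrefRegistryValue -Name $gpoName -Context Computer -Key $key |
    Format-Table Order, Action, ValueName, Value, Type -AutoSize

# Note the difference: Action Delete deletes the value on clients, whereas Remove-GPPrefRegistryValue
# removes the preference item itself from the GPO (and, unless "Remove this item when it is no longer
# applied" was set, leaves whatever it wrote on the clients in place).

# Preference items are stored as XML under the GPO's folder in SYSVOL, which every domain user can
# read. Items that accepted a password (Drive Maps, Local Users and Groups, Scheduled Tasks, Services,
# Data Sources) stored it as a cpassword attribute encrypted with a key Microsoft published, so anyone
# in the domain could decrypt it. MS14-025 (KB2962486, May 2014) removed the password fields from the
# editor but did not clean up existing values. Find any that remain:
$domain = Get-ADDomain
Get-ChildItem -Path "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies" -Recurse -Filter *.xml |
    Select-String -Pattern 'cpassword="[^"]+"' |
    Select-Object Path, LineNumber
```

Any file the last command lists should have its preference item deleted and the credential it carried rotated; the XML file itself stays readable in SYSVOL until the item is removed from the GPO.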


Common options

Several preference options are common to most types of preferences. You can configure these options using the Common tab on the properties sheet of the preference item. For example, Figure 10-10 shows the Common tab displayed when creating a new preference item of the Drive Maps preference type, which you can use to configure new mapped drives for users or computers targeted by a GPO. As you can see, one of the preference options on this tab is unavailable for configuration for this particular type of preference.

Image

FIGURE 10-10 You can use the Common tab on the properties sheet of a New Drive preference item to configure new mapped drives.

The different options available on the Common tab include the following:

Image Stop Processing Items In This Extension If An Error Occurs A preference extension can contain one or more preference items. If this option is selected, a preference item that fails to apply will prevent the remaining preference items in the extension from processing.

Image Run In Logged-on Users Security Context (User Policy Option) By default, preferences are processed using the security context of the SYSTEM account on the client. If this option is selected, the preference will be processed using the security context of the currently logged-on user on the client, which allows user-specific environment variables to be used in file system paths.

Image Remove This Item When It Is No Longer Applied By default, whatever a preference item configured on the client stays there after the GPO targeting the user or computer goes out of scope. Selecting this option causes the item's result to be removed from the client when the GPO goes out of scope; to make this possible, the extension processes the item with the Replace action (delete, then re-create). This option is not available for items that use the Delete action.

Image Apply Once And Do Not Reapply By default, preference items are rewritten whenever Group Policy is refreshed on the client. Selecting this option causes the preference item to be applied only once to the client.

Image Item-Level Targeting By default, a preference item configured in a GPO applies to all users and computers targeted by that GPO. Selecting this option allows you to change this behavior as described later in this lesson.

Using environment variables

You can use environment variables in preference items to simplify the configuration of options such as file system paths. These variables can include

Image Standard Windows per-machine environment variables.

Image Standard Windows per-user environment variables.

Image Environment variables that are specific to Group Policy preferences.

In addition, some variables might apply only to certain versions of Windows.

The following is a list of variables that can be processed by preference extensions:

• %AppDataDir%: The current user’s Application Data directory

• %BinaryComputerSid%: The security identifier (SID) of the computer in hexadecimal format

• %BinaryUserSid%: The SID of the current user in hexadecimal format

• %CommonAppdataDir%: The All Users Application Data directory

• %CommonDesktopDir%: The All Users Desktop directory

• %CommonFavoritesDir%: The All Users Explorer Favorites directory

• %CommonProgramsDir%: The All Users Programs directory

• %CommonStartMenuDir%: The All Users Start Menu directory

• %CommonStartUpDir%: The All Users Startup directory

• %ComputerName%: The NetBIOS name of the computer

• %CurrentProcessId%: The numeric identity of the main client process

• %CurrentThreadId%: The numeric identity of the main client thread

• %DateTime%: The current time (UTC)

• %DateTimeEx%: The current time (UTC) with milliseconds

• %DesktopDir%: The current user’s desktop directory

• %DomainName%: The domain name or workgroup of the computer

• %FavoritesDir%: The current user’s Explorer Favorites directory

• %LastError%: The last error code encountered during configuration

• %LastErrorText%: The last error code text description

• %LdapComputerSid%: The SID of the computer in Lightweight Directory Access Protocol (LDAP) escaped binary format

• %LdapUserSid%: The SID of the current user in LDAP escaped binary format

• %LocalTime%: The current local time

• %LocalTimeEx%: The current local time with milliseconds

• %LogonDomain%: The domain of the current user

• %LogonServer%: The domain controller that authenticated the current user

• %LogonUser%: The user name of the current user

• %LogonUserSid%: The SID of the current user

• %MacAddress%: The first detected media access control (MAC) address on the computer

• %NetPlacesDir%: The current user’s My Network Places directory

• %OsVersion%: The operating system, which can be a specific Windows operating system or Unknown

• %ProgramFilesDir%: The Windows Program Files directory

• %ProgramsDir%: The current user’s Programs directory

• %RecentDocumentsDir%: The current user’s Recent Documents directory

• %ResultCode%: The client’s exit code

• %ResultText%: The client’s exit code text description

• %ReversedComputerSid%: The SID of the computer in reversed-byte-order hexadecimal format

• %ReversedUserSid%: The SID of the current user in reversed-byte-order hexadecimal format

• %SendToDir%: The current user’s Send To directory

• %StartMenuDir%: The current user’s Start Menu directory

• %StartUpDir%: The current user’s Startup directory

• %SystemDir%: The Windows system directory

• %SystemDrive%: The name of the drive from which the operating system is running

• %TempDir%: The current user’s Temp directory as determined by the Windows API

• %TimeStamp%: The time stamp of the configurations being implemented

• %TraceFile%: The path/name of the trace file

• %WindowsDir%: The Windows directory

To select a variable when configuring a preference item, do the following:

1. Open the properties of the preference item and click in any field in which a variable can be used, such as the Location field on the General tab of a Drive Maps item.

2. Press F3 to open the Select A Variable dialog box.

3. Select the variable you want to use in the field used for configuring the preference item.

4. Deselect the Resolve Variable check box if you want the variable instead of the resolved value to appear in the properties of the preference item.

5. Click Select to insert the variable in the preference item properties.

Item-level targeting

The default scope of a preference item is the users or computers targeted by the GPO in which the preference item has been configured. You can modify this default scope by using item-level targeting, which you can use to create one or more targeting items for a preference item. These targeting items can be used to determine whether the preference item should be applied based on various conditions—for example:

• Whether a battery is present in the targeted computer

• Whether the name of the targeted computer matches the name specified in the targeting item

• Whether an environment variable for the targeted user or computer has the value specified

The full list of categories of targeting items is as follows:

• Battery Present

• Computer Name

• CPU Speed

• Date Match

• Disk Space

• Domain

• Environment Variable

• File Match

• IP Address Range

• Language

• LDAP Query

• MAC Address Range

• MSI Query

• Network Connection

• Operating System

• Organizational Unit

• PCMCIA Present

• Portable Computer

• Processing Mode

• RAM

• Registry Match

• Security Group

• Site

• Terminal Session

• Time Range

• User

• WMI Query

Configuring a preference item

As an example of configuring a preference item, in this section you create an item that will map a network drive for a user targeted by a GPO. To do this, follow this procedure:

1. Open the GPO in the Group Policy Management Editor and expand the Windows Settings for the Preferences node under User Configuration to display the Drive Maps preference extension. (See Figure 10-8 earlier in this lesson.)

2. Right-click the Drive Maps preference extension and select New and then select Mapped Drive. This opens the New Drive Properties dialog box with the focus on the General tab, which you configure as follows:

• Action: Replace.

• Location: UNC path to a network share.

• Reconnect: This option is selected to save the mapped drive in the user’s profile and attempt to restore a connection to it at each subsequent logon.

• Label As: A descriptive label for the new mapped drive.

• Drive Letter: You can select an available drive letter for the new mapped drive or use the first available drive, starting at the drive letter specified.

• Connect As: You can use this option to map the drive using different credentials from those of the currently logged-on user.

• Hide/Show This Drive: You can use this option to configure the visibility of the mapped drive on the client.

• Hide/Show All Drives: You can use this option to configure the visibility of all mapped drives on the client.

3. Switch to the Common tab and select Remove This Item When It Is No Longer Applied so that the mapped drive will be deleted if the targeted user goes out of scope from the GPO.

After you complete the preceding steps, the new preference item is displayed in the details pane of the Group Policy Management Editor when the Drive Maps extension is selected in the context pane. (See Figure 10-11.)


FIGURE 10-11 A new Drive Maps preference item has been created.

As a continuation of the preceding example, you can now use item-level targeting to configure the new Drive Maps item so that it applies only to members of the Sales security group who are targeted by the GPO:

1. With the Drive Maps preference extension selected in the console tree of the Group Policy Management Editor, right-click the new Drive Map item (S drive) and select Properties.

2. Switch to the Common tab and select the Item-Level Targeting option on this tab.

3. Click the Targeting button to open the Targeting Editor.

4. Click the New Item menu option and select Security Group as the item-level target.

5. In the Group field of the Targeting Editor, select the Sales security group.

6. Click OK to finish configuring item-level targeting for the preference item. As Figure 10-12 shows, the information on the Processing tab will be updated to indicate that the preference item is being filtered using item-level targeting.


FIGURE 10-12 A preference item is being filtered using item-level targeting.
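Everything chosen in the two procedures above is written to SYSVOL as XML (the Display XML task described in the next section shows the same markup), so the result can be audited without opening the editor. The following PowerShell function is an added example, not code from the book: it parses a Drives.xml file of the Drive Maps extension and reports, per drive, the action, the Reconnect and Remove This Item When It Is No Longer Applied options, whether item-level targeting is present, any Connect As credentials, and which preference variables from the list earlier in this lesson (for example %LogonUser%) appear in the path. The sample XML is constructed here to mirror the S: drive item built above plus a second H: item; the share names, SID and uid values are placeholders, the element and attribute names follow the Drives.xml layout as the author of this example understands it, and the clsid attributes that real Drives.xml files carry are left out because the function does not read them.

```powershell
# Added example (not from the book): audit the Drive Maps preference items a GPO stores
# in SYSVOL as Drives.xml. The XML below is CONSTRUCTED; share names, SID and uid values
# are placeholders, and clsid attributes found in real files are omitted.
$sampleDrivesXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="S:" status="S:" image="2" changed="2014-01-01 12:00:00"
         uid="{00000000-0000-0000-0000-000000000001}" removePolicy="1" bypassErrors="0">
    <Properties action="R" thisDrive="NOCHANGE" allDrives="NOCHANGE" userName=""
                path="\\fileserver\sales" label="Sales" persistent="1" useLetter="1" letter="S"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="CORP\Sales" sid="S-1-5-21-0-0-0-1101"
                   userContext="1" primaryGroup="0" localGroup="0"/>
    </Filters>
  </Drive>
  <Drive name="H:" status="H:" image="2" changed="2014-01-01 12:00:00"
         uid="{00000000-0000-0000-0000-000000000002}" removePolicy="0" bypassErrors="1">
    <Properties action="U" thisDrive="NOCHANGE" allDrives="NOCHANGE" userName="CORP\svc-maps"
                path="\\fileserver\home\%LogonUser%" label="Home" persistent="1" useLetter="1" letter="H"/>
  </Drive>
</Drives>
'@

function Get-DriveMapAudit {
    # Returns one object per Drive Maps item found in the supplied Drives.xml text.
    param([Parameter(Mandatory)][string]$DrivesXml)

    $doc = [xml]$DrivesXml
    # Action codes used by the preference extensions: Create, Replace, Update, Delete
    $actionNames = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }

    foreach ($drive in $doc.Drives.Drive) {
        $p = $drive.Properties
        # Any %Variable% left in the path is resolved on the client when the item applies
        $vars = [regex]::Matches($p.path, '%[A-Za-z]+%') | ForEach-Object { $_.Value }
        # Connect As: a non-empty userName means the item carries alternate credentials
        $connectAs = if ($p.userName) { $p.userName } else { $null }

        [pscustomobject]@{
            Letter               = $p.letter
            Action               = $actionNames[$p.action]
            Path                 = $p.path
            Label                = $p.label
            Reconnect            = ($p.persistent -eq '1')        # General tab: Reconnect
            RemoveWhenOutOfScope = ($drive.removePolicy -eq '1')  # Common tab option
            StopOnError          = ($drive.bypassErrors -ne '1')  # Common tab option
            Disabled             = ($drive.disabled -eq '1')
            ConnectAs            = $connectAs
            ItemLevelTargeting   = ($null -ne $drive.Filters)     # Filters element present
            Variables            = ($vars -join ', ')
        }
    }
}

# Run against the constructed sample
Get-DriveMapAudit -DrivesXml $sampleDrivesXml | Format-Table -AutoSize

# On a domain member, read the real file of a GPO instead (GUID is a placeholder):
# $path = "\\corp.fabrikam.com\SYSVOL\corp.fabrikam.com\Policies\{GPO-GUID}\User\Preferences\Drives\Drives.xml"
# Get-DriveMapAudit -DrivesXml (Get-Content -Raw -Path $path)
```

In the sample, the S: item shows ItemLevelTargeting as True because of the Security Group filter, and the H: item reports %LogonUser% as a variable and CORP\svc-maps under ConnectAs. Items that report a ConnectAs value are the ones to review during a GPO audit, because the credentials they reference are stored with the GPO in SYSVOL rather than supplied by the logged-on user.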

Managing preference items

Once you have created new preference items in a GPO, you can use the Group Policy Management Editor to manage those items. As Figure 10-13 shows, the management tasks you can perform on preference items include

• Enabling or disabling the item.

• Moving the item up or down in the preference extension item list. Preference items are processed from the bottom of this list to the top.

• Displaying the XML for the item.

• Opening the properties of the item to modify its configuration settings on the General or Common tab.

FIGURE 10-13 Manage preference items using the Group Policy Management Editor.


Quick check

• You want to deploy mapped drives only to users who have French configured as their local language. What feature of Group Policy preferences allows you to do this?

Quick check answer

• You can use item-level targeting with Language targeting selected.



IPv6 and Group Policy preferences

New in Windows Server 2012 R2 is support for Internet Protocol version 6 (IPv6) for item-level targeting of Group Policy preferences. Specifically, you can configure the scope of individual preference items so they apply only to computers that have an address in a specific IPv6 address range. For example, here is how you might use a GPO to apply a certain power plan to computers running Windows 7 or later whose IPv6 addresses fall within the range 2001:DB8:3FA9::/48:

1. Open the GPO in the Group Policy Management Editor and expand Computer Configuration, then Preferences, then Control Panel Settings, and then Power Options.

2. Right-click Power Options and select New followed by Power Plan (at least Windows 7 is required).

3. In the New Power Plan Properties dialog box, click the Common tab, select the Item-level Targeting check box, and click Targeting.

4. In the Targeting Editor, click New Item followed by IP Address Range.

5. Select the Use IPv6 check box and specify the IPv6 address and prefix length.
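An IP Address Range targeting item with Use IPv6 selected puts a computer in scope when its address shares the first prefix-length bits of the address you specify. As an added example (not code from the book, and not part of Group Policy itself), the PowerShell function below performs that same prefix comparison offline, so you can check in advance which computers a 2001:DB8:3FA9::/48 item would select before linking the GPO. The host names and addresses are constructed for the example.

```powershell
# Added example (not from the book): test addresses against an IPv6 prefix the way an
# IP Address Range targeting item does, bit by bit over the 16-byte address.
function Test-IPv6InPrefix {
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][string]$Prefix      # network/prefix-length, e.g. '2001:DB8:3FA9::/48'
    )
    $parts   = $Prefix -split '/'
    if ($parts.Count -ne 2) { throw "Prefix must be written as network/length: $Prefix" }
    $length  = [int]$parts[1]
    if ($length -lt 0 -or $length -gt 128) { throw "Prefix length out of range: $length" }

    $ipv6 = [System.Net.Sockets.AddressFamily]::InterNetworkV6
    $a = [System.Net.IPAddress]::Parse($Address)
    $n = [System.Net.IPAddress]::Parse($parts[0])
    # A "Use IPv6" item never matches an IPv4 address, so reject those up front
    if ($a.AddressFamily -ne $ipv6 -or $n.AddressFamily -ne $ipv6) { return $false }

    $ab = $a.GetAddressBytes()
    $nb = $n.GetAddressBytes()

    # Compare the bytes fully covered by the prefix
    $fullBytes = [math]::Floor($length / 8)
    for ($i = 0; $i -lt $fullBytes; $i++) {
        if ($ab[$i] -ne $nb[$i]) { return $false }
    }
    # Then the leading bits of the one partially covered byte, if any
    $remaining = $length % 8
    if ($remaining -gt 0) {
        $mask = (0xFF -shl (8 - $remaining)) -band 0xFF
        if (($ab[$fullBytes] -band $mask) -ne ($nb[$fullBytes] -band $mask)) { return $false }
    }
    return $true
}

# Constructed inventory: which of these would the targeting item put in scope?
$constructedHosts = @(
    @{ Name = 'PC01'; Address = '2001:db8:3fa9:1::10' },     # inside /48
    @{ Name = 'PC02'; Address = '2001:db8:3fa9:ffff::20' },  # inside /48 (last subnet)
    @{ Name = 'PC03'; Address = '2001:db8:3faa::30' },       # adjacent /48, outside
    @{ Name = 'PC04'; Address = '10.0.0.5' }                 # IPv4, never matches
)
foreach ($h in $constructedHosts) {
    $inScope = Test-IPv6InPrefix -Address $h.Address -Prefix '2001:DB8:3FA9::/48'
    '{0,-6} {1,-24} in scope: {2}' -f $h.Name, $h.Address, $inScope
}
```

PC01 and PC02 are reported in scope, PC03 is not because its third hextet differs within the first 48 bits, and PC04 is rejected as an IPv4 address. Feeding the function the addresses recorded in your inventory (or the output of Get-NetIPAddress collected from the computers) gives the same answer the targeting item will reach at processing time.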

Support for IPv6 has also been introduced into other areas of Group Policy. For example, when you create a new TCP/IP Printer preference item, you can specify an IPv6 address for the network printer.

You can find another example of IPv6 support in Group Policy when you create a new VPN Connection preference item, which also accepts an IPv6 address.

For more information on IPv6 support in Microsoft Windows, see http://technet.microsoft.com/en-us/network/bb530961.aspx.


Windows Settings extensions

Figure 10-14 shows the different preference extensions for Windows settings that are available under Computer Configuration and User Configuration. You can use these preference extensions to configure the following types of settings for users or computers targeted by the GPO:

• Applications: Use this to configure settings for applications.

• Drive Maps: Use this to create, modify, or delete mapped drives and to configure the visibility of all drives.

• Environment: Use this to create, modify, or delete environment variables.

• Files: Use this to copy, modify the attributes of, replace, or delete files.

• Folders: Use this to create, modify, or delete folders.

• Ini Files: Use this to add, replace, or delete sections or properties in configuration settings (.ini) or setup information (.inf) files.

• Network Shares: Use this to create, modify, or delete (unshare) shares.

• Registry: Use this to copy registry settings and apply them to other computers. You can create, replace, or delete registry settings.

• Shortcuts: Use this to create, modify, or delete shortcuts.

FIGURE 10-14 View the available Windows Settings extensions for Group Policy preferences.

Control Panel Settings extensions

Figure 10-15 shows the different preference extensions for Control Panel settings that are available under Computer Configuration and User Configuration. You can use these preference extensions to configure the following types of settings for users or computers targeted by the GPO:

• Data Sources: Use this to create, modify, or delete Open Database Connectivity (ODBC) data source names.

• Devices: Use this to enable or disable hardware devices or classes of devices.

• Folder Options: Use this to configure folder options; create, modify, or delete Open With associations for file-name extensions; and create, modify, or delete file-name extensions associated with a type of file.

• Internet Settings: Use this to modify user-configurable Internet settings.

• Local Users and Groups: Use this to create, modify, or delete local users and groups.

• Network Options: Use this to create, modify, or delete virtual private network (VPN) or dial-up networking connections.

• Power Options: Use this to modify power options and create, modify, or delete power schemes.

• Printers: Use this to create, modify, or delete TCP/IP, shared, and local printer connections.

• Regional Options: Use this to modify regional options.

• Scheduled Tasks: Use this to create, modify, or delete scheduled or immediate tasks.

• Services: Use this to modify services.

• Start Menu: Use this to modify Start menu options.

FIGURE 10-15 View the available Control Panel Settings extensions for Group Policy preferences.

Lesson summary

• Preference extensions consist of Windows settings and Control Panel settings.

• You can configure preference items to create, delete, replace, or update a registry-based configuration setting on the client.

• A set of five common configuration options is supported for most preference extensions.

• Environment variables can be used in preference items to simplify the configuration of options such as file system paths.

• You can use item-level targeting to determine whether the preference item should be applied based on various conditions.

• You can manage preference items by right-clicking them in the Group Policy Management Editor.

Lesson review

Answer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.

1. Which of the following is not true concerning Group Policy preferences? (Choose all that apply.)

A. You cannot configure preferences in local GPOs.

B. Preferences take precedence over policies when they conflict.

C. When creating a new preference item, selecting the Create action deletes and re-creates the preference item for the targeted user or computer.

D. You can press F3 to select a variable when configuring a field of a preference item in which a variable can be used.

2. Which of the following cannot be used as a targeting item for preference item-level targeting?

A. MAC Address Range

B. Organizational Unit

C. Registry Match

D. Desktop Computer

3. You have configured several Drive Maps preference items so that users targeted by the GPO can have mapped drives to make it easier for them to access shared folders on the network. These shared folders are all located on different file servers. Occasionally, one of the file servers is taken down for maintenance, and you want the user to be able to use the remaining mapped drives when this occurs. Which option on the Common tab of the Drive Maps preference item can you configure to allow this?

A. Stop Processing Items In This Extension If An Error Occurs

B. Run In Logged-on User’s Security Context (User Policy Option)

C. Remove This Item When It Is No Longer Applied

D. Apply Once And Do Not Reapply

Practice exercises

The goal of this section is to provide you with hands-on practice with the following:

• Designing and implementing Group Policy

• Creating and managing GPOs using Windows PowerShell

To perform the following exercises, you need at least one clean installation of Windows Server 2012 R2 using the Server With A GUI installation option. The server should be a domain controller in a domain, have Internet connectivity, and have no additional roles or features installed. For the purposes of these exercises, the name of the server is assumed to be HOST4 and the domain is corp.fabrikam.com.

You also need read/write access for Everyone to a shared folder on the network. This shared folder can be on a file server running either Windows Server 2012 R2 or an earlier version of Windows Server.

You should be logged on interactively to HOST4 using a user account that is a member of the local Administrators group.

Exercise 1: Designing and implementing Group Policy

In this exercise, you design an OU structure to support Group Policy, create Starter GPOs, and configure your environment to support a remote refresh of Group Policy.

1. Design and create an OU structure for the corp.fabrikam.com domain that satisfies the following requirements:

• Fabrikam has its offices located in Chicago and currently has no branch offices.

• The departments called Executive, HR, IT, and Marketing each have different security requirements for their users and computers.

• All servers are managed by the IT department.

• The Remote Desktop Session Host (RDSH) servers have different security requirements than Fabrikam’s other servers do.

• Users in the HR department have only desktops.

• Users in the Marketing department have only laptops.

• Users in the Executive and IT departments have both desktops and laptops.

2. Create the following Starter GPOs:

• Start-Computers: You will use this Starter GPO in the next exercise for creating GPOs that will be linked to any OUs containing child OUs for different types of computers.

• Start-Users: You will use this Starter GPO in the next exercise for creating GPOs that will be linked to containers for all types of users except those in the IT department.

• Start-RDS: You will use this Starter GPO in the next exercise to configure the security for Fabrikam’s RDSH servers.

• Start-Member: You will use this Starter GPO in the next exercise to configure the security for Fabrikam’s other member servers.

3. Configure a few appropriate policies in each of the new Starter GPOs you just created.

4. Create a new GPO called Refresh that you can use to enable a remote refresh of Group Policy on computers targeted by the GPO. Do not link the new GPO to any container in Active Directory.
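One OU design that meets the requirements in step 1, together with steps 2 and 4, can be scripted from HOST4. The script below is an added example, not the book's solution: the OU layout (a department OU per department, with child OUs only for the device types that department uses, and a Servers OU with RDSH and Member child OUs) and the helper function are this example's own choices; the domain corp.fabrikam.com, the Starter GPO names and the Refresh GPO come from the exercise text. It assumes the ActiveDirectory and GroupPolicy modules are available, which they are on a Windows Server 2012 R2 domain controller.

```powershell
# Added example (not from the book): Exercise 1 in PowerShell. OU layout and helper
# function are this example's own; names of Starter GPOs and the Refresh GPO follow the
# exercise. Run on HOST4 as a member of the local Administrators group.
Import-Module ActiveDirectory, GroupPolicy

$domainDN = 'DC=corp,DC=fabrikam,DC=com'

function New-OUIfMissing {
    # Creates an OU under $ParentDN unless it already exists; returns its DN either way.
    param([string]$Name, [string]$ParentDN)
    $dn = "OU=$Name,$ParentDN"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'")) {
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return $dn
}

# Step 1: single Chicago office, so no site or branch layer. Each department gets a Users
# OU plus child OUs only for the device types it actually has, which is what lets one
# GPO per computer type be linked without WMI or security filtering.
$structure = [ordered]@{
    Executive = @('Users', 'Desktops', 'Laptops')
    HR        = @('Users', 'Desktops')
    IT        = @('Users', 'Desktops', 'Laptops')
    Marketing = @('Users', 'Laptops')
    Servers   = @('RDSH', 'Member')     # all servers are managed by IT; RDSH is separated
}
foreach ($top in $structure.Keys) {
    $topDN = New-OUIfMissing -Name $top -ParentDN $domainDN
    foreach ($child in $structure[$top]) {
        New-OUIfMissing -Name $child -ParentDN $topDN | Out-Null
    }
}

# Step 2: the four Starter GPOs named in the exercise
$starters = [ordered]@{
    'Start-Computers' = 'Baseline for OUs that contain child OUs for computer types'
    'Start-Users'     = 'Baseline for user containers outside the IT department'
    'Start-RDS'       = 'Security baseline for RDSH servers'
    'Start-Member'    = 'Security baseline for other member servers'
}
foreach ($name in $starters.Keys) {
    if (-not (Get-GPStarterGPO -Name $name -ErrorAction SilentlyContinue)) {
        New-GPStarterGPO -Name $name -Comment $starters[$name] | Out-Null
    }
}
# Step 3 (configuring policies inside the Starter GPOs) is done in the Group Policy
# Starter GPO Editor; the GroupPolicy cmdlets set values on GPOs, not on Starter GPOs.

# Step 4: the Refresh GPO, unlinked, created from the system Starter GPO that opens the
# firewall ports remote refresh needs. That Starter GPO is present once the domain's
# Starter GPOs folder has been created in the GPMC.
if (-not (Get-GPO -Name 'Refresh' -ErrorAction SilentlyContinue)) {
    New-GPO -Name 'Refresh' -StarterGpoName 'Group Policy Remote Update Firewall Ports' `
            -Comment 'Enables remote Group Policy refresh; linked in Exercise 2' | Out-Null
}

# Show the result
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDN | Select-Object -ExpandProperty DistinguishedName
Get-GPStarterGPO -All | Select-Object DisplayName, Comment
```

The script is safe to re-run: each OU and Starter GPO is created only if it does not already exist, and the Refresh GPO is deliberately left unlinked, as step 4 requires.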

Exercise 2: Creating and managing GPOs using Windows PowerShell

In this exercise, you use the Refresh GPO you created in the previous exercise to enable remote refresh of Group Policy for all computers except those used by the IT department. You then create new GPOs from the Starter GPOs you created in the previous exercise and link them to different OUs in your Active Directory infrastructure. Finally, you back up all the GPOs you just created so that you can restore them quickly in the event of a disaster, and you test your backup by performing a restore. You perform all tasks in this exercise using Windows PowerShell. Follow these steps:

1. Use the New-GPLink cmdlet to link the Refresh GPO to the OUs that contain computers for different departments except for the IT department.

2. Use the New-StarterGPO, New-GPO, and New-GPLink cmdlets to create and link new GPOs to any OUs containing child OUs for different types of computers.

3. Use the New-StarterGPO, New-GPO, and New-GPLink cmdlets to create and link new GPOs to containers for all types of users except those in the IT department.

4. Use the New-StarterGPO, New-GPO, and New-GPLink cmdlets to create and link new GPOs to configure the security for Fabrikam’s RDSH servers.

5. Use the New-StarterGPO, New-GPO, and New-GPLink cmdlets to create and link new GPOs to configure the security for Fabrikam’s other member servers.

6. Use the Get-GPO and Backup-GPO cmdlets to back up all GPOs in the corp.fabrikam.com domain to a shared folder on the network.

7. Use the Get-ChildItem cmdlet to verify that the backup was successful.

8. Delete one of the GPOs in your environment.

9. Use the Restore-GPO cmdlet to restore the deleted GPO and its link.

10. Open the restored GPO in the Group Policy Management Editor and verify that the restored GPO contains the policies of the deleted GPO.
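The following script is an added example, not the book's solution, that carries out steps 1 through 10 of this exercise. It assumes the OU names from the Exercise 1 example above (Users, Desktops and Laptops OUs under each department OU; RDSH and Member under Servers); the GPO names and the backup share \\fileserver\GpoBackups are this example's own placeholders. The Starter GPOs are consumed through the -StarterGpoName parameter of New-GPO, whose output is piped straight into New-GPLink.

```powershell
# Added example (not from the book): Exercise 2 in PowerShell. OU names follow the
# Exercise 1 example; GPO names and \\fileserver\GpoBackups are placeholders.
Import-Module GroupPolicy

$domain   = 'corp.fabrikam.com'
$domainDN = 'DC=corp,DC=fabrikam,DC=com'
$backup   = '\\fileserver\GpoBackups'    # Everyone needs read/write on this share

# Step 1: link Refresh to every department OU that holds computers, except IT.
foreach ($dept in 'Executive', 'HR', 'Marketing') {
    New-GPLink -Name 'Refresh' -Target "OU=$dept,$domainDN" -LinkEnabled Yes -Domain $domain | Out-Null
}

# Steps 2-5: one GPO per target, created from the matching Starter GPO and linked in a
# single pipeline (the New-GPO output carries the GPO into New-GPLink).
$plan = @(
    @{ Gpo = 'Computers-Executive'; Starter = 'Start-Computers'; Target = "OU=Executive,$domainDN" },
    @{ Gpo = 'Computers-HR';        Starter = 'Start-Computers'; Target = "OU=HR,$domainDN" },
    @{ Gpo = 'Computers-IT';        Starter = 'Start-Computers'; Target = "OU=IT,$domainDN" },
    @{ Gpo = 'Computers-Marketing'; Starter = 'Start-Computers'; Target = "OU=Marketing,$domainDN" },
    @{ Gpo = 'Users-Executive';     Starter = 'Start-Users';     Target = "OU=Users,OU=Executive,$domainDN" },
    @{ Gpo = 'Users-HR';            Starter = 'Start-Users';     Target = "OU=Users,OU=HR,$domainDN" },
    @{ Gpo = 'Users-Marketing';     Starter = 'Start-Users';     Target = "OU=Users,OU=Marketing,$domainDN" },
    @{ Gpo = 'Servers-RDSH';        Starter = 'Start-RDS';       Target = "OU=RDSH,OU=Servers,$domainDN" },
    @{ Gpo = 'Servers-Member';      Starter = 'Start-Member';    Target = "OU=Member,OU=Servers,$domainDN" }
)
foreach ($item in $plan) {
    New-GPO -Name $item.Gpo -StarterGpoName $item.Starter -Domain $domain |
        New-GPLink -Target $item.Target -LinkEnabled Yes | Out-Null
}

# Steps 6-7: back up every GPO in the domain, then confirm the backup folders exist.
$backups = Get-GPO -All -Domain $domain |
    Backup-GPO -Path $backup -Comment "Chapter 10 exercise $(Get-Date -Format s)"
$backups | Select-Object DisplayName, Id, BackupDirectory
Get-ChildItem -Path $backup -Directory | Select-Object Name, LastWriteTime

# Steps 8-10: delete one GPO and restore it. Restore-GPO brings back the settings,
# security filtering and WMI filter link, but not the OU links, so record the links
# first and re-create them afterwards.
$victim = 'Users-Marketing'
$links  = (Get-GPInheritance -Target "OU=Users,OU=Marketing,$domainDN").GpoLinks |
              Where-Object DisplayName -eq $victim
Remove-GPO -Name $victim -Domain $domain
Restore-GPO -Name $victim -Path $backup -Domain $domain | Out-Null
foreach ($l in $links) {
    New-GPLink -Name $victim -Target $l.Target `
               -LinkEnabled $(if ($l.Enabled)  { 'Yes' } else { 'No' }) `
               -Enforced    $(if ($l.Enforced) { 'Yes' } else { 'No' }) | Out-Null
}
# An HTML settings report is a quick way to confirm the restored GPO carries the
# policies of the deleted one before opening it in the Group Policy Management Editor.
Get-GPOReport -Name $victim -ReportType Html -Domain $domain -Path "$env:TEMP\$victim.html"
```

Capturing the links before deletion matters because removing a GPO also removes its links, and a restore alone would leave the GPO present but applied to nothing; checking the OU with Get-GPInheritance after the restore is the verification step that catches this.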

Suggested practice exercises

The following additional practice exercises are designed to give you more opportunities to practice what you’ve learned and to help you successfully master the lessons presented in this chapter.

• Exercise 1: Explore using different Group Policy preference extensions to configure different types of settings for Windows clients in your environment.

• Exercise 2: Write a Windows PowerShell script that creates a hierarchy of OUs and then creates a new GPO linked to each OU in your hierarchy.

• Exercise 3: Learn how to use “AppLocker Cmdlets in Windows PowerShell” at http://technet.microsoft.com/en-us/library/hh847210.

Answers

This section contains the answers to the lesson review questions in this chapter.

Lesson 1

1. Correct answer: D

A. Incorrect: A flat OU structure like this does not necessarily have more OUs than a hierarchical structure designed for the same purpose. In fact, a hierarchical OU structure often has more OUs and therefore more GPOs.

B. Incorrect: A flat OU structure like this does not necessarily have more OUs than a hierarchical structure designed for the same purpose. In fact, a hierarchical OU structure often has more OUs and therefore more GPOs.

C. Incorrect: Group Policy inheritance can make delegation of authority over GPOs easier to implement. It does not necessarily make a GPO environment more manageable, however.

D. Correct: Group Policy delegation is more difficult to implement in a flat OU structure because Group Policy inheritance cannot be used to pass policies from parent OUs to child OUs.

2. Correct answers: A, B, and C

A. Correct: Group Policy remote refresh will not work if the necessary firewall ports on the targeted computers have not been opened.

B. Correct: Group Policy remote refresh will not work if the GPO that should be linked to the OU has become unlinked from the OU.

C. Correct: Group Policy remote refresh will refresh User Configuration policies on the targeted computers only if the Computer Configuration portion of the GPO linked to the OU has been disabled.

D. Incorrect: The Group Policy Remote Update Firewall Ports Starter GPO makes it easier to enable remote refresh of Group Policy on targeted computers. However, you can also enable remote refresh of Group Policy by manually opening the necessary firewall ports on targeted computers or by running a Netsh or Windows PowerShell script to do this.

3. Correct answer: D

A. Incorrect: Selecting the root node in the GPMC displays a shortcut to the forest root domain node. Right-clicking this node allows you to add another forest to the console.

B. Incorrect: Selecting the node named Forest: <forest_root_domain_name> displays shortcuts to various nodes in the console. Right-clicking this node allows you to search for GPOs in all domains in the forest.

C. Incorrect: Selecting the node named Domain displays a shortcut to the node named <domain_name>. Right-clicking this node allows you to choose which domains to show, manage GPO backups, and open the Migration Table Editor.

D. Correct: Selecting the node named <domain_name> allows you to view the current status of SYSVOL replication as it relates to Group Policy in a domain.

Lesson 2

1. Correct answer: B

A. Incorrect: You can use Get-StarterGPO and New-GPO to create a new GPO from a Starter GPO but not to link the new GPO.

B. Correct: You can use New-GPO and New-GPLink to create a new GPO and link the GPO using a single command by piping the output of New-GPO into New-GPLink.

C. Incorrect: You can use New-GPO to create a new GPO. You can use Set-GPLink to set the properties of an existing GPO link but not to create a new GPO link.

D. Incorrect: You can use Get-GPO and New-GPLink to link an existing GPO but not to create and link a new GPO.

2. Correct answer: D

A. Incorrect: The dash prefixing All indicates that All is a parameter, not the name of a GPO.

B. Incorrect: The dash prefixing All indicates that All is a parameter, not the name of a GPO.

C. Incorrect: \\HOST6\GpoBackups is a network path, not a local path.

D. Correct: The parameter -All indicates that all GPOs should be backed up. The parameter -Path specifies a UNC path, which means the GPOs will be backed up to a shared folder on the network.

Lesson 3

1. Correct answers: B and C

A. Incorrect: Unlike policies, which can be configured in both domain and local GPOs, preferences can be configured only in domain GPOs. This means that if you open the Local Computer Policy on a computer by running gpedit.msc, you will not see a Preferences node under Computer Configuration or User Configuration.

B. Correct: A few policies and preferences overlap and allow you to configure the same setting for targeted users or computers. To resolve such situations, policies always have priority over preferences.

C. Correct: When creating a new preference item, selecting the Create action creates a new preference item for the targeted user or computer. In contrast, selecting the Replace action deletes and re-creates the preference item for the targeted user or computer.

D. Incorrect: To select a variable when configuring a preference item, open the properties of the preference item, click in any field in which a variable can be used, and press F3 to open the Select A Variable dialog box.

2. Correct answer: D

A. Incorrect: A MAC Address Range targeting item allows a preference item to be applied to computers or users only if any of the processing computer’s MAC addresses are within the range specified in the targeting item.

B. Incorrect: An Organizational Unit targeting item allows a preference item to be applied to computers or users only if the user or computer is a member of the organizational unit (OU) specified in the targeting item.

C. Incorrect: A Registry Match targeting item allows a preference item to be applied to computers or users only if the registry key or value specified in the targeting item exists, if the registry value contains the data specified in the targeting item, or if the version number in the registry value is within the range specified in the targeting item.

D. Correct: There is no Desktop Computer targeting item available. However, you could use the Portable Computer targeting option for this purpose and select Is Not instead of Is for the targeting condition.

3. Correct answer: A

A. Correct: A preference extension can contain one or more preference items. If this option is selected, a preference item that fails to apply will not prevent the remaining preference items in the extension from processing.

B. Incorrect: By default, preferences are processed using the security context of the SYSTEM account on the client. If this option is selected, the preference will be processed using the security context of the currently logged-on user on the client, which allows user-specific environment variables to be used in file system paths.

C. Incorrect: By default, preference items are not removed from the client when the GPO targeting the user or computer goes out of scope. Selecting this option causes the preference item to be removed from the client when the GPO targeting the user or computer goes out of scope, which is done by deleting and then re-creating the preference item.

D. Incorrect: By default, a preference item configured in a GPO applies to all users and computers targeted by that GPO. You can select this option to change this behavior.