Miscellaneous

It does seem counterproductive to have to share a printer that is going to be installed on workstations as a TCP/IP printer using GPP. The only reason you have to share it and enter its UNC path in the Printer Path box of the GPP item is so that the driver can be downloaded to the workstations. Other than the driver, all print processing occurs on the workstation itself, not on the server. In theory, once the driver is installed on every workstation you could unshare the printer, although this is not recommended: any machine that is rebuilt or joins the OU later has nowhere to get the driver from.

When a user logs on to a computer for the first time, a local profile is created whose settings are stored in a file called NTUSER.DAT. This file is read/write, so changes the user makes are saved back to the profile at logoff. Renaming NTUSER.DAT to NTUSER.MAN makes the profile read-only: the user can still change things during the session, but nothing is written back at logoff. That is what makes it a mandatory profile. Jeremy covers this process in Chapter 9 of his book.

If you are troubleshooting Server 2003 or XP machines, you can run GPResult.exe with no switches at all. If you are logged on to a computer as a different user in order to troubleshoot someone else's logon, gpresult /v (verbose mode) will usually do, and gpresult /user <name> /v reports on another user who has previously logged on to that machine. On Server 2008 and Windows 7, gpresult with no switches only prints its help text, so type gpresult /r for the summary (or gpresult /h report.html for an HTML report you can hand to someone). Jeremy covers the usage of this command in Chapter 7 of his book.

Active Directory

There is a little utility called Kerbtray in the Windows Server 2003 Resource Kit Tools. When you run Kerbtray it puts an easily identifiable icon in the notification area. If the icon is green, the user holds Kerberos tickets from a domain controller, meaning the logon was a live domain logon rather than one against cached credentials; clicking the icon lists the tickets and their lifetimes. On Vista and later the built-in klist.exe shows the same information from a command prompt. Jeremy demonstrates Kerbtray in Chapter 7 of his book.

No, a user cannot belong to more than one OU at any one time. The reason this question comes up so often is that we want to apply a different set of group policies to a user when they log on to a special-use computer: a terminal server, a computer in a public area or a computer training lab. When we log on to those computers we want a different user experience than when we log on to our regular desktop. The answer to this issue is what is called a Loopback Policy.
When a computer starts up, the GPOs based on the computer object's location in Active Directory are processed. With a Loopback Policy in place, one of two things happens when a user logs on. In Replace mode, the user's own list of GPOs is not even retrieved from Active Directory; instead, the user-side settings of the GPOs based on the computer object's location are retrieved and processed for every user who logs on to that computer. In Merge mode, the user's list of GPOs is retrieved first and the computer's list is then appended to the end of it, which gives the computer-based GPOs the higher precedence. In short, the two sets of settings are merged, with the computer-based GPOs "winning" wherever they differ. The setting itself lives on the computer side of a GPO linked where the computer account sits: Computer Configuration | Administrative Templates | System | Group Policy | User Group Policy loopback processing mode.

Backing up Group Policy

There is a very easy way! Simply use the GPMC and navigate to the Group Policy Objects container, then right-click and choose "Back Up All". You can also right-click an individual GPO and back it up on its own. Note that a backup captures the GPO's settings and its delegation, but not its links or the WMI filter itself (only the filter's name), so document those separately. Jeremy discusses backup and restore processes thoroughly in Chapter 2 of his book.

Yes, the Microsoft GPMC Sample Scripts (found here: http://www.microsoft.com/en-us/download/details.aspx?id=14536) include several. Among them are BackupAllGPOs.wsf, RestoreAllGPOs.wsf, BackupGPO.wsf and RestoreGPO.wsf.

You can also use Powershell. See the free chapter Jeremy has on Powershell at www.GPanswers.com/book
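
The following is an added example, not code from the page or from Jeremy's book: it uses the GroupPolicy PowerShell module to do what "Back Up All" does, writes a manifest next to the backups, and shows the two recovery paths (overwrite a live GPO, or recreate one that has been deleted). The backup root path and the GPO name are assumptions.

```powershell
# Added example (not from the page): back up every GPO to a dated folder with a manifest, then
# two recovery paths: overwrite a live GPO from the latest backup, or recreate a deleted one.
# The backup root path and GPO name are assumptions.
Import-Module GroupPolicy

function Backup-AllGpos {
    param([Parameter(Mandatory)][string]$Root)
    $dest = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd_HHmm')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    # One GpoBackup object per GPO: Id is the backup id, GpoId is the GPO's own GUID
    $backups = Backup-GPO -All -Path $dest -Comment "Scheduled backup $(Get-Date -Format s)"
    # A manifest lets you find a backup by name later without opening GPMC's Manage Backups dialog
    $backups | Select-Object DisplayName, GpoId, Id, CreationTime |
        Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
    # The folder now holds every setting of every GPO; treat it like SYSVOL and restrict who can read it
    return $backups
}

function Get-LatestBackupFolder {
    param([Parameter(Mandatory)][string]$Root)
    $latest = Get-ChildItem -Path $Root -Directory | Sort-Object Name -Descending | Select-Object -First 1
    if (-not $latest) { throw "No backup folders under $Root" }
    return $latest.FullName
}

function Restore-GpoFromBackup {
    # Restore-GPO overwrites an EXISTING GPO (settings and delegation) from the newest backup of that
    # name in the folder; links are not part of a backup and are left as they are
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$Name)
    Restore-GPO -Name $Name -Path (Get-LatestBackupFolder -Root $Root)
}

function New-GpoFromBackup {
    # Import-GPO -CreateIfNeeded rebuilds a GPO that no longer exists; it gets a NEW GUID and no links,
    # so re-link it afterwards (New-GPLink) and re-check its delegation
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$Name)
    Import-GPO -BackupGpoName $Name -TargetName $Name -Path (Get-LatestBackupFolder -Root $Root) -CreateIfNeeded
}

Backup-AllGpos -Root '\\fileserver\GPOBackups' | Format-Table DisplayName, Id -AutoSize
Restore-GpoFromBackup -Root '\\fileserver\GPOBackups' -Name 'Workstation Baseline'
```

Run it from a machine with the GPMC (RSAT) installed, as an account that has Read on every GPO; restoring requires edit rights on the target GPO.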

Common Uses for Group Policy

Both of these tasks can be done with Group Policy Preferences. Go to User Configuration | Preferences | Windows Settings; you will find an icon for Drive Maps and one for Shortcuts. Create a separate GPO for each function and link both to the OU that contains the user accounts. Keep the link order in mind when you do: the GPO at the top of the Linked Group Policy Objects list (link order 1) has the highest precedence, which means it is processed last and wins any conflict, not that it runs first. Drive Maps and Shortcuts are handled by separate client-side extensions, and a shortcut that points at a mapped drive letter is just a .lnk file whose target becomes valid as soon as the Drive Maps item has applied, so what matters is that both GPOs reach the same users.

You can simply create a GPO that redirects their "My Documents" folder to a network share on one of your servers (User Configuration | Windows Settings | Folder Redirection), giving you a single location to back up.

Again, this is easily done through Group Policy Preferences. Go to Computer Configuration | Preferences | Control Panel Settings and click the Services icon. The Service name list is populated from the services installed on the machine you are editing the GPO from, so edit from a machine that represents the targeted machines (or type the service's short name in directly). Remember that whatever you configure here, including a startup type or a service logon account, will be applied on every machine the GPO reaches, so scope the GPO carefully.

This is easily done using Group Policy Preferences and can be implemented from either the User or the Computer Configuration. Go to Preferences | Control Panel Settings and click the Power Options icon. You then pick the item type for the target operating system (Power Options and Power Scheme for XP, Power Plan for Windows 7 and later) and make the desired configuration settings.

Yes. Group Policy Preferences is a fantastic way to copy files from one location to another. Place the file on a server and create a GPO for the task, using the Computer or User Configuration depending on what you need. Then go to Preferences | Windows Settings | Files and enter the source location that currently hosts the file and the destination path where you want it to reside on the targeted machines. Two things to check: a computer-side item runs as SYSTEM, so the share must grant Read to Domain Computers (or Authenticated Users); and whoever can write to that source share controls what lands on every targeted machine, so restrict write access to the administrators who own the GPO.

There is actually a specific policy to do exactly what you are asking. Look under User Configuration | Administrative Templates | System. The setting you are looking for is 'Prevent access to registry editing tools'.

If you enable this setting, users will not be able to open Regedit.exe (the 'Disable regedit from running silently?' option decides whether they see a message or nothing at all). Note that it only blocks the registry editor: reg.exe, PowerShell and scripts can still read and write the registry wherever the user's permissions allow, so pair it with Software Restriction Policies or AppLocker if that matters to you.

Of course, if there are other specific applications you do not want your users to run, Software Restriction Policies (XP) and Applocker (Win7 and later) to the rescue!

Jeremy has a whole section dedicated to Software Restriction Policies and also Applocker in Chapter 8 of his book, and it’s also covered with hands-on labs in his training classes.

It is very easy to add a local user to a Restricted Group in Group Policy: type the user name by itself (a domain account is entered as DOMAIN\Name) and that is it. Be aware that the Members list of a Restricted Groups entry is authoritative: anyone not on the list, including accounts added by hand on the machine, is removed at the next refresh. Jeremy discusses this topic in Chapter 8 of his book and in his Group Policy training class.

Yes. Check out these two policy settings:

User Configuration | Administrative Templates | Windows Components | Windows Explorer | Hide these specified drives in My Computer

And

User Configuration | Administrative Templates | Windows Components | Windows Explorer | Prevent access to drives from My Computer
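
The two settings above write the NoDrives and NoViewOnDrive values, each a bitmask with one bit per drive letter. The GUI only offers a handful of fixed combinations; the added example below (not code from the page or from Jeremy's book) computes the mask for exactly the letters you want and writes both values into a GPO. The GPO name is an assumption.

```powershell
# Added example (not from the page): compute the NoDrives / NoViewOnDrive bitmask for exactly the
# letters you want and write both values into a GPO. The GPO name is an assumption.
Import-Module GroupPolicy

function Get-DriveMask {
    # Bit 0 is A:, bit 1 is B:, ... bit 25 is Z:. 0x03FFFFFF means "all drives".
    param([Parameter(Mandatory)][char[]]$Letters)
    $mask = 0
    foreach ($letter in $Letters) {
        $code = [int][char]::ToUpperInvariant($letter)
        if ($code -lt 65 -or $code -gt 90) { throw "Not a drive letter: $letter" }
        $mask = $mask -bor (1 -shl ($code - 65))
    }
    return $mask
}

function Set-HiddenDrives {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][char[]]$Letters
    )
    $mask = Get-DriveMask -Letters $Letters
    $key  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    # NoDrives only hides the icons in Explorer; NoViewOnDrive refuses to open the drive when the
    # user types D:\ into the address bar. Set both. Neither restricts cmd.exe, PowerShell or UNC
    # paths, so this is cosmetic unless you also restrict what can run (SRP / AppLocker).
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'NoDrives'      -Type DWord -Value $mask | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'NoViewOnDrive' -Type DWord -Value $mask | Out-Null
    return $mask
}

Get-DriveMask -Letters 'D', 'E'
Set-HiddenDrives -GpoName 'User - Hide Local Drives' -Letters 'C', 'D'
```

Both values sit under the user's Policies branch, so they are true policies: when the GPO falls out of scope the client-side extension removes them and the drives reappear.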

If you're talking about the Internet Explorer home page, then sure! That's User Configuration | Windows Settings | Internet Explorer Maintenance | URLs | Home Page URL. Note that Internet Explorer Maintenance was retired with Internet Explorer 10; on machines running IE10 or later, set the home page with Group Policy Preferences instead (User Configuration | Preferences | Control Panel Settings | Internet Settings).

While you’re there, check out Administrative Templates | Windows Components | Internet Explorer | Disable changing home page settings. This ensures that users cannot change it once you’ve set it.

If you’d like to do this in Firefox or Chrome, you’ll need PolicyPak (www.PolicyPak.com) to do it.

There are two different ways to accomplish what you are looking for. The first is to redirect the Desktop folder to a file server on your network. By redirecting the Desktop folder, the user's desktop is available wherever they log on. However, in this case the files are not copied down locally to every desktop they log on to. Jeremy covers redirected folders quite thoroughly in Chapter 10 of his Group Policy book.

If you truly want the files copied down locally, then the answer you seek is called Roaming Profiles. Microsoft has some basic documentation on Roaming Profiles, but Jeremy has documented the heck out of how they actually work, live, and breathe in Chapter 9 of his Group Policy book.

Yes, for Windows XP and later.

The answer lies within Administrative Templates | Start Menu and Taskbar | Remove Balloon Tips on Start Menu items.

Distributing Applications through Group Policy

Sadly, the answer is no. The GP editor does not allow you to change the path of the installation source once the package has been created.
The way to save yourself a headache in the future is to create a Distributed File System (DFS) namespace and publish the installation files through it. You then create the package in the GPO using the DFS path. If you ever move the installation files, all you have to do is change the DFS folder target; the GPO keeps pointing at the same path. One caveat: the Windows Installer service pulls from that path as SYSTEM on every install and repair, so the DFS target must stay readable by Domain Computers and writable only by the people who own the packages.

When you make the GPO for the assigned application, there is a deployment tab within the GPO properties. At the bottom of the tab are two Installation user interface options. If you select Basic, the user will not be presented with any user prompts other than the ability to cancel out of the installation. You may need to perform an Administrative Installation of the application’s MSI file with the answers for the user prompts such as a license key, name of the organization, etc. Jeremy talks about this process in Chapter 11 of his book.

Actually it is neither. Programs are automatically downloaded and installed when they are first run by the user. The download and installation can be triggered either by the user clicking the application's icon in the Start Menu, which appears as soon as the GPO applies, or by the user opening a file whose type is associated with that application. For instance, opening a Word file would initiate the installation of Microsoft Word. Jeremy discusses the assigning of applications in Chapter 11 of his book.

No, users do not require admin rights in order for GPOs to execute MSI files and install assigned applications. Jeremy discusses all facets of Group Policy Software Installations in Chapter 11 of his book.

Group Policy and Scripts

GPAnswers.com very own Jakob Heidelberg has written a script that can be used as a startup script to install the Group Policy Preference Extensions and pre-requisites. This is NOT needed on Windows 7 and later. This is only needed for XP, 2003 and Vista.

Here is the complete script:

' --------------------------------------------- '
' ----- By Jakob H. Heidelberg 29-02-2008 ----- '
' ----- - - - - - - - - - - - - - - - - - ----- '
' -----    Install GP Preference CSEs     ----- '
' -----          Developed for:           ----- '
' -----  http://heidelbergit.blogspot.com ----- '
' ----- - - - - - - - - - - - - - - - - - ----- '
' -----           version 1.01            ----- '
' -----    Last rev. date: 01-03-2008     ----- '
' --------------------------------------------- '
' Changes:
'---------
' v1.0 Basic functionality:
'  - Developed to be combined with a Startup Script (or admin rights)
'  - Check if the CSEs are installed already, using local WMI call
'  - Check OS Version (Windows XP, Windows Server 2003, Windows Vista), using local WMI call
'  - Check OS Architecture (32 or 64 bit), just checking for a folder as WMI call was kinda strange
'  - Check OS Service Pack Level, using local WMI call
'  - Check for GPP CSE Pre-requisite on XP/2003 systems, using local WMI call
'  - Installation of GPP CSE Pre-reqs on XP/2003 systems
'  - Handles install on Windows XP SP2/SP3 32-bit (EXE file)
'  - Handles install on Windows XP 64-bit, any SP level (EXE file)
'  - Handles install on Windows Server 2003 SP1/SP2 32-bit (EXE file)
'  - Handles install on Windows Server 2003 64-bit, any SP level (EXE file)
'  - Handles install on Windows Vista RTM/SP1 32-bit (MSU package)
'  - Handles install on Windows Vista RTM/SP1 64-bit (MSU package)
'
' More info:
'-----------
'  1) Place ALL GPP CSE and GPP CSE Pre-Req files in the same directory (strBasePath), eg. \\DC1\UPDATES\
'  2) Description of the Windows Update Stand-alone Installer (Wusa.exe) and of .msu files in Windows Vista:
'     http://support.microsoft.com/kb/934307/en-us
'  3) NB! You might need other language version for the XmlLite GPP CSE Pre-requisites, so watch out!
'  4) As a startup script this runs as SYSTEM and executes whatever it finds in strBasePath. The MD5
'     sums noted below are for checking your downloads by hand; the script itself does not verify
'     them, so give Domain Computers read-only access to the share and let only administrators write.

Option Explicit
On Error Resume Next

' The Group Policy Preference CSE HotfixID
Dim strCSEFixID : strCSEFixID = "943729"

' Path to main update share/folder - place the 4 GPP CSE and the 3 GPP CSE Pre-Req binaries here!
Dim strBasePath : strBasePath = "\\SERVER\SHARE\" ' NB! with trailing backslash!

' GPP CSE filename for: Windows XP 32-bit / Windows Server 2003 32-bit (MD5: dfa20e51141af67ec49d574428c38fb8)
' http://www.microsoft.com/downloads/details.aspx?FamilyID=e60b5c8f-d7dc-4b27-a261-247ce3f6c4f8&DisplayLang=en
' http://www.microsoft.com/downloads/details.aspx?FamilyID=bfe775f9-5c34-44d0-8a94-44e47db35add&DisplayLang=en
Dim strXP2K332CSE : strXP2K332CSE = "Windows-en-US-KB943729-x86.exe"

' GPP CSE filename for: Windows XP 64-bit / Windows Server 2003 64-bit (MD5: 5803c6f4b4bc02ea29d934d839e0a66f)
' http://www.microsoft.com/downloads/details.aspx?FamilyID=b10a7af4-8bee-4adc-8bbe-9949df77a3cf&DisplayLang=en
' http://www.microsoft.com/downloads/details.aspx?FamilyID=29e83503-7686-49f3-b42d-8e5ed23d5d79&DisplayLang=en
Dim strXP2K364CSE : strXP2K364CSE = "Windows-en-US-KB943729-x64.exe"

' GPP CSE filename for: Windows Vista 32-bit (MD5: 22a42082473b3c8bc3b22ad095c6c31f)
' http://www.microsoft.com/downloads/details.aspx?FamilyID=ab60dc87-884c-46d5-82cd-f3c299dac7cc&DisplayLang=en
Dim strVIS32CSE : strVIS32CSE = "Windows6.0-KB943729-x86.msu"

' GPP CSE filename for: Windows Vista 64-bit (MD5: d92e107cdffa51d5943f1861f28178e7)
' http://www.microsoft.com/downloads/details.aspx?FamilyID=b10a7af4-8bee-4adc-8bbe-9949df77a3cf&DisplayLang=en
Dim strVIS64CSE : strVIS64CSE = "Windows6.0-KB943729-x64.msu"

'----------------------------------------------------------------------'
' PRE-REQUISITES - http://support.microsoft.com/default.aspx/kb/914783  '
'----------------------------------------------------------------------'
' GPP PreReq KB914783 filename for: Windows XP SP2 32-bit = KB915865 (MD5: 656657aeaea02d3a1069d52c4593e6e8)
' http://www.microsoft.com/downloads/details.aspx?FamilyId=D7B5DC81-AD14-4DE2-8AD5-8C4A9AAB5992&displaylang=en
Dim strXP32PRE : strXP32PRE = "WindowsXP-KB915865-v11-x86-ENU.exe"
Dim strPREFixID1 : strPREFixID1 = "915865"

' GPP PreReq KB914783 filename for: Windows Server 2003 SP1 32-bit = KB914783 (MD5: 830c6163fa113b782aa3cd9eb54ee549)
' http://www.microsoft.com/downloads/details.aspx?FamilyId=611D1FDE-C8D0-4D80-96DA-B5B20F7BA159&displaylang=en
Dim str2K332PRE : str2K332PRE = "WindowsServer2003-KB914783-v10-x86-ENU.exe"
Dim strPREFixID2 : strPREFixID2 = "914783"

' GPP PreReq KB914783 filename for: Windows XP 64-bit = KB915865 (MD5: 7fd3fc3fb21566fd97750d98e41bca0d)
' http://www.microsoft.com/downloads/details.aspx?FamilyId=C7CB26E9-68F1-4F80-B231-79D044431E8E&displaylang=en
Dim strPREFixID3 : strPREFixID3 = "915865" ' exact same install file as Windows Server 2003 SP1 64-bit (KB914783)

' GPP PreReq KB914783 filename for: Windows Server 2003 SP1 64-bit = KB914783 (MD5: 7fd3fc3fb21566fd97750d98e41bca0d)
' http://www.microsoft.com/downloads/details.aspx?FamilyId=406777E6-79DA-4414-A329-22A435A95D9D&displaylang=en
Dim strXP2K364PRE : strXP2K364PRE = "WindowsServer2003.WindowsXP-KB914783-v10-x64-ENU.exe"
Dim strPREFixID4 : strPREFixID4 = "914783"

' Commandline stuff
Dim strArgusMSU : strArgusMSU = "/quiet /norestart"
Dim strArgusEXE : strArgusEXE = "/quiet /passive /norestart"

Dim objFso : Set objFso = CreateObject("Scripting.FileSystemObject")

' Get SYSTEM folder, eg. C:\Windows\System32
Dim strSys : strSys = objFso.GetSpecialFolder(1)

' Is the GPP CSE already installed? If so, then just quit!
If IsThisHotfixInstalled(strCSEFixID) Then WScript.Quit(0)

' Is this a 64-bit Windows OS? Get the WINDOWS folder, eg. C:\Windows, and look for SysWOW64
Dim strWin : strWin = objFso.GetSpecialFolder(0)
Dim strBit : strBit = "32"
If objFso.FolderExists(strWin & "\SysWOW64") Then strBit = "64"
Set objFso = Nothing

' Get OS version and Service Pack level using WMI
Dim strCSDVers, strCaption
Dim objWMI : Set objWMI = GetObject("winmgmts:\\.\root\CIMV2")
Dim colItm : Set colItm = objWMI.ExecQuery("SELECT * FROM Win32_OperatingSystem")
Dim objItm
For Each objItm In colItm
    strCSDVers = objItm.CSDVersion
    strCaption = objItm.Caption
Next
Set objWMI = Nothing
Set colItm = Nothing

' GET OS ARCHITECTURE
If Instr(strBit, "32") Then
    strBit = "32"
ElseIf Instr(strBit, "64") Then
    strBit = "64"
Else
    ' We don't know what OS architecture it is, let's beat it...
    WScript.Quit()
End If

' GET SP LEVEL (number only), eg. "Service Pack 2" -> "2"
If strCSDVers <> "" Then
    strCSDVers = Right(strCSDVers, 1)
End If

Dim strCommandLineCSE, strCommandLinePRE

' GET OS VERSION (CAPTION) and build the command line(s)
If Instr(UCase(strCaption), "VISTA") Then
    ' We are dealing with a Windows Vista system - no SP level check, no pre-req check
    If strBit = "32" Then
        strCommandLineCSE = strSys & "\WUSA.EXE " & Chr(34) & strBasePath & strVIS32CSE & Chr(34) & " " & strArgusMSU
    ElseIf strBit = "64" Then
        strCommandLineCSE = strSys & "\WUSA.EXE " & Chr(34) & strBasePath & strVIS64CSE & Chr(34) & " " & strArgusMSU
    End If

ElseIf Instr(UCase(strCaption), "XP") Then
    ' We are dealing with a Windows XP system
    If (strCSDVers = "2" Or strCSDVers = "3") And strBit = "32" Then
        ' This is SP2 or SP3 - 32 bit. Install pre-req if it's not already there
        If Not IsThisHotfixInstalled(strPREFixID1) Then strCommandLinePRE = Chr(34) & strBasePath & strXP32PRE & Chr(34) & " " & strArgusEXE
        strCommandLineCSE = Chr(34) & strBasePath & strXP2K332CSE & Chr(34) & " " & strArgusEXE
    ElseIf strBit = "64" Then
        ' This is 64 bit (no SP level check). Install pre-req if it's not already there
        If Not IsThisHotfixInstalled(strPREFixID3) Then strCommandLinePRE = Chr(34) & strBasePath & strXP2K364PRE & Chr(34) & " " & strArgusEXE
        strCommandLineCSE = Chr(34) & strBasePath & strXP2K364CSE & Chr(34) & " " & strArgusEXE
    End If

ElseIf Instr(strCaption, "2003") Then
    ' We are dealing with a Windows Server 2003 system
    If (strCSDVers = "1" Or strCSDVers = "2") And strBit = "32" Then
        ' This is SP1 or SP2 - 32 bit. Install pre-req if it's not already there
        If Not IsThisHotfixInstalled(strPREFixID2) Then strCommandLinePRE = Chr(34) & strBasePath & str2K332PRE & Chr(34) & " " & strArgusEXE
        strCommandLineCSE = Chr(34) & strBasePath & strXP2K332CSE & Chr(34) & " " & strArgusEXE
    ElseIf strBit = "64" Then
        ' This is 64 bit (no SP level check). Install pre-req if it's not already there
        If Not IsThisHotfixInstalled(strPREFixID4) Then strCommandLinePRE = Chr(34) & strBasePath & strXP2K364PRE & Chr(34) & " " & strArgusEXE
        strCommandLineCSE = Chr(34) & strBasePath & strXP2K364CSE & Chr(34) & " " & strArgusEXE
    End If

Else
    ' It's some other OS, let's beat it...
    WScript.Quit()
End If

' Install GPP CSE Pre-req if strCommandLinePRE is defined
If strCommandLinePRE <> "" Then
    ExecuteThis(strCommandLinePRE)
End If

' Install GPP CSE if strCommandLineCSE is defined
If strCommandLineCSE <> "" Then
    ExecuteThis(strCommandLineCSE)
End If

' Runs a command line, waits for it to finish and returns its exit code
Function ExecuteThis(FULLSTRING)
    Dim objShell : Set objShell = CreateObject("Wscript.Shell")
    ExecuteThis = objShell.Run(FULLSTRING, , 1)
    Set objShell = Nothing
End Function

' Looks for the KB number in the installed hotfix list. Win32_OperatingSystemQFE associates the OS
' with each Win32_QuickFixEngineering instance; its Dependent reference carries the HotFixID.
Function IsThisHotfixInstalled(KBNUMBER)
    Dim objWMI : Set objWMI = GetObject("winmgmts:\\.\root\CIMV2")
    Dim colItm : Set colItm = objWMI.ExecQuery("SELECT * FROM Win32_OperatingSystemQFE")
    IsThisHotfixInstalled = False
    Dim objItm
    For Each objItm In colItm
        If Instr(objItm.Dependent, KBNUMBER) Then
            IsThisHotfixInstalled = True
            Exit For
        End If
    Next
    Set colItm = Nothing
    Set objWMI = Nothing
End Function

The answer in this case is no. Logon scripts run in the foreground at logon. A user who logs on with cached credentials and only then connects to the network (VPN, docking) gets a background refresh when the domain becomes reachable, and the Scripts client-side extension does not run logon scripts during a background refresh, so the logon script settings in this GPO do not run until the next logon on the network.

See FAQ “Is there any advantage to running a login script from the network or from the local PC?”

This is something you should consider for laptop users.

If you place a script on the local drive of the client and point the GPO to it, the script will run at logon even if the laptop is not connected to the network.

This is because the client-side extension for scripts still fires based upon the most recently applied (cached) GPO.

However, the script will only perform the commands it is able to perform. Oftentimes administrators use logon scripts for tasks like mapping network drives, which are simply not possible if the network is not available; technically, though, the script does run. Keep in mind that a script on the local disk is only as trustworthy as the ACL on its folder: anyone who can write to that path controls what runs at every logon, so keep it somewhere only administrators can write.

Group Policy Preferences

XP out of the box does not support Group Policy Preferences. You will need to install update KB943729 (the Group Policy Preferences client-side extensions) on your XP machines; WSUS or SCCM work fine for that, and the startup script in the Group Policy and Scripts section above does it as well. Once the update is installed, the XP machines will process Group Policy Preferences. Chapter 5 in Jeremy's book is dedicated to the subject of Group Policy Preferences.

Although Group Policy Preferences does allow users to override your settings, in this case by deleting the very printers you assigned, the printers will return at the next background refresh (every 90 minutes plus a random offset of up to 30). The only exception to this rule is if "Apply once and do not reapply" is selected on the item's Common tab. Jeremy talks all about Printers using GPP in Chapter 5 and again in Chapter 12 of his book.

Yes. Beyond the fact that Group Policy Preferences offers a GUI to create the settings, there is a key difference in how the two are enforced. Settings created by policy are enforced so that, if desired, the user cannot reverse them; policy can completely disable certain operating system and application features, while Group Policy Preferences cannot.

The very word "Preferences" implies that these are suggested baseline settings. The user can alter them if desired; however, the configured settings are re-applied at the normal Group Policy refresh interval. In addition, preference settings are left in place once the GPO falls out of scope, unless you ticked "Remove this item when it is no longer applied" on the item's Common tab.

A policy is a setting that changes keys in a special area of the Registry: the Policies branches under HKLM and HKCU (Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies). If a GPO that sets a policy is removed, the affected Registry key is automatically removed on the next GPO refresh, in essence reverting the setting to its default state.
A preference is a setting that changes a Registry key outside the 'policy' area of the Registry, and it is persistent. If a GPO that sets a preference is removed, the affected Registry key IS NOT removed during the next GPO refresh. (This is also referred to as tattooing the Registry.) To undo the effect of a Registry key set by a preference, configure that setting to 'Disabled' (or to the value you want left behind), let it take effect on the clients, and only then remove the GPO; simply unlinking or deleting the GPO leaves the tattoo in place.
In the Group Policy Editor a true policy is shown with a blue-dot icon, whereas a preference (a tattooing setting) is shown with a red-dot icon.
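
The policy/preference distinction above comes down to which registry path a value lands in. The added example below (not code from the page or from Jeremy's book) parses a GPO's Registry.pol file, the format in which Administrative Templates settings are stored in SYSVOL, and flags every value that would tattoo a client because it sits outside the two Policies branches. The sample file is constructed in memory so it runs offline; the SYSVOL path in the last line is an assumption.

```powershell
# Added example (not from the page): parse a Registry.pol and flag the values that would
# "tattoo" a client, i.e. anything outside the two policy branches that the CSE cleans up.
# The sample file is constructed in memory; the SYSVOL path in the last line is an assumption.

$PolicyBranches = @(
    'SOFTWARE\POLICIES\',
    'SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\'
)

function Read-PolString {
    # Null-terminated UTF-16LE string at $Pos; advances $Pos past the terminator
    param([byte[]]$Bytes, [ref]$Pos)
    $start = $Pos.Value
    while (-not ($Bytes[$Pos.Value] -eq 0 -and $Bytes[$Pos.Value + 1] -eq 0)) { $Pos.Value += 2 }
    $text = [System.Text.Encoding]::Unicode.GetString($Bytes, $start, $Pos.Value - $start)
    $Pos.Value += 2
    return $text
}

function Read-PolDelimiter {
    # Registry.pol wraps each entry as [key;value;type;size;data] with UTF-16 delimiters
    param([byte[]]$Bytes, [ref]$Pos, [char]$Expected)
    if ($Bytes[$Pos.Value] -ne [int]$Expected -or $Bytes[$Pos.Value + 1] -ne 0) {
        throw ("Malformed Registry.pol: expected '{0}' at offset {1}" -f $Expected, $Pos.Value)
    }
    $Pos.Value += 2
}

function ConvertFrom-RegistryPol {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # Header: ASCII signature 'PReg' followed by a DWORD version of 1
    if ($Bytes.Length -lt 8 -or
        [System.Text.Encoding]::ASCII.GetString($Bytes, 0, 4) -ne 'PReg' -or
        [BitConverter]::ToUInt32($Bytes, 4) -ne 1) {
        throw 'Not a version 1 Registry.pol file'
    }
    $p = 8
    while ($p -lt $Bytes.Length) {
        Read-PolDelimiter $Bytes ([ref]$p) '['
        $key   = Read-PolString $Bytes ([ref]$p)
        Read-PolDelimiter $Bytes ([ref]$p) ';'
        $value = Read-PolString $Bytes ([ref]$p)
        Read-PolDelimiter $Bytes ([ref]$p) ';'
        $type  = [BitConverter]::ToUInt32($Bytes, $p); $p += 4
        Read-PolDelimiter $Bytes ([ref]$p) ';'
        $size  = [int][BitConverter]::ToUInt32($Bytes, $p); $p += 4
        Read-PolDelimiter $Bytes ([ref]$p) ';'
        $data  = New-Object byte[] $size
        [Array]::Copy($Bytes, $p, $data, 0, $size); $p += $size
        Read-PolDelimiter $Bytes ([ref]$p) ']'

        $decoded = switch ($type) {
            4       { [BitConverter]::ToUInt32($data, 0) }                                  # REG_DWORD
            1       { [System.Text.Encoding]::Unicode.GetString($data).TrimEnd([char]0) }   # REG_SZ
            default { ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
        }
        # Keys in Registry.pol omit the hive; they start at Software\...
        $upperKey = $key.ToUpperInvariant() + '\'
        [pscustomobject]@{
            Key     = $key
            Value   = $value
            Type    = $type
            Data    = $decoded
            Tattoos = -not [bool]($PolicyBranches | Where-Object { $upperKey.StartsWith($_) })
        }
    }
}

function New-RegistryPolBytes {
    # Builds a Registry.pol image in memory so the parser can be exercised offline
    param([Parameter(Mandatory)][hashtable[]]$Entries)   # Key, Value, Type, Data (byte[])
    $uni = [System.Text.Encoding]::Unicode
    $ms  = New-Object System.IO.MemoryStream
    $w   = New-Object System.IO.BinaryWriter($ms)
    $w.Write([System.Text.Encoding]::ASCII.GetBytes('PReg'))
    $w.Write([uint32]1)
    foreach ($e in $Entries) {
        $w.Write($uni.GetBytes('['))
        $w.Write($uni.GetBytes($e.Key + [char]0));   $w.Write($uni.GetBytes(';'))
        $w.Write($uni.GetBytes($e.Value + [char]0)); $w.Write($uni.GetBytes(';'))
        $w.Write([uint32]$e.Type);                   $w.Write($uni.GetBytes(';'))
        $w.Write([uint32]$e.Data.Length);            $w.Write($uni.GetBytes(';'))
        $w.Write([byte[]]$e.Data)
        $w.Write($uni.GetBytes(']'))
    }
    $w.Flush()
    return $ms.ToArray()
}

# Constructed sample: two true policies and one classic tattooing "preference" (a Run key)
$sample = New-RegistryPolBytes -Entries @(
    @{ Key = 'Software\Policies\Microsoft\Windows\System'; Value = 'UserPolicyMode'; Type = 4
       Data = [BitConverter]::GetBytes([uint32]2) }
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'NoDrives'; Type = 4
       Data = [BitConverter]::GetBytes([uint32]24) }
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Run'; Value = 'Agent'; Type = 1
       Data = [System.Text.Encoding]::Unicode.GetBytes('C:\Tools\agent.exe' + [char]0) }
)
ConvertFrom-RegistryPol -Bytes $sample | Format-Table Key, Value, Data, Tattoos -AutoSize

# Against a live GPO (assumed domain and GUID): the Machine half; use \User\Registry.pol for the user half
# ConvertFrom-RegistryPol -Bytes ([IO.File]::ReadAllBytes('\\corp.example\SYSVOL\corp.example\Policies\{GUID}\Machine\Registry.pol'))
```

Of the three constructed entries, only the Run value is reported as tattooing; pointing the last line at every {GUID}\Machine and {GUID}\User folder under SYSVOL gives you an inventory of the settings that will survive a GPO being unlinked.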

Linking, Enabling and Enforcing GPOs

If you have no GPOs that “conflict” anywhere in your Scope of Management (SOM), they will apply cumulatively. However, if you have a GPO which says to do one specific thing at, say, the Domain level, and another GPO which says to do a specific thing at, say, the OU level, the one “closer” to the user (or computer) will apply. So, here’s a simple example: You restrict the control panel at the domain level, but at the OU level you make it available. Since the GPO linked to the OU is “closer” to the target account, that is the setting that will take effect.
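
The following is an added example, not code from the page or from Jeremy's book; it also serves the Drive Maps and Shortcuts question under Common Uses above. It links two GPOs to a user OU, sets their link order explicitly, and lists the precedence the client will actually see, inherited links included. The OU and GPO names are assumptions, and both GPOs are assumed to exist already.

```powershell
# Added example (not from the page): link a Drive Maps GPO and a Shortcuts GPO to a user OU,
# set their link order, and list the precedence the client will actually see. OU and GPO names
# are assumptions; both GPOs are assumed to exist already.
Import-Module GroupPolicy

$ou = 'OU=Staff,DC=corp,DC=example'

# New-GPLink adds the link at the bottom of the list (lowest precedence) unless -Order is given
New-GPLink -Name 'User - Drive Maps' -Target $ou -LinkEnabled Yes | Out-Null
New-GPLink -Name 'User - Shortcuts'  -Target $ou -LinkEnabled Yes | Out-Null

# Link order 1 is the top of the GPMC list: highest precedence, processed LAST, wins any conflict.
Set-GPLink -Name 'User - Shortcuts'  -Target $ou -Order 2 | Out-Null
Set-GPLink -Name 'User - Drive Maps' -Target $ou -Order 1 | Out-Null

function Get-EffectivePrecedence {
    # Mirrors GPMC's "Group Policy Inheritance" tab: everything that applies to the container,
    # including links inherited from the domain and parent OUs, with the winner listed first
    param([Parameter(Mandatory)][string]$Target)
    $inheritance = Get-GPInheritance -Target $Target
    $rank = 0
    foreach ($link in $inheritance.InheritedGpoLinks) {
        $rank++
        [pscustomobject]@{
            Precedence = $rank            # 1 = applied last, overrides the rest
            Gpo        = $link.DisplayName
            LinkedAt   = $link.Target
            Enforced   = $link.Enforced   # Enforced links ignore Block Inheritance below them
            Enabled    = $link.Enabled
        }
    }
    if ($inheritance.GpoInheritanceBlocked) { Write-Warning "$Target blocks inheritance" }
}

Get-EffectivePrecedence -Target $ou | Format-Table -AutoSize
```

The precedence column is what to compare against gpresult /r on a client in that OU; if the two disagree, look for security filtering or a WMI filter on the GPO that is missing.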

There is a feature called Group Policy Loopback Policy Processing which accomplishes this. Loopback Processing allows you to apply all GPO settings from both the computer AND user side and enforce those settings for all users no matter who they are. Jeremy discusses this in great detail in Chapter 4 of the book, and has lessons on this in his Group Policy Training Class.
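
The following is an added example, not code from the page or from Jeremy's book, covering this answer and the loopback explanation under Active Directory above. It creates a GPO linked to a kiosk OU, switches loopback to Replace mode by writing the registry value the GUI setting maps to, and gives you a function to run on a client to confirm which mode actually applied. The GPO name and OU are assumptions.

```powershell
# Added example (not from the page): configure loopback Replace mode in a GPO linked to a kiosk OU,
# then verify on a client which mode applied. GPO name and OU are assumptions.
Import-Module GroupPolicy

$gpoName = 'Kiosk - Loopback Replace'
$kioskOu = 'OU=Kiosks,DC=corp,DC=example'   # holds the COMPUTER accounts; loopback is a computer setting

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target $kioskOu -LinkEnabled Yes | Out-Null
}

# The GUI setting "User Group Policy loopback processing mode" writes UserPolicyMode under the
# computer's Policies branch: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Put the user-side settings you want on the kiosk into this GPO (or another GPO linked at the
# computer OU). With Replace, GPOs linked to the user's own OU are not processed at all, so any
# user restriction that only lives there is gone on the kiosk; with Merge they still apply but lose
# conflicts to the kiosk GPOs.

function Get-LoopbackMode {
    # Run on the client after gpupdate: reads the value the registry CSE actually wrote
    $item = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
                             -Name UserPolicyMode -ErrorAction SilentlyContinue
    switch ($item.UserPolicyMode) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'Not configured' }
    }
}

Get-LoopbackMode
```

gpresult /r on the kiosk lists the user-side GPOs that applied; with Replace you should see only those linked at or above the computer OU.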

Yes, you can create a GPO in the Group Policy Objects node and unless you link it to another container object, it will have no effect on your network. This also applies to GPOs contained within the Starter GPO node as well.

Not Really. Although you may speed up the performance by a hair, it isn’t worth the hassle that it introduces down the road of troubleshooting the GPO when you or someone else doesn’t know that half the GPO is disabled. A well designed OU and GPO structure will only need to utilize one side at a time anyway as user accounts and computer accounts should be separated.

There is no hard absolute answer concerning the question of the proper number of GPOs, however there are some guidelines to follow. It is true that having fewer GPOs is slightly faster for user logons and gpupdates, but it makes it more difficult to troubleshoot or disable specific settings. For these reasons there are distinct advantages to having more GPOs as well. In the end, there is a happy medium between fewer and more. Considering that the speed differential is quite small, one should not obsess over consolidating GPOs for that reason. The flexibility that more GPOs give you is worth it. Darren Mar-Elia has a good article on optimization here: http://technet.microsoft.com/en-us/magazine/2008.01.gpperf.aspx

Although an OU using Block Inheritance can prevent higher-level GPOs from applying settings to the user or computer accounts it contains, it cannot stop an Enforced GPO. If you do not want a domain-level GPO to be blocked on its way down, enforce it. Jeremy discusses Block Inheritance and Enforcement in Chapter 2 of his book.

As far as the targeted users or computers are concerned there is no difference between deleting and disabling a GPO and its links. In either case the GPO falls out of scope. The only difference is that if the GPO is deleted, it can no longer be utilized in the future while if it simply disabled, it can be linked again or modified for additional use. Jeremy discusses deletion of GPOs in Chapter 2 of his book.

Although "Disabled" does not mean the same thing in every case, generally a setting configured as Disabled explicitly turns that behaviour off, and because it is an explicit value it overrides an Enabled from a GPO with lower precedence (for example one linked higher up). "Not Configured" means the GPO says nothing about the setting, so whatever a higher-level GPO decided stands. Simply put, "Disabled" actively reverses a higher-level policy for that particular setting while "Not Configured" does nothing.

Managing Your Group Policies

The new GPMC tab in Windows 8 is called Status. It currently shows the replication status of Group Policy within Active Directory and SYSVOL.

Manage by Exception means that a GPO is applied to Authenticated Users (everyone in the container it is linked to), and then the Apply Group Policy permission is explicitly denied to whatever group you want to exclude (Delegation tab | Advanced on the GPO). In other words, the GPO applies to everyone in the OU except the designated accounts. A deny entry wins over any allow, so an excluded group's members are skipped even if they are also in a group that is allowed. On an excluded machine or user, gpresult /r lists the GPO under the GPOs that were not applied with the reason "Denied (Security)".

You can download RSAT – Remote Server Administration Tools which is actually a Windows update. Once installed you simply go to control panel and enable the features within the RSAT that you want.

There are two ways to allocate non-administrative accounts the ability to create GPOs. They are:

  • Make them a member of the Group Policy Creator Owners Group in AD Users and Computers
  • Grant them the right within the Group Policy Objects node on the Delegation tab. Anyone in this list can do so.

Yes. You should always use the latest and greatest GPMC. As of this writing, that’s the GPMC on Windows 8, but the Windows 7 one is just fine too. (Note: You will get more settings and features if you use the Windows 8, or Server 2012 version.)

You can add a comment to any GPO within GPMC 2.0 or later. Simply go to the edit page of the GPO and right click the GPO title at the top left and select properties. You will find a Comment tab that will allow you to add detailed comments or notes. Jeremy discusses this on pages 123 – 125 of his book.

The easiest way to do this is to make a copy of the original GPO, and then rename it. Then you will have a new GPO with all of the settings of the original. To do this, open the GPMC and drill down to the Group Policy Objects node. Right-click over the GPO you want to use, and select Copy. Then, immediately select Paste. It will create a new GPO named

You're right to have discovered that the built-in auditing for Group Policy is, well, rather lacking. What Windows gives you natively is Directory Service Changes auditing on the groupPolicyContainer objects (event 5136 on the domain controllers) and object access auditing on the SYSVOL policy folders; those tell you who touched a GPO and when, but not which setting changed. For that there are a variety of Group Policy auditing products.

In fact, the answer is YES! With the GPMC, you can most definitely accomplish this, and the steps required are, for the most part, relatively straight forward. If you have both domains in the GPMC, you can drag the GPO from one “Group Policy Objects” node to the other domains’ “Group Policy Objects” node and it will start to copy.
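
The following is an added example, not code from the page or from Jeremy's book; it covers the cross-domain copy above and the in-domain duplicate two answers earlier. A plain copy carries every SID and UNC path over verbatim, so the cross-domain copy uses a migration table and the last function checks the result for anything still naming the source domain. GPO names, domain names and the .migtable path are assumptions; the migration table itself is built with GPMC's Migration Table Editor.

```powershell
# Added example (not from the page): duplicate a GPO in-domain, then copy it to a second domain
# with a migration table. Names, domains and the .migtable path are assumptions.
Import-Module GroupPolicy

$sourceName   = 'Workstation Baseline'
$sourceDomain = 'corp.example'
$targetDomain = 'lab.example'
$migTable     = 'C:\GPO\corp-to-lab.migtable'   # created with GPMC > Migration Table Editor

# In-domain duplicate: what GPMC does on Copy / Paste in the Group Policy Objects node
Copy-GPO -SourceName $sourceName -TargetName "$sourceName - Pilot" | Out-Null

# Cross-domain copy. Without a migration table, every SID (security filtering, Restricted Groups,
# user rights) and every UNC path (scripts, folder redirection, software installation) is copied
# verbatim and still refers to the SOURCE domain. -CopyAcl copies the GPO's own DACL too, which
# only makes sense when the table maps those principals as well.
Copy-GPO -SourceName $sourceName -SourceDomain $sourceDomain `
         -TargetName $sourceName -TargetDomain $targetDomain `
         -MigrationTable $migTable -CopyAcl | Out-Null

function Find-SourceDomainReferences {
    # Scans the copied GPO's XML report for anything still naming the source domain;
    # an empty result is what you want after a migration-table copy
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$SourceDomain
    )
    $report  = Get-GPOReport -Name $Name -Domain $Domain -ReportType Xml
    $pattern = '[^<>"\s]*' + [regex]::Escape($SourceDomain) + '[^<>"\s]*'
    [regex]::Matches($report, $pattern, 'IgnoreCase') |
        ForEach-Object { $_.Value } | Sort-Object -Unique
}

Find-SourceDomainReferences -Name $sourceName -Domain $targetDomain -SourceDomain $sourceDomain
```

Run the check with the NetBIOS name of the source domain as well as its DNS name; DOMAIN\group references in Restricted Groups and user rights use the short form.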

Scope of Management is a simple way of referring to where and when a Group Policy Object (GPO) will be applied. The SOM includes where the GPO is linked (Site, Domain, or OU) and any filtering involved that determines which users and/or computers the GPO applies to.

Although the Group Policy Editor lets you filter Administrative Templates settings by operating system, by whether they are configured and (in the Windows 7 / Server 2008 R2 editor and later) by keyword, there is no way in the GPMC to search across all of your existing GPOs for a word ("printer" for example) and list every GPO whose settings contain it. The usual workaround is Get-GPOReport -All -ReportType Xml from the GroupPolicy PowerShell module, piped through Select-String.

To help you out, Microsoft has created a spreadsheet that contains every policy setting possible. It tells you everything about each setting, where to find it, what operating system it runs on, and even the Registry setting that is applied. At last check that spreadsheet was at http://www.microsoft.com/en-us/download/details.aspx?id=25250

Unless your server is a domain controller, you have to install the GPMC yourself: on Server 2008 and 2008 R2 that is the Group Policy Management feature in Server Manager, and on Server 2012 and later you can also run Install-WindowsFeature GPMC. When you promote a server to a domain controller, the GPMC is installed along with it.

Yes, there are two ways to accomplish this:

Delegate them the right to use the Group Policy Management Console or GPMC

Delegate them the permission – Manage Group Policy Links, within the OU itself.

Jeremy discusses this in Chapter 1 of his book.

Microsoft Advanced Group Policy Management integrates with the GPMC and adds a couple of great features that allow you to better manage your GPOs. By providing a check-in/check-out system for when GPOs are modified, you can track which user modified a GPO and what they did. You can also roll the GPO back to a previous snapshot. Other features such as off-line editing and cross forest management are also included.

Jeremy has a downloadable chapter at www.GPanswers.com/book and it’s part of his Advanced One Day training.

No, only the creator/owner of a GPO can modify it, unless someone with that right grants Edit permission to others on the GPO's Delegation tab. The exceptions are Domain Admins, Enterprise Admins and SYSTEM, which have edit rights on every GPO by default.

Security and Restrictions

Group Policy does not apply to security groups. A GPO is linked to a site, domain or OU and applies to the user and computer accounts under that container; a group only comes into play as a filter on a GPO that is already in scope. So either move the user's account into the OU where the GPO is linked, or link the GPO higher up and use security filtering to narrow it to the group. Log back in as the user, and you're in business.

Within the Windows 2000 and Windows 2003 Server operating systems, you can only have one password policy for the entire domain. If you need separate password policies, you will have to create separate domains. However, this does change for Windows Server 2008 and 2012 domains. Jeremy covers this idea of “Fine Grained Password Policy” in his book (Chapter 8) and in his training class.
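
The following is an added example, not code from the page or from Jeremy's book: a fine-grained password policy object for a privileged group, applied with the ActiveDirectory module, plus a function that reports which policy a given user actually ends up under. It needs a domain at the Server 2008 functional level or higher. The PSO name, group and account are assumptions.

```powershell
# Added example (not from the page): a fine-grained password policy for a privileged group on a
# Server 2008 (or later) functional-level domain, plus a check of what a given user ends up with.
# PSO name, group and account are assumptions.
Import-Module ActiveDirectory

$psoName = 'PSO-Tier0-Admins'
$group   = 'Tier0 Admins'   # must be a GLOBAL security group (or individual users); PSOs cannot target OUs

if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    # Precedence: the LOWEST number wins when a user is covered by more than one PSO.
    # LockoutObservationWindow may not exceed LockoutDuration; MinPasswordAge must be below MaxPasswordAge.
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}

# Apply it to the group; later membership changes take effect without touching the PSO again
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

function Get-EffectivePasswordPolicy {
    # Resultant PSO for a user, falling back to the domain-level settings when no PSO applies
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) {
        $pso | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
    } else {
        Get-ADDefaultDomainPasswordPolicy |
            Select-Object @{ n = 'Name'; e = { 'Default Domain Policy' } }, MinPasswordLength, MaxPasswordAge, LockoutThreshold
    }
}

Get-EffectivePasswordPolicy -SamAccountName 'jdoe'
```

Because PSOs bind to users and global groups rather than OUs, the result for a user depends on group membership alone; run the check for a member and a non-member to confirm the split.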

Yes there is and its called WMI Filters. It’s like adding laser-sighting to the gun of Group Policy. You can create WMI filters within the GPMC and then apply them to your individual GPOs. They’re a little bit of work but they can really be worth it. Jeremy discusses the topic thoroughly in his book in Chapter 4 and in the training class.

No. The Read permission is necessary for you to read and work with the GPO. If you were to remove the Read permission from your account, you would no longer be able to access the settings of the GPO in any way. As long as you don’t have the “Apply Group Policy” permission the settings will not be enforced on your user account unless they are applied to the computer configuration which affects all users no matter who they are.

You cannot link a GPO to a group. GPOs can only be linked to a site, domain or OU. You can, however, filter a GPO within its linked container by changing the default permissions on the GPO: under Security Filtering on the Scope tab (or on the Delegation tab) add the designated group and give it Read and Apply Group Policy. Then change Authenticated Users so that it keeps Read but no longer has Apply Group Policy, rather than deleting it outright. Since the MS16-072 security update (June 2016), user-side settings are retrieved in the security context of the computer, and if the computer accounts cannot read the GPO its user settings silently stop applying; keeping Read for Authenticated Users (or adding Domain Computers with Read) avoids that.
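
The following is an added example, not code from the page or from Jeremy's book. It scopes a GPO to one security group with Set-GPPermission, leaves Authenticated Users with Read only so that computers can still retrieve the user-side settings, and checks the resulting ACL. The GPO and group names are assumptions.

```powershell
# Added example (not from the page): scope a GPO to one security group without breaking user
# policy processing. GPO and group names are assumptions.
Import-Module GroupPolicy

function Set-GpoSecurityFilter {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$Group     # the only principal that should APPLY the GPO
    )
    # 1. The target group gets Read + Apply Group Policy
    Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # 2. Authenticated Users drops to Read only. Do NOT remove it entirely: since MS16-072
    #    (KB3163622, June 2016) user-side settings are read in the computer's security context,
    #    so computer accounts must still be able to read the GPO. -Replace discards the existing
    #    Read + Apply entry before writing the Read-only one.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # Show the resulting ACL the way GPMC's Delegation tab does
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission, Denied
}

function Test-GpoReadableByComputers {
    # $true when computer accounts can read the GPO, which user-side settings need post MS16-072
    param([Parameter(Mandatory)][string]$GpoName)
    $readers = Get-GPPermission -Name $GpoName -All |
        Where-Object { -not $_.Denied -and
                       $_.Permission -in 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity' }
    [bool]($readers | Where-Object { $_.Trustee.Name -in 'Authenticated Users', 'Domain Computers' })
}

Set-GpoSecurityFilter -GpoName 'User - Finance Shortcuts' -Group 'Finance Users'
Test-GpoReadableByComputers -GpoName 'User - Finance Shortcuts'
```

On a client, gpresult /r for a user who is not in the group lists the GPO as not applied with the reason "Denied (Security)", while a group member sees it under Applied Group Policy Objects.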

It is true that a local administrator can skirt your Group Policy settings by deleting the registry keys they write. You can shore this up with the setting Computer Configuration | Administrative Templates | System | Group Policy | Registry policy processing, ticking "Process even if the Group Policy objects have not changed", so the keys are rewritten at every refresh rather than only when a GPO's version changes. Keep in mind that this is a nuisance for the local admin, not a security boundary: anyone with administrative rights on the machine can also stop the Group Policy client or block the domain controllers, so don't count on it to contain a hostile admin.

Path rules are great if you want to restrict a certain file extension. In the Software Restriction examples in the book, Jeremy uses the example of disallowing all VBScript files by setting a path rule to disallow files named *.vb*.

Yes there is. Instead of a Path Rule you can create a Hash Rule. A hash rule takes a fingerprint of the application executable, which means that no matter how many times the file is renamed, the restriction is still enforced. The flip side is that the hash changes every time the executable is patched, so for applications that update often a Certificate Rule (or an AppLocker publisher rule) is less work to maintain. Jeremy discusses software restrictions in Chapter 8 of his book.

Password and account lockout settings for domain accounts are read from the GPOs linked at the domain level (by default the Default Domain Policy), as processed by the domain controllers; that is why those settings always win when a user logs on to the domain and why OU administrators cannot circumvent them. A password GPO linked to an OU only affects the local account database on the computers in that OU, so it is enforced when someone logs on with a local account on those computers. Jeremy discusses this thoroughly in Chapter 8 of his book.

Updating Group Policy

Unlike Windows 2000, XP and later client operating systems do not wait for the network at startup and logon; they process GPOs asynchronously, a feature called Fast Logon Optimization (often just "Fast Boot"). This can affect changes made to roaming profile paths, home directories and some logon scripts, as well as folder redirection and software installation, which only apply in the foreground and may therefore take two logons to show up. Jeremy talks all about this in his book. He suggests you enable the Group Policy setting Computer Configuration | Administrative Templates | System | Logon | Always wait for the network at computer startup and logon. This setting alleviates the problem, but there are some caveats, not least slower logons when the network is unavailable.

Yes, the gpupdate command will do this with the right switch: gpupdate /target:computer or gpupdate /target:user (no space after the colon). Each refreshes only that half of the policy.

The gpupdate command by itself only re-applies GPOs whose version has changed since the last refresh, which is all you need 90% of the time. gpupdate /force re-applies ALL applicable GPOs whether or not anything has changed; as this takes longer, use plain gpupdate if all you want is to pick up changes. Jeremy covers the /force switch on page 166 of his book.

The refresh interval is 90 minutes plus a random offset of up to 30 minutes; on domain controllers it is five minutes with no offset by default. There are exceptions: some extensions only apply in the foreground, at startup or logon, the classic ones being folder redirection and software installation. If multiple sites are involved you must also allow for AD and SYSVOL replication between sites, which runs on the site link schedule (every 180 minutes by default unless you shorten it). Jeremy discusses refresh intervals in his book.

GPO settings are cached along with the cached logon credentials. The only limitation is that the computers won't receive GPO updates while they are disconnected from the LAN. Note, however, that if you're using Microsoft's DirectAccess (which extends the LAN to the Internet), then yes, they do get new and updated GPOs. A VPN works too, but once the tunnel is up only a background refresh happens, so foreground-only settings such as logon scripts and folder redirection wait for the next logon on the network.