Home Page Icon
Home Page
Table of Contents for
Index
Close
Index
by William R. Stanek, Derek Melber, Darren Mar-Elia, The Microsoft Group Policy Tea
Microsoft® Windows® Group Policy Guide
Microsoft® Windows® Group Policy Guide
A Note Regarding Supplemental Files
About the Authors
Foreword
Introduction
About This Book
Document Conventions
Companion CD
Support Policy
System Requirements
I. Getting Started with Group Policy
1. Overview of Group Policy
Understanding Group Policy
What It Does
How It Works
Using and Implementing Group Policy
Using Group Policy in Workgroups and Domains
Working with Group Policy Objects
Getting Started with Group Policy
Understanding Group Policy Settings and Options
Using Group Policy for Administration
Understanding the Required Infrastructure for Group Policy
DNS and Active Directory
Applying Active Directory Structure to Inheritance
Examining GPO Links and Default GPOs
Understanding GPO Links
Working with Linked GPOs and Default Policy
Working with the Default Domain Policy GPO
Working with the Default Domain Controllers Policy GPO
Summary
2. Working with Group Policy
Navigating Group Policy Objects and Settings
Connecting to and Working with GPOs
Applying Group Policy and Using Resultant Set of Policy
RSoP Walkthrough
Managing Group Policy Objects
Managing Local Group Policy
Accessing Local Group Policy on the Local Computer
Accessing Local Group Policy on a Remote Machine
Managing Active Directory–Based Group Policy
Installing the GPMC
Using the GPMC
Connecting to Additional Forests
Showing Sites in Connected Forests
Accessing Additional Domains
Setting Domain Controller Focus Options
Creating and Linking GPOs
Creating and Linking GPOs for Sites
Creating and Linking GPOs for Domains
Creating and Then Linking a GPO for a Domain
Creating and Linking a Domain GPO as a Single Operation
Creating and Linking GPOs for OUs
Creating OUs in the GPMC
Creating and Then Linking a GPO for an OU
Creating and Linking an OU GPO as a Single Operation
Delegating Privileges for Group Policy Management
Determining and Assigning GPO Creation Rights
Determining Group Policy Management Privileges
Delegating Control for Working with GPOs
Delegating Authority for Managing Links and RSoP
Removing Links and Deleting GPOs
Removing a Link to a GPO
Deleting a GPO Permanently
Summary
3. Advanced Group Policy Management
Searching and Filtering Group Policy
Filtering Policy Settings
Filtering Techniques for Policy Settings
Filtering Policy Settings by Operating System and Application Configuration
Searching Policy Objects, Links, and Settings
Search Techniques for Policy Objects, Links, and Settings
Beginning Your Policy Object, Link, or Setting Search
Filtering by Security Group, User, or Computer
Managing Group Policy Inheritance
Changing Link Order and Precedence
Overriding Inheritance
Blocking Inheritance
Enforcing Inheritance
Managing Group Policy Processing and Refresh
Changing the Refresh Interval
Enabling or Disabling GPO Processing
Changing Policy Processing Preferences
Configuring Slow Link Detection
Slow Link Detection
Configuring Slow Link Detection and Slow Link Policy Processing
Configuring Slow Link and Background Policy Processing
Refreshing Group Policy Manually
Modeling and Maintaining Group Policy
Modeling Group Policy for Planning Purposes
Copying and Importing Policy Objects
Copying Policy Objects and Their Settings
Importing Policy Objects and Their Settings
Backing Up GPOs
Restoring Policy Objects
Determining the Effective Group Policy Settings and Last Refresh
Summary
II. Group Policy Implementation and Scenarios
4. Deploying Group Policy
Group Policy Design Considerations
Active Directory Design Considerations
Active Directory Database Storage Location
Active Directory Operating System File Storage Location
Replication
Organizational Unit Design
Site Design
Physical Design Considerations
Remote Access Connection Design Considerations
GPO Application Design Considerations
Site, Domain, and OU Linking
GPOs Have Two Distinct Sections
Interaction of GPO Application When Linked to Sites, Domains, and OUs
Cross-Domain GPO Linking
Synchronous and Asynchronous Processing
Fast Logon Optimization
GPO Inheritance Modification
Additional GPO Design Considerations
Monolithic vs. Functional
Additional GPO Settings
Controlling GPO Processing Performance
Common Performance Issues
Performance Tips
Reduce the Number of Group Policy Objects
Link GPOs to Organizational Units
Disable Unused Sections of GPOs
Optimize the Background Refresh Interval
Configure a Reasonable Timeout for Scripts
Configure Asynchronous Processing
Limit Use of Loopback
Filter GPOs Based on Group Membership
Best Practices for Deploying GPOs
Choosing the Best Level to Link GPOs
GPOs Linked to Sites
GPOs Linked to Domains
GPOs Linked to OUs
Resources Used by GPOs
Software Installation
Designing GPOs Based on GPO Categories
Limit Enforced and Block Policy Inheritance Options
When to Use Security Filtering
When to Use WMI Filters
Network Topology Considerations
Limiting Administrative Privileges
Naming GPOs
Testing GPOs Before Deployment
Migrating GPOs from Test to Production
Migrating GPOs from Production to Production
Using Migration Tables
Domain-Specific GPO Settings
Migration Table Structure
Source Type
Source Name
Destination Name
Summary
5. Hardening Clients and Servers
Understanding Security Templates
Default Security Templates
Compatws.inf
DC security.inf
Iesacls.inf
Securedc.inf
Securews.inf
Hisecdc.inf
Hisecws.inf
Notssid.inf
Rootsec.inf
Setup Security.inf
Sections of the Security Template
Account Policies
Local Policies
Event Log
Restricted Groups
System Services
Registry
File System
Tools for Accessing, Creating, and Modifying Security Templates
Security Templates Snap-in
Security Configuration and Analysis Snap-in
Security Configuration Wizard
Using the Security Configuration Wizard
Accessing the Security Configuration Wizard
Sections of the Security Configuration Wizard
Role-Based Service Configuration
Network Security
Registry Settings
Audit Policy
Incorporating Security Templates into Security Policies
Best Practices for Using the Security Configuration Wizard
Deploying Security Templates
Importing Security Templates Into GPOs
Using the Security Configuration and Analysis Tool
Using the Secedit.exe Command-Line Tool
Using the Security Configuration Wizard and the scwcmd Command
General Hardening Techniques
Closing Unnecessary Ports
Disabling Unnecessary Services
Tools Used in Hardening Computers
Netstat
Portqry
Server Hardening
Member Servers
OU Design Considerations
Member Server Security Environment Levels
Security Settings for Member Servers
Ports Required for Member Servers
Domain Controllers
Domain Controller Security Environment Levels
Security Settings for Domain Controllers
Ports Required for Domain Controllers
File and Print Servers
Web Servers
Security Settings for Web Servers
Ports Required for Web Servers
Client Hardening
Ports Required for Clients
Restricted Groups for Clients
Client Computers for IT Staff and Administrators
Security Settings for IT Staff and Administrators
Local Services and Software
Local Group Configuration
Client Computers for Help Desk Staff
Security Settings for Help Desk Staff
Local Group Configuration
Troubleshooting
Security Areas and Potential Problems
Tools
Secedit
Security Configuration and Analysis
Gpresult
Resultant Set of Policy
Summary
6. Managing and Maintaining Essential Windows Components
Configuring Application Compatibility Settings
Optimizing Application Compatibility Through Group Policy
Configuring Additional Application Compatibility Settings
Configuring Attachment Manager Settings
Working with Attachment Manager
Configuring Risk Levels and Trust Logic in Group Policy
Configuring Event Viewer Information Requests
Using Event Viewer Information Requests
Customizing Event Details Through Group Policy
Controlling IIS Installation
Configuring Access to and Use of Microsoft Management Console
Blocking Author Mode for MMC
Designating Prohibited and Permitted Snap-ins
Requiring Explicit Permission for All Snap-Ins
Optimizing NetMeeting Security and Features
Configuring NetMeeting Through Group Policy
Enabling Security Center for Use in Domains
Managing Access to Scheduled Tasks and Task Scheduler
Managing File System, Drive, and Windows Explorer Access Options
Hiding Drives in Windows Explorer and Related Views
Preventing Access to Drives in Windows Explorer and Related Views
Removing CD-Burning and DVD-Burning Features in Windows Explorer and Related Views
Removing the Security Tab in Windows Explorer and Related Views
Limiting the Maximum Size of the Recycle Bin
Optimizing the Windows Installer Configuration
Controlling System Restore Checkpoints for Program Installations
Configuring Baseline File Cache Usage
Controlling Rollback File Creation
Elevating User Privileges for Installation
Controlling Per-User Installation and Program Operation
Preventing Installation from Floppy Disk, CD, DVD, and Other Removable Media
Configuring Windows Installer Logging
Optimizing Automatic Updates with Windows Update
Enabling and Configuring Automatic Updates
Controlling Auto Download and Notify for Install
Setting the Automatic Updates Detection Frequency
Optimizing Notify User Installs
Optimizing Scheduled Installs
Blocking Access to Automatic Updates
Designating an Update Server
Summary
7. Managing User Settings and Data
Understanding User Profiles and Group Policy
Configuring Roaming Profiles
Configuring the Network Share for Roaming Profiles
Configuring User Accounts to Use Roaming Profiles
Optimizing User Profile Configurations
Modifying the Way Local and Roaming Profiles Are Used
Only Allow Local User Profiles
Delete Cached Copies of Roaming Profiles
Do Not Detect Slow Network Connection
Log Users Off When Roaming Profile Fails
Prompt User When Slow Link Is Detected
Slow Network Connection Timeout for User Profiles
Timeout for Dialog Boxes
Wait for Remote User Profile
Modifying the Way Profile Data Is Updated and Changed
Modifying the Way Profile Data Can Be Accessed
Limiting Profile Size and Included Folders
Limiting Profile Size
Limiting Folders Included in Profiles
Redirecting User Profile Folders and Data
Understanding Folder Redirection
Configuring Folder Redirection
Using Basic Folder Redirection
Using Advanced Folder Redirection
Configuring Setup, Removal, and Preference Settings for Redirection
Managing Computer and User Scripts
Working with Computer and User Scripts
Configuring Computer Startup and Shutdown Scripts
Configuring User Logon and Logoff Scripts
Controlling Script Visibility
Controlling Script Timeout
Controlling Script Execution and Run Technique
Summary
8. Maintaining Internet Explorer Configurations
Customizing the Internet Explorer Interface
Customizing the Title Bar Text
Customizing Logos
Customizing Buttons and Toolbars
Customizing URLs, Favorites, and Links
Customizing Home, Search, and Support URLs
Customizing Favorites and Links
Creating Individual Favorites and Links
Importing Favorites and Links Lists
Configuring Global Default Programs
Optimizing Connection and Proxy Settings
Deploying Connection Settings Through Group Policy
Deploying Proxy Settings Through Group Policy
Enhancing Internet Explorer Security
Working with Security Zones and Settings
Restricting Security Zone Configuration
Deploying Security Zone Configurations
Configuring the Internet Security Zone
Configuring the Local Intranet Zone
Configuring the Trusted Sites Security Zone
Configuring the Restricted Sites Security Zone
Importing and Deploying the Security Zone Settings
Configuring Additional Policies for Internet Options
Summary
9. Deploying and Maintaining Software Through Group Policy
Understanding Group Policy Software Installation
How Software Installation Works
What You Need to Know to Prepare
How to Set Up the Installation Location
What Limitations Apply
Planning the Software Deployment
Creating Software Deployment GPOs
Configuring the Software Deployment
Deploying Software Through Group Policy
Deploying Software with Windows Installer Packages
Getting the Necessary Windows Installer File
Deploying the Software Using a Windows Installer File
Deploying Software with Non–Windows Installer Packages
Creating the ZAP File
Deploying the Software Using a ZAP File
Configuring Advanced and Global Software Installation Options
Viewing and Setting General Deployment Properties
Changing the Deployment Type and Installation Options
Defining Application Categories
Adding, Modifying, and Removing Application Categories
Adding an Application to a Category
Performing Upgrades
Patching or Installing an Application Service Pack
Deploying a New Version of an Application
Customizing the Installation Package with Transforms
Controlling Deployment by Security Group
Setting Global Deployment Defaults
Deploying Microsoft Office and Service Packs
Deploying Office Through Policy
Choosing a Package Distribution Technique
Using Transforms to Customize an Office Deployment
Selecting a Deployment Mode
Keeping Office Updated
Deploying Windows Service Packs Through Policy
Maintaining Deployed Applications
Removing Deployed Applications
Redeploying Applications
Configuring Software Restriction Policies
Getting Started with Software Restriction Policies
Configuring Enforcement Policy
Viewing and Configuring Designated File Types
Configuring Trust Publishers Policy
Configuring Disallowed and Unrestricted Applications
Configuring Security Rules
Using Certificate Rules
Using Hash Rules
Using Internet Zone Rules
Using Path Rules
Troubleshooting Software Installation Policy
Troubleshooting Steps
Common Software Installation Policy Problems
Summary
10. Managing Microsoft Office Configurations
Introducing Office Configuration Management
Customizing Office Configurations
Downloading and Installing the Tools
Working with the Custom Installation Wizard
Step 1: Create the Administrative Install of Office’s .msi File
Step 2: Use the Custom Installation Wizard for Office Configuration
Step 3: Deploy the Transformed Office Configuration
Working with the Custom Maintenance Wizard
Step 1: Update the Microsoft Office Configuration
Step 2: Deploy the New Configuration of Office
Preparing the Policy Environment
Deploying Office Administrative Template Files
Deploying Office Administrative Template Files for the First Time
Updating Previously Deployed Office-Related Policy Templates
Creating Office Configuration GPOs
Managing Multiple Office Configuration Versions
Managing Office-Related Policy
Working with Office-Related Policy
Examining Global and Application-Specific Settings
Configuring Office-Related Policy Settings
Preventing Users from Changing Office Configurations
Understanding How to Prevent Office Configuration Changes
Disabling Office Menu Items and Options Using Predefined Options
Disabling Office Menu Items and Options Using Custom Options
Step 1: Determining the Menu Item ID
Step 2: Using a Custom Disable Policy
Configuring Notification for Disabled Menu Items and Options
Controlling Default File and Folder Locations
Setting the Default Database Folder Location for Access 2003
Setting the Default File Location for Excel 2003
Setting Default Folder Locations for OneNote 2003
Setting Default Folder Locations for Publisher 2003
Setting Default Folder Locations for Word 2003
Configuring Outlook Security Options
Controlling Office Language Settings
Troubleshooting Office Administrative Template Policy
Summary
11. Maintaining Secure Network Communications
Understanding IPSec Policy
How IPSec Works
How IPSec Policy Is Deployed
When to Use IPSec and IPSec Policy
Managing and Maintaining IPSec Policy
Activating and Deactivating IPSec Policies
Create Additional IPSec Policies
Creating and Assigning the IPSec Policy
Defining Security Rules and Actions
Creating and Managing IP Filter Lists
Creating and Managing Filter Actions
Monitoring IPSec Policy
Deploying Public Key Policies
How Public Key Certificates Work
How Public Key Policies Are Used
Managing Public Key Policy
Understanding Windows Firewall Policy
How Windows Firewall Works
How Windows Firewall Policy Is Used
Managing Windows Firewall Policy
Configuring IPSec Bypass
Enabling and Disabling Windows Firewall with Group Policy
Managing Firewall Exceptions with Group Policy
Disabling the Use of Exceptions
Allowing File and Printer Sharing Exceptions
Allowing Remote Administration Exceptions
Allowing Remote Desktop Exceptions
Allowing UPnP Framework Exceptions
Defining Program Exceptions
Defining ICMP Exceptions
Defining Port Exceptions
Configuring Firewall Notification, Logging, and Response Requests
Prohibiting Notifications
Allowing Logging
Prohibiting Unicast Responses to Multicast or Broadcast Requests
Summary
12. Creating Custom Environments
Loopback Processing
Replace Mode
Merge Mode
Troubleshooting Loopback
Terminal Services
Controlling Terminal Services Through Group Policy on an Individual Computer
Controlling Terminal Services Through Group Policy in a Domain
Configuring Order of Precedence
Configuring Terminal Services User Properties
Best Practices
Configuring License Server Using Group Policy Settings
License Server Security Group
Prevent License Upgrade
Configuring Terminal Services Connections
Limit Number of Connections
Set Client Connection Encryption Level
Secure Server (Require Security)
Start a Program on Connection
Set Rules for Remote Control to Terminal Services User Sessions
Set Time Limit for Disconnected Sessions
Set Time Limit for Active Terminal Services Sessions
Terminate Session When Time Limits Are Reached
Allow Reconnection From Original Client Only
Managing Drive, Printer, and Device Mappings for Clients
Allow Audio Redirection
Do Not Allow COM Port Redirection
Do Not Allow Client Printer Redirection
Do Not Allow LPT Port Redirection
Do Not Allow Drive Redirection
Do Not Set Default Client Printer To Be Default Printer in a Session
Controlling Terminal Services Profiles
Set Path for TS Roaming Profiles
TS User Home Directory
Restrict Terminal Services Users To a Single Remove Session
Only Allow Local User Profiles
Delete Cached Copies of Roaming Profiles
Group Policy over Slow Links
Default Policy Application over Slow Links
Policies That Apply over Slow Links
Slow Link Behavior for RAS Connections
Slow Link Detection Group Policy Settings
Group Policy Slow Link Detection
Slow Network Connection Timeout for User Profiles
Do Not Detect Slow Network Connections
Prompt User When Slow Link Is Detected
Configure Slow Link Speed
Additional Slow Link Detection Settings for Client-Side Extensions
Summary
III. Group Policy Customization
13. Group Policy Structure and Processing
Navigating Group Policy Logical Structure
Working with Group Policy Containers
Examining Attributes of groupPolicyContainer Objects
Examining the Security of groupPolicyContainer Objects
Examining GPO Creation Permissions
Viewing and Setting Default Security for New GPOs
Viewing the defaultSecurityDescriptor Attribute
Modifying the defaultSecurityDescriptor Attribute
Navigating Group Policy Physical Structure
Working with Group Policy Templates
Understanding Group Policy Versioning
Understanding Group Policy Template Security
Navigating Group Policy Link Structure
Examining Group Policy Linking
Viewing the gPLink Attribute
Examining Inheritance Blocking on Links
Understanding Group Policy Security and Links
Understanding Group Policy Processing
Examining Client-Side Extension Processing
Examining Server-Side Extension Processing
Setting Storage for Wireless Network Policy
Setting Storage for Folder Redirection Policy
Setting Storage for Administrative Templates Policy
Setting Storage for Disk Quota Policy
Setting Storage for QoS Packet Scheduler Policy
Setting Storage for Scripts
Setting Storage for Internet Explorer Maintenance Policy
Setting Storage for Security Policy
Setting Storage for Software Installation Policy
Setting Storage for IP Security Policy
Understanding Policy Processing Events
Asynchronous vs. Synchronous Policy Processing
Tracking Policy Application
Tracking Slow Link Detection
Modifying Security Policy Processing
Group Policy History and State Data
Group Policy History Data
Group Policy State Data
Group Membership Data
Navigating Local GPO Structure
Understanding LGPO Creation and Application
Understanding LGPO Structure
Managing and Maintaining LGPOs
Controlling Access to the LGPO
Summary
14. Customizing Administrative Templates
What Is an Administrative Template?
Default .adm Files
Working with .adm Files
Default Installed .adm Files
Tips for Importing .adm Files
Adding .adm Files
Removing .adm Files
Managing .adm Files
Controlling Updated Versions of .adm Files
Turn Off Automatic Updates of ADM Files
Always Use Local ADM Files for Group Policy Editor
Tips for Working with .adm Files
Operating System and Service Pack Release Issues
Policies vs. Preferences
Creating Custom .adm Files
A Simple .adm File
Using .adm File Language
Structure of an .adm File
#if version
Syntax for Updating the Registry
Class
Keyname
Valuename
Valueoff/Valueon
Syntax for Updating the Group Policy Object Editor Interface
Strings
Category
Policy
Part
Checkbox
Clienttext
Combobox
Dropdownlist
Edittext
Listbox
Numeric
Text
Actionlist
Additional Statements in the .adm Template
Comments
Required
Maxlen
Explain
Supported
.adm File String and Tab Limits
Best Practices
Summary
15. Security Templates
Understanding the Security Template Structure
Account Policies
Local Policies
Event Log
Restricted Groups
System Services
Registry
File System
Where Security Template Settings Overlap with GPO Settings
Working with Security Templates
Security Templates Snap-In
Raw Security Template INF Files
Customizing Security Templates
Copying Templates
Creating New Security Templates
Customizing Security Options
Structure of the Sceregvl.inf File
Customizing the Sceregvl.inf File
Getting the Custom Entry to Show Up
Customizing Services in the Security Templates
Getting the Correct Service to Automatically Display
Acquiring the Service Syntax for the Security Template File
Manually Updating Services in the Security Template File
Microsoft Solutions for Security Settings
Summary
IV. Group Policy Troubleshooting
16. Troubleshooting Group Policy
Group Policy Troubleshooting Essentials
Verifying the Core Configuration
Verifying the Network Connection and Configuration
Verifying the Computer Account and Trust
Verifying Time Synchronization
Verifying the Computer and User Account Configuration
Verifying Key Infrastructure Components
Verifying the Scope of Management
Checking the GPO Status and Version
Checking the GPO on the Logon Domain Controller
Checking the GPO Link Status and Order
Checking the GPO Permissions
Checking the Loopback Processing Status of the GPO
Checking for Slow Links
Essential Troubleshooting Tools
Working with Resultant Set of Policy
Navigating the Summary Tab
Navigating the Settings Tab
Navigating the Policy Events Tab
Navigating the Advanced View
Viewing RSoP from the Command Line
Verifying Server-Side GPO Health
Checking the GPC and GPT for Errors
Checking the SYSVOL Permissions
Verifying Specific GPOs
Navigating the GPO Details
Managing RSoP Logs Centrally
Getting Started with Group Policy Monitor
Preparing the Group Policy Monitor Installation
Deploying and Configuring Group Policy Monitor
Viewing Group Policy Monitor Reports
Examining Differences Between Refresh Intervals
Managing Report Log Deletion
Group Policy Logging
Navigating the Application Event Logs
Configuring the Level of Application Logging
Understanding Group Policy Events
Managing Userenv Logging
Configuring the Level of Userenv Logging
Examining the Userenv Logs
Managing Logging for Specific CSEs
Enabling Debug Logging for Windows Installer Policy
Enabling Debug Logging for Folder Redirection Policy
Enabling Debug Logging for Security Policy
Summary
17. Resolving Common Group Policy Problems
Solving GPO Administration Problems
Domain Controller Running the PDC Emulator Is Not Available
Not All Settings Show Up in the Group Policy Editor
Custom Administrative Template Settings Are Not Visible
Administrative Templates and Settings Depend on the Operating System Version
Security Template Settings Are Not Taking Effect
New Custom Security Settings Are Not Displayed
Delegation Restrictions Within the GPMC
Creating GPOs
Linking GPOs
Managing GPOs
Editing GPOs
Viewing GPOs
Group Policy Settings Are Not Being Applied Due to Infrastructure Problems
Domain Controllers Are Not Available
Active Directory Database Is Corrupt
Local Logon vs. Active Directory Logon
SYSVOL Files Are Causing GPO Application Failure
GPO Files Manually Modified Incorrectly
SYSVOL Share Removed
Incorrect Date and Time of GPO Files
Problems with Replication and Convergence of Active Directory and SYSVOL
Syncing Group Policy GPC and GPT
Intrasite Replication
Intersite Replication
DNS Problems Causing GPO Application Problems
DHCP Servers Allocating Incorrect DNS Information
Manual Client Configuration Is Incorrect
SRV Records Have Been Deleted
Solving Implementation Problems
Tracking Down Incorrect GPO Settings
GPO Settings That Can Be Set to Enabled or Disabled
Incorrect Setting Selected
Computer Configuration vs. User Configuration Settings
GPO Links Causing GPO Application Problems
Linking GPOs to Multiple Containers
Administering GPOs that are Linked to Multiple Containers
Accounts Are Not Located in the Correct OU
Reasons That Accounts Are Placed in the Incorrect OU
Wrong Account in OU
Trying to Apply Group Policy Settings to Groups
Linking GPOs to OUs That Contain Only Groups
Setting GPO Security Filtering to Apply GPO Settings to Groups
Conflicting Settings in Two GPOs
Modifying Default GPO Inheritance
Enforcing GPOs
Block Policy Inheritance
Security Filtering
Summary
V. Appendixes
A. Group Policy Reference
Computer Configuration Reference
User Configuration Reference
B. New Features in Windows Server 2003 Service Pack 1
Adprep
Administrative Tools
Internet Explorer Feature Control Settings
Managing Feature Control Settings
Configuring Policies and Preferences
Internet Explorer Administration Kit/Internet Explorer Maintenance
Internet Explorer URL Action Security Settings
Changes to Internet Explorer URL Action Security Settings
Resultant Set of Policy
Changes to RSoP in SP1
Administering Remote RSoP with GPMC SP1
Delegating Access to Group Policy Results
Post-Setup Security Updates
Security Configuration Wizard
Windows Firewall
Changes to Windows Firewall
Changes for Audit Logging
Changes for Netsh Helper
Windows Firewall New Group Policy Support
C. GPMC Scripting
GPMC Scripting Interface Essentials
Understanding the GPMC Scripting Object Model
Creating the Initial GPM Object
Referencing the Domain to Manage
Creating and Linking GPOs
Automating Group Policy Security Management
Using the GPMC’s Prebuilt Scripts
Creating GPOs
Deleting GPOs
Finding Disabled GPOs
Finding GPOs by Security Group
Finding GPOs Without Active Links
Setting GPO Creation Permissions
Setting Other GPO Permissions
Backing Up All GPOs
Backing Up Individual GPOs
Copying GPOs
Importing GPOs
Generating RSoP Reports
Mirroring Your Production Environment
GPMC Prebuilt Script Review
D. Office 2003 Administrative Template Highlights
Microsoft Access 2003
Microsoft Excel 2003
Microsoft FrontPage 2003
Microsoft Clip Organizer 2003
Microsoft InfoPath 2003
Microsoft Office 2003
Microsoft OneNote 2003
Microsoft Outlook 2003
Microsoft PowerPoint 2003
Microsoft Project 2003
Microsoft Publisher 2003
Microsoft Visio 2003
Microsoft Word 2003
Index
About the Authors
Copyright
Search in book...
Toggle Font Controls
Playlists
Add To
Create new playlist
Name your new playlist
Playlist description (optional)
Cancel
Create playlist
Sign In
Email address
Password
Forgot Password?
Create account
Login
or
Continue with Facebook
Continue with Google
Sign Up
Full Name
Email address
Confirm Email Address
Password
Login
Create account
or
Continue with Facebook
Continue with Google
Prev
Previous Chapter
Index
Next
Next Chapter
Index
T
Take ownership of files or other objects setting, Local Policies,
Local Policies
Task Scheduler,
Configuring NetMeeting Through Group Policy
taskbars, Administrative Templates,
Using Group Policy for Administration
TCP/IP NetBIOS Helper service,
Verifying the Computer and User Account Configuration
techniques,
Searching and Filtering Group Policy
,
Searching and Filtering Group Policy
,
Searching Policy Objects, Links, and Settings
filtering, policy settings,
Searching and Filtering Group Policy
searching policy objects,
Searching Policy Objects, Links, and Settings
Temp folder, user profile,
Understanding User Profiles and Group Policy
templates,
Using Group Policy for Administration
,
Using Group Policy for Administration
,
Hardening Clients and Servers
,
Compatws.inf
,
Compatws.inf
,
Compatws.inf
,
Securedc.inf
,
Securedc.inf
,
Securews.inf
,
Hisecws.inf
,
Hisecws.inf
,
Notssid.inf
,
Notssid.inf
,
Sections of the Security Template
,
Account Policies
,
Event Log
,
Restricted Groups
,
System Services
,
System Services
,
Registry
,
Security Templates Snap-in
,
Security Templates Snap-in
,
Security Configuration and Analysis Snap-in
,
Deploying Security Templates
,
Preparing the Policy Environment
,
Group Policy Structure and Processing
,
Navigating Group Policy Physical Structure
,
Navigating Group Policy Physical Structure
,
Customizing Administrative Templates
,
Understanding the Security Template Structure
,
Where Security Template Settings Overlap with GPO Settings
,
Where Security Template Settings Overlap with GPO Settings
,
Raw Security Template INF Files
,
Raw Security Template INF Files
,
Copying Templates
,
Copying Templates
,
Getting the Custom Entry to Show Up
,
Manually Updating Services in the Security Template File
,
Navigating the GPO Details
,
Domain Controller Running the PDC Emulator Is Not Available
,
Administrative Templates and Settings Depend on the Operating System Version
,
Office 2003 Administrative Template Highlights
,
Microsoft Access 2003
,
Microsoft Access 2003
,
Microsoft Excel 2003
,
Microsoft Excel 2003
,
Microsoft InfoPath 2003
,
Microsoft InfoPath 2003
,
Microsoft Office 2003
,
Microsoft OneNote 2003
,
Microsoft Outlook 2003
,
Microsoft PowerPoint 2003
,
Microsoft Project 2003
,
Microsoft Publisher 2003
,
Microsoft Visio 2003
Administrative,
Using Group Policy for Administration
,
Customizing Administrative Templates
,
Domain Controller Running the PDC Emulator Is Not Available
,
Office 2003 Administrative Template Highlights
,
Microsoft Access 2003
,
Microsoft Access 2003
,
Microsoft Excel 2003
,
Microsoft Excel 2003
,
Microsoft InfoPath 2003
,
Microsoft InfoPath 2003
,
Microsoft Office 2003
,
Microsoft OneNote 2003
,
Microsoft Outlook 2003
,
Microsoft PowerPoint 2003
,
Microsoft Project 2003
,
Microsoft Publisher 2003
,
Microsoft Visio 2003
Access 2003,
Microsoft Access 2003
Clip Organizer 2003,
Microsoft Excel 2003
custom settings,
Customizing Administrative Templates
,
Domain Controller Running the PDC Emulator Is Not Available
Excel 2003,
Microsoft Access 2003
FrontPage 2003,
Microsoft Excel 2003
InfoPath 2003,
Microsoft InfoPath 2003
Microsoft Office 2003,
Microsoft InfoPath 2003
OneNote 2003,
Microsoft Office 2003
Outlook 2003,
Microsoft OneNote 2003
PowerPoint 2003,
Microsoft Outlook 2003
Project 2003,
Microsoft PowerPoint 2003
Publisher 2003,
Microsoft Project 2003
Visio 2003,
Microsoft Publisher 2003
Word 2003,
Microsoft Visio 2003
GPTs,
Navigating Group Policy Physical Structure
Group Policy Monitor Administrative,
Navigating the GPO Details
Group Policy template (GPT),
Group Policy Structure and Processing
,
Navigating Group Policy Physical Structure
Office 2003 Administrative Templates,
Preparing the Policy Environment
security,
Hardening Clients and Servers
,
Compatws.inf
,
Compatws.inf
,
Compatws.inf
,
Securedc.inf
,
Securedc.inf
,
Securews.inf
,
Hisecws.inf
,
Hisecws.inf
,
Notssid.inf
,
Notssid.inf
,
Sections of the Security Template
,
Account Policies
,
Event Log
,
Restricted Groups
,
System Services
,
System Services
,
Registry
,
Security Templates Snap-in
,
Security Templates Snap-in
,
Security Configuration and Analysis Snap-in
,
Deploying Security Templates
,
Understanding the Security Template Structure
,
Where Security Template Settings Overlap with GPO Settings
,
Where Security Template Settings Overlap with GPO Settings
,
Raw Security Template INF Files
,
Raw Security Template INF Files
,
Copying Templates
,
Copying Templates
,
Getting the Custom Entry to Show Up
,
Manually Updating Services in the Security Template File
,
Administrative Templates and Settings Depend on the Operating System Version
Account Policies section,
Sections of the Security Template
Compatws.inf,
Compatws.inf
copying,
Raw Security Template INF Files
creating new,
Copying Templates
customizing services,
Getting the Custom Entry to Show Up
DC security.inf,
Compatws.inf
deployment,
Deploying Security Templates
Event Log security area,
Event Log
File System section,
Registry
Hisecdc.inf,
Securews.inf
Hisecws.inf,
Hisecws.inf
Iesacls.inf,
Compatws.inf
Local Policies section,
Account Policies
Microsoft settings,
Manually Updating Services in the Security Template File
Notssid.inf,
Hisecws.inf
overlap with GPOs,
Where Security Template Settings Overlap with GPO Settings
raw security .inf files,
Raw Security Template INF Files
Registry section,
System Services
Restricted Groups security,
Restricted Groups
Rootsec.inf,
Notssid.inf
Sceregvl.inf file,
Copying Templates
Securedc.inf,
Securedc.inf
Securews.inf,
Securedc.inf
Security Configuration and Analysis snap-in,
Security Templates Snap-in
Security Configuration Wizard,
Security Configuration and Analysis Snap-in
Security Templates snap-in,
Security Templates Snap-in
,
Where Security Template Settings Overlap with GPO Settings
Setup Security.inf,
Notssid.inf
structure,
Understanding the Security Template Structure
System Services section,
System Services
troubleshooting,
Administrative Templates and Settings Depend on the Operating System Version
Templates folder, user profile,
Understanding User Profiles and Group Policy
Temporary Internet Files, user profile,
Understanding User Profiles and Group Policy
Terminal Services, customizing GPOs,
Terminal Services
,
Terminal Services
,
Controlling Terminal Services Through Group Policy on an Individual Computer
,
Controlling Terminal Services Through Group Policy in a Domain
,
Controlling Terminal Services Through Group Policy in a Domain
,
Best Practices
,
License Server Security Group
,
Allow Reconnection From Original Client Only
,
Controlling Terminal Services Profiles
connection configuration,
License Server Security Group
controlling on individual computers,
Terminal Services
device mapping,
Allow Reconnection From Original Client Only
domain controlling,
Controlling Terminal Services Through Group Policy on an Individual Computer
licensing,
Best Practices
order of precedence configuration,
Controlling Terminal Services Through Group Policy in a Domain
user profiles,
Controlling Terminal Services Profiles
user properties,
Controlling Terminal Services Through Group Policy in a Domain
Terminate Session When Time Limits Are Reached setting,
Set Time Limit for Active Terminal Services Sessions
test forest, GPO migration to production,
Migrating GPOs from Test to Production
testing, GPOs,
Naming GPOs
,
Migrating GPOs from Test to Production
,
Migrating GPOs from Test to Production
,
Migrating GPOs from Test to Production
migration tables,
Migrating GPOs from Test to Production
migration to production,
Migrating GPOs from Test to Production
production forest to production forest,
Migrating GPOs from Test to Production
TEXT syntax, PART syntax,
Numeric
text, Internet Explorer title bars,
Customizing the Internet Explorer Interface
time synchronization verification,
Verifying the Computer Account and Trust
Timeout For Dialog Boxes setting,
Do Not Detect Slow Network Connection
timeouts, scripts,
Controlling Script Visibility
title bars, Internet Explorer, customizing text,
Customizing the Internet Explorer Interface
Toolbars command (View menu),
Customizing Buttons and Toolbars
toolbars, Internet Explorer, customizing,
Customizing Logos
Tools menu commands (Word 2003), Options,
Understanding How to Prevent Office Configuration Changes
ToolTip text, Internet Explorer customizing,
Customizing Logos
transform files,
How Software Installation Works
,
Deploying Software with Windows Installer Packages
,
Deploying a New Version of an Application
,
Choosing a Package Distribution Technique
,
Step 2: Use the Custom Installation Wizard for Office Configuration
Microsoft Office deployment,
Choosing a Package Distribution Technique
,
Step 2: Use the Custom Installation Wizard for Office Configuration
software installation, package customization,
Deploying a New Version of an Application
Windows Installer packages,
Deploying Software with Windows Installer Packages
troubleshooting,
Cross-Domain GPO Linking
,
Local Group Configuration
,
Local Group Configuration
,
Security Areas and Potential Problems
,
Using Path Rules
,
Troubleshooting Software Installation Policy
,
Troubleshooting Steps
,
Configuring Outlook Security Options
,
Merge Mode
,
Troubleshooting Group Policy
,
Group Policy Troubleshooting Essentials
,
Verifying the Computer and User Account Configuration
,
Verifying Key Infrastructure Components
,
Verifying Key Infrastructure Components
,
Checking the GPO Status and Version
,
Checking the GPO on the Logon Domain Controller
,
Checking the GPO on the Logon Domain Controller
,
Checking the GPO Permissions
,
Checking the GPO Permissions
,
Checking the GPO Permissions
,
Essential Troubleshooting Tools
,
Viewing RSoP from the Command Line
,
Viewing RSoP from the Command Line
,
Navigating the GPO Details
,
Managing Report Log Deletion
,
Solving GPO Administration Problems
,
Solving GPO Administration Problems
,
Solving GPO Administration Problems
,
Domain Controller Running the PDC Emulator Is Not Available
,
Security Template Settings Are Not Taking Effect
,
Viewing GPOs
,
Domain Controllers Are Not Available
,
Domain Controllers Are Not Available
,
Active Directory Database Is Corrupt
,
SYSVOL Files Are Causing GPO Application Failure
,
GPO Files Manually Modified Incorrectly
,
GPO Files Manually Modified Incorrectly
,
GPO Files Manually Modified Incorrectly
,
GPO Files Manually Modified Incorrectly
,
Syncing Group Policy GPC and GPT
,
Solving Implementation Problems
,
Solving Implementation Problems
,
Computer Configuration vs. User Configuration Settings
,
Administering GPOs that are Linked to Multiple Containers
,
Linking GPOs to OUs That Contain Only Groups
,
Conflicting Settings in Two GPOs
Active Directory,
Domain Controllers Are Not Available
,
Active Directory Database Is Corrupt
,
GPO Files Manually Modified Incorrectly
,
GPO Files Manually Modified Incorrectly
,
GPO Files Manually Modified Incorrectly
convergence,
GPO Files Manually Modified Incorrectly
database corruption,
Domain Controllers Are Not Available
local logons vs. Active Directory,
Active Directory Database Is Corrupt
replication,
GPO Files Manually Modified Incorrectly
cross-domain GPO linking,
Cross-Domain GPO Linking
DNS,
Syncing Group Policy GPC and GPT
domain controllers,
Domain Controllers Are Not Available
GPMC, delegation restrictions,
Security Template Settings Are Not Taking Effect
GPOs,
Solving GPO Administration Problems
,
Solving GPO Administration Problems
,
Viewing GPOs
,
SYSVOL Files Are Causing GPO Application Failure
,
Solving Implementation Problems
,
Solving Implementation Problems
,
Computer Configuration vs. User Configuration Settings
,
Linking GPOs to OUs That Contain Only Groups
,
Conflicting Settings in Two GPOs
administration problems,
Solving GPO Administration Problems
application failures,
SYSVOL Files Are Causing GPO Application Failure
conflicting settings,
Linking GPOs to OUs That Contain Only Groups
implementation problems,
Solving Implementation Problems
incorrect settings,
Solving Implementation Problems
infrastructure problems,
Viewing GPOs
inheritance,
Conflicting Settings in Two GPOs
linking,
Computer Configuration vs. User Configuration Settings
Group Policy,
Troubleshooting Group Policy
,
Group Policy Troubleshooting Essentials
,
Verifying the Computer and User Account Configuration
,
Verifying Key Infrastructure Components
,
Verifying Key Infrastructure Components
,
Checking the GPO Status and Version
,
Checking the GPO on the Logon Domain Controller
,
Checking the GPO on the Logon Domain Controller
,
Checking the GPO Permissions
,
Checking the GPO Permissions
,
Checking the GPO Permissions
,
Essential Troubleshooting Tools
,
Viewing RSoP from the Command Line
,
Viewing RSoP from the Command Line
,
Navigating the GPO Details
,
Managing Report Log Deletion
core configuration verification,
Group Policy Troubleshooting Essentials
GPMonitor.exe,
Navigating the GPO Details
GPO permissions,
Checking the GPO Permissions
Gpotool,
Viewing RSoP from the Command Line
Gpresult,
Viewing RSoP from the Command Line
infrastructure component verification,
Verifying the Computer and User Account Configuration
link status,
Checking the GPO on the Logon Domain Controller
logging,
Managing Report Log Deletion
logon domain controller,
Checking the GPO Status and Version
loopback processing status,
Checking the GPO Permissions
order,
Checking the GPO on the Logon Domain Controller
RSoP (Resultant Set of Policy),
Essential Troubleshooting Tools
slow links,
Checking the GPO Permissions
status states,
Verifying Key Infrastructure Components
versions,
Verifying Key Infrastructure Components
Group Policy Editor settings,
Domain Controller Running the PDC Emulator Is Not Available
loopbacks,
Merge Mode
Office-related policy,
Configuring Outlook Security Options
OUs,
Administering GPOs that are Linked to Multiple Containers
PDC Emulator,
Solving GPO Administration Problems
security settings,
Local Group Configuration
,
Local Group Configuration
,
Security Areas and Potential Problems
areas of potential problems,
Local Group Configuration
tools,
Security Areas and Potential Problems
Software Installation policy,
Using Path Rules
,
Troubleshooting Software Installation Policy
,
Troubleshooting Steps
common issues,
Troubleshooting Steps
steps,
Troubleshooting Software Installation Policy
true policies,
Operating System and Service Pack Release Issues
trust logic, configuring Attachment Manager,
Working with Attachment Manager
Trusted Publishers dialog box,
Configuring Trust Publishers Policy
Trusted Publishers policy,
Viewing and Configuring Designated File Types
Trusted Sites,
Configuring Additional Application Compatibility Settings
,
Configuring Additional Application Compatibility Settings
,
Configuring the Local Intranet Zone
Internet Security zone,
Configuring Additional Application Compatibility Settings
security zones configuration,
Configuring the Local Intranet Zone
Trusted Sites dialog box,
Configuring the Trusted Sites Security Zone
Trusted Zones rule, Software Restriction Policies,
Using Hash Rules
trusts, verification,
Verifying the Network Connection and Configuration
TS User Home Directory setting, Terminal Services user profiles,
Set Path for TS Roaming Profiles
tunnels, defining IPSec policy rules,
Defining Security Rules and Actions
Turn Off Application Compatibility Engine policy,
Optimizing Application Compatibility Through Group Policy
Turn Off Automatic Updates Of ADM Files policy,
Removing .adm Files
Turn Off Program Compatibility Wizard policy,
Optimizing Application Compatibility Through Group Policy
Turn On Application Help Log Events policy,
Configuring Additional Application Compatibility Settings
Add Highlight
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click
here
login for view all page.
Day Mode
Cloud Mode
Night Mode
Reset