Title Page Copyright and Credits Mastering Windows Group Policy Contributors About the author About the reviewers Packt is searching for authors like you About Packt Why subscribe? Packt.com Preface Who this book is for What this book covers To get the most out of this book Download the color images Conventions used Get in touch Reviews Group Policy - The Basics Terminology What is Group Policy? Active Directory Group Policy versus Local Group Policy Local Group Policy Active Directory Group Policy What does Group Policy look like? Requirements for Group Policy Who can use Group Policy? Hierarchy of Group Policy processing Levels of GPO processing Local Policy Site-level policies Domain-level policies OU-level policies GPO workflow Building a lab to test Group Policy today Domain Controller Windows 10 Client Configuring the Windows Server 2016 Domain Controller Configuring the Windows 10 client Summary Group Policy Management Console (GPMC) Technical requirements Launching the console locally Server Manager – the most common way Microsoft Management Console (MMC) snap-in Start menu GPMC.MSC Accessing Group Policy remotely Installing the GPMC on another server RSAT on Windows 10 Exploring the GPMC Summary Daily Tasks in Group Policy Default policies and permissions Default Domain Policy Authenticated users Default Domain Controllers Policy Permissions Modifying an existing GPO Using the newest GPMC Editing settings inside a GPO Quickly finding your settings An annoying Internet Explorer popup Updating the default password policy Not configured versus enabled versus disabled Example – configuring Teredo Creating a new GPO Naming your GPOs Creating the GPO Configuring the policy to apply a desktop wallpaper More on GPO links The difference between GPOs and GPO links The GPO link warning message Linking our new GPO Creating and linking new GPOs at the same time Linking at the site level Deleting a GPO link versus deleting a GPO Deleting a GPO link Deleting a GPO Disabling GPO links Everyday command-line tools GPUpdate Background refresh Foreground refresh GPUpdate.exe switches GPResult Sending the output to a file Checking GPResult data from a remote machine Resultant Set of Policy Summary Advanced Filtering of Group Policy Objects Link order precedence OUs trump domains Multiple GPOs linked at the same level Changing the order of link precedence Seeing the big picture Blocking GPO inheritance Enforcing GPOs Will enforcing GPOs affect GPO precedence? User settings versus computer settings Disabling half of a GPO Exercises with OUs and links Creating or deleting OUs OUs inside ADUC OUs inside GPMC Default containers that are not OUs Moving machines from one OU to another OUs protected from accidental deletion A warning on cross-domain policy linking Filtering GPOs with security filters How to filter a GPO to a particular Active Directory group Filtering to specific users or computers Security filtering – permission changes How to block a GPO from a particular Active Directory group Filtering GPOs with WMI filters WMI filters could cause a performance hit Applying a WMI filter to our GPO Summary Deploying Policy Settings Managed versus unmanaged policies Administrative Templates ADMX/ADML files Self-regulating policies Special registry keys Sticky preferences Unmanaged Policies versus Group Policy Preferences Preferences can usually be overwritten by a user Preferences stick around after the GPO is removed Creating or importing new templates How can you tell the difference? Computer configuration policies Idle-time lockout policy What about Windows 7? Launching an application upon login Configuring certificate auto-enrollment Startup and shutdown scripts – running scripts at the computer level Disabling Local Group Policy processing User configuration policies Remove the shutdown button Locking down display settings Prohibiting access to the Control Panel and Settings Logon and logoff scripts – running scripts at the user level Group Policy loopback processing What's really happening? Merge mode Replace mode How to do it? Summary Group Policy Preferences How is a preference different from a policy setting? Create, Replace, Update, or Delete Green and red marks Green and red lines How to change them Green and red circles Internet Explorer tabs The Common tab Stop processing items in this extension if an error occurs Run in  logged-on user's security context Remove this item when it is no longer applied Apply once and do not reapply Item-level targeting Implementing Preferences Modifying the power options Environment variables Registry keys Drive mappings Creating a printer connection Forcing an Internet Explorer proxy server Summary Group Policy as a Security Mechanism Password rules and regulations A plethora of security settings Windows Firewall with Advanced Security Location of WFAS policy settings General settings  Inbound Rules Outbound Rules Connection Security Rules Forcing Windows Firewall to always be enabled An aside about WFAS Profiles Disabling Windows Firewall by policy Creating a rule to allow inbound traffic Creating a rule to block outbound traffic What about conflicting rules? Configuring GPO to clear local WFAS rules Manipulating Local Users and Groups Denying access to Command Prompt Prohibiting user software-installation Disabling IPv6 via Group Policy User Account Control Configuring UAC via GPO User Account Control – Behavior of the Elevation Prompt for Administrators in Admin Approval Mode User Account Control – Behavior of the Elevation Prompt for Standard Users User Account Control – Detecting Application Installations and Prompting for Elevation User Account Control – Running All Administrators in Admin Approval Mode Blocking USB Drives Summary Group Policy Maintenance Documenting Group Policy Commenting inside GPOs Generating a GPO report Searching Group Policy Searching for GPOs Filtering settings Filtering by keywords Filtering by your own comments Filtering by settings that have been modified Clearing the filter Starter GPOs Creating a Starter GPO Editing a Starter GPO Using a Starter GPO to build finalized GPOs Backing up and restoring GPOs Backing up GPOs Permissions needed to back up a GPO Backing up a single GPO Backing up all GPOs at once Restoring GPOs Permissions needed to restore an existing GPO Permissions needed to restore a deleted GPO Two ways to restore a GPO Managing backups Relinking restored GPOs Exporting and Importing WMI Filters Implementing ADMX/ADML files Importing a new ADMX file The location for placing ADMX files The location for placing ADML files The Central Store Creating the Central Store Verifying Central Store is working Importing new ADMX/ADML files into the Central Store Delegating permissions to manage Group Policy Delegation to edit GPOs Delegation to link GPOs Delegation to create new GPOs Additional delegation capabilities Summary Group Policy Troubleshooting Troubleshooting tools and procedures GPUpdate GPResult and RSOP RSOP GPResult User or computer results – not usually both GPO permissions Map out policy settings Is the GPO disabled? Watching for inheritance blocking Looking out for Enforced GPOs Conflicting settings Is your operating system supported? Windows Event Logs GPO version numbers Checking Domain Controller synchronization Version numbers triggering the client Checking the replication status via GPMC Detecting slow links Changing slow-link detection behavior The trouble with FRS What's wrong with FRS? Which one am I running? Group Policy results wizard Running the report Group Policy Modeling Summary PowerShell for Group Policy Administration Importing PowerShell Group Policy modules PowerShell for GPOs and Links Creating new GPOs Deleting GPOs Linking a GPO Disabling a GPO Link Deleting a GPO Link Creating a new Starter GPO Enforcing a GPO Disabling GPO enforcement Setting inheritance blocking on an OU Configuring security filtering on a GPO GPO information and reporting Viewing information about a GPO GPO Reports RSOP data via PowerShell GPO permissions via PowerShell Viewing current GPO permissions Setting GPO permissions Removing GPO permissions Using PowerShell to back up and restore GPOs Backing up a single GPO Backing up all of the GPOs Restoring a GPO Remotely running GPUpdate Using PowerShell Help Summary Other Books You May Enjoy Leave a review - let other readers know what you think