Group Policy, Profiles, and IntelliMirror for Windows 2003, Windows XP and Windows 2000 3rd Revised edition [Mīkstie vāki]

Introduction		xix
Chapter 1 Group Policy Essentials		1	(54)
Getting Started with Group Policy		1	(7)
Understanding Local Group Policy		2	(2)
Group Policy Entities and Policy Settings		4	(1)
Active Directory—Based Group Policy		5	(3)
An Example of Group Policy Application		8	(2)
Examining the Resultant Set of Policy		10	(2)
At the Site Level		10	(1)
At the Domain Level		11	(1)
At the OU Level		11	(1)
Group Policy, Active Directory, and the GPMC		12	(9)
Kickin' It Old-School		13	(1)
GPMC Overview		14	(2)
Installing the GPMC		16	(5)
Using the GPMC in Active Directory		21	(4)
Active Directory Users and Computers versus GPMC		22	(1)
Adjusting the View within the GPMC		23	(1)
The GPMC-centric view		24	(1)
Our Own Group Policy Examples		25	(26)
More about Linking and the Group Policy Objects Container		28	(2)
Applying Group Policy Object to the Site Level		30	(3)
Applying Group Policy Objects to the Domain Level		33	(2)
Applying Group Policy Objects to the OU Level		35	(5)
Testing Your Delegation of Group Policy Management		40	(1)
Understanding Group Policy Object Linking Delegation		40	(2)
Granting OU Admins Access to Create New Group Policy Objects		42	(1)
Creating and Linking Group Policy Objects at the OU Level		43	(4)
Creating a New Group Policy Object in an OU		47	(1)
Moving Computers into the Human Resources Computers OU		48	(1)
Verifying Your Cumulative Changes		49	(2)
Things That Aren't Group Policy but Look Like Group Policy		51	(1)
Terminal Services		52	(1)
Routing and Remote Access		52	(1)
Final Thoughts		52	(3)
Chapter 2 Managing Group Policy with the GPMC		55	(52)
Common Procedures with the GPMC		55	(17)
Minimizing the View with Policy Setting Filtering		58	(3)
Raising or Lowering the Precedence of Multiple Group Policy Objects		61	(1)
Understanding GPMC's Link Warning		62	(1)
Stopping Group Policy Objects from Applying		63	(5)
Block Inheritance		68	(1)
The Enforced Function		69	(3)
Advanced Security and Delegation with the GPMC		72	(15)
Filtering the Scope of Group Policy Objects		72	(9)
Granting User Permissions upon an Existing Group Policy Object		81	(1)
Granting Group Policy Object Creation Rights in the Domain		82	(1)
Special Group Policy Operation Delegations		83	(2)
Who Can Create and Use WMI Filters?		85	(2)
Performing RSoP Calculations with the GPMC		87	(9)
What's-Going-On Calculations with Group Policy Results		88	(5)
What-If Calculations with Group Policy Modeling		93	(3)
Backing Up and Restoring Group Policy Objects		96	(6)
Backing Up Group Policy Objects		97	(2)
Restoring Group Policy Objects		99	(3)
Backing Up and Restoring WMI Filters		102	(1)
Searching for Group Policy Objects with the GPMC		102	(1)
GPMC At-a-Glance Icon View		102	(2)
The GPMC At-a-Glance Compatibility Table		104	(1)
Final Thoughts		105	(2)
Chapter 3 Group Policy Processing Behavior		107	(50)
Group Policy Processing Principles		107	(17)
Initial Policy Processing		109	(1)
Background Refresh Policy Processing		110	(9)
Security Background Refresh Processing		119	(5)
Special Case: Moving a User or a Computer Object		124	(1)
Policy Application via Remote Access or Slow Links		124	(3)
Using Group Policy to Affect Group Policy		127	(10)
Affecting the User Settings of Group Policy		127	(2)
Affecting the Computer Settings of Group Policy		129	(8)
Group Policy Loopback Processing		137	(7)
Reviewing Normal Group Policy Processing		137	(1)
Group Policy Loopback—Merge Mode		138	(1)
Group Policy Loopback—Replace Mode		138	(6)
Group Policy with Cross-Forest Trusts		144	(7)
What Happens When Logging on to Different Clients Across a Cross-Forest Trust?		145	(3)
Disabling Loopback Processing When Using Cross-Forest Trusts		148	(1)
Cross-Forest Trust Client Matrix		149	(1)
Understanding Cross-Forest Trust Permissions		150	(1)
Intermixing Group Policy and NT 4 System Policy		151	(3)
Final Thoughts		154	(3)
Chapter 4 Troubleshooting Group Policy		157	(62)
Under the Hood of Group Policy		158	(5)
Inside Local Group Policy		158	(2)
Inside Active Directory Group Policy Objects		160	(3)
The Birth, Life, and Death of a GPO		163	(19)
How Group Policy Objects Are "Born"		163	(2)
How a GPO "Lives"		165	(17)
Death of a GPO		182	(1)
How Client Systems Get Group Policy Objects		182	(7)
Client-Side Extensions		183	(4)
Where Are Administrative Templates Registry Settings Stored?		187	(2)
Why Isn't Group Policy Applying?		189	(11)
Reviewing the Basics		189	(2)
Advanced Inspection		191	(9)
Client-Side Troubleshooting		200	(12)
RSoP for Windows 2000		201	(1)
RSoP for Windows 2003 and Windows XP		202	(10)
Advanced Group Policy Troubleshooting with Log Files		212	(4)
Using the Event Viewer		212	(1)
Diagnostic Event Log Registry Hacks		213	(1)
Turning On Verbose Logging		213	(3)
Final Thoughts		216	(3)
Chapter 5 Windows ADM Templates		219	(30)
Policies versus Preferences		220	(1)
Typical ADM Templates		221	(10)
Default ADM Templates		222	(1)
Vendor-Supplied ADM Templates		223	(8)
Creating Your Own Custom ADM Changes		231	(4)
Creating Your Own Custom ADM Template		232	(1)
Viewing Old-Style Preferences		233	(2)
Managing Windows ADM Templates		235	(8)
How Do You Currently Manage Your Group Policy Objects?		236	(1)
ADM Template Behavior		237	(5)
ADM Files Beyond XP SP2: The Retroactive Bug That Ate New York		242	(1)
ADM Template Management Best Practice		243	(4)
Create a Windows XP Management Workstation		243	(2)
Throttling an Automatic ADM Template Upgrade		245	(2)
Cracking the ADM Files		247	(1)
Final Thoughts		248	(1)
Chapter 6 Implementing Security with Group Policy		249	(72)
The Two Default Group Policy Objects		250	(8)
GPOs Linked at the Domain Level		251	(4)
Group Policy Objects Linked to the Domain Controllers OU		255	(2)
Oops, the "Default Domain Policy" GPO and/or "Default Domain Controllers Policy" GPO Got Screwed Up!		257	(1)
Understanding Local and Effective Security Permissions		258	(3)
The Strange Life of Password Policy		260	(1)
Auditing with Group Policy		261	(9)
Auditing Group Policy Object Changes		262	(7)
Auditing File Access		269	(1)
Logon, Logoff, Startup, and Shutdown Scripts		270	(3)
Startup and Shutdown Scripts		271	(1)
Logon and Logoff Scripts		272	(1)
Script Processing Defaults (and Changing Them)		272	(1)
Internet Explorer ADM and Internet Explorer Maintenance Policies		273	(2)
Finding Internet Explorer ADM Policy Settings		273	(1)
Internet Explorer Maintenance Policies		274	(1)
Internet Explorer Settings Warning		274	(1)
Wireless Network (802.11) Policies		275	(1)
Restricted Groups		276	(4)
Strictly Controlling Active Directory Groups		276	(2)
Strictly Controlling Local Group Membership		278	(1)
Strictly Applying Group Nesting		279	(1)
Which Groups Can Go into Which Other Groups via Restricted Groups?		280	(1)
Software Restriction Policy		280	(10)
Software Restriction Policies' "Philosophies"		282	(1)
Software Restriction Policies' Rules		283	(7)
Windows XP/SP2 and Windows 2003/SP1 Firewall Settings		290	(2)
Domain vs. Standard Profiles		291	(1)
Killing the Firewall		291	(1)
Opening Specific Ports, Managing Exceptions, and More		292	(1)
Firewall Warning		292	(1)
Securing Workstations with Templates		292	(17)
Security Templates		293	(4)
Your Own Security Templates		297	(4)
The Security Configuration and Analysis Snap-In		301	(7)
Applying Security Templates with Group Policy		308	(1)
The Security Configuration Wizard for Windows 2003/SP1		309	(8)
Installing the SCW		310	(1)
A Practical SWC Example		310	(5)
Converting Your SCW Policy to a GPO		315	(1)
SCW Caveats		316	(1)
Final Thoughts		317	(4)
What I Didn't Cover		318	(1)
Even More Resources		318	(1)
Designing versus Implementing		319	(2)
Chapter 7 Scripting GPMC Operations		321	(40)
Getting Started with GPMC Scripting		322	(2)
GPMC Scripting Caveats		322	(1)
Scripting References		322	(1)
Scripting Tools		323	(1)
Setting the Stage for Your GPMC Scripts		324	(5)
Initial GMPC Script Requirements		325	(2)
Obtaining Domain DNS Names Automatically		327	(1)
Obtaining Basic Domain and Site Information		328	(1)
Creating Simple GPMC Scripts		329	(4)
Automating Routine Group Policy Operations		333	(23)
Documenting GPO Links and WMI Filter Links		333	(5)
Documenting GPO Settings		338	(2)
Creating and Linking New GPOs		340	(2)
Backing Up GPOs		342	(2)
Restoring GPOs		344	(4)
Importing GPOs		348	(1)
Changing GPO Permissions		349	(7)
Forcing a Group Policy Object Refresh		356	(2)
Enabling Remote Scripting		356	(1)
Scripting the Forced Background Refresh		357	(1)
Using the Included GPMC Scripts from Microsoft		358	(2)
Final Thoughts		360	(1)
Chapter 8 Profiles: Local, Roaming, and Mandatory		361	(38)
What Is a User Profile?		361	(8)
The NTUSER.DAT File		362	(1)
Profile Folders		363	(1)
The Default Local User Profile		364	(3)
The Default Domain User Profile		367	(2)
Roaming Profiles		369	(24)
Setting Up Roaming Profiles		370	(4)
Testing Roaming Profiles		374	(2)
Migrating Local Profiles to Roaming Profiles		376	(1)
Roaming and Nonroaming Folders		377	(1)
Windows XP and Windows 2003 Profile Changes		378	(4)
Affecting Roaming Profiles with Computer Group Policy Settings		382	(7)
Affecting Roaming Profiles with User Group Policy Settings		389	(4)
Mandatory Profiles		393	(5)
Establishing Mandatory Profiles from a Local Profile		393	(3)
Mandatory Profiles from an Established Roaming Profile		396	(1)
Forced Mandatory Profiles (Super-Mandatory)		397	(1)
Final Thoughts		398	(1)
Chapter 9 IntelliMirror, Part 1: Redirected Folders, Offline Files, Synchronization Manager, and Disk Quotas		399	(64)
Overview of Change and Configuration Management and IntelliMirror		399	(2)
Redirected Folders		401	(18)
Redirected My Documents		402	(13)
Redirecting the Start Menu and the Desktop		415	(1)
Redirecting the Application Data		416	(1)
Troubleshooting Redirected Folders		416	(3)
Offline Files and the Synchronization Manager		419	(16)
Offline Files Basics		419	(1)
Synchronization Manager Basics		420	(1)
Making Offline Files Available		421	(4)
Client Configuration of Offline Folders		425	(1)
The "Do Nothing" Approach		425	(5)
Running Around to Each Client to Tweak Offline Files and the Synchronization Manager		430	(5)
Offline Files and Synchronization Manager Interaction		435	(1)
Using Folder Redirection and Offline Files over Slow Links		436	(5)
Synchronizing over Slow Links with Redirected My Documents		437	(1)
Synchronizing over Slow Links with Public Shares		437	(4)
Using Group Policy to Configure Offline Files (User and Computer Node)		441	(8)
Prohibit User Configuration of Offline Files		442	(1)
Synchronize All Offline Files When Logging On		442	(1)
Synchronize All Offline Files When Logging Off		442	(1)
Synchronize All Offline Files Before Suspend		443	(1)
Action on Server Disconnect		443	(1)
Nondefault Server Disconnect Actions		443	(1)
Remove "Make Available Offline"		444	(1)
Prevent Use of Offline Files Folder		444	(1)
Administratively Assigned Offline Files		445	(1)
Turn off Reminder Balloons		446	(1)
Reminder Balloon Frequency		447	(1)
Initial Reminder Balloon Lifetime		447	(1)
Reminder Balloon Lifetime		447	(1)
Event Logging Level		447	(1)
Prohibit "Make Available Offline" for These File and Folders		448	(1)
Do Not Automatically Make Redirected Folders Available Offline		449	(1)
Using Group Policy to Configure Offline Files (Exclusive to the Computer Node)		449	(4)
Allow or Disallow Use of the Offline Files Feature		449	(1)
Default Cache Size		450	(1)
Files Not Cached		450	(1)
At Logoff, Delete Local Copy of User's Offline Files		451	(1)
Subfolders Always Available Offline		451	(1)
Encrypt the Offline Files Cache		451	(2)
Configure Slow Link Speed		453	(1)
Disk Quotas		453	(9)
Quotas and Groups		456	(1)
Designing and Implementing a Quota Strategy		457	(3)
Import and Export Quota Entries		460	(1)
Using Group Policy to Affect Quotas		460	(2)
Final Thoughts		462	(1)
Chapter 10 IntelliMirror, Part 2: Software Deployment via Group Policy		463	(66)
Group Policy Software Installation (GPSI) Overview		463	(8)
The Windows Installer Service		464	(1)
Understanding .msi Packages		465	(1)
Utilizing an Existing .msi Package		466	(5)
Assigning and Publishing Applications		471	(12)
Assigning Applications		471	(1)
Publishing Applications		472	(1)
Rules of Deployment		472	(1)
Package-Targeting Strategy		473	(5)
Understanding .zap Files		478	(3)
Testing Publishing Applications to Users		481	(1)
Application Isolation		481	(2)
Advanced Published or Assigned		483	(11)
The General Tab		483	(1)
The Deployment Tab		484	(5)
The Upgrades Tab		489	(1)
The Categories Tab		490	(1)
The Modifications Tab		490	(4)
The Security Tab		494	(1)
Default Group Policy Software Installation Properties		494	(4)
The General Tab		495	(1)
The Advanced Tab (Windows 2003 Server Tools Only)		495	(1)
The File Extensions Tab		496	(1)
The Categories Tab		497	(1)
Removing Applications		498	(4)
Users Can Manually Change or Remove Applications		498	(1)
Automatically Removing Assigned or Published .msi Applications		498	(1)
Forcefully Removing Assigned or Published .msi Applications		499	(1)
Removing Published .zap Applications		500	(1)
Troubleshooting the Removal of Applications		501	(1)
Using Group Policy Software Installation over Slow Links		502	(3)
Assigning Applications to Users over Slow Links Using Windows 2000		503	(2)
Assigning Applications to Users over Slow Links Using Windows XP and Windows 2003		505	(1)
Managing .msi Packages and the Windows Installer		505	(12)
Inside the MS/EXEC Tool		505	(3)
Affecting Windows Installer with Group Policy		508	(9)
GPO Targeting with WMI Filters		517	(6)
Tools (and References) of the WMI Trade		518	(2)
WMI Filter Syntax		520	(1)
Creating and Using a WMI Filter		520	(2)
Final WMI Filter Thoughts		522	(1)
Fitting Microsoft SMS into Your Environment		523	(3)
SMS versus GPOs: A Comparison Rundown		524	(2)
GPSI and SMS Coexistence		526	(1)
Final Thoughts		526	(3)
Chapter 11 Beyond IntelliMirror: Shadow Copies and Remote Installation Services		529	(28)
Shadow Copies		530	(5)
Setting Up Shadow Copies on the Server		530	(2)
Delivering Shadow Copies to the Client		532	(1)
Restoring Files with the Shadow Copies Client		532	(3)
Inside Remote Installation Services		535	(3)
Server Components		535	(1)
Client Components		536	(2)
Setting Up RIS Server		538	(4)
Loading RIS		538	(1)
Installing the Base Image		538	(2)
Authorizing Your RIS Server		540	(1)
Managing the RIS Server J		541	(1)
Installing Your First Client		542	(7)
Creating a Remote Boot Disk		542	(1)
Installing Your First Client		543	(3)
The Remote Installation Prep Tool (RIPrep)		546	(3)
How to Create Your Own Automated RIS Answer Files		549	(6)
Creating a Sample Fully Automated Answer File		549	(1)
Associating an Answer File with an Image		550	(2)
Using Group Policy to Manipulate Remote Installation Services		552	(1)
The Automatic Setup Section		553	(1)
The Custom Setup Section		553	(1)
The Restart Setup Section		554	(1)
The Tools Section		554	(1)
Final Thoughts		555	(2)
Appendix A Group Policy Tools		557	(18)
Migrating Group Policy Objects between Domains		557	(7)
Basic Interdomain Copy and Import		557	(5)
Copy and Import with Migration tables		562	(2)
Microsoft Tools Roundup		564	(6)
Group Policy Tools from Microsoft		565	(4)
Profile Tools from Microsoft		569	(1)
Third-Party Vendors List		570	(5)
Index		575

Jeremy Moskowitz, founder of Moskowitz, Inc. (www.moskowitz inc.com), is an MCSE, MCSA, and one of only six Microsoft MVPs (Most Valued Professionals) in Group Policy. He has performed Active Directory, Group Policy, and SMS consulting for some of the nation s largest organizations. Jeremy teaches a two day Group Policy Intensive Training and Workshop class and runs www.GPanswers.com, a community forum to help answer tough Group Policy questions. Jeremy frequently contributes to Windows IT Pro Magazine, REDMOND Magazine, Technet Magazine and has been a noted speaker at many industry conferences. About the Series The Mark Minasi Windows Administrator Library Library is designed to equip system administrators with in depth technical solutions to the many challenges associated with administering Windows in an enterprise setting. The series editor is leading Windows NT/2003 expert Mark Minasi, who selects the topics and authors, and develops and reviews each book to ensure that every entry in the series meets your needs and helps you achieve your goals.