Module 2: Group Policy

Contents

Overview 1
Lesson: Introduction to Group Policy 2
Classroom Practice: GPMC Administration 8
Lesson: Using Group Policy for
Organizational Control 9
OU Design for Security 15
Classroom Practice: Applying a Security
Template 17
Software Restriction Policies 22
Lab 2: Controlling the User Environment 31
Clinic Evaluation 39
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or
for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

 2004 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Windows Server, Active Directory, ActiveX,
FrontPage, InfoPath, IntelliMirror, NetMeeting, OneNote, Outlook, PowerPoint, and Windows
Media are either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
 Module 2: Group Policy 1

Overview

Introduction This module is designed to introduce you to Group Policy objects (GPOs). You
will see that GPOs can be used to control a wide variety of features and
functions on almost any computer in the domain. This includes security, the
user environment, and applications. You will also see how delegation of control
can help you define which administrators can create and manage GPOs.
Objectives After completing this module, you will be able to:
! Understand Group Policy fundamentals.
! Understand the Group Policy Management Console.
! Describe GPO processing.
! Describe how to use GPOs to control security.
! Describe how to use GPOs to control the user environment.
! Describe how to use GPOs to deploy applications.
2 Module 2: Group Policy

Lesson: Introduction to Group Policy

Introduction Microsoft® Windows Server™ 2003 unleashes the power of policy-based

management through an improved Group Policy infrastructure, new and vastly
enhanced Group Policy management capabilities, and broad support for policy-
based management across server components. All Group Policy management
operations can now be done by using a single easy-to-use GUI, ‘what-if’
modeling, reporting on Group Policy enforcement; ability to stage, back up
Group Policy implementations, and to support multi-forest network topology
scenarios.
Lesson objectives After this lesson you will be able to:
! Describe the purpose of Group Policy.
! Describe the benefits of administering Group Policy with Active Directory®.
! Describe the capabilities of GPOs.
! Describe how to configure GPOs using the Group Policy Management
Console.
 Module 2: Group Policy 3

Purpose of Group Policy

Introduction Group Policy is the cornerstone of network management using Active

Directory. A Group Policy is a collection of files and settings that are
continually enforced on client computers and servers when those computers are
members of an Active Directory domain. Client computers and servers are
grouped into organizational units (OUs). Different collections of Group Policy
settings are assigned to each OU.
GPO overview A GPO modifies the registry on a target computer. The registry settings are
either in HKEY_Local_Machine or HKEY_Current_User. A GPO can modify
other configurations, such as application installation, folder redirection,
Account Policy settings, and user rights. It is extremely important that you
understand that a GPO can only modify user accounts and computer accounts.
GPOs do not configure settings based on group accounts.
Computer configuration One portion of the GPO modifies computer accounts that are located in a
container that is influenced by where the GPO is linked. For example, let’s
assume you configure a Computer Configuration setting in a GPO to have a
Legal Notice Caption and Banner. Then, you link the GPO to an OU named
HR. If a computer account named HR_XP1 is located in the HR OU, any user
that logs onto HR_XP1 will receive the Legal Notice Caption and Banner. This
GPO will have modified the HKEY_Local_Machine portion of the registry on
HR_XP1.
User configuration One portion of the GPO modifies user accounts that are located in a container
that is influenced by where the GPO is linked. For example, let’s assume you
configure a User Configuration setting in a GPO to remove the Run command
from the Start menu. Then, you link the GPO to an OU named Marketing. If a
user account named Joe is located in the Marketing OU, Joe will not have the
Run command on his Start menu. This GPO will have modified the
HKEY_Current_User portion of the registry where Joe is logging on. No matter
where Joe logs on, he will not have the Run command.
4 Module 2: Group Policy

Security settings Parts of both the Computer Configuration and the User Configuration are
specific to Security Settings. If you are in the GPO editor, under both
Configuration nodes, go to Windows Settings\Security Settings. After a quick
review of the options under each node, you will see that more options are
available for Computer Configuration than for User Configuration.
For the Computer Configuration, numerous areas of security can be configured.
Areas such as Account Policies, User Rights, Permissions on Folders and the
Registry, PKI, and Software Restriction Policies, to name just a few.
The User Configuration has two essential settings: Certificate Autoenrollment
and Software Restriction Policies.
Centralized A benefit of GPOs used within Active Directory is that the settings for multiple
configuration computers can be made from one console and the files can be updated on one
computer to affect all of the target computers. With the domain controllers
replicating the GPO files and configurations, it makes the administration of
GPOs and the final settings much easier than if each computer had to be visited
and configured.
Centralized management GPOs can be managed through Active Directory Users and Computers or the
of GPOs new Group Policy Management Console (GPMC). Regardless of the tool that is
used, you can administer and configure where the GPOs are linked to the
different objects within Active Directory. This provides an easy way of
ensuring that the GPOs are applied to the correct target objects.
Consistent Because GPOs are tied to the logon process of both the computer and user
configurations accounts, the logon process provides a consistent method for applying the
settings within the GPO. Because you can control either the computer or the
user, settings can be consistent for the user or computer that it is targeted for.
For example, if a computer is located in the reception area of your business, you
would want a consistent configuration on that computer, regardless of who logs
on. This can be accomplished through GPOs and Active Directory.
Sets of objects can also have a consistent configuration. For example, if the
reception room in our example has more than one computer, all of the computer
objects can be placed in an OU and the GPO applied to the OU. This will
ensure that all of the objects in the OU are treated consistently, all having the
same configuration.
Automatic As soon as the OU structure is complete and objects are moved to their
configurations respective OU, GPOs can be linked and the settings automatically applied. The
reason for this is that GPOs automatically “refresh” at a preset interval for both
computer and user objects. Therefore, the computer does not need to be
restarted and the user does not have to logoff for the settings to be applied, they
are automatically applied at the next refresh interval.
 Module 2: Group Policy 5

Classroom Discussion: Group Policy Processing

Note Open the 2274_6_I_GP.html file on the instructor computer to complete

this classroom discussion.

Objectives After completing this lesson, you will be able to:

! Describe the types of settings that can be defined in Group Policy.
! Describe how Group Policy is applied.

Types of settings You can configure Group Policy settings to define the policies that affect users
and computers. The following table presents the types of settings that you can
configure.
Type of setting Description

Administrative templates Registry-based settings for configuring application

settings and user desktop environments
Scripts Settings for specifying when Windows Server 2003 runs
specific scripts
Remote Installation Settings that control the options available to users when
Services they run the Client Installation wizard used by Remote
Installation Services (RIS)
Internet Explorer Settings for administering and customizing Internet
maintenance Explorer on computers running Windows Server 2003
Folder redirection Settings for storing specific user profile folders on a
network server
Security Settings for configuring local computer, domain, and
network security settings
Software installation Settings for centralizing the management of software
installations, updates, and removals
6 Module 2: Group Policy

Flow of inheritance GPOs are associated with or linked to sites, domains, and OUs. You can set
centralized policies that affect the entire organization or decentralized policies
that affect a particular department. Unlike the parent and child organizational
units of OUs, GPOs do not have a domain hierarchy.
Order in which GPOs are The order in which Windows Server 2003 applies GPOs is based on the Active
processed Directory container that the GPOs are linked to. The GPOs are applied first to
the site, then to domains, and then to OUs within the domains.
Multivalued GPO Some GPO settings are multivalued. These settings are treated like single-value
settings settings. That is, if the setting is defined in multiple GPOs, only the settings in
one of the GPOs that adheres to the inheritance rules are applied.
Block Inheritance You can prevent a child container from inheriting all GPOs from parent
containers by enabling Block Inheritance on the child container. Block
Inheritance is useful when an Active Directory container requires unique Group
Policy settings.
Enforced The Enforced (named No Override if the Group Policy Management console is
not installed) option is an attribute of the link, not of the GPO. If the same GPO
is linked elsewhere, the Enforced option does not apply to that link unless you
modify that link as well. If you have a GPO that is linked to multiple
containers, you can configure the Enforced option individually for each
container. When more than one link is set to Enforced, the linked GPOs apply
to a common container. If they contain conflicting settings, the GPO that is
highest in the Active Directory hierarchy takes precedence.
You may need to link GPOs that are associated with other directory objects. By
setting the appropriate permissions for security groups, you can filter Group
Policy to influence only the computers and users that you specify.
 Module 2: Group Policy 7

Group Policy Management Console

Introduction The Microsoft Group Policy Management Console (GPMC) is the new tool for
Group Policy management that helps administrators manage an enterprise more
cost-effectively by improving manageability and increasing productivity. It
consists of a new Microsoft Management Console (MMC) snap-in and a set of
scriptable interfaces for managing Group Policy.
GPMC GPMC simplifies the management of Group Policy by providing a single place
for managing core aspects of Group Policy. It provides the following
functionality:
! A user interface (UI) that makes Group Policy much easier to use
! Backup/restore of GPOs
! Import/export and copy/paste of GPOs and Windows Management
Instrumentation (WMI) filters
! Simplified management of Group Policy-related security
! HTML reporting of GPO settings and Resultant Set of Policy (RSoP) data
! Scripting of policy-related tasks that are exposed within this tool (not
scripting of settings within a GPO)
8 Module 2: Group Policy

Classroom Practice: GPMC Administration

Introduction Your instructor will now demonstrate how to perform the most common Group
Policy administrative tasks using GPMC. Follow along on your computer with
your instructor if you want to practice.
! Create a GPO.
! Modify GPO policy settings.
! Edit GPO properties.
! Link a GPO.
! Delegate control of a GPO.
! Backup and restore a GPO.
! Save a report of settings.
 Module 2: Group Policy 9

Lesson: Using Group Policy for Organizational Control

Introduction Group Policy can be used in a number of ways to ensure that corporate policies
are enforced. From password policies, application restrictions, anti-virus install
and updates, and desktop lockdown; group policy is a powerful feature that will
help organization to achieve their goal.
Lesson objectives After this lesson you will be able to:
! Describe how Group Policy can control security settings.
! Describe the types of security templates and know where they are located.
! Describe how to configure OUs for security settings.
! Understand how Group Policy can control the user environment.
! Describe the purpose of Software Restriction Settings.
! Deploy security templates.
! Describe the software deployment process.
10 Module 2: Group Policy

Using Group Policy to Control Security

Introduction Security is an area of increasing importance; however, the complexity of many

networks makes it difficult for administrators to manage the security settings
for large numbers of servers and client computers. Using Group Policy, security
templates, and a carefully planned OU structure, you can easily configure and
control your organization’s security policies through Active Directory.
Group Policy One component of a secure network environment is a secure configuration for
all servers and client computers. By using Group Policy with Active Directory,
you can distribute secure configurations to all servers and client computers
through predefined security templates. Microsoft has developed role-based
security templates that enforce the recommended security settings for roles such
as domain controller, file server, infrastructure server, or client computer.
Create an OU structure The first step in planning security for the computers in your organization is to
create an OU structure that will support the application of a baseline security
policy. This step is most easily accomplished by creating an OU that contains
child OUs that are based on the role of that server. After the baseline security
policy is applied at the parent OU, specific settings for computers based on the
role can be addressed.
You should create a parent OU that includes all of the role-based OUs and then
create child OUs for Infrastructure, File, Print, IIS, Microsoft Internet
Authentication Service (IAS), Certificate, and Bastion Host servers. This
structure will enable you to apply a baseline member server security GPO to the
parent OU for all computers. You can address the specific security needs of
each computer by applying a GPO at the role-based OU.

Note The Windows Server 2003 Security Guide provides guidelines for
grouping computers in OUs based on their role. For more information about
grouping computers in OUs, see the Windows Server 2003 Security Guide in
the Additional Reading folder on the Student Materials compact disc.
 Module 2: Group Policy 11

Determine multiple Not all servers in an organization run the same operating system. In fact, it is
operating system very rare for an organization to have only one type of operating system. You
requirements should take this into consideration when determining a member server baseline.
For example, an organization might have a computer running Microsoft
Windows NT® 4.0 and IIS 4.0 that is running an application that is not
supported by IIS 6.0. Because a computer running Windows NT 4.0 cannot use
GPOs, you will need to secure this computer through other methods.
Use templates for each The security settings for computer in a given computer role (i.e.–DNS Server,
role DCHP Server, etc.,) are usually the same. For example, you can create one
template for servers running Microsoft SQL Server™ and another template for
client computers. Before you create any templates, identify common computer
roles and then design a template for each role.
Use Group Policy to You can use Group Policy to automatically assign templates. Group Policy can
apply templates also ensure that template settings are automatically reapplied if any template
settings change on a computer.
Grant only required Excessive permissions can lead to users having inappropriate access to
permissions confidential data or to the accidental or purposeful destruction of data.
Administrators often assign Full Control permissions to resources to the
Everyone group when some of the users only require limited access to the
resources. For example, if users in the sales department must review but not
change a spreadsheet that contains financial data, only assign the Read
permission and not the Write permission. Assign the Write permission only to
the group that contains users who need to change the spreadsheet.
12 Module 2: Group Policy

Security Templates

Introduction A security template is a collection of configured security settings. Windows

Server 2003 provides pre-defined security templates that contain the
recommended security settings for various situations.
Pre-defined security Microsoft has created pre-defined security templates that can be applied to
templates various server roles based on their security environments. The predefined
templates in Windows Server 2003 are descended from Windows 2000. These
templates provide variants for domain controllers and workstations. Although
they do not address computers based on their role, they are a good starting point
for customizing templates for various security needs.

Note The predefined templates that come with Windows Server 2003 do not
address different member server roles. For example, no templates are available
for IIS or IAS.

Windows Server 2003 provides the following predefined templates:

! Default Security (Setup security.inf)
! Domain Controller Default Security (DC security.inf)
! Compatible (Compatws.inf)
! Secure (Securedc.inf and Securews.inf)
! Highly Secure (Hisecdc.inf and Hicecws.inf)
! System Root Security (Rootsec.inf)
 Module 2: Group Policy 13

Server 2003 Security The Windows 2003 Security Guide includes a much more comprehensive set of
Guide templates templates. The Security Guide provides standardized settings for the three
classes of environments: Legacy Client, Enterprise Client, and High Security.
Each environment has separate templates for a variety of server roles. Security
templates contained in the Windows Server Security Guide provide hardening
information based on the role of the server. For example, there are templates for
legacy client file servers, enterprise client file servers, and high-security file
servers.
The roles addressed by the Security Guide templates are:
! Domain controllers, which include Domain Name System (DNS) services
! Infrastructure server roles that include:
• Windows Internet Name Service (WINS)
• Dynamic Host Configuration Protocol (DHCP)
! File servers
! Print servers
! Internet Information Services (IIS)
! Internet Authentication Server (IAS)
! Certificate Services servers
! Bastion hosts

Windows XP Security Windows XP is one of the client operating systems that you can use with
Guide templates Windows Server 2003. The Windows XP Security Guide includes a
comprehensive set of client security templates. The Security Guide provides
standardized settings for three classes of environments: Enterprise Clients, High
Security, and stand-alone environments:
! Enterprise Client (Desktop.inf)
! Enterprise Client (Laptop.inf)
! High Security (Desktop.inf)
! High Security (Laptop.inf)
! Legacy Enterprise (Account.inf)
! Legacy Enterprise Client (Desktop.inf)
! Legacy Enterprise Client (Laptop.inf)
! Legacy High Security (Account.inf)
! Legacy High Security (Desktop.inf)
! Legacy High Security (Laptop.inf)

Industry security Organizations such as the Computer Incident Advisory Capability (CIAC), the
templates SANS (SysAdmin, Audit, Network, Security) Institute, and the National
Security Agency (NSA) offer templates for various purposes and with varying
degrees of support. For example, the NSA provides templates that are required
for Department of Defense (DOD) computers and that meet their strict security
policy requirements. These templates are usually not supported by the provider,
and they are not supported by Microsoft either. These templates include
documentation that describes how to use the template, what its purpose is, and
how it should be applied.
14 Module 2: Group Policy

The following table contains URLs for the organizations mentioned above.
Organization URL

Computer Incident Advisory Capability (CIAC) http://ciac.llnl.gov/ciac/

SANS (SysAdmin, Audit, Network, Security) Institute http://www.sans.org
National Security Agency (NSA) http://www.nsa.org

Custom security Not all computers fit exactly into a specific role, such as a DHCP server or a
templates WINS server. Many medium-sized organizations use servers that perform
multiple roles.
In such cases, you might not have a security template that matches the roles
performed by the server. You can, however, create custom security templates to
match the roles the computer performs. For example, you can create a custom
template for a branch office domain controller that is also a DHCP and WINS
server.
 Module 2: Group Policy 15

OU Design for Security

Introduction Security templates can be implemented through scripting, command line tools,
or Group Policy. Group Policy is the recommended method for deploying
security templates.
Creating an OU You should create an OU structure that represents the different roles and
structure for security configurations required by servers and client computers. One example of an OU
templates structure is shown below.
16 Module 2: Group Policy

Once you have created your OU structure, follow the steps listed below:
1. Identify the security template that most closely matches the configuration
required by client computers or servers.
2. Create a new Group Policy object for each security template you will be
using.
3. In the new Group Policy object, import the security template.
4. If necessary, modify the GPO to add any additional security settings.
5. Link the new GPO to the appropriate OU.
6. Move computer objects for client computers and servers to the appropriate
OU.
 Module 2: Group Policy 17

Classroom Practice: Applying a Security Template

Introduction In this classroom practice, follow your instructor’s lead to:

! Create a new GPO.
! Import a security template.
18 Module 2: Group Policy

Using Group Policy to Control the User Environment

Introduction Managing user environments means controlling what users can do when they
are logged on to the network. You do this by controlling their desktops,
network connections, and user interfaces through Group Policy. You manage
user environments to ensure that users have what they need to perform their
jobs, but that they cannot corrupt or incorrectly configure their environments.
Tasks you can perform When you centrally configure and manage user environments, you can perform
with Group Policy the following tasks:
! Manage users and computers.
By managing user desktop settings with registry-based policies, you ensure
that users have the same computing environments even if they log on from
different computers. You can control how Microsoft Windows Server 2003
manages user profiles, which includes how a user’s personal data is made
available. By redirecting user folders from the user’s local hard disks to a
central location on a server, you can ensure that the user’s data is available
to them regardless of the computer they log on to.
! Deploy software.
Software is deployed to computers or users through the Active Directory
directory service. Using software deployment, you can ensure that users
have the required programs, service packs, and hot fixes.
 Module 2: Group Policy 19

! Enforce security settings.

By using Group Policy in Active Directory, the systems administrator can
centrally apply the security settings required to protect the user
environment. In Windows Server 2003, you can use the Security Settings
extension in Group Policy to define the security settings for local and
domain security policies.
! Enforce a consistent desktop environment.
Group Policy settings provide an efficient way to enforce standards, such as
logon scripts and password settings. For example, you can prevent users
from making changes to their desktops that may make their user
environments more complex than necessary.

Additional reading For more information about desktop management, see:

! “Windows 2000 Desktop Management Overview” at
http://www.microsoft.com/windows2000/techinfo/howitworks/
management/ccmintro.asp.
! “Introduction to Windows 2000 Group Policy” at
http://www.microsoft.com/windows2000/techinfo/howitworks/
management/grouppolicyintro.asp.
! The Group Policy newsgroup at http://www.microsoft.com/
windows2000/community/newsgroups/.
20 Module 2: Group Policy

GPO Settings to Control the User Environment

Introduction You can enforce Group Policy settings for computers and users by using the
Computer Configuration and User Configuration features in Group Policy.
User Configuration Group Policy settings for users include specific operating system behavior,
desktop settings, security settings, assigned and published application options,
application settings, folder redirection options, and user logon and logoff
scripts. User-related Group Policy settings are applied when users log on to the
computer and during the periodic refresh cycle.
Group Policy settings that customize the user’s desktop environment or enforce
lockdown policies can be found under User Configuration in Group Policy
Object Editor.
Software settings for The Software Settings folder under User Configuration contains software
user configuration settings that apply to users regardless of which computer they log on to. This
folder also contains software installation settings, and it might contain other
settings placed there by independent software vendors (ISVs).
Windows settings for The Windows Settings folder under User Configuration contains Windows
user configuration settings that apply to users regardless of which computer they log on to. This
folder also contains the following items: Folder Redirection, Security Settings,
and Scripts.
Computer configuration Group Policy settings for computers include operating system behavior, desktop
behavior, security settings, computer startup and shutdown scripts, computer-
assigned application options, and application settings. Computer-related Group
Policy settings are applied when the operating system initializes and during the
periodic refresh cycle. In general, computer-related Group Policy settings take
precedence over conflicting user-related Group Policy settings. Group Policy
settings that customize the desktop environment for all users of a computer or
that enforce security policies on a network’s computers are contained under
Computer Configuration in Group Policy Object Editor.
 Module 2: Group Policy 21

Software settings for The Software Settings folder under Computer Configuration contains software
computer configuration settings that apply to all users who log on to the computer. This folder contains
software installation settings, and it may contain other settings placed there by
ISVs.
Windows settings for The Windows Settings folder under Computer Configuration contains Windows
computer configuration settings that apply to all users who log on to the computer. This folder also
contains the following items: Security, Settings, and Scripts.
Security settings for Security settings are available under the Windows Settings folder under
user and computer Computer Configuration and User Configuration in the Group Policy Object
configuration Editor. Security settings and security policies are rules that you configure on a
computer or multiple computers that protect resources on a computer or
network. With security settings, you can specify the security policy of an
organizational unit, domain, or site.
Additional reading For more information about extending Group Policy, see "Advanced methods
of extending Group Policy" at http://www.microsoft.com/technet/treeview/
default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/server/
sag_SPconcepts_30.asp.
22 Module 2: Group Policy

Software Restriction Policies

Introduction An organization's network faces many threats, most notably viruses and worms.
However, hostile code is not the only threat—many nonmalicious software
applications also cause problems. Any software not known and supported by an
organization can conflict with other applications or change crucial configuration
information. To address this problem, software restriction policies were
designed to help organizations control not just hostile code, but any unknown
code—malicious or otherwise.

Note You can use software restriction policies to manage only the clients that
run Windows XP and Windows Server 2003.

Four rules identify The purpose of a rule is to identify one or more software applications and
software specify whether they are allowed to run. Creating rules largely consists of
identifying software that are an exception to the default rule. Each rule can
include descriptive text to help communicate why the rule was created.
A software restriction policy supports the following four ways to identify
software:
! Hash—A cryptographic fingerprint of the file
! Certificate—A software publisher certificate used to digitally sign a file
! Path—The local or universal naming convention (UNC) path of where the
file is stored
! Zone—Internet zone

Hash rule A hash rule is a cryptographic fingerprint that uniquely identifies a file
regardless of where it is accessed or what it is named. An administrator may not
want users to run a particular version of a program. This may be the case if the
program has security or privacy bugs or if it compromises system stability.
With a hash rule, software can be renamed or moved to another location on a
disk, but it will still match the hash rule because the rule is based on a
cryptographic calculation involving the contents of the file.
 Module 2: Group Policy 23

Certificate rule A certificate rule specifies a code-signing, software publisher certificate. For
example, a company can require that all scripts and ActiveX controls be signed
with a particular set of publisher certificates. Certificates used in a certificate
rule can be issued from a commercial certificate authority (CA) such as
VeriSign, a Windows 2000/Windows Server 2003 PKI, or a self-signed
certificate.
A certificate rule is a strong way to identify software because it uses signed
hashes contained in the signature of the signed file to match files, regardless of
name or location. If you wish to make exceptions to a certificate rule, you can
use a hash rule to identify the exceptions.
Path rule A path rule can specify a folder or fully qualified path to a program. When a
path rule specifies a folder, it matches any program contained in that folder and
any programs contained in subfolders. Both local and Universal Naming
Convention (UNC) paths are supported.

Using environment variables in path rules. A path rule can use environment
variables. Because path rules are evaluated in the client environment, the ability
to use environment variables (e.g., %WINDIR%) allows a rule to adapt to a
particular user's environment.

Registry path rules. Many applications store paths to their installation folders
or application directories in the Windows registry. You can create a path rule
that looks up these registry keys. For example, some applications can be
installed anywhere on the file system. These locations may not be easily
identifiable by using specific folder paths, such as C:\Program Files\Microsoft
Platform SDK, or environment variables, such as %ProgramFiles%\Microsoft
Platform SDK. If the program stores its application directories in the registry,
you can create a path rule that will use the value stored in the registry, such as
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PlatformSDK\
Directories\Install Dir%.
Zone rule A rule can identify software from the Microsoft Internet Explorer zone from
which it was downloaded. These zones are:
! Internet
! Intranet
! Restricted sites
! Trusted sites
! My Computer
24 Module 2: Group Policy

Administrative Templates

Introduction A large majority of the GPO settings are merely registry changes. These
registry settings are configured and organized into Administrative templates,
which can be customized to modify almost any registry entry.
Default templates Every GPO has a set of default templates that configures different aspects of the
registry. Administrative templates have an .adm extension, which makes them
easy to distinguish. The default ADM templates that are loaded into every GPO
include:
! Netmeeting settings (Conf.adm)
! Internet Explorer restriction settings (Inetres.adm)
! System settings (System.adm)
! Windows Media Player settings (Wmplayer.adm)
! Windows Update settings (Wuau.adm)

Other default ADM templates that are not loaded into a GPO by default
include:
! Legacy Windows NT system policy template (Common.adm)
! Internet Explorer corporate settings (Inetcorp.adm)
! Internet Explorer settings (Inetset.adm)
! Legacy Windows 9x system policy template (Windows.adm)
! Legacy Windows NT system policy template (Winnt.adm)
 Module 2: Group Policy 25

Office .adm templates The policy template files provided with the Office Resource Kit enable you to
set policies globally for Microsoft Office users connected to a network. By
using these global policies, an administrator can quickly enforce a particular
user configuration on client computers when users, groups, or computers log on
to the network.
The following .adm templates are installed in the Windows\INF directory when
the Office Resource Kit is installed.
! Microsoft Office Access 2003 template (Access11.adm)
! Microsoft Office Excel 2003 template (Excel11.adm)
! Microsoft Office FrontPage® 2003 template (FP11.adm)
! Microsoft Clip Organizer template (GAL11.adm)
! Microsoft Office InfoPath™ 2003 template (INF11.adm)
! Microsoft Office Publisher 2003 template (PUB11.adm)
! Microsoft Office 2003 general template (OFFICE11.adm)
! Microsoft Office OneNote™ 2003 template (ONENT11.adm)
! Microsoft Office Outlook® 2003 template (OUTLK11.adm)
! Microsoft Office PowerPoint® 2003 template (PPT11.adm)
! Microsoft Office Word 2003 template (WORD11.adm)

Note The Office Resource Kit (ork.exe) is available for download at

http://www.microsoft.com/office/ork/2003.

Custom templates Some registry settings are not configured on any of the templates; however, you
still need to centrally configure and deploy the settings. In this case, you can
create your own custom Administrative template and import it into a GPO for
deployment. The key items that need to be included in a custom Administrative
template include:
! Handle key: This will either by HKEY_Local_Machine or
HKEY_Current_User.
! Registry path: This is the path to the value that you need to modify in the
registry. The path in this case will not include the Handle Key, nor the value
itself.
! Valuename: This is the value name that the registry will understand. You
cannot make up names, they must be supported by the operating system. If
you make up names, you might corrupt the registry, which will result in a
Stop Error.
! Value type: This is extremely important; it is the type of value required by
the valuename. The value type will be one of the following:
• DWORD (4 bytes)
• BINARY (16 bits)
• SZ (text string)
• MULTI_SZ (multiple-line string)
• EXPAND_SZ (expandable string that contains a variable such as
%systemroot%)
26 Module 2: Group Policy

Adding Administrative After you have created a custom template or altered a default template, the
templates process of adding it to a GPO is simple. In the GPO editor, go down to the
Administrative Templates portion, either under the Computer Configuration or
the User Configuration. Regardless of the details within the administrative
template, you can add through either node. Right click on the Administrative
Template node and click Add/Remove Template. You will then be shown a list
of existing templates. Click the Add button and then select the template that you
created or modified. After adding the template to the GPO, simply expand the
Administrative Template section to see your new settings.
 Module 2: Group Policy 27

Overview of the Software Deployment Process

Introduction When you deploy software, you are specifying how applications are installed
and maintained within your organization.
Process To use Group Policy to deploy new software, you perform the following tasks:
1. Create a software distribution point on which to place the package file and
any related installation files. A software distribution point is a shared folder
on your server that contains the package files for deploying software.
Windows Installer packages and software files must be available on a
software distribution point so that when software is installed on a local
computer, files are copied from this point to the computer. Keeping the files
for each application together simplifies administration.
2. Use a GPO to deploy software. You need to create or make necessary
changes to a GPO for the container in which you want to deploy the
application. You can configure the GPO to deploy software for a user
account or a computer account. This task also includes selecting the type of
deployment that you need.
3. Change the software deployment properties that were set during the initial
deployment of software, if required.
28 Module 2: Group Policy

Assigning Software vs. Publishing Software

Introduction You deploy software to make sure that users have all of the applications they
need installed or available on their computers. The two deployment types are
assigning software and publishing software.
Why assign software? By assigning software packages, you ensure that the software is always
available to the user. Start menu shortcuts and desktop icons for the application
appear when the user logs on. Users are then able to access the software they
need from any computer to which they log on. If the user starts a file that uses
Microsoft Excel on a computer that does not have Excel, and Excel has been
assigned to the user, Excel will be installed on that computer when the user
activates the file.
In addition, assigning makes the software resilient. If for any reason the user
deletes the software, it will be reinstalled the next time the user logs on and
activates the application.
Why publish software? By publishing software, you ensure that the software is available for users to
install on their computers. No shortcuts are added to the user’s desktop or Start
menu, and no local registry entries are made. Because users must install the
published software, you can publish software only to users, not to computers.
 Module 2: Group Policy 29

Methods for assigning You can assign or publish software using one of the methods in the following
and publishing software table.
Deployment
method Method 1 Method 2

Assign During user configuration. When During computer configuration.

you assign software to a user, the When you assign software to a
software is advertised on the computer, no advertising takes
user’s desktop. Although the place. Instead, when the
application is advertised when computer starts up, the software
the user logs on, installation does is installed automatically. By
not begin until the user double- assigning software to a computer,
clicks either the application’s you can ensure that certain
icon or a file type associated with applications are always available
the application, which is a on that computer, regardless of
method called document who is using it. However,
activation. If the user does not assigning software to a computer
activate the application by using does not work if the computer is
one of these methods, the a domain controller.
software will not be installed,
thus saving hard disk space and
time.
Publish Using Add or Remove Programs. Using document activation.
A user can open Control Panel When an application is published
and double-click Add or in Active Directory, the file name
Remove Programs to display the extensions for the documents that
set of applications available. The it supports are registered in
user can then select the desired Active Directory. If a user
application and click Add. double-clicks an unknown file
type, the computer sends a query
to Active Directory to determine
whether there are any
applications associated with the
file name extension. If Active
Directory contains such an
application, the computer installs
it.
30 Module 2: Group Policy

Group Policy Best Practices

Introduction Planning Group Policy involves creating an OU structure, creating GPOs, and
linking GPOs to the appropriate OUs. You might also configure additional
settings such as delegation or enforcement.
Group Policy planning Use the following tips to help you plan Group Policy.
tips
! Create as few GPOs as possible. The more GPOs a computer or user has to
process, the longer the boot or logon will to take. In addition, having a large
number of GPOs makes troubleshooting difficult.
! If a GPO is used strictly for user or computer configuration settings, disable
the unused portion of the GPO.
! Limit the use of enforcement and block inheritance.
! Use the GPMC to create documentation and regular backups of your GPO
settings.
! When linking GPOs, try to link each GPO to only one site, domain, or OU.
 Module 2: Group Policy 31

Lab 2: Controlling the User Environment

Introduction After completing this lab, you will be able to:

! Deploy an application using GPOs.
! Control computer security using security templates and GPOs.
! Control the user environment using GPOs.
! View the effects of application deployment and a controlled user
environment.

Note This lab focuses on the concepts in this module and as a result may not
comply with Microsoft security recommendations.

Prerequisites Before working on this lab, you must have:

! JumpStartDC1 and JumpStart_Client1 images for Virtual PC.

Estimated time to
complete this lab:
60 minutes
32 Module 2: Group Policy

Exercise 1
Deploying an Application Using Group Policy
In this exercise, you will use Group Policy to deploy an application.

Instructions
Ensure that you have started the JumpStartDC1 and Jumpstart_Client1 virtual
machines. Log on to the JumpStartDC1 virtual machine as administrator with
the password P@ssw0rd.

Scenario
You are the network administrator for Coho Winery. Users in the main office
will need to use Microsoft FrontPage 2003. To ensure that users have the
application available to them regardless of the computer they log on to, you use
Group Policy to deploy Microsoft FrontPage 2003 to users in the Winery OU.

! Create a new Group Policy object at the Winery OU to deploy

Microsoft FrontPage 2003
1. Ensure that you are logged on to JumpstartDC1 as Administrator with a
password of P@ssw0rd.
2. Click Start, click Administrative Tools, and click Group Policy
Management.
3. In the Group Policy Management Console, expand
Forest:Cohowinery.com, expand Domains, and expand cohowinery.com.
4. Right-click Winery and click Create and Link a GPO Here.
5. In the New GPO dialog box type FrontPage–Winery and click OK.
6. In the console tree, expand Winery, right-click FrontPage-Winery, and
click Edit.

! Assign the application to users in the Winery OU

1. In Group Policy Object Editor, in the User Configuration node, expand
Software Settings.
2. Right-click Software installation, point to New, and click Package.
3. In the Open dialog box, type \\DC1\Frontpage\FP11N.MSI and then click
Open.
4. In the Deploy Software dialog box, click Assigned and then click OK.

! Add the .adm template to ensure FrontPage is deployed fully

configured
1. In Group Policy Object Editor, expand User Configuration, right-click
Administrative Templates, and then click Add/Remove Templates….
2. In the Add/Remove Templates box, click Add.
3. In the Policy Templates dialog box, click FP11.ADM and then click Open.
4. In the Add/Remove Templates box, click Close.
 Module 2: Group Policy 33

! Configure Microsoft FrontPage 2003 settings

1. In the console tree, expand User Configuration, expand Administrative
Templates, and then expand Microsoft Office FrontPage 2003.
2. Under Microsoft Office FrontPage 2003, click New Page or Web Links
and then, in the details pane, double-click Custom Link #1.
3. In the Custom Link #1 Properties dialog box, click Enabled.
4. In the Display Name box, type CohoWinery
5. In the Full path including filename (required) box, type
http://www.cohowinery.com and click OK.
6. Close Group Policy Object Editor.
7. Close Group Policy Management.
34 Module 2: Group Policy

Exercise 2
Securing a Client Computer
In this exercise, you will control security of a Windows XP client by deploying
a predefined security template to the client.

Scenario
To comply with your organizational security requirements, you will deploy the
High Security Template for a Windows XP Desktop from the Windows XP
Security Guide.

! Create a Group Policy to apply the security template

1. Ensure that you are logged on to JumpstartDC1 as Administrator with a
password of P@ssw0rd.
2. Click Start, click Administrative Tools, and click Group Policy
Management.
3. In the Group Policy Management Console, expand
Forest:Cohowinery.com, expand Domains, expand cohowinery.com, and
expand Winery.
4. Right-click Desktops-XP and then click Create and Link a GPO Here.
5. In the New GPO dialog box, type XP Desktop High Security and then
click OK.
6. In the console tree, expand Desktops-XP, right-click XP Desktop High
Security, and then click Edit.

! Configure the GPO with the High Security Template

1. In Group Policy Object Editor, navigate to the Computer Configuration
node, expand Windows Settings, right-click Security Settings, and then
click Import Policy.
2. In the Import Policy From dialog box, set the Look in box to C:\Security
Templates, click High Security – Desktop.inf, and then click Open.
3. Close Group Policy Object Editor.

! Move the Client1 computer into the Desktops-XP OU

1. Click Start, click Administrative Tools, and click Active Directory Users
and Computers.
2. Expand cohowinery.com and click the Computers container.
3. In the details pane, right-click Client1 and then click Move.
4. In the Move dialog box, expand Winery, click Desktops-XP, and then click
OK.
5. Close Active Directory Users and Computers.
 Module 2: Group Policy 35

Exercise 3
Controlling the User Environment
In this exercise, you will use Group Policy to control the user environment.

Scenario
You want to ensure that users in your organization only have their needed
desktop environment and are unable to run applications that pose a threat to
network security and productivity.

! Create a Group Policy object for controlling the user environment

1. Ensure that you are logged on to JumpstartDC1 as Administrator with a
password of P@ssw0rd.
2. In Group Policy Management, expand Forest:Cohowinery.com, expand
Domains, expand cohowinery.com, and expand Winery.
3. In the console tree, right-click Winery and click Create and Link a GPO
Here.
4. In the New GPO dialog box, type User Environment and click OK.
5. In the console tree, expand Winery, right-click User Environment, and
then click Edit.

! Configure software restrictions in the user environment GPO

1. In Group Policy Object Editor, navigate to the User Configuration node,
expand Windows Settings, and expand Security Settings.
2. In the console tree, right-click Software Restriction Policies and click New
Software Restriction Policies.
3. In the console tree, expand Software Restriction Policies and then click
Additional Rules.
4. In the console tree, right-click Additional Rules and click New Path Rule.
5. In the New Path Rule dialog box, in the Path box, type application.exe, set
the Security Level box to Disallowed, and then click OK.
6. In the console tree, right-click Additional Rules and then click New Hash
Rule.
7. In the New Hash Rule dialog box, click Browse.
8. In the Open dialog box, set the Look in box to c:\windows\system32, in
the File name box, type sol.exe, and then click Open.
9. In the New Hash Rule dialog box, verify that the Security Level box is set
to Disallowed, and then click OK.
36 Module 2: Group Policy

! Restrict the user environment

Note These settings only represent a very small portion of the settings that
should and could be used to control the user environment.

1. In Group Policy Object Editor, under the User Configuration node,

expand Administrative Templates and click Control Panel.
2. In the details pane, double-click Prohibit access to the Control Panel.
3. In the Prohibit Access to the Control Panel Properties dialog box, click
Enabled and then click OK.
4. In the console tree, under the User Configuration node, expand
Administrative Templates and click System.
5. In the details pane, double-click Prevent access to the command prompt.
6. In the Prevent Access to the command prompt Properties dialog box,
click Enabled and then click OK.
7. In the details pane, double-click Prevent access to registry editing tools.
8. In the Prevent access to registry editing tools Properties dialog box, click
Enabled and click OK.
9. In the console tree, under the User Configuration node, expand
Administrative Templates and click Start menu and Taskbar.
10. In the details pane, double-click each of the following items, click Enabled,
and then click OK.
a. Remove common program groups from Start Menu
b. Remove Network Connections from Start Menu
c. Remove Run menu from Start Menu
d. Remove and prevent access to the Shut Down command
11. Close Group Policy Object Editor.
12. Close Group Policy Management.
 Module 2: Group Policy 37

Exercise 4
Experiencing the Effects of your GPO settings
In this exercise, you will log on to see how GPOs affect users and computers.

Instructions
Start the JumpStart_Client1 virtual machine if it is not already started.

Scenario
You have implemented GPOs to deploy software, secure the computer, and
control the user environment.

! Experience the effects of the GPO settings as an Administrator

1. Log on to Client1 as Administrator with a password of P@ss0wrd.
2. Click Start, point to All Programs, point to Games, and then click
Solitaire.
3. Play a quick game before the instructor catches you.
4. Log off as Administrator.

! Experience the effects of the GPO settings as a user

1. Log on to Client1 as Bsmith with a password of P@ssw0rd.
2. Click Start, point to All Programs, and notice that you have no shortcut for
Games or for Solitaire. You also do not have access to the Run command.
3. Right-click on free area on the Desktop and click Properties. Notice that
you are not allowed to access your desktop properties.

! Experience the effects of application deployment

1. Click Start, point to All Programs, point to Microsoft Office, and click
Microsoft FrontPage 2003.

Note The Microsoft FrontPage version used for the demonstration is an

evaluation version—the full product does not require a serial number from the
end user.

2. On the Product Key page, type VF33W-46HBT-MH4X4-4RMR9-

DTM2Q for the serial number and then click Next.
3. Follow the wizard, accepting all defaults and the License Agreement.
4. Close Microsoft FrontPage2003.
38 Module 2: Group Policy

Summary

Summary ! Introduction to Group Policy

! Using Group Policy for Organizational Control
! Lab 2: Controlling the User Environment
 Module 2: Group Policy 39

Clinic Evaluation

Your evaluation of this clinic will help Microsoft understand the quality of your
learning experience.
At a convenient time before the end of the clinic, please complete a clinic
evaluation, which is available at http://www.CourseSurvey.com.
Microsoft will keep your evaluation strictly confidential and will use your
responses to improve your future learning experience.
THIS PAGE INTENTIONALLY LEFT BLANK