1
Group Policy – Tips, Tricks and Best Practices
John Howard IT Pro Evangelist, Microsoft UK.
2
Agenda
Planning / Building / Testing / Deploying
Specific Group Policy “Features”
Troubleshooting
3
Recommended Reading
Group Policy, Profiles and IntelliMirror for Windows Server 2003, Windows 2000 and Windows XP, by Jeremy Moskowitz
4
Quick Refresh
By default, how often does Group Policy initiate a refresh after a user has logged on?
Does the version number between the AD and Sysvol parts of the GPO need to match in order for Group Policy to apply?
What is the biggest .adm file?
5
Planning OU Design
Why create OUs? Segment by role: domain controllers, computers, users
Redirect the default OU for new accounts: redirusr.exe and redircmp.exe [1]
Use delegation of administration: Create/Update/Link GPOs
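The container redirection this slide recommends, as an added example (PowerShell, not from the presentation): it creates staging OUs, redirects the well-known Users and Computers containers with the two tools the slide names, and verifies the result. The OU names are placeholders chosen for the example; it assumes the ActiveDirectory module, a domain-admin session on a DC, and a domain functional level of Windows Server 2003 or higher, which redirusr/redircmp require.

```powershell
# Added example (not from the presentation): redirect the default containers
# for new user and computer accounts to staging OUs, then verify.
# OU names are placeholders. Run once, on a DC, as a domain admin.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName

# Create the staging OUs if they do not exist yet
foreach ($ou in 'Staging Users', 'Staging Computers') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDN)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN
    }
}

# Redirect the well-known containers (the tools named on the slide)
redirusr "OU=Staging Users,$domainDN"
redircmp "OU=Staging Computers,$domainDN"

# Verify: Get-ADDomain exposes the current well-known container DNs
Get-ADDomain | Select-Object UsersContainer, ComputersContainer
```

New accounts created without an explicit path (for example by a pre-Windows 2000 join or a script that omits the OU) then land in OUs you can link GPOs to, instead of the default containers, which cannot carry GPO links.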
6
Planning GPO Design
Normalise GPOs – GP Common Scenarios [2]
Naming conventions: clear purpose and intent; 3-token string Scope/Purpose/Managed By, e.g. WW-Outlook-OTG
What about the number of GPOs? MYTH: fewer GPOs = better performance. FACT: the number of settings is more important.
7
Planning GPO Design
Avoid cross-domain GPO links: performance overhead; alternative – GPMC scripts
Use the following sparingly: Enforce (No Override), Block Inheritance, Loopback
Keep it simple
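An audit for the two preceding slides, as an added example (PowerShell, not from the presentation): it flags GPO names that do not follow the 3-token Scope-Purpose-ManagedBy convention, and lists every enforced link, blocked-inheritance OU and cross-domain link so the "use sparingly" items are visible. It assumes the GroupPolicy and ActiveDirectory modules (RSAT) in a domain-joined admin session; the regular expression for the naming convention is an assumption to adjust to the local standard.

```powershell
# Added example, not from the presentation: audit GPO names and link usage
# against the conventions on the two GPO design slides. Assumes the
# GroupPolicy and ActiveDirectory modules (RSAT) in a domain-joined session.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 3-token naming convention, Scope-Purpose-ManagedBy, e.g. WW-Outlook-OTG.
# The token pattern is an assumption; adjust it to the local standard.
$namePattern = '^[A-Za-z0-9]+-[A-Za-z0-9 ]+-[A-Za-z0-9]+$'

# 1. GPOs whose display name does not follow the convention
$badNames = Get-GPO -All -Domain $domain.DNSRoot |
    Where-Object { $_.DisplayName -notmatch $namePattern } |
    Select-Object DisplayName, Id

# 2. Enforced links, blocked inheritance and cross-domain links on the domain
#    root and every OU: the items the slide says to use sparingly
$targets  = @($domain.DistinguishedName) +
            @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
$findings = foreach ($target in $targets) {
    $inh = Get-GPInheritance -Target $target -Domain $domain.DNSRoot
    if ($inh.GpoInheritanceBlocked) {
        [pscustomobject]@{ Target = $target; Finding = 'Block Inheritance'; Gpo = '' }
    }
    foreach ($link in $inh.GpoLinks) {
        if ($link.Enforced) {
            [pscustomobject]@{ Target = $target; Finding = 'Enforced (No Override) link'; Gpo = $link.DisplayName }
        }
        # GpoDomainName is the DNS name of the domain that owns the linked GPO
        if ($link.GpoDomainName -ne $domain.DNSRoot) {
            [pscustomobject]@{ Target = $target; Finding = 'Cross-domain link'; Gpo = $link.DisplayName }
        }
    }
}

'GPOs not matching the naming convention:'
$badNames | Format-Table -AutoSize
'Link findings:'
$findings | Format-Table -AutoSize
```

The two default GPOs (Default Domain Policy, Default Domain Controllers Policy) will always be listed under the naming check; exclude them by name if the report is fed into change control. Every cross-domain link it reports is a candidate for replacement with a copy of the GPO made by the GPMC scripts, which is the alternative the slide names.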
8
Planning GPO Design – WMI Filters
Windows XP and Windows Server 2003 only
Performance hit
Limit to known lifetime if possible
Scriptomatic [3]
9
Planning: Deployment
Test, Stage, Production, Validate – the right thing to do
Pilot significant changes… but not just with IT staff!
Use GPMC features to assist [4]: sample scripts, e.g. CreateXMLFromEnvironment and CreateEnvironmentFromXML; documentation – HTML or XML reports; Backup/Copy/Import functions; Modelling
11
Planning Disaster Recovery
Group Policy can affect every computer and user
Authoritative Restore is not nice! GPMC Backup and Restore is.
Consider a scripted solution
Secure your backup location
Test your restore
12
Planning Disaster Recovery
What is not backed up, and why: these are characteristics of other objects in Active Directory – IPSec settings, WMI filters, GPO links
Use Active Directory backup or a scripted solution
DCGPOFix – never use!
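A scripted backup covering the deployment slide (backup, documentation reports) and the two disaster-recovery slides, as an added example (PowerShell, not from the presentation): it backs up every GPO with the GPMC backup function, writes an HTML report of all GPOs, separately records the GPO links and WMI filters that the GPO backup does not contain, and tests a restore by importing one backup into an unlinked throw-away GPO. It assumes the GroupPolicy and ActiveDirectory modules; the backup share path is a placeholder and should be locked down to the GP administrators, as the slide advises.

```powershell
# Added example (not from the presentation): scripted GPO backup that also
# records what the GPMC backup omits (links, WMI filters). Assumes the
# GroupPolicy and ActiveDirectory modules; paths are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain
$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
# Backup location (placeholder): restrict its NTFS ACL to GP administrators
$root   = "\\backupserver\gpobackups\$stamp"
New-Item -ItemType Directory -Path $root -Force | Out-Null

# 1. GPO contents (AD part and sysvol part) via the GPMC backup function
Backup-GPO -All -Domain $domain.DNSRoot -Path $root |
    Select-Object DisplayName, GpoId, Id, BackupDirectory |
    Export-Csv -Path "$root\manifest.csv" -NoTypeInformation

# 2. Human-readable documentation of every GPO
Get-GPOReport -All -Domain $domain.DNSRoot -ReportType Html -Path "$root\AllGPOs.html"

# 3. GPO links are properties of the OU/domain objects, not of the GPO,
#    so record them separately (domain root plus every OU)
$targets = @($domain.DistinguishedName) +
           @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
$targets | ForEach-Object {
    $inh = Get-GPInheritance -Target $_
    foreach ($l in $inh.GpoLinks) {
        [pscustomobject]@{
            Target = $_; Gpo = $l.DisplayName; GpoId = $l.GpoId
            Enabled = $l.Enabled; Enforced = $l.Enforced; Order = $l.Order
            InheritanceBlocked = $inh.GpoInheritanceBlocked
        }
    }
} | Export-Csv -Path "$root\links.csv" -NoTypeInformation

# 4. WMI filters live as msWMI-Som objects under CN=SOM,CN=WMIPolicy,CN=System;
#    msWMI-Parm2 holds the WQL query
$somContainer = "CN=SOM,CN=WMIPolicy,CN=System,$($domain.DistinguishedName)"
Get-ADObject -SearchBase $somContainer -Filter 'objectClass -eq "msWMI-Som"' `
    -Properties 'msWMI-Name', 'msWMI-Parm1', 'msWMI-Parm2' |
    Select-Object Name,
                  @{ n = 'FilterName';  e = { $_.'msWMI-Name' } },
                  @{ n = 'Description'; e = { $_.'msWMI-Parm1' } },
                  @{ n = 'Query';       e = { $_.'msWMI-Parm2' } } |
    Export-Csv -Path "$root\wmifilters.csv" -NoTypeInformation

# 5. Test the restore without touching the live object: import one backup
#    into a new, unlinked GPO and inspect it in GPMC
$sample = (Import-Csv "$root\manifest.csv" | Select-Object -First 1).DisplayName
Import-GPO -BackupGpoName $sample -Path $root -TargetName "RestoreTest-$sample" -CreateIfNeeded | Out-Null
```

Restore-GPO would overwrite the production GPO in place, which is why the test restore imports into a separate target instead; delete the RestoreTest GPO once checked. IPSec policies are likewise AD objects of their own and need to come from the AD backup, as the slide states.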
13
Planning Group Policy Dependencies
DNS misconfiguration [5]
File Replication Service [6]: Sonar, Ultrasound
Policies directory – sysvol: don’t change ACLs or contents manually; don’t delete (“my disk was full”); only use supported tools
14
Planning Group Policy Dependencies
ICMP: checking whether a DC is contactable; slow link detection
If ICMP is blocked, disable slow link detection
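A check for the FRS dependency on the previous slide, as an added example (PowerShell, not from the presentation): each GPO has a version number in its AD part and in its sysvol part, and when these disagree on a DC for longer than replication latency, sysvol (FRS) replication is the usual suspect rather than the GPO itself. The function compares the two for every GPO on every DC, and the last line reads the slow-link-detection value on the local machine for the ICMP case. It assumes the GroupPolicy and ActiveDirectory modules.

```powershell
# Added example (not from the presentation): compare the AD and sysvol
# version numbers of every GPO, per DC. Assumes the GroupPolicy and
# ActiveDirectory modules in a domain-joined admin session.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-GpoVersionConsistency {
    param(
        [Parameter(Mandatory)][string]$Server   # DC to query
    )
    Get-GPO -All -Server $Server | ForEach-Object {
        [pscustomobject]@{
            Gpo            = $_.DisplayName
            UserAD         = $_.User.DSVersion
            UserSysvol     = $_.User.SysvolVersion
            ComputerAD     = $_.Computer.DSVersion
            ComputerSysvol = $_.Computer.SysvolVersion
            Consistent     = ($_.User.DSVersion -eq $_.User.SysvolVersion) -and
                             ($_.Computer.DSVersion -eq $_.Computer.SysvolVersion)
        }
    }
}

# Query every DC so that replication lag shows up as per-DC differences
foreach ($dc in Get-ADDomainController -Filter *) {
    "== $($dc.HostName) =="
    Test-GpoVersionConsistency -Server $dc.HostName |
        Where-Object { -not $_.Consistent } |
        Format-Table -AutoSize
}

# Slow link detection (the ICMP dependency on the slide above): the policy
# "Configure Group Policy slow link detection" under Computer Configuration\
# Administrative Templates\System\Group Policy writes this value; 0 disables
# detection. Read the value currently in force on this machine:
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
    -Name GroupPolicyMinTransferRate -ErrorAction SilentlyContinue
```

A mismatch that appears on one DC only and clears after the next replication interval is normal; one that persists, or that shows on every DC, is the point at which the FRS tools the slide names (Sonar, Ultrasound) come in. The same mismatch also answers the Quick Refresh question on version numbers in practice: the client reads both halves, so a stale half means stale settings.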
15
So Many Policy Settings – Where Do I Start?
Policy Settings Reference Spreadsheet [7]
Consider the common scenarios
Think small – iterative deployment: security, OS/application configuration, IE Maintenance, software installation
16
Windows 2000 Domains – Fixing Mismatched ACLs
Windows 2000 domains created prior to SP4
Just let GPMC fix it for you
Relax – it is a very minor problem!
17
Domain Upgrades – Upgrading to Windows Server 2003
Impact on FRS replication traffic
For cross-domain GP Modelling, ACE on GPOs: only if the GPO existed before the WS2003 upgrade; to manage, use GrantPermissionOnGPO or GrantPermissionOnAllGPOs; alternative in Windows Server 2003 SP1
18
Cross-Forest Logon [8]
Forest is the security boundary
User from Forest A logs on to a machine in Forest B
Differences in behaviour depending on OS
Windows Server 2003, Windows XP from SP1, Windows 2000 from SP4: user policy settings come from Forest B (similar to loopback)
“Allow Cross-Forest User Policy and Roaming User Profiles” policy setting
19
Group Policy “Features”
Administrative Templates
Security
Machine and User Scripts
Folder Redirection
Resultant Set of Policy (RSoP)
Software Installation
GPMC Scripting
20
Features: Administrative Templates
What is an “adm” file? Zero role for a client; only for the administrative user interface
KB – “Recommendations for Managing Group Policy Administrative Template Files”
Superset principle from WS2003 RTM onwards
Historical .adm files available online
Never edit the OS-shipped .adm files
21
Features: Administrative Templates
Know the benefits of a “true policy” (as compared to preferences): security (local administrators); cleanup (if the GPO goes out of scope); IE changes in XP SP2
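The true-policy versus preference distinction on this slide comes down to where an .adm setting writes in the registry, and that can be checked mechanically. As an added example (PowerShell, not from the presentation), the script parses the KEYNAME of each POLICY in an .adm file and reports whether it lands under one of the two policy key roots (so it is removed when the GPO goes out of scope and is protected from local administrators) or elsewhere (so it tattoos the registry). The .adm text is constructed for the example and its key names are placeholders.

```powershell
# Added example (not from the presentation): classify the settings in an
# .adm file as true policies or preferences by their registry key.
# The sample .adm below is constructed; key names are placeholders.
$sampleAdm = @'
CLASS MACHINE
CATEGORY !!ExampleCat
  POLICY !!TruePolicy
    KEYNAME "Software\Policies\Example\App"
    VALUENAME "DisableFeature"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
  POLICY !!Preference
    KEYNAME "Software\Example\App"
    VALUENAME "SplashScreen"
    VALUEON NUMERIC 0
    VALUEOFF NUMERIC 1
  END POLICY
END CATEGORY
[strings]
ExampleCat="Example"
TruePolicy="Disable feature (true policy)"
Preference="Hide splash screen (preference)"
'@

# Keys the Group Policy engine treats as policy keys: values under these
# are cleaned up when the GPO no longer applies. Anything else tattoos.
$policyRoots = @(
    'Software\Policies\',
    'Software\Microsoft\Windows\CurrentVersion\Policies\'
)

function Get-AdmPolicyKind {
    param([string[]]$Lines)
    $class = ''; $policy = ''
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^CLASS\s+(\w+)')  { $class  = $Matches[1]; continue }
        if ($line -match '^POLICY\s+(\S+)') { $policy = $Matches[1]; continue }
        if ($line -match '^KEYNAME\s+"?([^"]+)"?') {
            $key  = $Matches[1]
            $kind = if ($policyRoots | Where-Object { $key -like "$_*" }) { 'True policy' }
                    else { 'Preference (tattoos)' }
            [pscustomobject]@{ Class = $class; Policy = $policy; Key = $key; Kind = $kind }
        }
    }
}

# Run on the constructed sample; pass (Get-Content some.adm) for a real file
Get-AdmPolicyKind -Lines ($sampleAdm -split "`r?`n") | Format-Table -AutoSize
```

Running it on the sample reports the first POLICY as a true policy and the second as a preference. The same check applied to a vendor-supplied .adm before it is loaded into a GPO tells you in advance which settings will remain on the machine after the GPO is unlinked.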
22
Features: Security Settings
Not always the highest security settings
In XP SP2, “dangerous” settings warnings [9]
24
Features: Security Settings
Domain-level policies [11]: account policies; rename or disable the Admin/Guest account; Kerberos
From W2K SP4 and XP SP2, you can add a domain group to a local group on a computer [12]
25
Features: Security Settings
Avoid modifying the default GPOs; unfortunately, some applications may expect it: user rights and password policy; applications may update these when installed on DCs
Replication to all DCs
Domain controller consistency: OU selection (don’t change); don’t use security filtering
26
Features: Machine/User Scripts
Async logon/logoff scripts: finish order
Startup scripts security context: access to both the script and the referenced resources
Local-only copy of the script
Consider environment variables
HKLM update rights for user scripts
Event log event sources: processing the GPO -> UserEnv; running a script -> UserInit
27
Features: Folder Redirection
Don’t pre-create folders
On Windows 2000, do not use folder redirection to the same machine used for roaming user profiles; fixed in Windows Server 2003
Application Data folder redirection: recommend not to
Cannot redirect to a mapped drive: folder redirection happens before the mapping of drives
28
Features: RSoP
No Group Policy Results data available for IPSec, Wireless and Disk Quota, or for Windows 2000 (can simulate)
Always simulated: slow link status, WMI filters, loopback
Modelling doesn’t know about the LGPO
Estimation
29
Features: Software Installation
Async policy processing: multiple reboots; Wait For Network At Computer Startup and Logon?
Machine assignment of software requires a reboot
Gotcha for MMCs
Limit security filtering
Remember the application administrators
30
Features: GPMC Scripting
The 32 sample scripts: building blocks; GPMC API samples; HTML or XML reports for documentation
31
Features: Miscellaneous…
Wireless: need to be on a wired network to get certificates for wireless policy (for 802.1x)
GPMC: drag a GPO across domains to an OU or domain and you get a cross-domain link (not a copy of the GPO); instead, drag to the Group Policy Objects node (note: no links will exist at this point)
32
Troubleshooting
Know your reporting options: Group Policy Modeling, Group Policy Results – proactive
Know your tools: with the operating system – GPUpdate (/force); WS 2003 Resource Kit – GPOTool, GPMonitor (push); Download Center – GPInventory (gather WMI/RSoP); Help and Support; Group Policy Troubleshooting Whitepaper [13]
Consider the GP Management Pack (GPMP) for MOM
33
Troubleshooting: Using the Local GPO (LGPO)
A good option if you don’t have access to change GPOs in a domain (not all settings will be available – software installation and folder redirection, for example)
Updating the LGPO on a domain-joined PC has no impact when using cached credentials
Read the Explain text for Admin Templates and the Help for Security Settings
Remember the /force switch
If you move a user/computer to a new OU, the change will not take place immediately (GetUserNameEx caches the location of a user/computer for 30 mins); reboot/logon to resolve
Consider using a Virtual PC – especially helpful for tattooing security settings; undo when done!
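A client-side first pass with the tools named on the two troubleshooting slides, as an added example (PowerShell, not from the presentation): a forced refresh, an RSoP report, the Group Policy engine events (Userenv and Userinit sources, as the Machine/User Scripts slide describes for Windows 2000/XP; the Vista-and-later operational log is read as well), and a check that the DC is resolvable and reachable on the two ports Group Policy needs. It is written for a modern client (gpresult /h, Resolve-DnsName and Test-NetConnection are not available on XP); the output folder is a placeholder.

```powershell
# Added example (not from the presentation): client-side Group Policy
# troubleshooting pass. Run in an elevated prompt on the affected machine.
# Output path is a placeholder.
$out = 'C:\Temp\gp-troubleshoot'
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 1. Force a refresh: re-applies all settings, not only changed GPO versions
gpupdate /force /wait:120

# 2. Resultant Set of Policy for the machine and the logged-on user
gpresult /h "$out\rsop.html" /f

# 3. Engine events. Windows 2000/XP: source Userenv (GPO processing) and
#    Userinit (script execution) in the Application log.
Get-EventLog -LogName Application -Newest 100 |
    Where-Object { $_.Source -in 'Userenv', 'Userinit' } |
    Select-Object TimeGenerated, Source, EntryType, EventID, Message |
    Export-Csv -Path "$out\userenv-events.csv" -NoTypeInformation

#    Vista and later moved processing events to a dedicated operational log
Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 100 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Export-Csv -Path "$out\gp-operational.csv" -NoTypeInformation

# 4. The DNS and connectivity dependencies from the planning slides: the
#    client must resolve the DC and reach it on LDAP (AD part of the GPO)
#    and SMB (sysvol part). No ICMP is needed for either.
$dc = $env:LOGONSERVER -replace '^\\\\', ''
Resolve-DnsName -Name $dc -Type A
Test-NetConnection -ComputerName $dc -Port 389
Test-NetConnection -ComputerName $dc -Port 445
```

If step 4 fails, the engine events in step 3 will typically show the "cannot find domain controller" or sysvol access errors that go with it, which points the investigation at DNS or replication (the dependency slides) rather than at the GPO contents. Remember the 30-minute location cache from the slide above when an OU move seems to have no effect: reboot or log off and on before reading too much into the report.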
34
We Want To Hear From You…
Please visit the new Windows Server Feedback site: “Help us improve Windows Server by providing us with your suggestions and ideas. All feedback submitted will be sent to the Windows Server Development Team for review and analysis. Your ideas can impact Windows Server in many ways, and might even be incorporated into new Service Packs, Feature Packs, or the next Windows Server release.”
35
References
1. Redirecting the Users and Computers Containers in Windows Server (KB)
2. Group Policy Common Scenarios Using GPMC
3. Scriptomatic Tool
4. Staging Group Policy Deployments (Chapter 3, Windows Server 2003 Deployment Kit – Designing a Managed Environment book)
5. Support Webcast: DNS in the Active Directory Part 2: Best Practices, Common Problems and Troubleshooting
6. Monitoring and Troubleshooting the File Replication Service (FRS) – includes Sonar and Ultrasound
7. Group Policy Settings Reference Spreadsheet (with history)
8. Cross Forest Logon, Loopback and User Policy Logon (KB)
9. Recommendations for Managing Group Policy Administrative Template Files (KB)
36
References
10. Client, Service and Program Incompatibilities That May Occur When Modifying Security Settings and User Rights Assignments (KB)
11. Threats and Countermeasures: Security Policy Settings in WS 2003 and XP
12. Adding Domain Groups to Local Machine Groups on Member Computers (KB)
13. Troubleshooting Group Policy with Windows Server
37
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.