
Group Policy for

Healthcare Desktop Management

Prepared by
Microsoft
Version 1.0.0.0 Baseline

First published
27 September 2007
Prepared by Microsoft

Copyright

This document and/or software (“this Content”) has been created in partnership with the National Health Service (NHS) in England. Intellectual Property
Rights to this Content are jointly owned by Microsoft and the NHS in England, although both Microsoft and the NHS are entitled to independently exercise
their rights of ownership. Microsoft acknowledges the contribution of the NHS in England through their Common User Interface programme to this Content.
Readers are referred to www.cui.nhs.uk for further information on the NHS CUI Programme.

All trademarks are the property of their respective companies. Microsoft and Windows are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries.

© Microsoft Corporation and Crown Copyright 2007

Disclaimer

At the time of writing this document, Web sites are referenced using active hyperlinks to the correct Web page. Due to the dynamic nature of Web sites, in
time, these links may become invalid. Microsoft is not responsible for the content of external Internet sites.

The example companies, organisations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No
association with any real company, organisation, product, domain name, e-mail address, logo, person, places, or events is intended or should be inferred.


TABLE OF CONTENTS
1  Executive Summary ....................................................................................................................... 1 

2  Introduction .................................................................................................................................... 2 
2.1  Value Proposition...................................................................................................................... 2 
2.2  Knowledge Prerequisites .......................................................................................................... 2 
2.2.1  Skills and Knowledge ........................................................................................................ 2 
2.2.2  Training and Assessment .................................................................................................. 3 
2.3  Infrastructure Prerequisites ...................................................................................................... 3 
2.4  Audience ................................................................................................................................... 3 
2.5  Assumptions ............................................................................................................................. 3 

3  Using This Document .................................................................................................................... 4 


3.1  Document Structure .................................................................................................................. 5 

4  Envision .......................................................................................................................................... 7 
4.1  Goals ........................................................................................................................................ 7 
4.2  Healthcare Computer Categories ............................................................................................. 8 

5  Plan ................................................................................................................................................. 9 
5.1  Organisational Units ............................................................................................................... 10 
5.2  Group Policy Objects .............................................................................................................. 14 
5.2.1  GPO Design .................................................................................................................... 14 
5.3  Default Organisational Units ................................................................................................... 20 
5.4  Default Group Policy Objects ................................................................................................. 20 
5.4.1  Default Domain Policy ..................................................................................................... 21 
5.4.2  Default Domain Controllers Policy................................................................................... 22 
5.5  Adding or Amending the Defaults ........................................................................................... 23 
5.5.1  Adding to the Default OUs............................................................................................... 24 
5.5.2  Adding to the Default GPOs ............................................................................................ 24 
5.6  All Available Settings .............................................................................................................. 26 
5.6.1  Microsoft Windows Available Settings ............................................................................ 26 
5.6.2  Microsoft Office Available Settings .................................................................................. 27 
5.7  Application Deployment via Group Policy .............................................................................. 30 
5.7.1  Recommended Use and Limitations ............................................................................... 30 
5.7.2  Software Distribution Point Servers................................................................................. 31 
5.7.3  Limitations ....................................................................................................................... 31 
5.7.4  Application Deployment Methods .................................................................................... 34 

6  Develop ......................................................................................................................................... 36 


6.1  Baseline Settings .................................................................................................................... 36 
6.2  Category Settings ................................................................................................................... 38 

6.2.1  General Office / Administrative / Clinical ......................................................................... 38 


6.2.2  Ward, Maternity, Desktop Support and Finance ............................................................. 38 
6.2.3  Public / Cybercafe, Theatre and Library Catalogue ........................................................ 38 
6.3  GPO Building Blocks .............................................................................................................. 42 
6.3.1  Redirected Folders .......................................................................................................... 42 
6.3.2  WSUS .............................................................................................................................. 44 
6.3.3  Internet Explorer .............................................................................................................. 46 
6.3.4  Blocking Internet Explorer 7 ............................................................................................ 47 
6.3.5  Look and Feel .................................................................................................................. 48 
6.3.6  Security Hardening .......................................................................................................... 49 
6.3.7  Software Installs .............................................................................................................. 51 
6.3.8  Software Restriction ........................................................................................................ 52 
6.3.9  GPO Administration ......................................................................................................... 53 
6.3.10  Microsoft Office................................................................................................................ 54 
6.3.11  Removable Storage Devices ........................................................................................... 62 
6.3.12  Power Management ........................................................................................................ 66 
6.3.13  BitLocker and the Trusted Platform Module .................................................................... 67 
6.4  Migration ................................................................................................................................. 69 
6.4.1  System Policy Migration .................................................................................................. 69 
6.4.2  GPO Migration Table ....................................................................................................... 69 
6.4.3  ADMX Migrator ................................................................................................................ 70 

7  Stabilise ........................................................................................................................................ 74 


7.1  Testing Environment ............................................................................................................... 74 

8  Operate ......................................................................................................................................... 75 


8.1  Group Policy Management Console ....................................................................................... 75 
8.1.1  Management Using GPMC ............................................................................................. 76 
8.1.2  ADM Templates ............................................................................................................... 77 
8.1.3  ADMX Templates ............................................................................................................ 78 
8.1.4  The Central Store ............................................................................................................ 79 
8.1.5  Importing and Exporting Templates ................................................................................ 80 
8.1.6  GPO Replication .............................................................................................................. 80 
8.1.7  Microsoft Office ADM Templates..................................................................................... 81 
8.2  Advanced Group Policy Management .................................................................................... 81 
8.2.1  Planning........................................................................................................................... 82 
8.2.2  Installation and Configuration .......................................................................................... 83 
8.2.3  Change Control ............................................................................................................... 95 
8.2.4  Offline Editing .................................................................................................................. 95 
8.2.5  Role-Based Delegation ................................................................................................... 96 
8.2.6  GPMC Integration ............................................................................................................ 98 
8.3  Windows XP and Windows Vista Coexistence ..................................................................... 101 
8.4  Troubleshooting .................................................................................................................... 102 
8.4.1  Group Policy Operational Log ....................................................................................... 102 


8.4.2  Help and Support .......................................................................................................... 103 


8.4.3  GPO Tool....................................................................................................................... 104 
8.4.4  Recovery Tools.............................................................................................................. 104 

APPENDIX A  Skills and Training Resources............................................................................... 105 


PART I  Microsoft Active Directory.............................................................................................. 105 
PART II  GPO Editor and GPMC ................................................................................................. 105 
PART III  Supplemental Training Resources ............................................................................ 106 

APPENDIX B  How To Guides ........................................................................................................ 107 


PART I  Installing GPMC............................................................................................................. 107 
PART II  Create an Organisational Unit ....................................................................................... 109 
PART III  Creating a GPO......................................................................................................... 113 
PART IV  Assigning an Application Through a GPO ................................................................ 114 
PART V  Example Delegation of Administration .......................................................................... 116 
PART VI  Creating a Custom MMC Snap-In ............................................................................. 123 
PART VII  Importing a GPO ....................................................................................................... 126 
PART VIII  Linking an Existing GPO ........................................................................................... 130 
PART IX  Installing the ADMX Migrator .................................................................................... 131 

APPENDIX C  Document Information ............................................................................................ 135 


PART I  Terms and Abbreviations .............................................................................................. 135 
PART II  References .................................................................................................................... 137 


1 EXECUTIVE SUMMARY
Organisations are increasingly looking for ways to reduce the management overhead that comes
with supporting large numbers of users and their computers. Helpdesk and support personnel often
need to be knowledgeable in multiple operating systems as well as numerous applications, and at
times rely on the user being at least partially computer literate to help them solve problems on that
user's particular setup.
Introducing a desktop management infrastructure enables network administrators to provide a set
of standards across the estate for both users and computers. This benefits users, administrators
and the organisation itself.
Users benefit from a desktop estate that is consistent in its look and usability: whichever client
machine they use, they are presented with an interface that is familiar and easy to use. Providing
an interface that displays only those components used as part of the user's job allows items to be
located more quickly and efficiently.
Network administrators and support personnel benefit in similar ways. When receiving a support
call, the helpdesk can focus on the issue at hand rather than first trying to understand what type of
setup this particular user has. If an application becomes available and is required by multiple
users, it can be deployed remotely to exactly those users who need it.
The organisation benefits from the more centralised approach to managing the desktop estate:
resources can be pooled to work more efficiently, reducing the effort required to support a greater
number of users and therefore reducing the Total Cost of Ownership (TCO).
This document focuses on the use of Microsoft Group Policy to provide a desktop management
infrastructure. It provides guidance on the creation of Organisational Units (OUs) and Group Policy
Objects (GPOs), and on using Group Policy to deploy applications. Also included are some common
scenarios for using group policies, with the policy templates attached so that they can be imported
into a test environment. The guidance covers the built-in policy settings available for Windows XP®
Service Pack 2 and Windows Vista®, and those that can be imported for the management of
Microsoft Office 2003 and the 2007 Microsoft Office system. It also covers advanced management
using the Advanced Group Policy Management (AGPM) add-on, available as part of the Microsoft
Desktop Optimization Pack (MDOP) for Software Assurance.


2 INTRODUCTION
Within an environment using the Microsoft Windows® desktop operating systems, local policies can
be implemented to provide an element of control over the desktop estate. Windows NT 4.0
introduced System Policies, allowing administrators to configure such items as the Control Panel
applets, the desktop wallpaper and screensaver, and to hide certain drives within Windows Explorer.
Windows XP Professional with Service Pack 2 (SP2) provides thousands of settings that target
almost all areas of the operating system. These can be managed through the Microsoft Group
Policy Management Console (GPMC) and the Group Policy Object Editor (GPO Editor), or through
Novell® ZENworks®.
Managing these settings centrally gives administrators a powerful way to maintain a desktop
management infrastructure. Additional tools come in the form of patch management, ensuring the
operating system is kept up to date with the latest security fixes and service packs. This can be
managed using Microsoft Windows Server® Update Services (WSUS) [1], Microsoft Systems
Management Server (SMS) [2], LANDesk Patch Manager, or Novell ZENworks Patch Management,
to name a few.
Additionally, application deployment further enhances a desktop management infrastructure by
centrally managing a suite of applications and specifying a target audience of users or computers.
As with patch management, application deployment can be managed through Microsoft Group
Policy, Microsoft SMS, LANDesk® Management Suite, or Novell ZENworks.

2.1 Value Proposition


This document will enable an IT administrator to understand the relationship between OUs and
GPOs. Through recommendations and best practice guidance, the document will assist in the
creation of an OU hierarchy which allows for a centralised approach to Group Policy
implementation and provides IT administrators with a set of common uses of Group Policy along
with the configuration settings and GPO properties to use.

2.2 Knowledge Prerequisites


To implement the recommendations made throughout this document effectively, a number of
knowledge-based and environmental infrastructure prerequisites should be in place. This section
outlines the knowledge and skills required to use the Group Policy for Healthcare Desktop
Management guidance, while section 2.3 details the necessary infrastructure prerequisites.
Section 2.2.1 details the prerequisite skills and knowledge, and section 2.2.2 details the information
and suggested training resources or skill assessment.

2.2.1 Skills and Knowledge


The technical knowledge and minimum skills required to use this guide are:
• Understanding of Microsoft Active Directory
  - MMC snap-in, Active Directory Users and Computers
  - Creation of User, Computer, Group, and OU objects

[1] Healthcare organisation-specific guidance is available: Windows Server Update Services 3.0 Design Guide {R1} and
Windows Server Update Services 3.0 Operations Guide {R2}.
[2] Healthcare organisation-specific deployment guidance for Microsoft Systems Management Server 2003 {R3, R4} is
available.


• GPO Editor and GPMC
  - Creating GPOs
  - Configuring computer and user settings within group policies
  - Navigation of the GPMC
  - Selecting source Domain Controllers (DCs) within GPMC
• Understanding of Windows XP / Windows Vista
• Understanding of Microsoft Office 2003 / 2007 Microsoft Office system

2.2.2 Training and Assessment


Guidelines on the basic skill-sets that are required in order to make best use of this Deliverable are
detailed in APPENDIX A. The list in APPENDIX A represents the training courses and other
resources available. However, all courses listed are optional and can be provided by a variety of
certified training partners.

2.3 Infrastructure Prerequisites


The following are prerequisites for implementing Microsoft Group Policy for Desktop Management:
• Microsoft Active Directory® is installed (this can be a Windows 2000 or Windows Server 2003
  Active Directory domain)
• The client machines or users to be targeted are members of the Active Directory domain

2.4 Audience
The guidance contained in this document is targeted at a variety of roles within the healthcare IT
organisation. Table 1 provides a reading guide for this document, illustrating the roles and the
sections of the document that are likely to be of most interest.
Role                            Document Usage                                          Exec. Summary  Envision  Plan  Develop  Stabilise  Operate
IT Manager                      Review the relevant areas within the document to        ✓              ✓
                                understand the justification and drivers, and to
                                develop an understanding of the implementation
                                requirements
IT Architect                    Review the relevant areas within the document           ✓              ✓         ✓     ✓
                                against local architecture strategy and
                                implementation plans
IT Professional/Administrator   Detailed review and implementation of the guidance      ✓              ✓         ✓     ✓        ✓          ✓
                                to meet local requirements
Table 1: Document Audience

2.5 Assumptions
The guidance provided in this document assumes that healthcare organisations that want to share
services and resources between sites already have suitable IP addressing schemes in place to
enable site-to-site communication, that is, unique IP addressing schemes assigned to each
participating healthcare organisation with no overlap. Active Directory, and the underlying Domain
Name System (DNS), require unique IP addressing at adjoining sites in order for cross-site
communication to function. The use of Network Address Translation (NAT) within an Active
Directory environment is neither recommended nor supported by Microsoft.


3 USING THIS DOCUMENT


This section enables you to navigate your way quickly around the document, so that you can go
directly to the sections describing how to design and implement Group Policy for Desktop
Management. For more details on the entire document structure, refer to section 3.1.
The flowchart in Figure 1 shows the main tasks involved in designing and implementing Group
Policy for Desktop Management:

Figure 1: Quick Start Flowchart

Table 2 below breaks down the tasks into the sections of this document that should be read and
understood in order to perform an initial ‘quick-start’ deployment of Group Policy for Healthcare
Desktop Management.


Task                                                  Section
Design Organisational Units                           Section 5.1, Organisational Units
Design Group Policy Objects                           Section 5.2, Group Policy Objects
Add to the Default Organisational Units and Group     Section 5.3, Default Organisational Units
Policy Objects in Test Environment                    Section 5.4, Default Group Policy Objects
                                                      Section 5.5, Adding or Amending the Defaults
Develop Additional Group Policy Objects in Test       Section 6.1, Baseline Settings
Environment                                           Section 6.2, Category Settings
                                                      Section 6.3, GPO Building Blocks
Deploy in Test Environment                            Section 7.1, Testing Environment
                                                      APPENDIX B, How To Guides, PART VIII, Linking an Existing GPO
Migrate using the Group Policy Management Console     Section 6.4.1, System Policy Migration
to the Live Environment                               APPENDIX B, How To Guides, PART VII, Importing a GPO
Table 2: Quick Start Reference

3.1 Document Structure


This document contains five sections that deal with the project lifecycle, as illustrated in Figure 2:
• Envision
• Plan
• Develop
• Stabilise
• Operate
Each section is based on the Microsoft IT Project Lifecycle as defined in the Microsoft Solutions
Framework (MSF) Process Model and the Microsoft Operations Framework (MOF). The IT Project
Lifecycle is described in more detail in the MSF Process Model White Paper [3] and the MOF
Executive Overview [4]. The MSF Process Model and MOF describe a high-level sequence of
activities for building, deploying and managing IT solutions. Rather than prescribing a specific
series of procedures, they are flexible enough to accommodate a broad range of IT projects.
The MSF Process Model normally has one additional phase before Operate, namely Deploy.
That phase is not relevant to this document and so has been omitted.

[3] MSF Process Model White Paper {R5}:
http://www.microsoft.com/downloads/details.aspx?FamilyID=e481cb0b-ac05-42a6-bab8-fc886956790e&DisplayLang=en
[4] MOF Executive Overview {R6}: http://www.microsoft.com/technet/itsolutions/cits/mo/mof/mofeo.mspx


Figure 2: MSF Process Model Phases and Document Structure


4 ENVISION
The Envision phase addresses one of the most fundamental requirements for success in any
project - unification of the project team behind a common vision. There must be a clear vision of
what is to be accomplished such that it can be stated in clear terms. Envisioning, by creating a
high-level view of the overall goals and constraints, will serve as an early form of planning; it sets
the stage for the more formal planning process that will take place during the planning phase.
Figure 3 acts as a high-level checklist, illustrating the sequence of events which should be
undertaken when envisioning Group Policy for desktop management within a healthcare
organisation.

Figure 3: Sequence for Envisioning Group Policy for Desktop Management (Goals, then Healthcare Computer Categories)

4.1 Goals
This guidance provides details on how an OU structure and Group Policy implementation can help
towards a managed desktop environment. It focuses on the following elements:
• Current best practice approach to OUs
• Current best practice approach to GPOs
• Adding to the default OUs and GPOs
• Providing a set of baseline and incremental GPOs
• Managing the GPOs efficiently using GPMC


4.2 Healthcare Computer Categories


As part of the information gathering process to aid in the creation of this document, a Computer
Usage Questionnaire was completed by UK-based healthcare organisations to understand the
various ways in which computers are used. A number of different uses that are common across the
results of this questionnaire are provided here:

Computer Role                                  Characteristics
General Office / Administrative / Clinical     Classic style Start Menu
                                               Background and screensaver set
                                               Home drive set
                                               Automatic Updates configured
                                               Internet Explorer Security pages hidden
                                               Logon scripts
Ward / Maternity / Desktop Support / Finance   Specific software installs
Public / Cybercafe                             Locked down:
                                               No access to Control Panel applets
                                               No right-click of desktop
                                               Unable to change Internet Explorer options
                                               No screensaver
Theatre                                        Screensaver timeout set
                                               Inability to change display settings
                                               Certain Control Panel applets hidden
                                               Start Menu customisation (add Logoff, prevent changes,
                                               remove Network Connections and Run option)
                                               Internet Explorer Favourites specified
Library Catalogue                              Consistent desktop configuration for every user (loopback processing)
                                               Disallow Windows Messenger
                                               No access to Control Panel
                                               Disable Autoplay on CD drives
                                               Remove ability to change password or lock computer
                                               Load Internet Explorer at logon
                                               Hide Internet Explorer Options
                                               Remove access to Windows Update
Table 3: Healthcare Computer Categories

Note
Some computer roles have been grouped together purely because of the characteristics they have in
common. Ward, Maternity, Desktop Support and Finance all have specific software installed, but it is not
necessarily the same software.
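As an added example, and not code from the original guidance, the following PowerShell script turns the Library Catalogue characteristics in Table 3 into a single GPO. The registry keys used are the ones written by the corresponding Administrative Template settings for Windows XP (loopback processing, Autoplay, Control Panel, Windows Update, Ctrl+Alt+Del options, Internet Explorer restrictions, Windows Messenger and "Run these programs at user logon"); the mapping from table row to setting is added here, not taken from the document's attached templates. It assumes the GroupPolicy PowerShell module (Windows Server 2008 R2 / RSAT or later, so after this document's date) run against a test domain; the GPO name, the OU distinguished name and the catalogue URL are hypothetical.

```powershell
# Added example, not part of the original guidance. Assumes the GroupPolicy module and a
# test domain; 'HC Library Catalogue', the OU DN and http://catalogue.example/ are hypothetical.
Import-Module GroupPolicy

$gpoName = 'HC Library Catalogue'
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Shared catalogue kiosks: loopback, locked down' | Out-Null
}

# One entry per Table 3 characteristic: the registry key the Administrative Template
# setting writes, the value name, the value type and the data.
$settings = @(
    # Loopback processing in Replace mode: the same user configuration applies whoever logs on.
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows\System';                  Name = 'UserPolicyMode';         Type = 'DWord';  Value = 2 }
    # Do not allow Windows Messenger to be run.
    @{ Key = 'HKLM\Software\Policies\Microsoft\Messenger\Client';                Name = 'PreventRun';             Type = 'DWord';  Value = 1 }
    # Turn off Autoplay: 0xB5 is the bit mask the "CD-ROM drives" option of that setting writes.
    @{ Key = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun';     Type = 'DWord';  Value = 0xB5 }
    # Prohibit access to the Control Panel.
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel';         Type = 'DWord';  Value = 1 }
    # Remove links and access to Windows Update.
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoWindowsUpdate';        Type = 'DWord';  Value = 1 }
    # Remove Change Password and Lock Computer from the Ctrl+Alt+Del dialog.
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableChangePassword';  Type = 'DWord';  Value = 1 }
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableLockWorkstation'; Type = 'DWord';  Value = 1 }
    # Hide Internet Options from the Internet Explorer Tools menu.
    @{ Key = 'HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions';  Name = 'NoBrowserOptions';       Type = 'DWord';  Value = 1 }
    # Run these programs at user logon: open the catalogue in Internet Explorer (URL is hypothetical).
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Name = '1'; Type = 'String';
       Value = '"C:\Program Files\Internet Explorer\iexplore.exe" http://catalogue.example/' }
)

foreach ($s in $settings) {
    Set-GPRegistryValue -Name $gpoName -Key $s.Key -ValueName $s.Name -Type $s.Type -Value $s.Value | Out-Null
}

# Link to the OU that holds the catalogue computers (DN is hypothetical). Because the link is on a
# computer OU, the HKCU entries only take effect through the loopback setting above.
New-GPLink -Name $gpoName -Target 'OU=Library Catalogue,OU=Computers,OU=Healthcare,DC=hcorg,DC=test' `
    -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Read back what was written before the GPO leaves the test environment.
Get-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' |
    Select-Object ValueName, Type, Value
```

Loopback in Replace mode (UserPolicyMode = 2) discards the user's own GPOs on these machines, which is what a shared kiosk wants but would be wrong on a clinician's ordinary desktop; use Merge (value 1) where the user's own policies must still apply.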


5 PLAN
The Plan phase is where the bulk of the implementation planning is completed. During this phase
the areas for further analysis are identified and a design process commences.
Figure 4 acts as a high-level checklist, illustrating the sequence of events which the IT Manager
and IT Architect need to determine when planning for Group Policy for desktop management within
a healthcare organisation.

Figure 4: Sequence for Planning Group Policy for Desktop Management


5.1 Organisational Units


Organisational Units (OUs) are the containers within Active Directory where objects reside. These
objects can be users (relating to people or service accounts), computers (servers or clients), and
groups (containing multiple users or computers). They can also contain other OUs (sub-OUs) to
create a hierarchical structure within a domain, and are primarily used to group objects for
management purposes.
The best practice approach to OUs is to place users, computers, groups, service accounts and
administrator accounts each in their own OU. This enables administrators to link GPOs directly to
the OUs containing the users and computers, and to match each GPO to objects of a single object
class: for example, a GPO that contains only computer-based policy settings is linked to an OU
that contains only computers.
This approach also supports delegation of administration: non-administrators can be given rights to
manage policy on OUs that do not contain security-sensitive users and groups such as Domain
Admins. It also limits the effect of an incorrect amendment or deletion, which could affect the whole
organisation if carried out at the root level, provided the parent containers are protected correctly.
In the same way, a specific OU of users can be restored independently of the groups, and that
restore can be marked as authoritative.
Recommendation
OUs should represent a logical structure of the Active Directory. Each OU should have a justification for its
purpose such as a delegation of administration boundary, application of group policies, or hiding certain
objects within the Active Directory structure from administrators that do not need to view it.
If the purpose of the OU does not fit within one of these categories, then the OU is probably not required
and the reason to create the OU should be re-evaluated.
The number of OU levels should be kept to below 5 otherwise the implementation of a deeper level of
OUs could become a complex structure to administer.
The design of the OU structure should first focus on delegation of administration and then focus on Group
Policy and restriction of visibility. This is because the scope of a Group Policy can be controlled via
security group membership whereas the scope of an OU can only be controlled by utilising sub-OUs.
The default Users and Computers containers are not OUs and as such cannot have Group Policy applied
to them. Instead, create OUs specific to these object types and have group policies apply to these.

The design of an OU structure should be documented in terms of an OU hierarchy diagram and a
list of the OUs that require creating. For each OU required, the following should be detailed:
  • The purpose of the OU
  • The owner of the OU
  • A list of users or groups that have admin control over the OU or the objects within it
  • The type of control that users and groups have over the objects in the OU
  • The application of group policies to the OU
  • Whether visibility of the objects is limited anywhere
An example OU structure is provided below to show some of the points highlighted above. This OU
structure is based upon a healthcare organisation having multiple entities which share common
elements, whilst at the same time each requiring a certain level of autonomy. This comprises
multiple sites where most administrative functions are carried out from a central location,
housing centralised accounts and some resources, but allowing a local administrator to support
their local site and as such their own accounts and resources.

Page 10

Note
The figures below show an example OU structure which relates to the text above. Whilst this section
details recommendations around OU structures these figures are purely to form an example structure and
should not be deemed as a recommendation for use as it may not be suitable for your environment.

Figure 5 represents the root level OU structure to support the example environment.

Figure 5: Root Level OU Structure

As can be seen above, just two OUs have been created over and above the defaults5 at the root
level:

OU                        Purpose
Centralised               Centralised account and resource objects
Healthcare Organisation   Distributed accounts and resource objects

Table 4: Example Root Level OUs and Their Purpose

Keeping the root level clean (minimising the number of containers) allows for easier visibility of the
containers and their purpose, and so keeps the administrative focus clear.
Each of the OUs created above has the same set of sub-OUs, and their names typically identify
where the different object types reside, as can be seen in Figure 6.
Note
The same sub-OU structure has been created within each root level OU to allow administrators to keep a
sense of uniformity across entities and, in doing so, simplify centralised administration. This is especially
important when linking GPOs to these OUs, as one GPO created to target Kiosk workstations can be linked
to the corresponding sub-OUs in multiple entities.

5 The default containers are detailed further in section 5.3.

Page 11

Figure 6: Generic Low Level Account and Resource OUs

Note
The names of the OUs used in Figure 6 should not be deemed as recommended names, but an example
of what the OUs could be called. If a documented naming convention is in place for your healthcare
organisation that covers OUs, then this should be used.

Each of the OUs created have their specific purpose and as mentioned previously, should be
documented along with the OU owner. The OUs, and their purpose, are:

OU                             Purpose
Computers                      Top level OU for delegation of administration and policy; holds only OUs
- Activity Based Computers     Management OU for highly managed workstations
- - Clerical Admin Stations    Clerical administrative desktop computer accounts
- - Kiosk Stations             Kiosk or public access computer accounts
- - Nurse Stations             Nurses station computer accounts
- - Shared Stations            Desktop computer accounts for machines which are used by multiple users
- Knowledge Based Computers    Management OU for lightly managed workstations
- - Laptops                    Laptop based computer accounts
- - Tablet PCs                 Tablet PC based computer accounts
- Unmanaged Computers          Computer accounts that are unmanaged; possibly machines in the process of
                               being built, or IT administrative machines
Data Administrators            Contains user and group accounts for ‘Data’ administrators of computer
                               accounts, to allow them to be managed separately from regular users. Enable
                               auditing for this OU so that it is possible to track changes to administrative
                               users and groups
Groups                         Top level OU containing groups of all types, except for administrative groups,
                               which are managed separately. Level also used for delegation of administration
                               and policy application
Servers                        Top level OU for delegation of administration and policy; holds only OUs
- Application                  Management OU for application servers, SQL Server, SharePoint Portal Server (SPS)
- File and Print               Management OU for file and print servers
- Mail                         Management OU for messaging servers, Contact
- Management                   Management OU for management servers, SMS, RIS, WSUS, MOM
- Network Services             Management OU for servers running network services, WINS, DHCP, ISA
- Web                          Management OU for Web servers, Internet Information Server (IIS)
Service Accounts               Top level OU. Some services that require access to network resources run as
                               user accounts. This OU is created to separate service user accounts from the
                               user accounts contained under the Centralised or Distributed Healthcare
                               Organisation Users OU. Also, placing the different types of user accounts in
                               separate OUs enables management of them according to their specific
                               administrative requirements
Users                          Top level OU for delegation of administration and policy; holds only OUs
- Activity Based Users         Management OU for highly managed user accounts
- - Clerical Admin Users       Clerical admin user accounts for non-administrative personnel
- - Kiosk Users                User accounts for Kiosk use
- - Nurse Station Users        User accounts for Nurses
- - Shared Station Users       User accounts for shared computer use
- Knowledge Based Users        Management OU for lightly managed user accounts
- - Laptop Users               User accounts for laptop users
- - Tablet PC Users            User accounts for Tablet PC users
- Unmanaged Users              New user accounts awaiting relocation to managed OUs

Table 5: Example OUs and Their Purpose

With the OU structure above, Group Policy can be linked where appropriate to provide a
centralised desktop management infrastructure. An example of the GPOs linked to the above OU
structure is detailed within Figure 7.
Recommendation
Whilst Windows Vista has more configurable options via Group Policy than previous versions of Windows,
it is usual for the business and user requirements to still be valid and, as such, Vista clients should remain
in the same OU as other clients. Windows Vista clients should not be separated from other clients purely
on the basis of the difference in operating system versions.
Also, any GPO settings specific to Windows Vista will be ignored by earlier version of the Windows
operating system.

Page 13

OUs are typically created through the Active Directory Users and Computers MMC snap-in.
However, there are several methods for creating OUs as detailed in APPENDIX B. During the
methods shown, the OUs being created are part of the previous diagrams.
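As an added example (it is not code from this document, nor from any Microsoft tool it describes), the following PowerShell script creates the sub-OU structure of Table 5 under a root OU using the ActiveDirectory module's New-ADOrganizationalUnit cmdlet. The domain DC=example,DC=local and the root OU names Centralised and Healthcare Organisation are assumptions taken from the example figures. Each OU's purpose from Table 5 is written into its Description attribute, so the documentation the text asks for also lives in the directory, and every OU is protected from accidental deletion.

```powershell
# Added example, not from the document: build the Table 5 sub-OU tree under a root OU.
# Requires the ActiveDirectory module (RSAT) and rights to create OUs in the domain.
Import-Module ActiveDirectory

# Assumed domain; replace with your own.
$domainDn = 'DC=example,DC=local'

# Table 5 hierarchy: Name, parent path relative to the root OU ('' = directly under it),
# and Purpose (used as the OU description). Parents are listed before their children.
$ouPlan = @(
    @{ Name = 'Computers';                 Parent = '';                                          Purpose = 'Top level OU for delegation of administration and policy; holds only OUs' }
    @{ Name = 'Activity Based Computers';  Parent = 'OU=Computers';                              Purpose = 'Management OU for highly managed workstations' }
    @{ Name = 'Clerical Admin Stations';   Parent = 'OU=Activity Based Computers,OU=Computers';  Purpose = 'Clerical administrative desktop computer accounts' }
    @{ Name = 'Kiosk Stations';            Parent = 'OU=Activity Based Computers,OU=Computers';  Purpose = 'Kiosk or public access computer accounts' }
    @{ Name = 'Nurse Stations';            Parent = 'OU=Activity Based Computers,OU=Computers';  Purpose = 'Nurses station computer accounts' }
    @{ Name = 'Shared Stations';           Parent = 'OU=Activity Based Computers,OU=Computers';  Purpose = 'Desktop computer accounts for machines used by multiple users' }
    @{ Name = 'Knowledge Based Computers'; Parent = 'OU=Computers';                              Purpose = 'Management OU for lightly managed workstations' }
    @{ Name = 'Laptops';                   Parent = 'OU=Knowledge Based Computers,OU=Computers'; Purpose = 'Laptop based computer accounts' }
    @{ Name = 'Tablet PCs';                Parent = 'OU=Knowledge Based Computers,OU=Computers'; Purpose = 'Tablet PC based computer accounts' }
    @{ Name = 'Unmanaged Computers';       Parent = 'OU=Computers';                              Purpose = 'Unmanaged computer accounts, e.g. machines being built' }
    @{ Name = 'Data Administrators';       Parent = '';                                          Purpose = 'Data administrators of computer accounts; enable auditing on this OU' }
    @{ Name = 'Groups';                    Parent = '';                                          Purpose = 'Groups of all types except administrative groups' }
    @{ Name = 'Servers';                   Parent = '';                                          Purpose = 'Top level OU for delegation of administration and policy; holds only OUs' }
    @{ Name = 'Application';               Parent = 'OU=Servers';                                Purpose = 'Application servers' }
    @{ Name = 'File and Print';            Parent = 'OU=Servers';                                Purpose = 'File and print servers' }
    @{ Name = 'Mail';                      Parent = 'OU=Servers';                                Purpose = 'Messaging servers' }
    @{ Name = 'Management';                Parent = 'OU=Servers';                                Purpose = 'Management servers' }
    @{ Name = 'Network Services';          Parent = 'OU=Servers';                                Purpose = 'Servers running network services' }
    @{ Name = 'Web';                       Parent = 'OU=Servers';                                Purpose = 'Web servers' }
    @{ Name = 'Service Accounts';          Parent = '';                                          Purpose = 'Service user accounts, kept apart from regular users' }
    @{ Name = 'Users';                     Parent = '';                                          Purpose = 'Top level OU for delegation of administration and policy; holds only OUs' }
    @{ Name = 'Activity Based Users';      Parent = 'OU=Users';                                  Purpose = 'Management OU for highly managed user accounts' }
    @{ Name = 'Clerical Admin Users';      Parent = 'OU=Activity Based Users,OU=Users';          Purpose = 'Clerical admin user accounts' }
    @{ Name = 'Kiosk Users';               Parent = 'OU=Activity Based Users,OU=Users';          Purpose = 'User accounts for Kiosk use' }
    @{ Name = 'Nurse Station Users';       Parent = 'OU=Activity Based Users,OU=Users';          Purpose = 'User accounts for Nurses' }
    @{ Name = 'Shared Station Users';      Parent = 'OU=Activity Based Users,OU=Users';          Purpose = 'User accounts for shared computer use' }
    @{ Name = 'Knowledge Based Users';     Parent = 'OU=Users';                                  Purpose = 'Management OU for lightly managed user accounts' }
    @{ Name = 'Laptop Users';              Parent = 'OU=Knowledge Based Users,OU=Users';         Purpose = 'User accounts for laptop users' }
    @{ Name = 'Tablet PC Users';           Parent = 'OU=Knowledge Based Users,OU=Users';         Purpose = 'User accounts for Tablet PC users' }
    @{ Name = 'Unmanaged Users';           Parent = 'OU=Users';                                  Purpose = 'New user accounts awaiting relocation to managed OUs' }
)

function Test-OuExists {
    param([Parameter(Mandatory)] [string] $Dn)
    # A -Filter on distinguishedName returns nothing for a missing OU instead of raising an error.
    return [bool](Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$Dn'")
}

function New-ExampleOuTree {
    param(
        [Parameter(Mandatory)] [string] $RootOuName,   # e.g. 'Centralised' or 'Healthcare Organisation'
        [Parameter(Mandatory)] [string] $DomainDn
    )
    $rootDn = "OU=$RootOuName,$DomainDn"
    if (-not (Test-OuExists $rootDn)) {
        New-ADOrganizationalUnit -Name $RootOuName -Path $DomainDn -ProtectedFromAccidentalDeletion $true
    }
    foreach ($ou in $ouPlan) {
        $parentDn = if ($ou.Parent) { "$($ou.Parent),$rootDn" } else { $rootDn }
        $ouDn = "OU=$($ou.Name),$parentDn"
        if (Test-OuExists $ouDn) { continue }   # idempotent: re-running only adds what is missing
        New-ADOrganizationalUnit -Name $ou.Name -Path $parentDn -Description $ou.Purpose `
            -ProtectedFromAccidentalDeletion $true
    }
}

# The same sub-OU set under each root OU, as the Note accompanying Figure 6 recommends.
New-ExampleOuTree -RootOuName 'Centralised' -DomainDn $domainDn
New-ExampleOuTree -RootOuName 'Healthcare Organisation' -DomainDn $domainDn
```

The table-driven layout keeps the hierarchy in one place that can be reviewed against the OU design document before anything is created; the same list can later be compared with Get-ADOrganizationalUnit output to detect OUs that were added outside the design.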

5.2 Group Policy Objects


Group Policy, introduced with Windows 2000 Server, provides a directory based desktop
configuration management solution. Group Policy provides administrators with the ability to specify
settings for registry based policies, security, software installation, scripts, folder redirection, Remote
Installation Services, and Internet Explorer. With the addition of further administrative
templates, Group Policy can also extend an administrator's control to other applications such as
Microsoft Office.
The Group Policy settings that are specified are contained within a GPO. These GPOs can then be
linked to Active Directory containers such as sites, domains, and OUs. The GPOs can be
applied to users, computers, or both.
GPOs can be created using a variety of methods, much as OUs can. With the introduction of the
GPMC, the creation of a GPO is a very simple process, used in conjunction with the GPO Editor,
also known as the Group Policy snap-in or GPEdit.
Recommendations
The number of GPOs applied to an Active Directory object should be kept to a minimum as a greater
number being applied at logon could affect logon times.

5.2.1 GPO Design


There are several ways in which a GPO can be designed; however, there are two key approaches
that form the basis of a GPO design: functional or geographical. The approach taken will be
determined by the way in which the users and computers are administered.
It is important to understand how the requirements of different groups of users and/or computers
differ, as this dictates the settings applied to them. Understanding these requirements allows
common elements across these groups of object types to be set at a higher level within the Active
Directory hierarchy, with GPOs at a lower level further refining the more global settings.
The approach to designing GPOs will have started with the OU design, and can now be refined
further using the options with which GPOs can be configured, to ensure their scope of control is
relevant.
Following on from the example OU structure provided above, Figure 7 below provides an example
of where appropriate GPOs would be linked to.

Page 14

Figure 7: Example GPO Links

Within Figure 7, OUs and GPO links are each denoted by their own icon.
Note
The figure above is only provided as an example of where GPOs could be linked to and should not be
deemed as a recommendation to use this exact format.

Recommendation
While not always possible, it is advisable to create the GPOs for managing the operating system and
Microsoft Office suite before using the workstations. This ensures the workstations are managed via
Group Policy as soon as they are added to the Active Directory domain. If a newer version of the Microsoft
Office suite is deployed, the group policies will already be in place for post-deployment management.

5.2.1.1 Group Policy Linking


A newly created GPO has no effect on users or computers until it has been associated with an
Active Directory container (which already contains objects); this is known as linking a GPO.
The benefit of this is that a single GPO can be created once, in the Group Policy Objects
container, and subsequently linked to as few or as many OUs as required.
For example, within the example OU structure as shown in Figure 6 on page 12, a specific
Healthcare Organisation sub-OU for Laptops exists, as it would for the Centralised OU structure
(the top level OU is shown in Figure 5). A GPO could be created that allows access to the Modem
Control Panel applet and as such is then linked to both the Centralised and Healthcare
Organisation Laptops sub-OUs.
Page 15

5.2.1.2 Block Inheritance


This feature allows an administrator to specify that any policy linked to a parent Active Directory
container will not apply to objects within a container where this setting is enabled. Whilst this is a
useful and powerful feature, it should be used with caution and only in a situation specifically
requiring it.
Recommendation
The use of Block Inheritance should be kept to an absolute minimum as this can greatly increase the
administrative overhead involved in maintaining the GPOs.

5.2.1.3 Enforce Policy


The Enforce policy, also known as the No Override option, provides an administrator with the ability
to ensure a GPO linked at a higher level container is always applied to the lower level containers
within it, regardless of the Block Inheritance setting. As with the block inheritance setting, a policy
should only be enforced if specific circumstances require it.
Recommendation
The Enforce (No Override) option should not be used except for ensuring a Domain wide policy is applied
on all objects and only then when it sets account or password policy configuration. If used more widely, it
will, along with Block Inheritance, dramatically complicate troubleshooting.

5.2.1.4 Loopback Processing


Loopback Processing ensures that all users of a certain type of computer are provided with a
computer specific configuration, regardless of what that user's own policy settings configure.
This function is useful with kiosk based or public machines where the wish is to maintain a
consistent configuration no matter who is logging on. However, its use should be kept to a
minimum as it can easily hinder a troubleshooting task.
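The linking, loopback and inheritance points of sections 5.2.1.1 to 5.2.1.4, as an added PowerShell example using the GroupPolicy and ActiveDirectory modules (this is not code from the document). It assumes the example OU structure of Figures 5 and 6 under the assumed domain DC=example,DC=local; the GPO names 'Laptop Settings' and 'Kiosk Station Settings' are assumptions. One GPO is created once and linked to the Laptops sub-OU of both entities, loopback Replace mode is switched on for the kiosk GPO through the registry value that backs the 'User Group Policy loopback processing mode' setting, and a report lists every container that blocks inheritance or carries an enforced link, so that each exception can be justified or removed as the recommendations ask.

```powershell
# Added example, not from the document: link one GPO to several OUs, enable loopback
# processing for kiosk machines, and audit Block Inheritance / Enforced links.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = 'DC=example,DC=local'   # assumed domain; replace with your own

# 5.2.1.1 Linking: the GPO exists once in the Group Policy Objects container and is
# linked to every target OU. Re-running the function does not create duplicate links.
function Add-GpoLinkToOus {
    param(
        [Parameter(Mandatory)] [string]   $GpoName,
        [Parameter(Mandatory)] [string[]] $TargetOuDns
    )
    try   { $gpo = Get-GPO -Name $GpoName -ErrorAction Stop }
    catch { $gpo = New-GPO -Name $GpoName -Comment 'Assumed example GPO' }
    foreach ($ouDn in $TargetOuDns) {
        $alreadyLinked = (Get-GPInheritance -Target $ouDn).GpoLinks |
            Where-Object { $_.DisplayName -eq $GpoName }
        if (-not $alreadyLinked) {
            New-GPLink -Name $GpoName -Target $ouDn -LinkEnabled Yes | Out-Null
        }
    }
    return $gpo
}

# 5.2.1.4 Loopback processing. The 'User Group Policy loopback processing mode' setting is
# stored as the UserPolicyMode value under the System policy key: 1 = Merge, 2 = Replace.
# Replace gives every user of a kiosk the same user configuration, whatever their own OU applies.
function Enable-GpoLoopbackReplace {
    param([Parameter(Mandatory)] [string] $GpoName)
    Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
}

# 5.2.1.2 / 5.2.1.3 audit. Both features should be rare, so list every container in
# scope that blocks inheritance and every link that is enforced.
function Get-GpoInheritanceExceptions {
    param([Parameter(Mandatory)] [string] $SearchBaseDn)
    $containers = @($SearchBaseDn) +
        (Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBaseDn).DistinguishedName
    foreach ($dn in $containers) {
        $inheritance = Get-GPInheritance -Target $dn
        if ($inheritance.GpoInheritanceBlocked) {
            [pscustomobject]@{ Container = $dn; Exception = 'Block Inheritance'; Gpo = '' }
        }
        foreach ($link in ($inheritance.GpoLinks | Where-Object { $_.Enforced })) {
            [pscustomobject]@{ Container = $dn; Exception = 'Enforced link'; Gpo = $link.DisplayName }
        }
    }
}

# Usage: one laptop GPO linked under both entities, loopback for kiosks, then the audit.
$laptopOus = @(
    "OU=Laptops,OU=Knowledge Based Computers,OU=Computers,OU=Centralised,$domainDn",
    "OU=Laptops,OU=Knowledge Based Computers,OU=Computers,OU=Healthcare Organisation,$domainDn"
)
Add-GpoLinkToOus -GpoName 'Laptop Settings' -TargetOuDns $laptopOus | Out-Null
Add-GpoLinkToOus -GpoName 'Kiosk Station Settings' -TargetOuDns @(
    "OU=Kiosk Stations,OU=Activity Based Computers,OU=Computers,OU=Centralised,$domainDn") | Out-Null
Enable-GpoLoopbackReplace -GpoName 'Kiosk Station Settings'
Get-GpoInheritanceExceptions -SearchBaseDn $domainDn | Format-Table -AutoSize
```

Running Get-GpoInheritanceExceptions on a schedule and comparing its output with the documented exceptions is a cheap way to catch Block Inheritance or Enforced settings that were switched on during troubleshooting and never removed.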

5.2.1.5 Security Group Filtering


When a GPO is created and linked to a container, by default the Authenticated Users group has the
Allow Apply Group Policy permission on it, so every user and computer residing within that container
applies the settings the GPO contains.
Note
The Authenticated Users group name refers to both users and computers, both of which need to
authenticate to the domain as part of the logon process or boot up process respectively.

By specifying additional permissions onto GPOs, it is possible to filter which objects within a
container will have the settings applied. For example, an OU may contain the users within a
department and a GPO linked to that OU may set a Software Restriction Policy. However you may
wish to allow a couple of these users to run certain software that is being targeted by this policy as
they have received the necessary training to use it. As such, these users could become a member
of a security group that is then added to the permissions, and the Deny Apply Group Policy right is
enabled for this security group.
The net result is that although these users are members of Authenticated Users, which has the
Allow Apply Group Policy permission on the GPO, they are also members of the security group that
has the Deny permission, and a Deny takes precedence over an Allow. In effect, this means
these users are not restricted from running the software.
The use of Security Group Filtering can assist in reducing the number of containers required and as
such the level of OUs that would otherwise be required to provide the same functionality.

Page 16

Recommendations
Whilst Security Group Filtering is a very useful and powerful element to Group Policy application, if not
documented well regarding the permissions of the policies, it could become confusing to new GPO
Administrators who are required to support it. Used carefully though, it will enhance and ease GPO usage
and maintenance.
When setting the Deny permission to a group, consider also setting the Deny Read permission for this
group. The reason for this is if a user has the rights to read a GPO, then when the GPOs are being
applied, the GPO will still be read and as such processed, even though no configuration changes will
occur because of the Deny permission. By setting the Deny Read permission, the policy will not be read
and as such speed the processing of GPOs for that user or computer resulting in a potentially faster
logon.

5.2.1.6 User and Computer Settings


Within a GPO, there are two clear sections available for setting configurations; Computer
Configuration Settings and User Configuration Settings. As the names suggest, each configuration
settings section either focuses on the computer or user.
It is therefore possible to have policies that target just users, just computers or both. As such a
GPO can have a status out of the following four options:
  • Enabled – Both user and computer configuration settings will apply
  • User Configuration Settings Disabled – Only computer configuration settings will apply
  • Computer Configuration Settings Disabled – Only user configuration settings will apply
  • All Settings Disabled – No configuration settings will apply
Recommendation
When creating GPOs, try and target each GPO to either the User or Computer Configuration Settings and
disable the unused section of that GPO. By doing this, it will speed up the GPO processing for users as
when the GPO is processed it will ignore the disabled section. It also speeds up the refresh of GPOs as
typically a GPO targeting computer configuration does not need to be refreshed as frequently as the user
configuration.
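Security group filtering with Deny permissions (section 5.2.1.5) and disabling the unused half of a GPO (section 5.2.1.6), as an added PowerShell example that is not part of the document. It uses the GroupPolicy and ActiveDirectory modules; the GPO and group names are assumptions. Set-GPPermission can grant permission levels or remove them (PermissionLevel None) but cannot write a Deny, so the Deny Apply Group Policy and Deny Read entries the recommendation describes are added directly to the ACL of the GPO's Active Directory container. The second function reads the GPO's XML report to decide which section is empty before setting GpoStatus.

```powershell
# Added example, not from the document: security group filtering with Deny permissions
# (5.2.1.5) and disabling the unused configuration section of a GPO (5.2.1.6).
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Schema GUID of the 'Apply Group Policy' control access right.
$applyGroupPolicyRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

# 5.2.1.5: add Deny Apply Group Policy and Deny Read for an exempt group on a GPO's
# Active Directory container (GPC). Deny wins over the Allow held by Authenticated Users,
# and Deny Read means the client skips the GPO instead of reading it and then discarding it.
function Deny-GpoForGroup {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $GroupName
    )
    $gpo     = Get-GPO -Name $GpoName
    $sid     = (Get-ADGroup -Identity $GroupName).SID
    $gpcPath = "AD:\CN={$($gpo.Id)},CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
    $acl     = Get-Acl -Path $gpcPath
    $deny    = [System.Security.AccessControl.AccessControlType]::Deny
    $denyApply = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $sid, ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight), $deny, $applyGroupPolicyRight
    # GenericRead covers the rights GPMC displays as 'Read' on the Delegation tab.
    $denyRead  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $sid, ([System.DirectoryServices.ActiveDirectoryRights]::GenericRead), $deny
    $acl.AddAccessRule($denyApply)
    $acl.AddAccessRule($denyRead)
    Set-Acl -Path $gpcPath -AclObject $acl
}

# 5.2.1.6: disable the half of a GPO that carries no settings. In the XML report the
# <Computer> and <User> nodes contain one <ExtensionData> element per configured extension;
# a node without any holds no settings.
function Set-GpoUnusedSectionDisabled {
    param([Parameter(Mandatory)] [string] $GpoName)
    $gpo = Get-GPO -Name $GpoName
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $hasComputer = [bool]$report.GPO.Computer.ExtensionData
    $hasUser     = [bool]$report.GPO.User.ExtensionData
    # Assigning GpoStatus on the Gpo object writes the change to Active Directory.
    if ($hasComputer -and -not $hasUser)     { $gpo.GpoStatus = 'UserSettingsDisabled' }
    elseif ($hasUser -and -not $hasComputer) { $gpo.GpoStatus = 'ComputerSettingsDisabled' }
    return [pscustomobject]@{
        Gpo = $GpoName; ComputerSettings = $hasComputer; UserSettings = $hasUser; Status = $gpo.GpoStatus
    }
}

# Usage with assumed names: trained staff in GRP-SRP-Exempt are excluded from the
# department's Software Restriction Policy GPO; the laptop GPO only carries computer settings.
Deny-GpoForGroup -GpoName 'Clerical Software Restrictions' -GroupName 'GRP-SRP-Exempt'
Set-GpoUnusedSectionDisabled -GpoName 'Laptop Settings'
```

GPMC keeps the SYSVOL folder permissions of a GPO in step with the GPC ACL; after the ACL is edited directly as above, the GPO's Delegation tab in GPMC reports that the SYSVOL permissions are inconsistent and offers to bring them back into line, which should be accepted. Writing the ACL needs the right to modify permissions on the GPO, which the GPO's creator and Domain Admins hold by default.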

5.2.1.7 Tools and Utilities


A number of tools exist for managing Group Policy, each with its own role in the various tasks
involved in maintaining the GPOs created within the environment. The following table lists
some of these tools with a summary of each tool's use:

Tool          Usage
GPMC          Group Policy Management Console. This is possibly the most useful tool available to a GPO
              Administrator and should be used for the creation and maintenance of all GPOs created. It
              allows for the linking, delegating, exporting, importing, copying, and backing up of GPOs.
              Further details on the use of the GPMC can be found in section 8.1 later in this document.
GPOTool       A tool which provides information on the consistency of Group Policy objects and on the
              replication of the Group Policy Containers and the Group Policy Templates within Active
              Directory. It can be used to provide anything from a high level ‘Policies OK’ to a verbose
              output detailing issues being experienced. This tool is provided as part of the Windows
              Server 2003 Resource Kit.
admX          A useful tool that parses an ADM Template file into a readable format for documentation
              purposes. It can also be used to show the differences between two similar ADM files. This
              tool is provided as part of the Windows Server 2003 Resource Kit.
GPMonitor     A tool which can be used to perform historical analysis of what has changed between
              different Group Policy refresh intervals on clients and servers. This tool is provided as part
              of the Windows Server 2003 Resource Kit.
GPInventory   A tool that allows the collection of information from clients and servers across the network
              and saves the results in a text file. This tool can be downloaded from Microsoft using the
              following URL:
              http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=1D24563D-CAC9-4017-AF14-8DD686A96540

Table 6: Group Policy Tools and Utilities

5.2.1.8 Baseline and Incremental Policies


As can be seen from the example given in Figure 7 on page 14, GPOs that are typically linked to
the top level OUs contain a Baseline GPO. As a general rule of thumb, a baseline policy contains
settings that are common across all object types being targeted within that OU hierarchy. The
incremental policies then further enhance the configurations depending upon the target audience.
A simple example for the inclusion of a common setting would be a standard background. This
configuration setting would be placed within a baseline policy as it would be desirable across all
client machines.
There are also occasions where a setting would be required across the majority of the estate but
not on all machines. In this scenario, to set this configuration on the majority of machines could
involve the creation of a separate GPO, with this being linked to multiple locations. A better solution
would be to set the configuration option with the baseline policy and effectively reverse that
configuration option within a GPO for those that should not have it applied.
For example, the majority of computers do not need access to the Modem Control Panel Applet
and as such the hiding of this applet can be specified within the Baseline policy. An additional
incremental policy would then be created that enables the Modem Control Panel applet to be
visible. This policy would then be linked to the specific target audience and applied with a higher
priority, so taking precedence over the baseline policy where appropriate.
Recommendation
When using incremental policies to effectively reverse settings that have been configured using baseline
policy, ensure that by doing so it is assisting in the overall aim of reducing the administrative overhead. If
you find that more users / computers require the setting than initially planned, it may well be worth
removing the configuration options from the baseline policy and setting it in an incremental policy.
An alternative solution would be to specify the users or computers that shouldn’t receive the GPO within a
security group and alter the permissions of the GPO, such that this group was denied the Apply Group
Policy Object right. This alternative solution would only be suitable if the entire GPO was not required by
those users or computers. It is not possible to specify that only part of the GPO is applied; this would
require separate GPOs to configure the required options.
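The baseline and incremental arrangement of section 5.2.1.8, as an added PowerShell example using the GroupPolicy module (not code from the document). It covers the case where both GPOs are linked to the same OU, which is where link order decides the outcome; when the baseline is linked at a higher OU, as in Figure 7, the lower OU's link already takes precedence through inheritance. The domain and the GPO names 'Client Baseline' and 'Laptop Modem Access' are assumptions.

```powershell
# Added example, not from the document: baseline and incremental GPOs on one OU, with the
# link order set so that the incremental policy overrides the baseline.
Import-Module GroupPolicy

$domainDn = 'DC=example,DC=local'   # assumed domain; replace with your own

# In GPMC link order 1 is the highest precedence: it is processed last and so wins any
# conflict. The baseline therefore goes to the bottom and each incremental GPO sits above it.
function Set-BaselineAndIncrementalLinks {
    param(
        [Parameter(Mandatory)] [string]   $OuDn,
        [Parameter(Mandatory)] [string]   $BaselineGpo,
        [Parameter(Mandatory)] [string[]] $IncrementalGpos
    )
    foreach ($name in (@($BaselineGpo) + $IncrementalGpos)) {
        $linked = (Get-GPInheritance -Target $OuDn).GpoLinks | Where-Object { $_.DisplayName -eq $name }
        if (-not $linked) { New-GPLink -Name $name -Target $OuDn -LinkEnabled Yes | Out-Null }
    }
    $order = 1
    foreach ($name in $IncrementalGpos) {
        Set-GPLink -Name $name -Target $OuDn -Order $order | Out-Null
        $order++
    }
    Set-GPLink -Name $BaselineGpo -Target $OuDn -Order $order | Out-Null
    # Return the resulting link order so the precedence can be checked.
    (Get-GPInheritance -Target $OuDn).GpoLinks | Select-Object Order, DisplayName, Enabled, Enforced
}

# All links that reach an OU, including inherited ones, as listed on the Group Policy
# Inheritance tab in GPMC; useful when checking what really applies to the OU's objects.
function Get-InheritedGpoLinks {
    param([Parameter(Mandatory)] [string] $OuDn)
    (Get-GPInheritance -Target $OuDn).InheritedGpoLinks |
        Select-Object Order, DisplayName, Target, Enforced
}

# Usage with assumed names: the baseline hides the Modem applet for all clients; the
# incremental GPO on the Laptops OU makes it visible again and must sit above the baseline.
$laptopsOu = "OU=Laptops,OU=Knowledge Based Computers,OU=Computers,OU=Centralised,$domainDn"
Set-BaselineAndIncrementalLinks -OuDn $laptopsOu -BaselineGpo 'Client Baseline' `
    -IncrementalGpos @('Laptop Modem Access')
Get-InheritedGpoLinks -OuDn $laptopsOu | Format-Table -AutoSize
```

Because Set-GPLink moves a link to the requested position and renumbers the rest, setting the incremental GPOs to positions 1..n and then the baseline to n+1 produces the same order however the links were first created.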

5.2.1.9 Conflicts
Conflicts can occur within GPOs whereby a setting can be made within both the computer and user
configuration settings.
There are a couple of results that can occur when a conflict arises; the result however is completely
dependent upon the setting in question.
One result could be that either the Computer Configuration Setting or User Configuration Setting
takes precedence, therefore effectively ignoring the other configuration option.
For example, within both Computer Configuration Settings and User Configuration Settings, it is
possible to set ‘Prohibit user configuration of Offline Files’. If this is set to ‘Disabled’ within the
Computer Configuration Settings and set to ‘Enabled’ within the User Configuration Settings, and
the authenticating user has the right to apply both policy objects, the Computer Configuration
Settings takes precedence.

Page 18

Another result could be that the two settings are combined. For example, in both the Computer
Configuration Settings and User Configuration Settings, it is possible to set ‘Administratively
assigned offline files’. If this is configured in both configurations, the settings will be combined
and all specified files will be available for offline use.
This can be advantageous to users, however it could also cause potential problems if all potential
conflicts are not understood. Therefore, careful consideration should be given to all settings that
could be involved in a potential conflict.
Note
Within the GPO Editor, each policy setting is accompanied by help text which describes in detail what the
setting is for. This text also gives details of any conflicts that could occur if the setting is available and
configured in both the Computer Configuration Settings and User Configuration Settings.

5.2.1.10 Microsoft Office Considerations


With the release of new versions of Microsoft Office, more settings become available for
administrators to take advantage of. However, there is an important difference between the Group
Policy administrative templates provided for Microsoft Office and those provided for the operating
system. Each version of Microsoft Office requires its own template to manage the configuration
options available, while each release of the Group Policy templates for Microsoft Windows includes
all settings for all previous versions of the operating system.
While the same configuration option may be available within Microsoft Word 2003 and Microsoft
Office Word 2007, the location of the registry entry controlling the options differs from one version
to the other. This means conflicts do not exist between the Office templates which can reside within
the same GPO and apply to a machine without causing any problems.
Note
While many settings are similar between the versions of Office available, it should be understood
that as newer versions become available, there are typically more settings available for an administrator to
configure from a centralised location. The settings configured for Office 2003 would have to be
duplicated in a GPO focusing on the same settings for the 2007 Office system.

When designing a GPO to configure Microsoft Office options, take into consideration that if the
target environment includes more than one version of Microsoft Office, a GPO will be required for
each version of Microsoft Office installed.
This type of scenario is common when a newer version of the application is being deployed in
stages throughout an environment. If two departments share documents and one department has
been upgraded and another has not, centrally managing the way documents are saved enables the
departments to continue sharing without raising any issues.
An administrator also needs to determine when to use Group Policy settings to enforce
configuration of an Office application feature or option and when to set the option with the Office
Customization Tool (OCT)6. While Microsoft 2007 Office system configuration options can be
customised using both Group Policy and the OCT, important differences exist between these two
approaches.
Group Policy is used to configure the available Microsoft 2007 Office system policy settings. These
settings have access control list (ACL) restrictions that prevent non-administrative users from
changing them.
The OCT is used to create a setup customisation file (.MSP file). Administrators can use the OCT
to customise features and configure user settings. However, users can modify most of the settings
after the installation.

6 Office Customization Tool in the 2007 Office system {R8}: http://technet.microsoft.com/en-us/library/cc179097.aspx

Page 19

Recommendation
If a configuration option needs to be enforced, this should be set via the Group Policy. If a configuration
option is for a preference or default state and users are therefore free to change this option, the OCT
should be used.

5.3 Default Organisational Units


With the creation of an Active Directory domain (through the running of the DC Promotion wizard
on a new Windows server) a number of containers are created to house Active Directory objects.
These objects are:

Object Type                       Name7                       Description
Built In Domain (builtinDomain)   Builtin                     Default container for built-in user accounts
Container                         Computers                   Default container for upgraded computer accounts
Container                         ForeignSecurityPrincipals   Default container for security identifiers (SIDs) associated
                                                              with objects from external, trusted domains (administrators
                                                              should not manually change the contents of this container)
Container                         Program Data                Default location for storage of application data
Container                         System                      Default container for built-in system settings
Container                         Users                       Default container for upgraded user accounts
LostAndFound                      LostAndFound                Default container for orphaned objects
msDS-QuotaContainer               NTDS Quotas                 Default quota specifications container
Organisational Unit               Domain Controllers          Default container for domain controllers

Table 7: Default Objects Created in Active Directory

During the creation of a domain, only one OU is created: the Domain Controllers OU.
Note
A common mistake is to class both the Computers container and the Users container as OUs; however,
these are default containers provided for backward compatibility and should not be used on an on-going
basis for housing new objects. As they are not OUs, GPOs cannot be linked to them, so the only GPOs that
apply to objects within them are those linked to the root of the domain, through inheritance.
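The practical follow-up to the Note above, as an added PowerShell example that is not part of the document: redirect newly created accounts away from the default Users and Computers containers with the redirusr.exe and redircmp.exe tools that ship with Windows Server, and report any objects still sitting in those containers so they can be moved into managed OUs. The target OU names are assumptions taken from Table 5.

```powershell
# Added example, not from the document: redirect new accounts away from the default
# Users and Computers containers, then report any objects still sitting in them.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
# Assumed target OUs from the example structure (Table 5).
$newComputersOu = "OU=Unmanaged Computers,OU=Computers,OU=Centralised,$domainDn"
$newUsersOu     = "OU=Unmanaged Users,OU=Users,OU=Centralised,$domainDn"

# redircmp.exe and redirusr.exe change where accounts land when they are created without an
# explicit OU. They need the Windows Server 2003 domain functional level or later, so check
# the level and that both target OUs exist before calling them.
function Set-DefaultContainerRedirect {
    param(
        [Parameter(Mandatory)] [string] $ComputersOuDn,
        [Parameter(Mandatory)] [string] $UsersOuDn
    )
    $mode = (Get-ADDomain).DomainMode
    if (@('Windows2000Domain', 'Windows2003InterimDomain') -contains "$mode") {
        throw "Domain functional level $mode is too low for container redirection."
    }
    foreach ($dn in $ComputersOuDn, $UsersOuDn) {
        if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'")) {
            throw "Target OU not found: $dn"
        }
    }
    redircmp.exe $ComputersOuDn
    if ($LASTEXITCODE -ne 0) { throw "redircmp.exe failed with exit code $LASTEXITCODE" }
    redirusr.exe $UsersOuDn
    if ($LASTEXITCODE -ne 0) { throw "redirusr.exe failed with exit code $LASTEXITCODE" }
}

# Objects that still live in the default containers. Built-in accounts (RIDs 500-502:
# Administrator, Guest, krbtgt) legitimately stay in CN=Users and are excluded.
function Get-ObjectsInDefaultContainers {
    param([Parameter(Mandatory)] [string] $DomainDn)
    Get-ADComputer -Filter * -SearchBase "CN=Computers,$DomainDn" -SearchScope OneLevel |
        ForEach-Object { [pscustomobject]@{ Type = 'computer'; Name = $_.Name; Container = 'CN=Computers' } }
    Get-ADUser -Filter * -SearchBase "CN=Users,$DomainDn" -SearchScope OneLevel |
        Where-Object { $_.SID.Value -notmatch '-(500|501|502)$' } |
        ForEach-Object { [pscustomobject]@{ Type = 'user'; Name = $_.SamAccountName; Container = 'CN=Users' } }
}

Set-DefaultContainerRedirect -ComputersOuDn $newComputersOu -UsersOuDn $newUsersOu
Get-ObjectsInDefaultContainers -DomainDn $domainDn | Format-Table -AutoSize
```

Redirection only affects accounts created from then on; the report function is what finds the accounts that arrived earlier (or were joined with tools that ignore the redirect) and are therefore receiving nothing but domain-level policy.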

5.4 Default Group Policy Objects


When an Active Directory domain is created, part of the process (amongst many other activities) is
to create two GPOs. These two GPOs are the:
  • Default Domain Policy (DDP)
  • Default Domain Controllers Policy (DDCP)
These two GPOs provide the base settings for the domain, including all objects within it, and further
settings for the DCs.

7 Some objects are not visible by default. From within Active Directory Users and Computers, the Advanced Features option
from the View menu can be selected to view all objects.

Page 20

5.4.1 Default Domain Policy


By default, the DDP contains a standard set of configuration settings that dictate a Password
Policy, Account Lockout policy, Kerberos Policy, and Public Key Policies.
The following table provides the default settings provided within the DDP.

Policy Path, with the settings it contains

Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
    Enforce password history: 24 passwords remembered
    Maximum password age: 42 days
    Minimum password age: 1 day
    Minimum password length: 7 characters
    Password must meet complexity requirements: Enabled
    Store passwords using reversible encryption: Disabled

Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy
    Account lockout duration: Not Defined
    Account lockout threshold: 0 invalid logon attempts
    Reset account lockout counter after: Not Defined

Computer Configuration > Windows Settings > Security Settings > Account Policies > Kerberos Policy
    Enforce user logon restrictions: Enabled
    Maximum lifetime for service ticket: 600 minutes
    Maximum lifetime for user ticket: 10 hours
    Maximum lifetime for user ticket renewal: 7 days
    Maximum tolerance for computer clock synchronisation: 5 minutes

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
    Network security: Force logoff when logon hours expire: Disabled

Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Autoenrollment Settings
    Enroll certificates automatically: Enabled
    Renew expired certificates, update pending certificates, and remove revoked certificates: Disabled
    Update certificates that use certificate templates: Disabled

Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypting File System
    (Accessible via right-clicking Encrypting File System and selecting Properties)
    Allow users to encrypt files using Encrypting File System (EFS): Enabled

Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities
    (Accessible via right-clicking Trusted Root Certification Authorities and selecting Properties)
    Allow users to select new root certification authorities (CAs) to trust: Enabled
    Client computers can trust the following certificate stores: Third-Party Root Certification Authorities
    and Enterprise Root Certification Authorities
    To perform certificate-based authentication of users and computers, CAs must meet the following
    criteria: Registered in Active Directory only

User Configuration > Windows Settings > Remote Installation Services
    Choice Options:
        Automatic Setup: Not Configured
        Custom Setup: Disabled
        Restart Setup: Disabled
        Tools: Disabled

Table 8: Default Domain Policy Settings

Page 21
Group Policy for Healthcare Desktop Management
Version 1.0.0.0 Baseline
Prepared by Microsoft

5.4.2 Default Domain Controllers Policy


The Default Domain Controllers Policy (DDCP), as its name suggests, targets the DCs and by
default contains configuration settings for Auditing, User Rights Assignments as well as Security
Options on the servers.
The following table provides the default settings provided within the DDCP:

Policy Path / Setting

Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
  Audit account logon events: Success
  Audit account management: Success
  Audit directory service access: Success
  Audit logon events: Success
  Audit object access: No auditing
  Audit policy change: Success
  Audit privilege use: No auditing
  Audit process tracking: No auditing
  Audit system events: Success

Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment [8]
  Access this computer from the network: BUILTIN\Pre-Windows 2000 Compatible Access, NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS, NT AUTHORITY\Authenticated Users, BUILTIN\Administrators, Everyone
  Act as part of the operating system: (none)
  Add workstations to domain: NT AUTHORITY\Authenticated Users
  Adjust memory quotas for a process: BUILTIN\Administrators, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
  Allow log on locally: BUILTIN\Print Operators, BUILTIN\Server Operators, BUILTIN\Account Operators, BUILTIN\Backup Operators, BUILTIN\Administrators
  Back up files and directories: BUILTIN\Server Operators, BUILTIN\Backup Operators, BUILTIN\Administrators
  Bypass traverse checking: BUILTIN\Pre-Windows 2000 Compatible Access, NT AUTHORITY\Authenticated Users, BUILTIN\Administrators, Everyone
  Change the system time: BUILTIN\Server Operators, BUILTIN\Administrators, NT AUTHORITY\LOCAL SERVICE
  Create a pagefile: BUILTIN\Administrators
  Create a token object: (none)
  Create permanent shared objects: (none)
  Debug programs: BUILTIN\Administrators
  Deny access to this computer from the network: ADCONTOSO\SUPPORT_388945a0
  Deny log on as a batch job: (none)
  Deny log on as a service: (none)
  Deny log on locally: ADCONTOSO\SUPPORT_388945a0
  Enable computer and user accounts to be trusted for delegation: BUILTIN\Administrators
  Force shutdown from a remote system: BUILTIN\Server Operators, BUILTIN\Administrators
  Generate security audits: NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
  Increase scheduling priority: BUILTIN\Administrators
  Load and unload device drivers: BUILTIN\Print Operators, BUILTIN\Administrators
  Lock pages in memory: (none)
  Log on as a batch job: ADCONTOSO\SUPPORT_388945a0, NT AUTHORITY\LOCAL SERVICE
  Log on as a service: NT AUTHORITY\NETWORK SERVICE
  Manage auditing and security log: BUILTIN\Administrators
  Modify firmware environment values: BUILTIN\Administrators
  Profile single process: BUILTIN\Administrators
  Profile system performance: BUILTIN\Administrators
  Remove computer from docking station: BUILTIN\Administrators
  Replace a process level token: NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
  Restore files and directories: BUILTIN\Server Operators, BUILTIN\Backup Operators, BUILTIN\Administrators
  Shut down the system: BUILTIN\Print Operators, BUILTIN\Server Operators, BUILTIN\Backup Operators, BUILTIN\Administrators
  Synchronise directory service data: (none)
  Take ownership of files or other objects: BUILTIN\Administrators

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
  Domain controller: LDAP server signing requirements: None
  Domain member: Digitally encrypt or sign secure channel data (always): Enabled
  Microsoft network server: Digitally sign communications (always): Enabled
  Microsoft network server: Digitally sign communications (if client agrees): Enabled
  Network security: LAN Manager authentication level: Send NTLM response only

Computer Configuration > Windows Components > Windows Update
  No auto-restart for scheduled Automatic Updates installations: Enabled

Table 9: Default Domain Controllers Policy Settings

[8] A number of these User Rights Assignments do not have a user/group associated with them, meaning that whilst the policy setting has been defined, no user or group has been given this user right. For example, the Act as part of the operating system policy is defined as not allowing any user/group to do this.

Note
Table 9 above contains only those User Rights Assignments visible as part of a default installation. Should
other applications such as Internet Information Services (IIS) and Terminal Services be installed, then
various User Rights Assignments will have additional user accounts such as IWAM_servername,
IUSR_servername, and TsInternetUser.

5.5 Adding or Amending the Defaults


The default values provide the basics for an initially installed Active Directory domain, but that does
not necessarily mean the requirements for most organisations are met with these values. As such,
these defaults need to be altered to better meet these requirements and provide a foundation on
which to build the rest of the domain hierarchy.
This section provides some detail around which of the defaults require amendments and why, as
well as providing a best practice approach to including these amendments.


5.5.1 Adding to the Default OUs


Only one OU is provided out of the box and this is intended for the DCs. The two other containers
which receive the most focus are the computers and users containers.
Note
As mentioned before, these containers cannot have group policies linked directly to them and as such are
not suitable for use as part of a centralised desktop management solution.

It is for this reason that additional OUs must be created to house the many objects that become
part of the domain, otherwise an administrator would need to create multiple GPOs and link all of
them to the root of the domain to ensure they are applied to the users and computers. However, to
ensure they only apply to those users and computers which should receive that configuration, a
complicated filter system would need to be created, utilising not just security groups but also
Windows Management Instrumentation (WMI) filters.
The end result would be a highly complicated implementation, becoming increasingly difficult to
administer and troubleshoot when issues occur.
Recommendation
The DCs OU should remain in its default location (as should the DC computer accounts within this OU)
due to the security-sensitive nature of their function and the DDCP being applied to them, as detailed
further in section 5.5.2.

5.5.2 Adding to the Default GPOs


The default GPOs provide a base upon which to start applying a common configuration. However,
as has been demonstrated already, the default configuration is very basic. As such, it is necessary
to build upon these GPOs to customise them to fit within your environment.
There are common areas of focus for the two default GPOs provided; domain wide security and
security hardening for DCs.
Recommendations
Due to the important roles that these default GPOs provide, it is recommended that the following process
is implemented to ensure they are not amended incorrectly or removed inadvertently.
The DDP should be copied, with the new copy renamed to Mandatory Domain Policy (MDP). The
DDP should then have its GPO Status set to Disabled and its GPO Link removed from the root of the
domain. This ensures the original master policy remains untouched in case of issues with the MDP (and
any backups of it), as the DDP is not easily recreated due to the Globally Unique Identifier (GUID)
associated with it; a new GPO created with exactly the same settings as the DDP will still have a
different GUID.
As with the DDP, the same process should be followed for the DDCP. Copy this policy and rename the
new copy to Domain Controllers Baseline. Disable the DDCP and remove its GPO Link from the built-in
Domain Controllers OU.

With the DDP and DDCP safely stored, appropriate amendments can be made to configure the
items that these policies target, commonly the Password policy and Account Lockout policy; these
amendments can now be made within the MDP GPO.
Note
The reason for naming the copy of the DDP as ‘MDP’ is to provide the policy with a more meaningful
name as to its purpose. This policy contains domain-wide security settings and will be enforced; as such
this is a mandatory domain policy.

Domain-wide security consists of stipulating a policy to ensure that passwords chosen by users conform
to a set standard (such as a minimum number of characters) and whether they must contain numbers
and special characters as well as letters. This is a decision to be made by administrators, who must
always balance the need for users to remember their passwords without writing them down against
ensuring that the network remains a secure place for data.
Table 10 provides the recommended settings for both medium- and high-secure environments as
detailed within the Microsoft security hardening guidelines for Windows networks:

Setting                                      Medium                     High
Enforce password history                     24 passwords remembered    24 passwords remembered
Maximum password age                         42 days                    42 days
Minimum password age                         1 day                      1 day
Minimum password length                      7 characters               8 characters
Password must meet complexity requirements   Enabled                    Enabled
Store passwords using reversible encryption  Enabled                    Enabled
Account lockout duration                     30 minutes                 0 minutes (Infinite)
Account lockout threshold                    10 invalid logon attempts  10 invalid logon attempts
Reset account lockout counter after          30 minutes                 30 minutes

Table 10: Password and Account Lockout Policy Recommendations

Recommendations
Organisations that want to enable users to reuse passwords sooner and keep them for longer should
reduce the number of passwords remembered (Enforce password history) and increase the maximum
password age. However, it is sensible to refrain from setting the maximum password age to the number
of days in a month (or a multiple of it), as users will tend to reuse the same password and append the
month number to the end. The number of passwords remembered should also be kept greater than 12
so as not to correspond to the number of months in the year.
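As an added example (not from the original document or any Microsoft tool), the following Python script audits the [System Access] section of a security template export against the Table 10 columns and the two cautions above (a monthly password-age cadence, and a history of 12 or fewer). It assumes the key names that secedit /export writes in GptTmpl.inf format (MaximumPasswordAge, PasswordHistorySize, LockoutBadCount and so on); the export text is a constructed sample, and the reversible encryption row of Table 10 is left out of the check.

```python
"""Audit a secedit-style export against the Table 10 recommendations.

Added example, not part of the original document. It assumes the
[System Access] key names written by `secedit /export` (GptTmpl.inf
format); the export below is a constructed sample, not a real domain.
"""
import configparser

# Constructed sample export: several rows deliberately miss Table 10.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 30
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 12
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
NewAdministratorName = "Administrator"
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Table 10 values as printed, as (Medium, High). secedit encodes
# "Enabled" as 1 and "0 minutes (Infinite)" lockout duration as 0.
TABLE_10 = {
    "PasswordHistorySize": (24, 24),
    "MaximumPasswordAge": (42, 42),
    "MinimumPasswordAge": (1, 1),
    "MinimumPasswordLength": (7, 8),
    "PasswordComplexity": (1, 1),
    "LockoutDuration": (30, 0),
    "LockoutBadCount": (10, 10),
    "ResetLockoutCount": (30, 30),
}
PROFILE_INDEX = {"medium": 0, "high": 1}


def parse_system_access(text):
    """Return the numeric [System Access] values of an export as a dict.
    A real export file is UTF-16; read it with encoding="utf-16" first."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the key case secedit writes
    cp.read_string(text)
    values = {}
    for key, raw in cp["System Access"].items():
        raw = raw.strip()
        if raw.lstrip("-").isdigit():  # skip string values such as names
            values[key] = int(raw)
    return values


def check_setting(key, actual, target):
    """Apply the comparison that makes sense for each Table 10 row."""
    if actual is None:
        return False, "not defined in export"
    if key in ("MaximumPasswordAge", "LockoutBadCount"):
        # -1 (never expires) and 0 (no lockout at all) must never pass.
        ok = 0 < actual <= target
    elif key == "LockoutDuration":
        # 0 = locked until an administrator unlocks; High requires exactly that.
        ok = actual == 0 if target == 0 else (actual == 0 or actual >= target)
    elif key == "PasswordComplexity":
        ok = actual == target
    else:
        ok = actual >= target  # history, ages, length, reset counter: at least
    return ok, f"actual {actual}, recommended {target}"


def pattern_findings(values):
    """The two cautions from the Recommendations text after Table 10."""
    findings = {}
    age = values.get("MaximumPasswordAge", 0)
    # A maximum age on a monthly cadence invites "password + month number".
    monthly = age > 0 and any(age % days == 0 for days in (28, 29, 30, 31))
    findings["MaximumPasswordAge pattern"] = (
        not monthly, f"{age} days is{'' if monthly else ' not'} a multiple of a month length")
    history = values.get("PasswordHistorySize", 0)
    findings["PasswordHistorySize > 12"] = (
        history > 12, f"{history} remembered; must exceed the 12 months of the year")
    return findings


def audit(text, profile="medium"):
    """Return {check: (ok, detail)} for one Table 10 column plus the cautions."""
    values = parse_system_access(text)
    column = PROFILE_INDEX[profile]
    findings = {}
    for key, targets in TABLE_10.items():
        findings[key] = check_setting(key, values.get(key), targets[column])
    findings.update(pattern_findings(values))
    return findings


if __name__ == "__main__":
    for profile in ("medium", "high"):
        print(f"== {profile} ==")
        for name, (ok, detail) in audit(SAMPLE_EXPORT, profile).items():
            print(f"{('PASS' if ok else 'FAIL'):4} {name}: {detail}")
```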

An additional amendment to be made to the MDP is for an environment where Microsoft Remote
Installation Services (RIS) is not utilised. As detailed in the last row of Table 8, the User
Configuration Settings are applying configuration options to be shown within the RIS welcome
screens. If RIS is not in use, these settings can be changed as follows:

Policy Path / Setting

User Configuration > Windows Settings > Remote Installation Services
  Choice Options:
    Automatic Setup: Not Configured
    Custom Setup: Not Configured
    Restart Setup: Not Configured
    Tools: Not Configured

Table 11: Removing RIS Configuration Policy Settings

Changing these settings allows the GPO Administrator to disable the User Configuration Settings of
this GPO (as no other settings within this section are configured). Disabling this section of the
GPO increases the speed at which the policy is applied and so helps the overall perceived
performance of the startup and logon sequence that users experience.


The DDCP, as stated earlier, focuses on the Domain Controllers and not on the user or client
computers. As such, typical amendments and additions to this policy are made in line with the Microsoft
Windows Server 2003 Security Guide [9]. This document focuses on the additional security measures
that organisations can take to secure their server infrastructure based on the types of servers in
use. By implementing additional security over and above the defaults provided, organisations can
reduce the surface area open to attack by malicious users. This includes disabling services as well
as setting permissions on the various Windows components that are not in use on a specific type of
server.

5.6 All Available Settings


There are currently 1400 base configuration settings available to a GPO Administrator on a
Windows XP SP2 client. With the introduction of Windows Vista, this figure has increased by
approximately 700 new settings. This does not include additional templates which can be imported
and does not cover other areas that can be managed through Group Policy, such as Microsoft
Office versions and Internet Explorer® 7. Adding in templates to cover other areas of the operating
system that would normally only be controlled via direct registry manipulation, and templates that
control the Microsoft Office suite of products, increases the number of settings to well over 8,700 [10].

As search capabilities are not included within the GPMC, finding a specific setting could be time
consuming. For this reason, Microsoft provides settings reference spreadsheets to help
administrators locate those settings that are available as well as providing additional information on
each of these settings. The spreadsheets can be downloaded from the Microsoft Web site from the
URLs given in sections 5.6.1 and 5.6.2.

5.6.1 Microsoft Windows Available Settings


Microsoft provides a spreadsheet containing all default settings available through Group Policy,
which is available for download from: http://go.microsoft.com/fwlink/?linkid=54020.
Note
This does not include any additional templates available to be imported.

This spreadsheet lists the Group Policy settings described in the Administrative Template files
(ADMX) and the Security Settings shipped with Windows Vista. This includes all Administrative
Template policy settings supported by the following operating systems:
• Windows Vista
• Microsoft Windows Server 2003
• Windows XP Professional with SP2 or earlier service packs
• Windows 2000 with SP4 or earlier service packs
This spreadsheet also includes the following categories of security policy settings:
• Microsoft Windows Server 2003
• Account Policies (Password Policy, Account Lockout Policy, and Kerberos Policy)
• Local Policies (Audit Policy, User Rights Assignment, and Security Options)
• Event Log
• Restricted Groups
• System Services
• Registry
• File System policy settings

[9] Windows Server 2003 Security Guide {R9}:
http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&DisplayLang=en
[10] This figure is derived from the available settings specified in the spreadsheets, as referenced within this document, for
Windows Vista, Windows XP Professional Service Pack 2 with Internet Explorer 7, Microsoft Office 2003 and Microsoft 2007
Office System, plus additionally available Microsoft Office products, such as Microsoft Office OneNote®, Microsoft
Publisher, Microsoft Office Visio®, Microsoft Office Groove™ and so on.

Note
This does not include security settings that exist outside of the Security Settings extension (scecli.dll),
such as the Wireless Network extension, Public Key Policies, or Software Restriction Policies.

The spreadsheet also includes:
• A separate worksheet for the security policy settings that have shipped since Windows XP SP2
• A consolidated worksheet for easy searching
Using column filters, you can easily filter the information in the spreadsheet by operating system,
component, or machine/user configuration. You can also search for information by using text or
keywords.

5.6.2 Microsoft Office Available Settings


As with the settings reference available for the built-in GPOs available as part of the operating
system, Microsoft provides settings references to the Microsoft Office product suites.

5.6.2.1 Microsoft Office 2003


The settings available through the additional templates for Microsoft Office 2003 are detailed within
a set of spreadsheets. The spreadsheets form part of the Microsoft Office 2003 Resource Kit and
can be downloaded from: http://www.microsoft.com/office/orkarchive/2003ddl.htm
From this page, download the “Office 2003 Policy template Files and Deployment Planning Tools”
(ORKSP2AT.EXE dated March 30, 2006). This executable contains a number of files covering
three areas:
• .ADM files: the Group Policy templates that would be imported to make the Office 2003 settings available within GPMC
• The available settings spreadsheets, which contain the available Office 2003 settings including User Interface (UI) options
• .OPA files: user settings files for use with the Office Custom Installation Wizard (CIW)
The spreadsheets list the Group Policy settings provided in the Administrative Template (.ADM)
files available as part of the same download. Table 12 contains information on the Group Policy
template files covered in the spreadsheets for various Office 2003 products.

Application                    Group Policy Template File
Microsoft Access™ 2003         ACCESS11.ADM
Microsoft Clip Organizer       GAL11.ADM
Microsoft Excel® 2003          EXCEL11.ADM
Microsoft FrontPage® 2003      FP11.ADM
Microsoft InfoPath® 2003       INF11.ADM
Microsoft Office 2003 [11]     OFFICE11.ADM
Microsoft OneNote® 2003        ONENT11.ADM
Microsoft Outlook® 2003        OUTLK11.ADM
Microsoft PowerPoint® 2003     PPT11.ADM
Microsoft Project 2003         PROJ11.ADM
Microsoft Publisher 2003       PUB11.ADM
Microsoft Visio 2003           Visio11.adm
Microsoft Word 2003            WORD11.ADM

Table 12: Office 2003 Group Policy Templates Covered within Settings Spreadsheet

[11] The template file, OFFICE11.ADM, contains settings that are used across the Microsoft Office 2003 applications.

While the spreadsheets contain the available settings for the Office products, they do so in a
slightly different way to the spreadsheet available for the default templates included as part of the
operating system. Table 13 provides descriptions of the fields covered in the spreadsheets.

Field: Description

Program: The name of the application.

Class: Either “Local Machine” or “Current User”, referring to the registry trees “HKEY_LOCAL_MACHINE” and “HKEY_CURRENT_USER” respectively.

Categories: The policy settings available are organised into Categories which typically follow the path required to access the option within the application’s user interface.

Policy: The name of the policy setting. This is usually that of the corresponding user interface option.

Part, Sub-Part: If the policy consists of multiple configuration options, these are provided here. Usually policies requiring more than a tick box to either enable or disable.

New?: If this setting is new to Office 2003, a “Yes” will be placed here.

SP1?: If this setting is new to Office 2003 Service Pack 1, a “Yes” will be placed here.

Policy?: If this setting can be modified through Office group policies, a “Yes” will be placed here.

CIW?: If this setting can be modified through the Custom Installation Wizard, a “Yes” will be placed here.

Possible Settings: Provides the settings that can be used for this policy.

Default Setting: The default setting that will be used if not configured. If blank, there is no default setting.

Secure Setting: This value is specified for certain security related policies only, with the setting considered to be the most secure provided.

Associated Registry Key: The registry key that relates to the specific policy or part of the policy.

Registry Value Name: The name of the registry value that relates to the specific policy or part of the policy.

Registry Values: The actual data placed within the registry to configure this policy setting. This could either be the same as the Possible Setting or a numerical value corresponding to the setting.

Notes: If provided, this gives additional information regarding the expected values or action taken by the policy.

Explanation: The text that explains what the setting is for and how it can be used. Many of these will simply state “Checks/Unchecks the corresponding user interface option” as the policy relates directly to a user interface option and as such an explanation of the policy can be found within the Office online help.

Table 13: Office 2003 Settings Spreadsheet Field Descriptions


5.6.2.2 2007 Microsoft Office System


The settings available through the additional templates for the 2007 Microsoft Office system are
detailed within a spreadsheet. This can be downloaded from:
http://go.microsoft.com/fwlink/?LinkId=78161
The download containing the spreadsheet for 2007 Office system settings also includes the .adm
template files.
The spreadsheet lists the Group Policy settings provided in the Administrative Template (.adm) files
available for the 2007 Office system products. Table 14 contains information on the Group Policy
template files covered in the spreadsheet for each of these products.

Application                                                   Group Policy Template File
Microsoft Office Access 2007                                  access12.adm
Calendar Printing Assistant for Microsoft Office Outlook 2007 cpao12.adm
Microsoft Office Excel 2007                                   excel12.adm
Microsoft Office Groove 2007                                  groove12.adm
Microsoft Office InterConnect 2007                            ic12.adm
Microsoft Office InfoPath 2007                                inf12.adm
Microsoft Office 2007 System [12]                             office12.adm
Microsoft Office OneNote 2007                                 onent12.adm
Microsoft Office Outlook 2007                                 outlk12.adm
Microsoft Office PowerPoint 2007                              ppt12.adm
Microsoft Office Project 2007                                 proj12.adm
Microsoft Office Publisher 2007                               pub12.adm
Microsoft Office SharePoint Designer 2007                     spd12.adm
Microsoft Office Visio 2007                                   visio12.adm
Microsoft Office Word 2007                                    word12.adm

Table 14: 2007 Office System Group Policy Templates Covered within Settings Spreadsheet

While the spreadsheet contains the available settings for the Office products, they do so in a
slightly different way to that of the spreadsheet available for the default templates included as part
of the operating system. Table 15 provides descriptions of the fields covered in the spreadsheet.

Field: Description

Class: Either “Local Machine” or “Current User”, referring to the registry trees “HKEY_LOCAL_MACHINE” and “HKEY_CURRENT_USER” respectively.

Categories: The first category is the application name, followed by further categories detailing the policy settings available; these are organised in a way which typically follows the path required to access the option within the application’s user interface.

Policy: The name of the policy setting. This is usually that of the corresponding user interface option.

Part: If the policy consists of multiple configuration options, these are provided here. Usually policies requiring more than a tick box to either enable or disable.

Possible Settings: Provides the settings that can be used for this policy.

Default Setting: The default setting that will be used if not configured. If blank, there is no default setting.

Associated Registry Key: The registry key that relates to the specific policy or part of the policy.

Registry Value Name: The name of the registry value that relates to the specific policy or part of the policy.

Registry Values: The actual data placed within the registry to configure this policy setting. This could either be the same as the Possible Setting or a numerical value corresponding to the setting.

Notes: If provided, this gives additional information regarding the expected values or action taken by the policy.

Explanation: The text that explains what the setting is for and how it can be used. Many of these will simply state “Checks/Unchecks the corresponding user interface option” as the policy relates directly to a user interface option and as such an explanation of the policy can be found within the Office online help.

Table 15: 2007 Office System Settings Spreadsheet Field Descriptions

[12] The template file, office12.adm, contains settings that are used across the 2007 Microsoft Office system products.

5.7 Application Deployment via Group Policy


Group Policy provides a method of distributing software to computers and users associated with
Active Directory containers such as domains, sites or OUs by utilising the software installation
extensions.
It provides the ability to have a consistent environment of managed software, provides disaster
recovery for applications (installed on Windows 2000 and XP), and allows the removal as well as
upgrading and patching of applications.
Group Policy Software Installation (GPSI) utilises the Windows Installer Service installed as part of
the operating system on Windows 2000, Windows XP, Windows Server 2003 and Windows Vista.
Recommendation
As a minimum, Windows 2000 SP3 is required to take full advantage of the Windows Installer Service that
is fully Group Policy aware. Alternatively, the Windows Installer 2.0 Redistributable [13] should be installed
on Windows 2000 clients that do not yet have SP3 installed.

5.7.1 Recommended Use and Limitations


The software installation extensions of Group Policy provide the ability to manage installed
applications and allow administrators to provide users with a reliable method of ensuring the
applications required for their job are installed in a consistent manner across multiple machines.
That said, utilising Group Policy for deploying applications does have its limitations and as such
care should be taken in understanding the different elements involved in deploying an application
using this mechanism. This will ensure the right decision is made regarding:
• The placement of the application source (a single or multiple distribution point)
• Replication between multiple distribution points
• Method of installation (assigned or published)
• Types of applications to install

[13] Windows Installer 2.0 Redistributable Windows 2000 and Windows NT 4.0 {R13}:
http://go.microsoft.com/fwlink/?LinkId=7613


5.7.2 Software Distribution Point Servers


When utilising GPSI, a software distribution share is required to allow access by those computers
and users who have an application either assigned or published to them.
This distribution share can typically reside on a server already serving as a file server but will
usually depend upon size and number of application packages required to be deployed, as well as
accessibility from all computers and users requiring the application.
There are two methods available for software distribution points:
• Universal Naming Convention (UNC) path to a server share
• Distributed File System (DFS)

5.7.2.1 UNC Paths


By using UNC paths, a user or application can specify the physical server and share names to gain
access to file information. For example: \\Server\Share\Path\File_name.ext.
However, as networks grow and as organisations begin using existing storage for new purposes,
mapping a single drive letter to individual shares becomes inefficient. Also, despite the fact that
users and applications can refer to UNC names directly, the increasing number of places users
must go to retrieve data can be overwhelming.
Caution
If using UNC paths, be aware that if in the future the software package requires moving to a different
server, the GPO Editor does not allow the changing of paths for the installation source.

5.7.2.2 DFS
DFS provides fault tolerance for software distribution points by mapping a specific logical name to
shared folders on multiple file servers. This way, software remains available for installation,
regardless of whether one of the physical servers where the software deployment files reside
becomes unavailable. DFS also improves storage scalability because administrators can deploy
additional or higher-performance file servers and present the storage on the new computers as new
directories in an existing namespace.
When using DFS in combination with Group Policy–based software deployment, organisations
benefit from its load-sharing abilities and location-independence. These features simplify
management and optimise the installation for users. Instead of allowing all users to install software
from a single server, and causing potential performance issues with the server, a DFS namespace
can distribute network traffic across multiple servers.
Recommendation
DFS should be used due to the benefits gained through fault tolerance and scalability.

5.7.3 Limitations
Whilst GPSI allows administrators to use the GPO Editor to centrally manage the installation of
software on client computers within an organisation, there are areas of software installation that
GPSI should not or cannot be used for.

5.7.3.1 Active Directory


A fundamental requirement to use GPSI is Active Directory. Applications cannot be deployed to any
client machines that are not part of an Active Directory directory services implementation.
Therefore all machines that are required to have software installed using this mechanism must
become members of the domain where Group Policy is being deployed.


5.7.3.2 Installation Status


GPSI is able to deploy, update, or remove applications on a per-user or per-computer basis, but it
should be viewed primarily as a software delivery mechanism. Deploying an application through GPSI
delivers the package to the destination computer and/or user; once delivered, it relies completely
upon the Windows Installer Service to actually install the package. With this in mind, GPSI does not
provide any detailed feedback on the status of an installation or help toward troubleshooting.

5.7.3.3 Dependencies
Applications cannot be deployed where a dependency lies between them. The reason for this is
because there is no way of specifying any order in which the applications are installed from within
GPSI.

5.7.3.4 Scheduling
When an application is made available through the GPSI, for example assigned to a user, that
application is installed when the user next logs on. It is not possible to schedule the installation of
this application and as such this could potentially result in a large number of requests for the new
application at the same time, (usually when users start work in the morning), causing additional
pressure on the network resources.

5.7.3.5 Network Bandwidth


When deploying applications to either users or computers, the available network bandwidth should
be taken into account, especially when deploying applications which are fairly large in size.
Deploying applications using GPSI does not involve any bandwidth-aware technology, for example
it cannot use just 50% of the available bandwidth allowing the user to use the other 50%.
By default, only those users connected at a greater speed than 500Kbps will receive new
assignments. This setting can be configured to a lower or higher figure as appropriate by enabling
the following Group Policy setting and specifying an alternate connection speed:

Figure 8: Group Policy Slow Link Detection

This setting can be found under Computer Configuration > Administrative Templates > System
> Group Policy.

Page 32

Another Group Policy setting can be used if applications should always be installed:

Figure 9: Software Installation Policy Processing

This setting can be found under Computer Configuration > Administrative Templates > System
> Group Policy.
Enabling the Software Installation policy processing setting exposes a check box, 'Allow
processing across a slow network connection', which, when checked, processes any GPO
containing an assigned application even across a 56 Kbps modem connection.
Recommendation
Whilst it is possible to assign applications across a slow network connection, this is not recommended
and should be avoided, as it can cause significant delays for the user involved.
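The two settings above decide between them whether a client will process assigned applications over a given link. The following PowerShell function, added here as an illustration and not part of the original guide, reads both settings as they are stored on a client and reports what the Software Installation client will do for a link of a given measured speed. The registry locations are those the two Administrative Template settings write to (GroupPolicyMinTransferRate for slow link detection; NoSlowLink under the Software Installation extension's GUID key); the 256 Kbps input is a constructed example.

```powershell
# Added example (not part of the original guide): predict how the Software
# Installation client on this computer treats a link of a given measured speed,
# from the two policy settings above as they are stored in the registry.
# GroupPolicyMinTransferRate is written by 'Group Policy slow link detection'
# (Kbps; absent = 500, 0 = never treat a link as slow). NoSlowLink under the
# Software Installation CSE key is written by 'Software Installation policy
# processing' (0 = 'Allow processing across a slow network connection' checked).
function Test-GpsiSlowLinkPolicy {
    param([Parameter(Mandatory)][int]$MeasuredKbps)

    $sysKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $sys = Get-ItemProperty -Path $sysKey -Name GroupPolicyMinTransferRate -ErrorAction SilentlyContinue
    $thresholdKbps = if ($null -ne $sys) { [int]$sys.GroupPolicyMinTransferRate } else { 500 }

    # {c6dc5466-785a-11d2-84d0-00c04fb169f7} is the Software Installation client-side extension
    $cseKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{c6dc5466-785a-11d2-84d0-00c04fb169f7}'
    $cse = Get-ItemProperty -Path $cseKey -Name NoSlowLink -ErrorAction SilentlyContinue
    $allowOnSlowLink = ($null -ne $cse) -and ([int]$cse.NoSlowLink -eq 0)

    # A link is slow when it measures below the threshold; a threshold of 0 disables detection
    $linkIsSlow  = ($thresholdKbps -ne 0) -and ($MeasuredKbps -lt $thresholdKbps)
    $willProcess = (-not $linkIsSlow) -or $allowOnSlowLink

    $warning = $null
    if ($linkIsSlow -and $allowOnSlowLink) {
        $warning = 'Assigned applications will install across a slow link; expect long startup/logon times'
    }

    [pscustomobject]@{
        MeasuredKbps    = $MeasuredKbps
        ThresholdKbps   = $thresholdKbps
        LinkIsSlow      = $linkIsSlow
        AllowOnSlowLink = $allowOnSlowLink
        GpsiWillProcess = $willProcess
        Warning         = $warning
    }
}

# Constructed input: a 256 Kbps WAN link
Test-GpsiSlowLinkPolicy -MeasuredKbps 256 | Format-List
```

Run it on a client after the GPO has applied (gpupdate /force first) rather than on the domain controller, since it reads the client's own registry. A non-empty Warning is the condition the Recommendation above says to avoid.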

5.7.3.6 Software Usage Monitoring


When an application is published to a user, the operating system allows the user to install it either
through the Add/Remove Programs Control Panel applet or through document invocation (when the
user opens a document whose file type is associated with the application to be installed). That the
application is available to the user does not mean the user will install it, so GPSI cannot provide
accurate software usage figures.
Note
If an application has been published to a user but never installed, and it is subsequently removed from
the list of published applications, it still appears in the Add/Remove Programs list until the user attempts
to install it. At that point the installation discovers that the application is no longer available and removes
the entry.

5.7.3.7 Application Packages


For full application life cycle management, installation relies on the software being packaged in
Windows Installer (.msi) format. It is possible to deploy applications that are not in this format using
a Zero Administration Package (.zap) file, but all the benefits of Windows Installer are then lost.


The benefits of using an MSI package are:


  Applications can be self-repairing
  Applications are installed using elevated privileges (ZAP files install using the credentials of the current user)
  Applications can be published or assigned (ZAP files can only be published)
  The user is in full control of the installation
  Applications can be removed if no longer required (installations through a ZAP cannot be removed using GPSI)
Recommendation
Application installs within a managed environment should use the MSI format.

With the above in mind, applications that are not currently in MSI format will require a resource to
repackage them. This can be done with various tools, such as WinINSTALL LE, which is free but
aimed at light usage; others, such as InstallShield and Wise for Windows Installer, are not free but
provide a more robust solution. This is especially useful where, for example, DLL conflicts are likely
during the deployment of a large number of applications.

5.7.4 Application Deployment Methods


Applications can be deployed using two methods, assigning and publishing. Both should be
understood so that the most suitable method is chosen and the right users obtain the right
software.

5.7.4.1 Assigning Applications


Applications can be assigned to both users and computers. When an application is assigned to a
computer, it is installed the next time the machine restarts; when assigned to a user, it is installed
at the user's next logon.
An application assigned to a computer is installed in its entirety for all users of the machine. When
assigned to a user, the application is advertised but does not completely install until its first use. If
the application package has been configured to allow it, this latter method gives a more streamlined
deployment, as only those components required at that point in time are downloaded from the
source. If a component not initially installed is required later, for example the help file, it is
downloaded and installed on demand.
A useful option for applications deployed through GPOs is the ability to remove the software once
the GPO no longer applies and the software should therefore no longer be available to the
user/computer. Within the properties of an application, the 'Uninstall this application when it
falls out of the scope of management' option accomplishes this.
Caution
If the GPO is deemed no longer to apply and the above setting has been enabled, do not delete the GPO
straight away, otherwise the application remains installed on the client machines. Instead, take the GPO
out of scope (for example by unlinking it) and allow time for the change to propagate to the client
machines and for the application to be removed before deleting the GPO.
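Both the lack of installation feedback noted in section 5.7.3.2 and the Caution above come down to knowing what the Software Installation client on a given machine currently manages. The PowerShell below is an added example (not part of the original guide or of any Microsoft tool) that lists the applications GPSI manages on a client from the AppMgmt registry key the client maintains, and switches the verbose appmgmt.log on and off via the AppMgmtDebugLevel diagnostics value. The value names under AppMgmt ('Deployment Name', 'GPO Name', 'GPO ID', 'Product ID', 'Script') are those the editor has observed on clients and should be confirmed on your own build; the GPO name 'Ward Software' in the usage line is a placeholder.

```powershell
# Added example (not part of the original guide): inventory the applications
# that Group Policy Software Installation currently manages on this client, and
# optionally turn on the verbose log at %SystemRoot%\Debug\UserMode\appmgmt.log.
# Run elevated to read the per-machine branch.
function Get-GpsiManagedApplication {
    foreach ($hive in 'HKLM', 'HKCU') {
        $root = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt"
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            # Value names as observed on clients (assumption: confirm on your build)
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Scope          = if ($hive -eq 'HKLM') { 'Computer' } else { 'User' }
                DeploymentName = $p.'Deployment Name'
                GpoName        = $p.'GPO Name'
                GpoId          = $p.'GPO ID'
                ProductCode    = $p.'Product ID'
                Script         = $p.Script      # the .aas advertisement script that was applied
            }
        }
    }
}

# AppMgmtDebugLevel = 0x4b enables verbose Software Installation logging
function Enable-AppMgmtVerboseLogging {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name AppMgmtDebugLevel -Type DWord -Value 0x4b
}

function Disable-AppMgmtVerboseLogging {
    Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics' `
        -Name AppMgmtDebugLevel -ErrorAction SilentlyContinue
}

# Usage: before deleting a GPO that had 'Uninstall this application when it falls
# out of the scope of management' set, confirm no client still lists it here.
# 'Ward Software' is a placeholder GPO name.
Get-GpsiManagedApplication | Where-Object GpoName -eq 'Ward Software' | Format-Table -AutoSize
```

Leave verbose logging off in normal operation; the log grows with every policy refresh and is only useful while reproducing a failed deployment.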

An example of assigning an application to a computer is provided in the How To guides within
APPENDIX B.


5.7.4.2 Publishing Applications


Applications can only be published to users. Publishing simply makes the application available
to the user within the Add/Remove Programs Control Panel applet, allowing the user to install it
when required. Publishing also allows the user to remove the application should they wish, whilst
it remains available to install at a later date until it is removed from the GPO.
Caution
If an application has been published to a group of users, ensure that the same group does not have a
policy applied whereby access to the Add/Remove Programs Control Panel applet has been removed.
Whilst the user would still be able to install the application through document invocation, they would be
unable to configure or remove it.


6 DEVELOP
During the Develop phase, the solution components are built based on the planning and designs
completed during the earlier phases. Further refinement of these components will continue into the
stabilisation phase.
Figure 10 acts as a high-level checklist, illustrating the sequence of events that the IT Manager
and IT Architect need to work through when planning Group Policy for desktop management within
a healthcare organisation.

Figure 10: Sequence for Developing Group Policy for Desktop Management

6.1 Baseline Settings


The following sections detail some characteristics required on computers that can be set via Group
Policy configuration settings. Common elements across all computers can be found in Table 16
below, with more specific settings detailed in the sections after.


These base settings focus on two key areas:


  Configuration of components that are common across every computer within the environment
  A general look and feel providing a consistent view to users no matter which computer they may use
This could provide the basis for the top-level baseline policies as used within the example OU and
GPO structures.

Focus: Start Menu | Function: Access to shortcuts
  Path: User Configuration > Administrative Templates > Start Menu and Taskbar
    Remove links and access to Windows Update [14]: Enabled
    Remove My Pictures icon from Start Menu [15]: Enabled
    Remove My Music icon from Start Menu [15]: Enabled
    Turn off personalised menus [14]: Enabled
    Remove Set Program Access and Defaults from Start Menu [16]: Enabled

Focus: Desktop | Function: Cleanup wizard
  Path: User Configuration > Administrative Templates > Desktop
    Remove the Desktop Cleanup Wizard [15]: Enabled

Focus: Desktop | Function: Wallpaper
  Path: User Configuration > Administrative Templates > Desktop > Active Desktop
    Active Desktop Wallpaper [14]: Enabled
      Wallpaper Name: <Path>[17]\<FileName>.jpg
      Wallpaper Style: Center

Focus: Control Panel | Function: View style
  Path: User Configuration > Administrative Templates > Control Panel
    Force classic Control Panel Style [15]: Enabled

Focus: System | Function: Welcome screen
  Path: User Configuration > Administrative Templates > System
    Don't display the Getting Started welcome screen at logon [18]: Enabled

Focus: Internet Explorer | Function: Prevent changing Internet Explorer Homepage
  Path: User Configuration > Administrative Templates > Windows Components > Internet Explorer
    Disable changing home page settings [19]: Enabled
    Disable changing Advanced page settings [19]: Enabled
    Disable changing Temporary Internet files settings [19]: Enabled
    Disable changing connection settings [19]: Enabled

Focus: Internet Explorer | Function: Prevent viewing property pages
  Path: User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel
    Disable the Security page [19]: Checked
    Disable the Content page [19]: Checked
Table 16: Group Policy Common Configuration Base Settings

[14] This setting is supported on at least Microsoft Windows 2000.
[15] This setting is supported on at least Microsoft Windows XP or Windows Server 2003.
[16] This setting is supported on at least Microsoft Windows 2000 SP3 or Windows XP SP1.
[17] Where <Path> is either a local path (C:\Windows) or a UNC path (\\Server\Share).
[18] This setting is supported on Microsoft Windows 2000 only.
[19] This setting is supported on at least Microsoft Internet Explorer version 5.0.
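Whether the Table 16 settings have actually reached a client is best checked where the Administrative Template settings land: the policy keys in the user's registry hive. The function below is an added example (not part of the original guide) that compares those keys against the expected values and reports anything missing or changed. The mapping from setting name to registry value is the editor's, taken from the corresponding ADM/ADMX templates, and should be confirmed against the templates in use; the Wallpaper value is a path string, so the check only confirms it is set. It must run in the context of the user whose policy is being checked, and complements rather than replaces gpresult /h.

```powershell
# Added example (not part of the original guide): verify on a client, as the
# logged-on user, that the Table 16 baseline settings have taken effect.
# Registry locations are the editor's mapping from the ADM/ADMX templates.
function Test-BaselineUserPolicy {
    $explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $system   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $iecp     = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

    # Setting (as named in Table 16) -> key, value name, expected data (DWORD 1 = Enabled)
    $expected = @(
        @{ Setting='Remove links and access to Windows Update';              Key=$explorer; Name='NoWindowsUpdate';          Value=1 }
        @{ Setting='Remove My Pictures icon from Start Menu';                Key=$explorer; Name='NoSMMyPictures';           Value=1 }
        @{ Setting='Remove My Music icon from Start Menu';                   Key=$explorer; Name='NoStartMenuMyMusic';       Value=1 }
        @{ Setting='Turn off personalised menus';                            Key=$explorer; Name='Intellimenus';             Value=1 }
        @{ Setting='Remove Set Program Access and Defaults from Start Menu'; Key=$explorer; Name='NoSMConfigurePrograms';    Value=1 }
        @{ Setting='Remove the Desktop Cleanup Wizard';                      Key=$explorer; Name='NoDesktopCleanupWizard';   Value=1 }
        @{ Setting='Force classic Control Panel Style';                      Key=$explorer; Name='ForceClassicControlPanel'; Value=1 }
        @{ Setting="Don't display the Getting Started welcome screen";       Key=$explorer; Name='NoWelcomeScreen';          Value=1 }
        @{ Setting='Disable changing home page settings';                    Key=$iecp;     Name='HomePage';                 Value=1 }
        @{ Setting='Disable changing Advanced page settings';                Key=$iecp;     Name='Advanced';                 Value=1 }
        @{ Setting='Disable changing Temporary Internet files settings';     Key=$iecp;     Name='Cache';                    Value=1 }
        @{ Setting='Disable changing connection settings';                   Key=$iecp;     Name='Connection Settings';      Value=1 }
        @{ Setting='Disable the Security page';                              Key=$iecp;     Name='SecurityTab';              Value=1 }
        @{ Setting='Disable the Content page';                               Key=$iecp;     Name='ContentTab';               Value=1 }
    )

    foreach ($e in $expected) {
        $actual = (Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        [pscustomobject]@{
            Setting  = $e.Setting
            Expected = $e.Value
            Actual   = $actual
            State    = if ($null -eq $actual) { 'Missing' } elseif ($actual -eq $e.Value) { 'OK' } else { 'Drift' }
        }
    }

    # Active Desktop Wallpaper writes a path string, so only check that one is set
    $wp = (Get-ItemProperty -Path $system -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
    [pscustomobject]@{
        Setting  = 'Active Desktop Wallpaper'
        Expected = '<Path>\<FileName>.jpg'
        Actual   = $wp
        State    = if ([string]::IsNullOrEmpty($wp)) { 'Missing' } else { 'OK' }
    }
}

# Show only the settings that are not as expected
Test-BaselineUserPolicy | Where-Object State -ne 'OK' | Format-Table -AutoSize
```

A 'Drift' result on a policy key is worth investigating: policy keys are ACL'd so that a standard user cannot change them, so a changed value usually means a conflicting GPO with higher precedence rather than user tampering.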


6.2 Category Settings


Based upon the categories identified and listed in section 4.2, the sections below provide further
detailed settings designed to enhance those provided by the baseline policy; these policies are
known as the incremental GPOs.

6.2.1 General Office / Administrative / Clinical


The baseline settings in Table 16 above cover the needs of this computer role, with the exception
of automatic updates and logon scripts. Which Automatic Updates policy settings are configured
depends on the method by which computers obtain their updates.
Recommendation
Updates to the Windows operating system should be carried out through a patch management application
such as Windows Server Update Services or LANDesk Patch Manager, so that updates are downloaded
once for the entire estate and installation is controlled from a central point.

The settings recommended for Automatic Updates when using a patch management solution are
outlined in section 6.3.2. Table 17 below therefore identifies only the locations for specifying logon
and logoff scripts for users and startup and shutdown scripts for computers. Note that startup and
shutdown scripts run under the Local System account, so write access to the script locations (by
default the GPO's Scripts folder in SYSVOL) must be restricted to administrators; anyone who can
edit those scripts can run code as SYSTEM on every computer the GPO applies to.

Focus: Scripts | Function: Startup
  Path: Computer Configuration > Windows Settings > Scripts (Startup/Shutdown)
    Startup: Script Name / Script Parameters

Focus: Scripts | Function: Logon
  Path: User Configuration > Windows Settings > Scripts (Logon/Logoff)
    Logon: Script Name / Script Parameters

Focus: Scripts | Function: Logoff
  Path: User Configuration > Windows Settings > Scripts (Logon/Logoff)
    Logoff: Script Name / Script Parameters

Focus: Scripts | Function: Shutdown
  Path: Computer Configuration > Windows Settings > Scripts (Startup/Shutdown)
    Shutdown: Script Name / Script Parameters
Table 17: Group Policy Logon / Logoff / Startup / Shutdown Script Settings

6.2.2 Ward, Maternity, Desktop Support and Finance


Of the computer categories identified in Table 3 on page 3, these types differ from the general
office role only in the specific software installed on them. They are therefore covered by the
Baseline Settings outlined in section 6.1 above.
The applications required by these computers could be deployed using GPSI, as detailed in
section 5.7, and the GPO building block for software installs, as detailed in section 6.3.7.

6.2.3 Public / Cybercafe, Theatre and Library Catalogue


These categories of computer are similar in that their general focus is a locked-down environment
providing a specific function, typically Internet Explorer, which all users of the machine use under a
generic logged-on account. As such the categories have been brought together under the same
machine usage type; if a specific function is not required it can be customised further to suit, as with
all categories within this section.
Microsoft provides a common scenario example, the Kiosk computer, which fits the general aim of
this computer type: computers used by the general public to provide a browser-based function. The
following table details the settings used to lock down this category of computer, along with some
additional best practice settings.


Note
If the user account has already logged on to the machine once before and, as such, a local profile has
been created, the GPO can take multiple reboots and/or logons to take effect.

Focus: Security | Function: Local Policies
  Path: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
    Shut down the system (SeShutdownPrivilege):
      Define these policy settings: Checked
      Add User or Group...: Administrators

Focus: Security | Function: Local Policies
  Path: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
    Network security: LAN Manager authentication level:
      Define this policy setting: Checked
      Value: Send NTLMv2 response only\refuse LM & NTLM

Focus: Windows | Function: Logon
  Path: Computer Configuration > Administrative Templates > System > Logon
    Run these programs at user logon [20]: Disabled
    Do not process the run once list [20]: Enabled
    Do not process the legacy run list [20]: Enabled

Focus: Windows | Function: Logon
  Path: Computer Configuration > Administrative Templates > Windows Components > Internet Explorer
    Security Zones: Use only machine settings [21]: Enabled

Focus: Windows | Function: Folder locations
  Path: User Configuration > Windows Settings > Folder Redirection > Desktop
    Desktop Properties, Target tab:
      Setting: Basic: Redirect everyone's folder to the same location
      Target folder location: Redirect to the local userprofile location
    Desktop Properties, Settings tab:
      Grant the user exclusive rights to Desktop: Checked
      Move the contents of Desktop to the new location: Checked
      Policy Removal: Leave the folder in the new location when policy is removed: Checked

Focus: Windows | Function: Folder locations
  Path: User Configuration > Windows Settings > Folder Redirection > My Documents
    My Documents Properties, Target tab:
      Setting: Basic: Redirect everyone's folder to the same location
      Target folder location: Redirect to the local userprofile location
    My Documents Properties, Settings tab:
      Grant the user exclusive rights to My Documents: Checked
      Move the contents of My Documents to the new location: Checked
      Policy Removal: Leave the folder in the new location when policy is removed: Checked

[20] This setting is supported on at least Microsoft Windows 2000.
[21] This setting is supported on at least Microsoft Internet Explorer version 5.0.


Focus: Windows | Function: Start Menu View
  Path: User Configuration > Administrative Templates > Start Menu and Taskbar
    Remove My Documents icon from Start Menu [20]: Enabled
    Remove My Pictures icon from Start Menu [22]: Enabled
    Remove Logoff on the Start Menu [20]: Enabled
    Remove and prevent access to the Shut Down command [20]: Enabled

Focus: Windows | Function: Desktop view
  Path: User Configuration > Administrative Templates > Desktop
    Hide and disable all items on the desktop [20]: Enabled
    Remove My Documents icon on the desktop [20]: Enabled

Focus: Windows | Function: Control Panel
  Path: User Configuration > Administrative Templates > Control Panel
    Prohibit access to the Control Panel [20]: Enabled

Focus: Windows | Function: Control Panel
  Path: User Configuration > Administrative Templates > Control Panel > Add or Remove Programs
    Hide Add/Remove Windows Components page [20]: Enabled

Focus: Windows | Function: Control Panel
  Path: User Configuration > Administrative Templates > Control Panel > Display
    Screen Saver timeout [23]: Disabled

Focus: Windows | Function: Shell
  Path: User Configuration > Administrative Templates > System
    Custom user interface [20]: Enabled
      Interface file name: %ProgramFiles%\Internet Explorer\IExplore.exe -k
    Prevent access to the command prompt [20]: Enabled
    Prevent access to registry editing tools [20]: Enabled
    Turn off Autoplay [20]: Enabled
      Turn off Autoplay on: All drives

Focus: Windows | Function: Security
  Path: User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options
    Remove Lock Computer [20]: Enabled
    Remove Change Password [20]: Enabled
    Remove Logoff [20]: Enabled

Focus: Windows | Function: Explorer
  Path: User Configuration > Administrative Templates > Windows Components > Windows Explorer
    Do not track Shell shortcuts during roaming [20]: Enabled
    Remove UI to change keyboard navigation indicator setting [20]: Enabled
    Turn off Windows+X hotkeys [22]: Enabled

Focus: Windows | Function: Explorer
  Path: User Configuration > Administrative Templates > Windows Components > Windows Explorer > Common Open File Dialog
    Hide the dropdown list of recent files [20]: Enabled

Focus: Internet Explorer | Function: Menus
  Path: User Configuration > Administrative Templates > Windows Components > Internet Explorer
    Search: Disable Find Files via F3 within the browser [21]: Enabled

[22] This setting is supported on at least Microsoft Windows XP or Windows Server 2003.
[23] This setting is supported on at least Microsoft Windows 2000 SP1.


Focus: Internet Explorer | Function: Menus
  Path: User Configuration > Administrative Templates > Windows Components > Internet Explorer > Browser menus
    File menu: Disable Save As... menu option [21]: Enabled
    File menu: Disable New menu option [21]: Enabled
    File menu: Disable Open menu option [21]: Enabled
    File menu: Disable Save As Web Page Complete [21]: Enabled
    File menu: Disable closing the browser and Explorer windows [21]: Enabled
    Hide Favorites menu [21]: Enabled
    Tools menu: Disable Internet Options... menu option [21]: Enabled
    Disable Context menu [21]: Enabled
    Disable Open in New Window menu option [21]: Enabled

Focus: Windows | Function: Toolbars
  Path: User Configuration > Administrative Templates > Windows Components > Internet Explorer > Toolbars
    Disable customising browser toolbar buttons [21]: Enabled
    Disable customising browser toolbars [21]: Enabled
    Configure Toolbar Buttons [21]: Enabled
Table 18: Group Policy Public / Cybercafe Settings

Additional areas of focus when providing a Kiosk based computer should also be taken into
account and these are detailed within Table 19 below:

Accessibility to Desktop: Typically not available, unless user access to additional applications is wanted, in which
case shortcut icons can be placed here. Consider using Active Desktop to provide a Web-page based
background that carries these shortcuts, or simply creating a profile that contains them.

Allow new explorer windows: The out-of-the-box settings for the Kiosk computer do not allow new windows to be
opened, the intention being that large numbers of windows are not left open, which could confuse users.
However, many Web pages provide links which, once clicked, spawn a new Internet Explorer window. If opening
new windows is not allowed, a message tells the user that this option has been removed by a policy and to see
the administrator. This is not an intuitive message and one that users do not easily understand, so consider
allowing new windows to be opened.

Allow the closing of explorer windows: If the above setting is used to allow new windows to be spawned, the
ability to close them should also be provided. If not, the result is many instances of Internet Explorer open with no
option to close them.

Mandatory Profile: Making the profile of the logged-on user mandatory ensures that any changes made (for
example Internet Explorer taken out of Full Screen mode and resized) are lost when the user logs off. When the
user logs on again, Internet Explorer opens in Full Screen mode, providing the Kiosk computer experience.

Roaming Profile: Whilst making the profile mandatory ensures a consistent state of windows and so on, making
the profile roaming enables administrators to manage it centrally and to assign the same profile to multiple users
should this method be used within their environment.

Automatic Logon: Automatic logon avoids having to tell users what the kiosk account's credentials are; it is not
a security control in itself, since anyone at the keyboard is logged on. It is typically configured through entries in
the Windows Registry (the Winlogon key), but the basic method stores the password there in plain text.
Consider instead the free downloadable Microsoft PowerToys for Windows XP [24], specifically the TweakUI
utility, which sets the Autologon credentials without writing the password in clear text to the registry. The
password is still held on the machine (as an LSA secret) and is recoverable by anyone with administrative rights
on it, so the kiosk account should have no rights beyond those the kiosk function needs.
Table 19: Kiosk Computer Additional Areas of Focus

[24] Microsoft PowerToys for Windows XP {R14}: http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx
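The two things that go wrong with kiosk autologon in practice are a password left in clear text in the Winlogon key and a kiosk account that is more privileged than it needs to be. The PowerShell below is an added example (not part of the original guide) that audits both on a kiosk machine. It reads the documented Winlogon values (AutoAdminLogon, DefaultUserName, DefaultDomainName, DefaultPassword) and resolves local Administrators membership through ADSI so that it runs on older builds without the LocalAccounts module. A password stored as an LSA secret by TweakUI or Sysinternals Autologon leaves DefaultPassword absent, which is the state the check expects; nested membership through domain groups is not resolved, so a clean result here does not replace checking the account in Active Directory.

```powershell
# Added example (not part of the original guide): audit a kiosk's automatic
# logon configuration. Run elevated on the kiosk machine.
function Test-KioskAutologon {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $w = Get-ItemProperty -Path $winlogon
    $findings = New-Object System.Collections.Generic.List[string]

    # AutoAdminLogon is a REG_SZ "1"/"0"
    if ($w.AutoAdminLogon -ne '1') {
        $findings.Add('AutoAdminLogon is not enabled')
    }

    # The basic autologon method writes DefaultPassword as a clear-text REG_SZ
    if (-not [string]::IsNullOrEmpty($w.DefaultPassword)) {
        $findings.Add('DefaultPassword is stored in clear text in the registry; remove it and store the password as an LSA secret (TweakUI / Autologon.exe) instead')
    }

    if ([string]::IsNullOrEmpty($w.DefaultUserName)) {
        $findings.Add('DefaultUserName is not set')
    } else {
        # Direct members of the local Administrators group, by name, via ADSI.
        # Assumption: domain principals appear by bare name; nested groups are not expanded.
        $members = ([ADSI]'WinNT://./Administrators,group').psbase.Invoke('Members') |
            ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
        if ($members -contains $w.DefaultUserName) {
            $findings.Add("Kiosk account '$($w.DefaultUserName)' is a direct member of local Administrators; it should be an unprivileged account")
        }
    }

    [pscustomobject]@{
        User     = $w.DefaultUserName
        Domain   = $w.DefaultDomainName
        Findings = $findings
        Pass     = ($findings.Count -eq 0)
    }
}

Test-KioskAutologon | Format-List
```

Because the LSA secret is readable by any local administrator, treat the kiosk password as known to every administrator of the machine and never reuse it for any other account.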


6.3 GPO Building Blocks


The purpose of this section is to highlight some common usage areas of Group Policy that are
typically found in organisations both large and small. Each policy described here can be used in
isolation or combined to form a wider configuration area that a GPO targets.
Note
These sample GPOs are not meant as a recommendation of configuration that should be set but are more
for providing a foundation that can be built upon should the GPO focus be required within your healthcare
organisation.

For each example given, the Group Policy settings will be provided, as well as the configuration
settings for the GPO itself, such as:
  User or computer configuration settings disabled
  Access control lists
  Block inheritance where appropriate
  Enforce where appropriate
Note
The GPO building blocks contain settings applicable to multiple versions of Microsoft Windows. The
version of Windows that each setting is targeting has been identified as part of the tables within the
building block sections below.
Where a building block contains a setting applicable to Windows Vista as well as Windows XP, the GPO
can be linked to an OU containing Windows XP clients, and the client computer ignores the setting that
is only supported on Windows Vista. Conversely, if the GPO is applied to a Windows Vista client, all
settings, including those listed for Windows XP, are applied provided the Windows Vista client supports
them.

6.3.1 Redirected Folders


This example provides the settings commonly used to support users who frequently roam between
computers, or even offices, and require continued access to their desktop and files regardless of
which computer they use.
The settings here build on the Profile configuration options of a user account, which specify a
Profile path on a server share as well as a Home Folder. This alone allows a user to roam from
computer to computer; one drawback, however, is the location of their documents. Typically users
are used to saving data to a mapped drive such as the H: or U: drive. By using the Folder Redirection
option within Group Policy, users can save their data to the familiar My Documents folder.
Transparently to the user, this folder is actually redirected to the network home share/path, so the
data is managed centrally and included in whatever backup procedures are in place for the file
servers.
Figure 11 shows the profile settings within the user's properties which link to the redirected folder
configuration detailed in Table 20.


Figure 11: User Properties Profile Settings

Table 20 details the folder redirection configuration details:

Policy Path: User Configuration > Windows Settings > Folder Redirection > Desktop
  Target tab:
    Setting: Basic: Redirect everyone's folder to the same location
    Target folder location: Create a folder for each user under the root path
    Root Path: \\ServerName\HomePath
  Settings tab:
    Grant the user exclusive rights to Desktop: Checked
    Move the contents of Desktop to the new location: Checked
    Policy Removal: Leave the folder in the new location when policy is removed

Policy Path: User Configuration > Windows Settings > Folder Redirection > My Documents
  Target tab:
    Setting: Basic: Redirect everyone's folder to the same location
    Target folder location: Create a folder for each user under the root path
    Root Path: \\ServerName\HomePath
  Settings tab:
    Grant the user exclusive rights to My Documents: Checked
    Move the contents of My Documents to the new location: Checked
    Policy Removal: Leave the folder in the new location when policy is removed
Table 20: Redirected Folders GPO Example
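'Create a folder for each user under the root path' only works safely if the root share itself is set up so that users can create their own folder but cannot browse into anyone else's; 'Grant the user exclusive rights' governs the per-user folder, not the root. The PowerShell below is an added example (not part of the original guide) that creates the root folder with the permission set Microsoft documents for folder redirection roots: the users' group gets List folder, Create folders, Read attributes and Traverse on this folder only; CREATOR OWNER gets Full Control on subfolders and files only; SYSTEM and the administrators group get Full Control throughout. The local path D:\HomePath and the CONTOSO group names are placeholders; run it as an administrator on the file server.

```powershell
# Added example (not part of the original guide): create the root share for
# Table 20 with the ACL Microsoft documents for folder redirection roots.
function New-FolderRedirectionRoot {
    param(
        [Parameter(Mandatory)][string]$Path,               # e.g. D:\HomePath, shared as \\ServerName\HomePath
        [string]$UsersGroup  = 'CONTOSO\Domain Users',     # placeholder: group whose folders live here
        [string]$AdminsGroup = 'CONTOSO\Domain Admins'     # placeholder
    )
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and drop any existing explicit ACEs, so only the rules below apply
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($r in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($r) }

    $allInherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $noInherit   = [System.Security.AccessControl.InheritanceFlags]::None
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $noProp      = [System.Security.AccessControl.PropagationFlags]::None
    $full        = [System.Security.AccessControl.FileSystemRights]::FullControl
    $allow       = [System.Security.AccessControl.AccessControlType]::Allow

    # Users: list the root and create a folder in it, nothing more (this folder only)
    $userRights = [System.Security.AccessControl.FileSystemRights]'ListDirectory, CreateDirectories, ReadAttributes, Traverse'
    $rules = @(
        New-Object System.Security.AccessControl.FileSystemAccessRule($UsersGroup, $userRights, $noInherit, $noProp, $allow)
        # Creator Owner: full control of the folder each user creates (subfolders and files only)
        New-Object System.Security.AccessControl.FileSystemAccessRule('CREATOR OWNER', $full, $allInherit, $inheritOnly, $allow)
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', $full, $allInherit, $noProp, $allow)
        New-Object System.Security.AccessControl.FileSystemAccessRule($AdminsGroup, $full, $allInherit, $noProp, $allow)
    )
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $Path -AclObject $acl

    # Share permissions can stay broad because the NTFS ACL does the work (SmbShare module, Server 2012+)
    if (Get-Command New-SmbShare -ErrorAction SilentlyContinue) {
        New-SmbShare -Name (Split-Path $Path -Leaf) -Path $Path -FullAccess 'Authenticated Users' | Out-Null
    }

    # Return the resulting ACEs for review
    (Get-Acl -Path $Path).Access
}

New-FolderRedirectionRoot -Path 'D:\HomePath'
```

With this root ACL a user who browses to \\ServerName\HomePath sees the other users' folder names but cannot open them; if even the names are sensitive, enable access-based enumeration on the share.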


Table 21 details the properties of the GPO:

Block Inheritance: Unchecked
Enforced (No Override): Unchecked
GPO Status: Computer Configuration Settings Disabled
Permissions [25]:
  Authenticated Users: Read, Apply Group Policy
  Creator Owner: (none explicitly set)
  Domain Admins (DomainName\Domain Admins): Read, Write, Create All Child Objects, Delete All Child Objects
  Enterprise Admins (DomainName\Enterprise Admins): Read, Write, Create All Child Objects, Delete All Child Objects
  System: Read, Write, Create All Child Objects, Delete All Child Objects
Table 21: Redirected Folders GPO Properties

6.3.2 WSUS
Windows Server Update Services [26] (WSUS), a free tool from Microsoft, provides patch
management for installed operating systems, as well as for a number of installed applications,
across an organisation's estate. It gives organisations a managed way to choose which updates are
applied within the environment and when they are applied.
Within a Windows operating system, the Automatic Updates feature is the client component that
keeps the computer up to date with released updates, from security patches through to service
packs, whether they come from Microsoft Update or from a server running WSUS.
Table 22 illustrates the settings configured on client computers (servers and workstations) to take
advantage of a WSUS implementation.

[25] All permissions detailed here are Allow permissions unless stated otherwise.
[26] Healthcare organisation-specific guidance is available: Windows Server Update Services 3.0 Design Guide {R1} and Windows Server Update Services Operations Guide {R2}.


Policy Path: Computer Configuration > Administrative Templates > Windows Components > Windows Update
  Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box [27]: Enabled
  Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box [27]: Not Configured (has no effect, as the option is not displayed per the setting above)
  Configure Automatic Updates [28]: Enabled
    Configure Automatic Updating: 4 - Auto download and schedule the install
    Scheduled install day: 0 - Every day
    Scheduled install time: 14:00
  Specify intranet Microsoft update service location [28]: Enabled
    Set the intranet update service for detecting updates: http://ServerName
    Set the intranet statistics server: http://ServerName
  Enable client-side targeting [28]: Enabled
    Target group name for this computer: GroupName
  Reschedule Automatic Updates scheduled installations [28]: Enabled
    Wait after system startup (minutes): 30
  No auto-restart for scheduled Automatic Updates installations [28]: Enabled
  Automatic Updates detection frequency [28]: Not Configured (the default interval of 22 hours is used)
  Allow Automatic Updates immediate installation [28]: Enabled
  Delay Restart for scheduled installations [28]: Not Configured (no effect, as No auto-restart is Enabled)
  Re-prompt for restart with scheduled installations [28]: Enabled
    Wait the following period before prompting again with a scheduled restart (minutes): 30
  Allow non-administrators to receive update notifications [28]: Not Configured
  Turn on recommended updates via Automatic Updates [29]: Enabled
  Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates [29]: Enabled
Table 22: Windows Server Update Services GPO Example

Recommendation
The setting ‘Enabling Windows Update Power Management to automatically wake up the system to
install scheduled updates’ enables healthcare organisations to take advantage of clients’ power
management functionality. For operating systems prior to Windows Vista, client machines would typically
be left on overnight to enable remote management tasks, such as applying updates, to be carried out.
This is no longer required with Windows Vista. Using this setting enables a healthcare organisation to
save energy and therefore reduce the TCO of managing a computer. See section 6.3.12 for a building
block specifically focused on Windows Vista power management.

[27] This setting is supported on at least Windows XP SP2.
[28] This setting is supported on at least Windows 2000 SP3, Windows XP SP1 and Windows Server 2003.
[29] This setting is supported on at least Windows Vista.
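The Table 22 settings all land under the WindowsUpdate policy key in the client's registry, which is where a practitioner checks that a machine is really pointed at the WSUS server with the intended schedule. The function below is an added example (not part of the original guide) that reads those values and compares them with Table 22. It also flags one thing the table does not address: the example uses http://ServerName, and a plain-HTTP update source lets anyone on the network path substitute update metadata and payloads for the client, so the WSUS server should be configured for SSL and the URL given as https://. The registry value names are the documented Windows Update policy locations; the expected values are those from Table 22 and the placeholder ServerName/GroupName are whatever your GPO contains.

```powershell
# Added example (not part of the original guide): check a client's WSUS policy
# against Table 22 and flag an http:// update source. Run on the client.
function Test-WsusClientPolicy {
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = "$wu\AU"
    $p  = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $a  = Get-ItemProperty -Path $au -ErrorAction SilentlyContinue

    # AU values as written by the Table 22 settings
    $expectedAu = @{
        NoAutoUpdate                  = 0   # Configure Automatic Updates: Enabled
        AUOptions                     = 4   #   4 - Auto download and schedule the install
        ScheduledInstallDay           = 0   #   0 - Every day
        ScheduledInstallTime          = 14  #   14:00
        UseWUServer                   = 1   # Specify intranet Microsoft update service location
        RescheduleWaitTimeEnabled     = 1   # Reschedule Automatic Updates scheduled installations
        RescheduleWaitTime            = 30  #   Wait after system startup (minutes)
        NoAutoRebootWithLoggedOnUsers = 1   # No auto-restart for scheduled installations
        AutoInstallMinorUpdates       = 1   # Allow Automatic Updates immediate installation
        RebootRelaunchTimeoutEnabled  = 1   # Re-prompt for restart with scheduled installations
        RebootRelaunchTimeout         = 30  #   every 30 minutes
        IncludeRecommendedUpdates     = 1   # Turn on recommended updates
        AUPowerManagement             = 1   # Wake the system to install scheduled updates
        NoAUShutdownOption            = 1   # Do not display 'Install Updates and Shut Down'
    }

    $findings = @(foreach ($name in $expectedAu.Keys) {
        $actual = if ($null -ne $a) { $a.$name } else { $null }
        if ($actual -ne $expectedAu[$name]) {
            "AU\$name is '$actual', expected $($expectedAu[$name])"
        }
    })

    if ($null -eq $p -or [string]::IsNullOrEmpty($p.WUServer)) {
        $findings += 'WUServer is not set; the client will use Microsoft Update directly'
    } elseif ($p.WUServer -notmatch '^https://') {
        # Plain HTTP lets an on-path attacker serve the client its own update metadata and payloads
        $findings += "WUServer '$($p.WUServer)' is not HTTPS; configure WSUS for SSL and use an https:// URL"
    }
    if ($null -ne $p -and ($p.TargetGroupEnabled -ne 1 -or [string]::IsNullOrEmpty($p.TargetGroup))) {
        $findings += 'Client-side targeting is not enabled or has no target group name'
    }

    [pscustomobject]@{
        UpdateServer = if ($p) { $p.WUServer } else { $null }
        StatusServer = if ($p) { $p.WUStatusServer } else { $null }
        TargetGroup  = if ($p) { $p.TargetGroup } else { $null }
        Findings     = $findings
        Compliant    = ($findings.Count -eq 0)
    }
}

Test-WsusClientPolicy | Format-List
```

Switching the URL to https:// requires the WSUS server to have a certificate the clients trust and SSL enabled on the WSUS web site; the statistics server URL should be changed at the same time.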


Table 23 details the properties of the GPO:

Block Inheritance: Unchecked
Enforced (No Override): Unchecked
GPO Status: User Configuration Settings Disabled
Permissions [30]:
  Authenticated Users: Read, Apply Group Policy
  Creator Owner: (none explicitly set)
  Domain Admins (DomainName\Domain Admins): Read, Write, Create All Child Objects, Delete All Child Objects
  Enterprise Admins (DomainName\Enterprise Admins): Read, Write, Create All Child Objects, Delete All Child Objects
  System: Read, Write, Create All Child Objects, Delete All Child Objects
Table 23: Windows Server Update Services GPO Properties

6.3.3 Internet Explorer


Internet Explorer comes with a multitude of configurable options, including proxy settings, security
zones and privacy settings, the ability to customise the name shown in the Internet Explorer title bar
and even a custom picture on the toolbar. As more and more applications become Web-based,
Internet Explorer is used more, and organisations wish to distinguish the browser that provides
business functions to their users from the out-of-the-box look.
Table 24 provides a sample of configuration settings that slightly change the way Internet Explorer
looks and hide certain configuration options which, should a user have access to them, could
compromise the security or usability of a Web-based application.

Policy Path: User Configuration > Windows Settings > Internet Explorer Maintenance > URLs > Important URLs
  Customise Home page URL: Checked
  Home page URL [31]: http://www.contoso.com

Policy Path: User Configuration > Windows Settings > Internet Explorer Maintenance > Browser User Interface > Browser Title
  Customise Title Bars: Checked
  Title Bar Text: Contoso

Policy Path: User Configuration > Administrative Templates > Windows Components > Internet Explorer
  Disable changing home page settings [32]: Enabled
  Disable changing Advanced page settings [32]: Enabled
  Disable changing Temporary Internet files settings [32]: Enabled
  Disable changing connection settings [32]: Enabled

Policy Path: User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel
  Disable the Security page [32]: Checked
  Disable the Content page [32]: Checked
Table 24: Example Internet Explorer GPO Configuration

[30] All permissions detailed here are Allow permissions unless stated otherwise.
[31] The example URL provided for the Home page can be replaced with one deemed more appropriate for your healthcare organisation.
[32] This setting is supported on at least Microsoft Internet Explorer version 5.0.


Table 25 details the properties of the GPO:

Block Inheritance: Unchecked
Enforced (No Override): Unchecked
GPO Status: Computer Configuration Settings Disabled
Permissions [33]:
  Authenticated Users: Read & Apply Group Policy
  Creator Owner: (none explicitly set)
  Domain Admins (DomainName\Domain Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
  Enterprise Admins (DomainName\Enterprise Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
  System: Read, Write, Create All Child Objects, and Delete All Child Objects
Table 25: Internet Explorer GPO Properties

6.3.4 Blocking Internet Explorer 7

This example is also an Internet Explorer based GPO, but one that serves a completely different function from that in section 6.3.3. Internet Explorer 7 is distributed through Automatic Updates and flagged as a high-priority update. The purpose is to keep Microsoft customers as up to date as possible and so provide a more secure environment in which to run applications and browse the Internet. A more secure browser, however, changes behaviour, so Web-based applications must be tested thoroughly before such an update is allowed to roll out. That testing takes time and resource, which may mean the update to Internet Explorer 7 needs to be delayed.
Note
Where organisations have implemented WSUS, SMS or another update management solution, the blocking of Internet Explorer 7 can be fully controlled through those technologies and this GPO solution is not required.
Also, Windows Vista includes Internet Explorer 7 and, as such, this policy has no effect on a Windows Vista client.

This GPO contains a single configuration setting:

Policy Path: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Automatic Updates Blockers
Setting: Do not allow delivery of Internet Explorer 7 through Automatic Updates [34]: Enabled
Table 26: Internet Explorer 7 Blocker GPO Example

This setting is not available through the default templates and so must be added to the GPO created for this task. The ADM template can be downloaded from http://go.microsoft.com/fwlink/?linkid=65788. The download is a compressed executable containing a number of files, two of which are:
• A command file that creates the registry key so that Automatic Updates will not install Internet Explorer 7
• An ADM template file for creating the same registry key through Group Policy

[33] All permissions detailed here are Allow permissions unless stated otherwise.
[34] This setting is supported on at least Microsoft Windows XP SP2.


Notes
Once this ADM template has been added, the setting will not be visible until the option 'Only show policy settings that can be fully managed' has been unchecked. This option is available through the View > Filtering menu with Administrative Templates highlighted. The filter hides the setting because the template writes outside the Software\Policies registry hives: it is a preference rather than a true policy, so the value is not removed when the GPO ceases to apply.
In order to allow Automatic Updates to install Internet Explorer 7, this policy setting should therefore be set to Disabled rather than simply removed or returned to Not Configured; otherwise the registry value that was created will remain and continue to disallow the installation of Internet Explorer 7.

Table 27 details the properties of the GPO:

Block Inheritance: Unchecked
Enforced (No Override): Unchecked
GPO Status: User Configuration Settings Disabled
Permissions [35]:
  Authenticated Users: Read & Apply Group Policy
  Creator Owner: (none explicitly set)
  Domain Admins (DomainName\Domain Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
  Enterprise Admins (DomainName\Enterprise Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
  System: Read, Write, Create All Child Objects, and Delete All Child Objects
Table 27: Internet Explorer 7 Blocker GPO Properties

6.3.5 Look and Feel

The Look and Feel GPO example is one that often draws an immediate response from users, as it configures every client machine in the organisation with a consistent look and feel no matter which machine a user happens to use. It is especially useful where a mix of Windows operating systems exists or where an upgrade from one operating system to another is being rolled out, for example from Windows XP to Windows Vista. The new interface that Windows Vista introduced could confuse users who have yet to be trained on it; Windows Vista can instead be made to look like a Windows XP machine [36], allowing users to work on the new operating system, and so stay up to date, while the familiar interface is retained.
Table 28 focuses on the Start menu, desktop, screen saver and Control Panel applets to provide a starting point for items that can be configured to give a consistent look:

Policy Path: User Configuration > Administrative Templates > Start Menu and Taskbar
Settings:
  Remove links and access to Windows Update [37]: Enabled
  Remove My Pictures icon from Start Menu [38]: Enabled
  Remove My Music icon from Start Menu [38]: Enabled
  Turn off personalised menus [37]: Enabled
  Remove Set Program Access and Defaults from Start Menu [39]: Enabled
  Remove Games link from Start Menu [40]: Enabled
  Remove Search Computer link [40]: Enabled
  Do not search Internet [40]: Enabled

Policy Path: User Configuration > Administrative Templates > Desktop
Setting: Remove the Desktop Cleanup Wizard [38]: Enabled

Policy Path: User Configuration > Administrative Templates > Desktop > Active Desktop
Settings:
  Active Desktop Wallpaper [37]: Enabled
  Wallpaper Name: <Path> [41]\<FileName>.jpg
  Wallpaper Style: Center

Policy Path: User Configuration > Administrative Templates > Control Panel
Setting: Force classic Control Panel Style [38]: Enabled

Policy Path: User Configuration > Administrative Templates > System
Setting: Don't display the Getting Started welcome screen at logon [42]: Enabled

Policy Path: User Configuration > Administrative Templates > Windows Components > Windows Sidebar
Setting: Turn off Windows Sidebar [40]: Enabled
Table 28: Look and Feel GPO Example

[35] All permissions detailed here are Allow permissions unless stated otherwise.
[36] While the majority of Windows Vista can be made to look like Windows XP, the green Start button is not available on Windows Vista and as such remains the Windows button (the Windows Vista Pearl).
[37] This setting is supported on at least Microsoft Windows 2000.
[38] This setting is supported on at least Microsoft Windows XP or Windows Server 2003.
[39] This setting is supported on at least Microsoft Windows 2000 SP3 or Windows XP SP1.

Table 29 details the properties of the GPO:

Block Inheritance: Unchecked
Enforced (No Override): Unchecked
GPO Status: Computer Configuration Settings Disabled
Permissions [43]:
  Authenticated Users: Read & Apply Group Policy
  Creator Owner: (none explicitly set)
  Domain Admins (DomainName\Domain Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
  Enterprise Admins (DomainName\Enterprise Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
  System: Read, Write, Create All Child Objects, and Delete All Child Objects
Table 29: Look and Feel GPO Properties

6.3.6 Security Hardening

The purpose of security hardening is to identify components of a computer that are not used and can be disabled without reducing functionality for the user, thereby reducing the attack surface open to malicious intent.
This example focuses on the user rights assignments and security option settings associated with domain membership and network access. Table 30 details these options:

Policy Path: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignments
Settings:
  Access this computer from the network
    Define these policy settings: (Checked)
    Add User or Group: Administrators
  Act as part of the operating system
    Define these policy settings: (Checked)
    Add User or Group: None (no account is able to act as part of the operating system)

Policy Path: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Settings:
  Accounts: Limit local account use of blank passwords to console logon only: Enabled
  Domain member: Digitally encrypt or sign secure channel data (always): Enabled
  Domain member: Digitally encrypt secure channel data (when possible): Enabled
  Domain member: Digitally sign secure channel data (when possible): Enabled
  Domain member: Require strong (Windows 2000 or later) session key: Enabled
  Network access: Allow anonymous SID/Name translation: Disabled
  Network access: Do not allow anonymous enumeration of SAM accounts: Enabled
  Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
  Network access: Let Everyone permissions apply to anonymous users: Disabled
  Network access: Remotely accessible registry paths: Enabled
  Network access: Shares that can be accessed anonymously: Enabled (COMCFG; DFS$)
  Network access: Sharing and security model for local accounts: Classic
  Network security: Do not store LAN Manager hash value on next password change: Enabled
  Network security: LAN Manager authentication level: Send NTLMv2 response only\refuse LM
Table 30: Security Hardening GPO Example

[40] This setting is supported on at least Windows Vista.
[41] Where <Path> is either a local path (C:\Windows) or a UNC path (\\Server\Share).
[42] This setting is supported on Microsoft Windows 2000 only.
[43] All permissions detailed here are Allow permissions unless stated otherwise.

Warning
The settings in Table 30 should be understood completely prior to their implementation, as they can have serious consequences for the operation of both client computers and applications. For example, the LAN Manager authentication level shown above prevents Windows 95 machines from communicating with a machine configured in this way, and restricting 'Access this computer from the network' to Administrators prevents ordinary users from reaching shares or printers on the computers to which the GPO applies.
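Because these options are applied by the security extension and written to the local registry, a client can be audited against Table 30 without consulting the GPO itself. The PowerShell below is an added example, not part of the original document: it lists the registry values that back the single-valued Table 30 settings (the mapping is the one Windows uses for these policies; the document itself does not list it), reads them on the local machine and reports any drift. The constructed sample at the end stands in for values collected from a client so the comparison can be run anywhere.

```powershell
# Added example (not from the original document): audit a client against the
# Table 30 security options by reading the registry values those policies set.
$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Table 30 settings that are backed by a single DWORD. "Allow anonymous SID/Name
# translation" lives in LSA policy and the two list-valued settings (remotely
# accessible registry paths, anonymously accessible shares) are multi-strings;
# they are deliberately left out of this check.
$Baseline = @(
    @{ Policy = 'Accounts: Limit local account use of blank passwords to console logon only'
       Key = $Lsa;      Name = 'LimitBlankPasswordUse';     Expected = 1 }
    @{ Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)'
       Key = $Netlogon; Name = 'RequireSignOrSeal';         Expected = 1 }
    @{ Policy = 'Domain member: Digitally encrypt secure channel data (when possible)'
       Key = $Netlogon; Name = 'SealSecureChannel';         Expected = 1 }
    @{ Policy = 'Domain member: Digitally sign secure channel data (when possible)'
       Key = $Netlogon; Name = 'SignSecureChannel';         Expected = 1 }
    @{ Policy = 'Domain member: Require strong (Windows 2000 or later) session key'
       Key = $Netlogon; Name = 'RequireStrongKey';          Expected = 1 }
    @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts'
       Key = $Lsa;      Name = 'RestrictAnonymousSAM';      Expected = 1 }
    @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
       Key = $Lsa;      Name = 'RestrictAnonymous';         Expected = 1 }
    @{ Policy = 'Network access: Let Everyone permissions apply to anonymous users'
       Key = $Lsa;      Name = 'EveryoneIncludesAnonymous'; Expected = 0 }
    @{ Policy = 'Network access: Sharing and security model for local accounts (Classic)'
       Key = $Lsa;      Name = 'ForceGuest';                Expected = 0 }
    @{ Policy = 'Network security: Do not store LAN Manager hash value on next password change'
       Key = $Lsa;      Name = 'NoLMHash';                  Expected = 1 }
    @{ Policy = 'Network security: LAN Manager authentication level (Send NTLMv2 response only\refuse LM)'
       Key = $Lsa;      Name = 'LmCompatibilityLevel';      Expected = 4 }
)

function Get-SecurityOptionValue {
    # Reads the live values into a hashtable (value name -> value). A value that
    # does not exist is simply absent and is treated as non-compliant below:
    # for these settings "not configured" is not the same as hardened.
    param([array]$Items = $Baseline)
    $live = @{}
    foreach ($item in $Items) {
        $prop = Get-ItemProperty -Path $item.Key -Name $item.Name -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $live[$item.Name] = $prop.$($item.Name) }
    }
    return $live
}

function Compare-SecurityOption {
    # Pure comparison, so it can be exercised with constructed data as well as
    # with the output of Get-SecurityOptionValue.
    param([hashtable]$Actual, [array]$Items = $Baseline)
    foreach ($item in $Items) {
        $value = $Actual[$item.Name]
        [pscustomobject]@{
            Policy    = $item.Policy
            Expected  = $item.Expected
            Actual    = $value
            Compliant = ($null -ne $value -and [int]$value -eq $item.Expected)
        }
    }
}

# Constructed sample standing in for values read from a client: compliant except
# that the LAN Manager level is 2 (Send NTLM response only) rather than 4, and
# NoLMHash has never been set.
$Sample = @{
    LimitBlankPasswordUse = 1; RequireSignOrSeal = 1; SealSecureChannel = 1
    SignSecureChannel = 1;     RequireStrongKey = 1;  RestrictAnonymousSAM = 1
    RestrictAnonymous = 1;     EveryoneIncludesAnonymous = 0; ForceGuest = 0
    LmCompatibilityLevel = 2
}
Compare-SecurityOption -Actual $Sample |
    Where-Object { -not $_.Compliant } |
    Format-Table Policy, Expected, Actual -AutoSize

# Against the machine the script runs on (HKLM is readable by standard users):
# Compare-SecurityOption -Actual (Get-SecurityOptionValue) | Where-Object { -not $_.Compliant }
```

Run on a domain member after a Group Policy refresh, an empty result means every single-valued Table 30 option has landed; rows that appear are either settings the GPO does not reach (wrong scope or filtering) or settings overridden by a later-applied policy, and both deserve investigation before the hardening is considered in force.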

Table 31 details the properties of the GPO:

Block Inheritance: Unchecked
Enforced (No Override): Unchecked
GPO Status: User Configuration Settings Disabled
Permissions [44]:
  Authenticated Users: Read & Apply Group Policy
  Creator Owner: (none explicitly set)
  Domain Admins (DomainName\Domain Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
  Enterprise Admins (DomainName\Enterprise Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
  System: Read, Write, Create All Child Objects, and Delete All Child Objects
Table 31: Security Hardening GPO Properties

[44] All permissions detailed here are Allow permissions unless stated otherwise.


Note
This security hardening GPO example highlights just a small number of the key security options that can be configured through Group Policy within an Active Directory domain. These settings were derived from the Windows XP Security Guide [45]. The Windows Vista Security Guide [46] is also available.

6.3.7 Software Installs

As the name suggests, this example GPO provides the basis for deploying a simple application, either installed on a set of computers or made available to a group of users. For more on deploying applications through Group Policy, see section 5.7.
Note
This GPO building block can take multiple reboots and/or logons to take effect, depending upon whether the application is assigned to the computer or to the user.

Table 32 details the configuration for assigning an application to a computer:

Policy Path: Computer Configuration > Software Settings > Software Installation
Setting: Package Properties: Deployment tab (created by Action > New > Package)
  Deployment type: Assigned
  Deployment options:
    Uninstall this application when it falls out of the scope of management: (Checked)
Table 32: Software Installs GPO Example

Warning
When importing a GPO that has a Software Installation package associated with it, ensure that the import source files do not have the read-only attribute set, as this causes an 'Access Denied' error when the import wizard regenerates the application assignment script (.aas file) associated with the package.

Table 33 details the properties of the GPO:

Block Inheritance: Unchecked
Enforced (No Override): Unchecked
GPO Status: Computer Configuration Settings Disabled
Permissions [47]:
  Authenticated Users: Read & Apply Group Policy
  Creator Owner: (none explicitly set)
  Domain Admins (DomainName\Domain Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
  Enterprise Admins (DomainName\Enterprise Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
  System: Read, Write, Create All Child Objects, and Delete All Child Objects
Table 33: Software Installs GPO Properties

[45] Windows XP Security Guide {R16}: http://go.microsoft.com/fwlink/?linkid=14840
[46] Windows Vista Security Guide {R17}: http://go.microsoft.com/?linkid=5639874
[47] All permissions detailed here are Allow permissions unless stated otherwise.


6.3.8 Software Restriction

It is a common requirement within an organisation to limit the types of application or file that can run on a client machine. This software restriction policy example provides the basis for specifying that no VBScript files can run except those within a particular folder, such as a logon script folder.
Table 34 details these options:

Policy Path: Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies
Settings:
  Select New Software Restriction Policies [48] (from the Action menu)
  Enforcement
    Apply software restriction policies to the following: All software files except libraries (such as DLLs)
    Apply software restriction policies to the following users: All users except local administrators

Policy Path: Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies > Security Levels
Setting: Unrestricted: Set as default (denoted by the ticked list icon)

Policy Path: Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules
Settings:
  New Path Rule (right-click Additional Rules, select New Path Rule)
    Path: *.VBS
    Security Level: Disallowed
    Description: Disallowing all .VBS files
  New Path Rule (right-click Additional Rules, select New Path Rule)
    Path: *.VBE
    Security Level: Disallowed
    Description: Disallowing all .VBE (VBScript Encoded) files
  New Path Rule (right-click Additional Rules, select New Path Rule)
    Path: \\ServerName\LoginScript\*.VBS
    Security Level: Unrestricted
    Description: Allowing all .VBS files within the LoginScript share
Table 34: Software Restriction GPO Example

The Unrestricted rule for the LoginScript share is only as strong as the permissions on that share: if users can write to it, any script they place there is exempt from the restriction, so the share and its folder should be writable by administrators only.

Table 35 details the properties of the GPO:

Block Inheritance: Unchecked
Enforced (No Override): Unchecked
GPO Status: User Configuration Settings Disabled
Permissions [49]:
  Authenticated Users: Read & Apply Group Policy
  Creator Owner: (none explicitly set)
  Domain Admins (DomainName\Domain Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
  Enterprise Admins (DomainName\Enterprise Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
  System: Read, Write, Create All Child Objects, and Delete All Child Objects
Table 35: Software Restriction GPO Properties

[48] This setting is supported on Microsoft Windows XP.
[49] All permissions detailed here are Allow permissions unless stated otherwise.


The above example has used just one of the four rule types available to specify a disallowed or unrestricted policy. The rules available are:
• Certificate Rule – Specifies that a software publisher's certificate must exist before a program is allowed to run
• Hash Rule – A digital fingerprint that uniquely identifies a software program or executable file even if the program or executable file is moved or renamed
• Internet Zone Rule – Identifies software that is downloaded from any of the zones defined in Internet Explorer, such as Internet, Intranet, Restricted Sites, Trusted Sites and My Computer
• Path Rule – Specifies either a folder, a fully qualified path to a program, or a registry path, which uses the path value stored in the registry for that application
Note
Software Restriction Policies evaluate the rules defined in a specific order. Rules that match a program more specifically take precedence over rules that match the same program more generally. The order in which the rule types are processed starts with the Hash rule, followed by the Certificate rule, the Path rule, the Zone rule and lastly the default rules (as created when a New Software Restriction Policy is created). Among path rules, a rule naming a specific folder or file takes precedence over a bare wildcard such as *.VBS, which is why the LoginScript exception in Table 34 overrides the general rule.
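The precedence described in the note is easiest to see by working the Table 34 rules against a few candidate files. The PowerShell below is an added example and not part of the original document: it models how path rules of differing specificity resolve for a given file (a simplified model of the evaluation, not the Windows engine itself) and, for verification on a client, reads back the path rules that Group Policy has actually delivered from the Safer registry key where Windows stores them. The rule set and file names are constructed; ServerName is the document's own placeholder.

```powershell
# Added example (not from the original document): models the resolution of the
# Table 34 path rules for a given file and reads back the rules a client holds.
# Level values as stored by Windows: 0 = Disallowed, 131072 = Basic User,
# 262144 = Unrestricted.
$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelName = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

# Constructed copy of Table 34 (ServerName is the document's own placeholder).
$Table34Rules = @(
    @{ Path = '*.VBS';                          Level = 0 }
    @{ Path = '*.VBE';                          Level = 0 }
    @{ Path = '\\ServerName\LoginScript\*.VBS'; Level = 262144 }
)
$Table34Default = 262144

function Get-PathRuleRank {
    # Specificity of a path rule, lower is more specific:
    # 1 exact file, 2 folder\*.ext, 3 bare *.ext, 4 folder prefix (heuristic model).
    param([string]$RulePath)
    $i = $RulePath.LastIndexOf('\')
    $leaf   = if ($i -ge 0) { $RulePath.Substring($i + 1) } else { $RulePath }
    $parent = if ($i -ge 0) { $RulePath.Substring(0, $i) }  else { '' }
    if ($RulePath -notmatch '[*?]') { if ($leaf -match '\.') { return 1 } else { return 4 } }
    if ($parent) { return 2 } else { return 3 }
}

function Test-PathRuleMatch {
    param([string]$File, [string]$RulePath)
    switch (Get-PathRuleRank $RulePath) {
        1       { return ($File -ieq $RulePath) }
        4       { return ($File -like ($RulePath.TrimEnd('\') + '\*')) }
        default { return ($File -like $RulePath) }   # -like is case-insensitive, as SRP is
    }
}

function Resolve-SaferLevel {
    # Most specific matching rule wins; equal specificity resolves to the more
    # restrictive level; no match falls through to the default level.
    param([string]$File, [array]$Rules, [int]$DefaultLevel)
    $best = $null
    foreach ($rule in $Rules) {
        if (-not (Test-PathRuleMatch -File $File -RulePath $rule.Path)) { continue }
        $rank = Get-PathRuleRank $rule.Path
        if ($null -eq $best -or $rank -lt $best.Rank -or
            ($rank -eq $best.Rank -and $rule.Level -lt $best.Level)) {
            $best = @{ Rank = $rank; Level = $rule.Level }
        }
    }
    if ($null -eq $best) { return $LevelName[$DefaultLevel] }
    return $LevelName[$best.Level]
}

function Get-SaferPathRule {
    # Path rules actually present on this client, i.e. what the GPO delivered.
    foreach ($level in 0, 131072, 262144) {
        $key = Join-Path $SaferRoot "$level\Paths"
        if (-not (Test-Path $key)) { continue }
        foreach ($ruleKey in Get-ChildItem $key) {
            $p = Get-ItemProperty $ruleKey.PSPath
            [pscustomobject]@{ Level = $LevelName[$level]; Path = $p.ItemData; Description = $p.Description }
        }
    }
}

$Cases = @(
    'C:\Users\Alice\Desktop\invoice.vbs'     # matched only by *.VBS
    '\\ServerName\LoginScript\logon.vbs'     # matched by *.VBS and by the more specific share rule
    '\\ServerName\LoginScript\payload.vbe'   # the share exception covers .VBS only
    'C:\Program Files\Contoso\app.exe'       # no rule matches: default level applies
)
foreach ($f in $Cases) {
    '{0,-42} {1}' -f $f, (Resolve-SaferLevel -File $f -Rules $Table34Rules -DefaultLevel $Table34Default)
}
# On a client: Get-SaferPathRule | Format-Table -AutoSize
```

The four cases show the behaviour the note describes: the logon script in the share runs because the share rule is more specific than the bare *.VBS rule, while an encoded .VBE file placed in the same share is still blocked because the exception was written for .VBS only, and a file matched by no rule inherits the Unrestricted default. Get-SaferPathRule is the quick check that the three rules reached a client before the model is trusted for that machine.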

6.3.9 GPO Administration

The purpose of this GPO is to ensure that the GPO administrators within an organisation who use versions of Windows prior to Windows Vista all use the most up-to-date ADM template files from their local machines, without updating the set of ADM templates held in the SYSVOL folder. For more information refer to section 8.1.2. For healthcare organisations where Windows Vista will be used to manage Group Policy, administrators have the option to utilise a new feature known as the Central Store. For more information refer to section 8.1.4.
Table 36 details these options:

Policy Path: Computer Configuration > Administrative Templates > System > Group Policy
Setting: Always use local ADM files for Group Policy Object Editor [50]: Enabled

Policy Path: User Configuration > Administrative Templates > System > Group Policy
Setting: Turn off automatic update of ADM files [51]: Enabled
Table 36: GPO Administration GPO Example

Table 37 details the properties of the GPO:

Block Inheritance: Unchecked
Enforced (No Override): Unchecked
GPO Status: Enabled
Permissions [52]:
  Authenticated Users: Read & Apply Group Policy
  Creator Owner: (none explicitly set)
  Domain Admins (DomainName\Domain Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
  Enterprise Admins (DomainName\Enterprise Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
  System: Read, Write, Create All Child Objects, and Delete All Child Objects
Table 37: GPO Administration GPO Properties

[50] This setting is supported on at least Microsoft Windows Server 2003.
[51] This setting is supported on at least Microsoft Windows 2000.

Note
The above example uses configuration settings from both the user and the computer configuration, and as such the GPO status is set to Enabled. These settings could instead be placed within other policies that take advantage of disabling either the user or the computer portion of a policy.
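Every properties table in this section repeats the same pattern: a GPO Status chosen to disable the unused half of the policy, Authenticated Users holding Read and Apply Group Policy, and edit rights confined to Domain Admins, Enterprise Admins and System. The PowerShell below is an added example and not part of the original document: using the GroupPolicy module cmdlets Get-GPO and Get-GPPermission, it checks a named set of GPOs against that pattern so the tables can be verified after the GPOs have been created or imported. The GPO display names are assumptions; the expected status of each is taken from its table. Block Inheritance and Enforced are properties of the link and container rather than of the GPO object, and are read with Get-GPInheritance instead.

```powershell
# Added example (not from the original document): verifies building-block GPOs
# against the status and permission pattern used throughout section 6.3.
# Requires the GroupPolicy module (RSAT or a domain controller).
Import-Module GroupPolicy

# The tables' wording for GPO Status mapped to the GpoStatus values Get-GPO returns.
$StatusMap = @{
    'Enabled'                                  = 'AllSettingsEnabled'
    'Computer Configuration Settings Disabled' = 'ComputerSettingsDisabled'
    'User Configuration Settings Disabled'     = 'UserSettingsDisabled'
}
# The only principals the tables grant edit rights to.
$Editors = 'Domain Admins', 'Enterprise Admins', 'SYSTEM'

function New-Check {
    param($Gpo, $Check, [bool]$Ok, $Detail)
    [pscustomobject]@{ GPO = $Gpo; Check = $Check; Result = $(if ($Ok) { 'OK' } else { "FAIL: $Detail" }) }
}

function Test-GpoProperties {
    # $Expected: GPO display name -> GPO Status wording from its properties table.
    param([hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        $gpo = Get-GPO -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $gpo) { New-Check $name 'Exists' $false 'GPO not found'; continue }

        $want = $StatusMap[$Expected[$name]]
        New-Check $name 'GPO Status' ("$($gpo.GpoStatus)" -eq $want) "is $($gpo.GpoStatus), expected $want"

        $perms = Get-GPPermission -Guid $gpo.Id -All
        $apply = @($perms | Where-Object { "$($_.Permission)" -eq 'GpoApply' })
        $edit  = @($perms | Where-Object { "$($_.Permission)" -in 'GpoEdit', 'GpoEditDeleteModifySecurity' })

        # Authenticated Users: Read & Apply Group Policy, and nobody else applies it.
        $authUsers  = @($apply | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' })
        New-Check $name 'Authenticated Users apply' ($authUsers.Count -eq 1) 'Authenticated Users lack Apply Group Policy'
        $otherApply = @($apply | Where-Object { $_.Trustee.Name -ne 'Authenticated Users' } | ForEach-Object { $_.Trustee.Name })
        New-Check $name 'No other trustee applies' ($otherApply.Count -eq 0) ('also applied by ' + ($otherApply -join ', '))

        # Edit rights limited to Domain Admins, Enterprise Admins and SYSTEM.
        $otherEdit = @($edit | Where-Object { $_.Trustee.Name -notin $Editors } | ForEach-Object { $_.Trustee.Name })
        New-Check $name 'Only admins edit' ($otherEdit.Count -eq 0) ('also editable by ' + ($otherEdit -join ', '))
    }
}

# GPO display names are assumptions; the expected status of each comes from its table.
Test-GpoProperties @{
    'Internet Explorer'  = 'Computer Configuration Settings Disabled'   # Table 25
    'Security Hardening' = 'User Configuration Settings Disabled'       # Table 31
    'GPO Administration' = 'Enabled'                                    # Table 37
} | Format-Table GPO, Check, Result -AutoSize
```

A FAIL on 'Only admins edit' or 'No other trustee applies' is the finding that matters most: a trustee outside the documented set that can edit a GPO linked to clinical workstations can change any setting in this section, so such rows should be treated as a change-control exception rather than tidied away.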

6.3.10 Microsoft Office

This building block consists of multiple GPOs, both because of the versions of Office that may be managed and because, following the best practice detailed in section 5.5.2, computer-based and user-based settings are kept separate. This section is therefore split into a computer GPO and a user GPO for each of Microsoft Office 2003 and the 2007 Microsoft Office system.

6.3.10.1 Office 2003 Computer-Based GPO

This GPO focuses on centrally managing Microsoft Office 2003 installed on workstations within the Active Directory domain. Table 38 lists the settings that set the macro security level at the computer level.

Policy Path: Computer Configuration > Administrative Templates > Microsoft Office 2003 > Security Settings
Settings:
  Access: Macro Security Level: Enabled; Security Level: High
  Excel: Macro Security Level: Enabled; Security Level: High
  Outlook: Macro Security Level: Enabled; Security Level: High
  PowerPoint: Macro Security Level: Enabled; Security Level: High
  Publisher: Macro Security Level: Enabled; Security Level: High
  Word: Macro Security Level: Enabled; Security Level: High
Table 38: Office 2003 Computer-Based GPO Example

[52] All permissions detailed here are Allow permissions unless stated otherwise.


Table 39 details the properties of the GPO.

Block Inheritance: Unchecked
Enforced (No Override): Unchecked
GPO Status: User Configuration Settings Disabled
Permissions [53]:
  Authenticated Users: Read & Apply Group Policy
  Creator Owner: (none explicitly set)
  Domain Admins (DomainName\Domain Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
  Enterprise Admins (DomainName\Enterprise Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
  System: Read, Write, Create All Child Objects, and Delete All Child Objects
Table 39: Office 2003 Computer-Based GPO Properties

Note
The default Macro Security Level for all the Microsoft Office applications configured in Table 38 is 'High', with the exception of Microsoft Access 2003, whose default is Medium.

Although the default Macro Security Level of most Microsoft Office 2003 applications is already High, configuring it through Group Policy ensures that workstations stay in that state: the policy value takes precedence over any preference a user sets, so a user who managed to change the level to Low would find it returned to High the next time the GPO was applied during normal Group Policy refresh.
Recommendation
When configuring the Macro Security Level, ensure that you provide users with a secure, yet usable, system. Setting the level to Very High allows only macros installed in a trusted location to run; other signed (or unsigned) macros are disabled. Setting the level to Low means all macros, executables and Microsoft Visual Basic for Applications (VBA) programs can run without the knowledge or approval of the user. Consider, therefore, setting the Macro Security Level to High, and change it to Medium only where absolutely necessary because of the documents being opened.

Warning
When setting the Microsoft Access 2003 Macro Security Level to either Medium or High, the latest service pack for Microsoft Jet 4.0 must be installed if unsafe expressions are also to be blocked without affecting common functionality. Windows XP Service Pack 2 includes a service pack for Microsoft Jet 4.0. If Windows XP Service Pack 2 is not installed, Microsoft Jet 4.0 Service Pack 8 should be installed. It can be downloaded from http://support.microsoft.com/kb/239114.

6.3.10.2 Office 2003 User-Based GPO

This GPO is for centrally managing Microsoft Office 2003 installed on workstations within an Active Directory domain. The settings listed below target configuration options available to the user via the Microsoft Office user interface. There are two main areas of focus for which this GPO provides settings:
• Removing access to online content, thereby improving the speed at which help is displayed to the user while also reducing network traffic out to the Internet
• Improving the user interface by hiding errors, which may confuse users, and providing additional tips/shortcut keys, which could help increase user productivity

[53] All permissions detailed here are Allow permissions unless stated otherwise.


Table 40 details these options.

Policy Path: User Configuration > Administrative Templates > Microsoft Office 2003 > Help > Help | Customer Feedback Options…
Setting: Enable Customer Experience Improvement Program: Disabled

Policy Path: User Configuration > Administrative Templates > Microsoft Office 2003 > Improved Error Reporting
Settings:
  Disable reporting of error messages: Enabled
    Check to disable reporting of error messages: Enabled
  Disable reporting of non-critical errors: Enabled
    Check to disable reporting of non-critical errors: Enabled

Policy Path: User Configuration > Administrative Templates > Microsoft Office 2003 > Shared Paths
Setting: User templates path: Enabled
  User templates path: S:\UserTemplates

Policy Path: User Configuration > Administrative Templates > Microsoft Office 2003 > Tools | Customize | Options
Settings:
  Always show full menus: Enabled
    Check to enforce setting on; uncheck to enforce setting off: Enabled
  List font names in their font: Enabled
    Check to enforce setting on; uncheck to enforce setting off: Enabled
  Menu animations: Disabled
  Show Screen Tips on Toolbars: Enabled
    Check to enforce setting on; uncheck to enforce setting off: Enabled
  Show shortcut keys in Screen Tips: Enabled
    Check to enforce setting on; uncheck to enforce setting off: Enabled

Policy Path: User Configuration > Administrative Templates > Microsoft Office 2003 > Tools | Options | General | Service Options > Online Content
Settings:
  Hide Spotlight entry point: Enabled
    Check to Hide Spotlight entry point: Enabled
  Online content options: Enabled
    Online content options: Never show online content or entry points

Policy Path: User Configuration > Administrative Templates > Microsoft Office Excel 2003 > Tools | Options… > General
Setting: Recently used file list: Enabled
  Entries on recently used file list: 8

Policy Path: User Configuration > Administrative Templates > Microsoft Office Excel 2003 > Tools | Options… > View
Setting: Startup Task Pane: Disabled

Policy Path: User Configuration > Administrative Templates > Microsoft Office Outlook 2003 > Tools | Options… > Mail Format > Message format
Setting: Message format/editor: Enabled
  Use the following Format/Editor for e-mail messages: Rich Text/Outlook
  Use Microsoft Word to read rich text e-mail messages: Disabled

Policy Path: User Configuration > Administrative Templates > Microsoft Office Outlook 2003 > Tools | Options… > Other
Setting: Empty Deleted Items Folder: Enabled
  Empty the Deleted Items folder upon exiting: Enabled

Policy Path: User Configuration > Administrative Templates > Microsoft Office PowerPoint 2003 > Tools | Options… > General
Setting: Recently used file list: Enabled
  Enable recently used file list: Enabled
  Size of recently used file list: 8

Policy Path: User Configuration > Administrative Templates > Microsoft Office PowerPoint 2003 > Tools | Options… > View
Setting: Startup Task Pane: Disabled

Policy Path: User Configuration > Administrative Templates > Microsoft Office Word 2003 > Tools | Options… > General
Setting: Recently used file list: Enabled
  Number of entries: 8

Policy Path: User Configuration > Administrative Templates > Microsoft Office Word 2003 > Tools | Options… > View > Show
Setting: Startup Task Pane: Disabled
Table 40: Office 2003 User-Based GPO Example

Table 41 details the properties of the GPO.

Block Inheritance: Unchecked
Enforced (No Override): Unchecked
GPO Status: Computer Configuration Settings Disabled
Permissions [54]:
  Authenticated Users: Read & Apply Group Policy
  Creator Owner: (none explicitly set)
  Domain Admins (DomainName\Domain Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
  Enterprise Admins (DomainName\Enterprise Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
  System: Read, Write, Create All Child Objects, and Delete All Child Objects
Table 41: Office 2003 User-Based GPO Properties

The configuration settings specified in Table 40 have been placed within a single GPO. Depending on the amount of control needed, the settings for each Microsoft Office application could instead be held in their own GPO: one containing the shared Office 2003 settings and a separate GPO for each of the applications Excel, Outlook, PowerPoint and Word.
Separating the settings into individual GPOs allows an administrator to raise a change request that amends, for example, the Word GPO only. If all the settings were contained within the same GPO, testing could take longer because the change would touch a GPO carrying a larger number of settings.
The downside of having five GPOs in this particular case, however, could outweigh the benefit because of the additional number of GPOs to administer. With the number of settings in the above building block being relatively low, a single GPO is the better choice; if the number of settings grew greatly, separate GPOs could become preferable.
Recommendation
Consider the number of settings that are to be configured within a GPO and weigh the overhead of administering many GPOs against that of maintaining a large number of settings in a single GPO: a GPO with a very large number of settings may be managed more easily if it is split into several.
It is not uncommon to have a GPO that contains a single configuration setting, if that proves easier to administer than a GPO with many settings spanning several areas of focus.

Note
It is not possible to configure the look of Microsoft Office 2003 to make it look and feel like previous
versions of Microsoft Office.

[54] All permissions detailed here are Allow permissions unless stated otherwise.


6.3.10.3 2007 Office System Computer-Based GPO

The majority of the computer-based settings previously available for Microsoft Office 2003 have been moved to the user level in the 2007 Microsoft Office system. This gives administrators greater control over which users receive a given configuration option and which do not.
The primary focus of the computer-based settings for the 2007 Office system is the security of the Internet Explorer-based functions within the Office applications. These configuration options are known as Feature Controls and were introduced with Microsoft Windows XP Service Pack 2. Feature Controls enable administrators to turn individual security restrictions on or off. The settings are typically associated with an Internet Explorer Maintenance Policy and give applications that host the WebBrowser Control finer-grained security.
Recommendation
The 2007 Office system computer-based settings should be left as Not Configured unless the effect of a specific setting on the application's functionality is fully understood.

6.3.10.4 2007 Office System User-Based GPO

This GPO focuses on centrally managing the 2007 Office system installed on workstations within an
Active Directory domain. The settings listed below target configuration options available to the
user via the Microsoft Office user interface. The GPO provides settings for three main areas:
• Removing access to online content, thereby improving the speed at which help is displayed to the
user while reducing network traffic out to the Internet
• Improving the user interface by hiding errors which may confuse users, and providing additional
tips and shortcut keys which can help increase user productivity
• Ensuring compatibility with previous versions of Microsoft Office, which is useful during a
staged deployment of the 2007 Office system 55
Table 42 details these options.

Policy Path: User Configuration > Administrative Templates > Microsoft Office 2007 system > Global Options > Customize
Settings:
  Always show full menus: Enabled
  List font names in their font: Enabled
  Menu animations: Disabled
  Show Screen Tips on Toolbars: Enabled
  Show shortcut keys in Screen Tips: Enabled

Policy Path: User Configuration > Administrative Templates > Microsoft Office 2007 system > Help
Settings:
  Microsoft Office Online: Disabled

Policy Path: User Configuration > Administrative Templates > Microsoft Office 2007 system > Improved Error Reporting
Settings:
  Disable reporting of error messages: Enabled
  Disable reporting of non-critical errors: Enabled

Policy Path: User Configuration > Administrative Templates > Microsoft Office 2007 system > Privacy > Trust Center
Settings:
  Automatically receive small updates to improve reliability: Disabled
  Enable Customer Experience Improvement Program: Disabled

Policy Path: User Configuration > Administrative Templates > Microsoft Office 2007 system > Shared Paths
Settings:
  User templates path: Enabled; User templates path: S:\UserTemplates

Policy Path: User Configuration > Administrative Templates > Microsoft Office 2007 system > Tools | Options | General | Service Options… > Online Content
Settings:
  Hide Spotlight entry point: Enabled
  Online content options: Enabled; Online content options: Never show online content or entry points

Policy Path: User Configuration > Administrative Templates > Microsoft Office 2007 system > Tools | Options | General | Web Options…
Settings:
  Disable access to updates, add-ins, and patches on the Office Online website: Enabled
  Disable customer-submitted templates downloads from Office Online: Enabled
  Prevents users from uploading document templates to the Office Online community: Enabled

Policy Path: User Configuration > Administrative Templates > Microsoft Office Excel 2007 > Excel Options > Save
Settings:
  Save Excel files as: Enabled; Save Excel files as: Excel 97-2003 Workbook (*.xls)

Policy Path: User Configuration > Administrative Templates > Microsoft Office Outlook 2007 > Tools | Options… > Other
Settings:
  Empty the Deleted Items folder when Outlook closes: Enabled

Policy Path: User Configuration > Administrative Templates > Microsoft Office PowerPoint 2007 > PowerPoint Options > Save
Settings:
  Save files in this format: Enabled; Save files in this format: PowerPoint 97-2003 Presentation (*.ppt)

Policy Path: User Configuration > Administrative Templates > Microsoft Office Word 2007 > Block file formats > Save
Settings:
  Block saving of Open XML file types: Enabled

Policy Path: User Configuration > Administrative Templates > Microsoft Office Word 2007 > Word Options > Save
Settings:
  Compatibility mode on file creation: Enabled
  Save files in this format: Enabled; Save files in this format: Word 97 – 2003 Document (*.doc)

Policy Path: User Configuration > Administrative Templates > Microsoft Office Word 2007 > Word Options > Security > Trust Center
Settings:
  VBA Macro Warning Settings: Enabled; No Warnings for all macros but disable all macros
Table 42: 2007 Office System User-Based GPO Example

55 For information about migrating from Office 2003 to the 2007 Office System, please refer to the 2007 Microsoft Office System Migration Guide {R19}.

Table 43 details the properties of the GPO.

Block Inheritance: Unchecked
Enforced (No Override): Unchecked
GPO Status: Computer Configuration Settings Disabled
Permissions 56:
  Authenticated Users: Read, Apply Group Policy
  Creator Owner: (none explicitly set)
  Domain Admins (DomainName\Domain Admins): Read, Write, Create All Child Objects, Delete All Child Objects
  Enterprise Admins (DomainName\Enterprise Admins): Read, Write, Create All Child Objects, Delete All Child Objects
  System: Read, Write, Create All Child Objects, Delete All Child Objects
Table 43: 2007 Office System User-Based GPO Properties

56 All permissions detailed here are Allow permissions unless stated otherwise.

Page 59
Group Policy for Healthcare Desktop Management
Version 1.0.0.0 Baseline
Prepared by Microsoft

Note
The 'Save files in this format' settings above allow a healthcare organisation to continue using a file
format that is supported across an environment with multiple versions of Microsoft Office. Once all
workstations have been upgraded to the 2007 Microsoft Office system, these settings can be set back to
'Not Configured', which returns the default file type to the Open XML (Extensible Markup Language)
formats now used by the Microsoft Office applications. The 'Block saving of Open XML file types' setting
enforces this further by preventing users from choosing an Open XML format manually, and must be
reverted at the same time.

Note
It is not possible to configure the 2007 Office system to look and feel like previous versions of
Microsoft Office.

Note
Table 42 sets 'VBA Macro Warning Settings' for Word only. The same setting exists for each of the other
2007 Office applications (for example Excel, PowerPoint and Access) under that application's Security >
Trust Center path; the Word setting has no effect on them, so it should be configured for every
application in which users do not need to run macros.

While this example GPO includes settings which aid migration from one Office version to another, it
is worth mentioning the Microsoft Office Compatibility Pack. This Compatibility Pack 57 allows users of
Office 2003 to open files saved in the default file format of the 2007 Office system.
The 2007 Microsoft Office System Migration Guide 58, which specifically focuses on the migration from
previous Microsoft Office versions to the 2007 Office system, is also available to healthcare
organisations.

6.3.10.5 Disabling Microsoft Office Menus and Buttons

As part of planning the deployment and management of Microsoft Office, there may be certain tasks
that users should not have access to. It is possible to disable application functionality by menu
item, button and shortcut key.
The predefined Group Policy settings cover only a few options. They are located in the following
path within the GPO:
User Configuration > Administrative Templates > Microsoft Office Application Version >
Disable items in user interface > Predefined
where Application is Access, Excel, PowerPoint, Word and so on, and Version is either 2003 or 2007.
From this location it is possible to specify the commands, the shortcut keys, or both, that are to be
disabled. However, the predefined set of commands represents only a fraction of the commands
available within the application's user interface.
Another path within the GPO, Disable items in user interface > Custom, takes the identifiers of the
commands which Group Policy should disable. This requires discovering the Command Name and Policy
ID 59 of the option to be disabled. Whilst Microsoft provides a spreadsheet to enable administrators
to identify the Policy IDs for the 2007 Office system, it does not do so for Microsoft Office 2003.

57 Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 file formats {R20}: http://office.microsoft.com/en-us/products/HA101686761033.aspx
58 2007 Microsoft Office System Migration Guide {R19}: http://www.microsoft.com/industry/healthcare/technology/hpo/office/2007officesystemmigration.aspx
59 The spreadsheet providing the command Control IDs and Policy IDs can be downloaded from 2007 Office System Document: Lists of Control IDs {R21}: http://go.microsoft.com/fwlink/?LinkId=80644. This download page provides links to two files, 2007OfficeControlIDsExcel2003.exe and 2007OfficeControlIDsExcel2007.exe, which contain the Control IDs for the Microsoft Office suite of products.


To discover the Policy ID for a Microsoft Office 2003 application command, create a VBA macro that
displays the information, for example in a message box. This process is described in Managing
Users' Configurations by Policy 60 within the Microsoft Office 2003 Resource Kit.
To disable a keyboard shortcut, the policy setting requires both the key and the modifier ID, entered
as key,modifier. These are derived from the values associated with the key strokes.
Table 44 details the values.

Modifier or Key: Value
  ALT: 16
  CONTROL (CTRL): 8
  SHIFT: 4
  A-Z: the sequential number between 65 and 90 for the letter, where A = 65 and Z = 90
Table 44: Shortcut Key and Modifier Values

Should multiple modifiers be used, the values are added together. For example, if CTRL + ALT are
used, the modifier is 24.
The process below uses the example of disabling the Insert > Hyperlink option within Microsoft
Word 2003, which has a Policy ID of 1576 and a keyboard shortcut key and modifier ID of 75,8
(CTRL+K: K = 75, CTRL = 8).
1. Open Microsoft Word 2003 and select Insert > Hyperlink.
2. The Insert Hyperlink dialog box appears, allowing the user to select or type the hyperlink. The
same dialog can be opened with the shortcut key CTRL+K.
3. Click Cancel and close Microsoft Word 2003.
4. Amend the appropriate GPO on the Domain Controller with the following entries:

60 Managing Users' Configurations by Policy {R22}: http://office.microsoft.com/en-us/ork2003/HA011402401033.aspx


Policy Path: User Configuration > Administrative Templates > Microsoft Office Word 2003 > Disable items in user interface > Custom
Settings:
  Disable command bar buttons and menu items: Enabled; Enter a command bar ID to disable: 1576
  Disable shortcut keys: Enabled; Enter a key and modifier to disable: 75,8

5. On the client workstation, update the group policies by running the following command within a
Command Prompt:
C:\>gpupdate /force /wait:0
This re-applies the policies on the workstation; /wait:0 returns to the prompt without waiting for
the refresh to finish.
6. Open Microsoft Word 2003 and select the Insert menu. The Hyperlink option is now disabled, with a
customised message stating: Insert Hyperlink: Disabled by the IT Dept. Call Ext 12345 for further
assistance. (Ctrl+K)

The default message of 'Disabled by your system administrator' can be customised, as in step 6, using
the following Group Policy setting: User Configuration > Administrative Templates > Microsoft Office
2003 > Disable items in user interface > Tooltip for disabled toolbar buttons and menu items.
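The steps above can also be scripted. The following is an added example, not part of the original guidance, written for the Group Policy PowerShell module (GPMC on Windows Server 2008 R2 or later) rather than the GPMC editor available when this document was written. It derives the key,modifier value from Table 44 and writes the two Custom policies of step 4 directly into the GPO. The GPO name is a placeholder, and the registry key and value names are the editor's understanding of what the office11.adm template writes for these policies, not something this document states; the final check shows how to confirm them.

```powershell
# Added example, not part of the original guidance. Configures the two Word 2003
# "Disable items in user interface > Custom" policies from PowerShell and derives the
# key/modifier ID from a shortcut such as "CTRL+K".
# Assumptions: the GPO name is a placeholder; the registry locations are the editor's
# understanding of what office11.adm writes for these policies (verify with the check
# at the end before relying on them).
Import-Module GroupPolicy

# Table 44: modifier values add together; letters use their ASCII code (A=65 .. Z=90).
$ModifierValues = @{ ALT = 16; CTRL = 8; CONTROL = 8; SHIFT = 4 }

function ConvertTo-OfficeShortcutId {
    # "CTRL+K" -> "75,8"; "CTRL+ALT+K" -> "75,24" (the key,modifier format the policy expects).
    param([Parameter(Mandatory)][string]$Shortcut)
    $parts = @($Shortcut.ToUpperInvariant() -split '\+' | ForEach-Object { $_.Trim() })
    if ($parts.Count -lt 2) { throw "Shortcut '$Shortcut' needs at least one modifier and a key" }
    $key = $parts[-1]
    if ($key -notmatch '^[A-Z]$') { throw "Only letter keys A-Z are covered by Table 44, got '$key'" }
    $modifier = 0
    foreach ($m in $parts[0..($parts.Count - 2)]) {
        if (-not $ModifierValues.ContainsKey($m)) { throw "Unknown modifier '$m' in '$Shortcut'" }
        $modifier += $ModifierValues[$m]
    }
    return '{0},{1}' -f [int][char]$key, $modifier
}

function Set-Word2003DisabledItems {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [int[]]$CommandBarIds = @(),     # Policy IDs, e.g. 1576 = Insert > Hyperlink
        [string[]]$Shortcuts  = @()      # e.g. 'CTRL+K'
    )
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $GpoName | Out-Null }
    $word = 'HKCU\Software\Policies\Microsoft\Office\11.0\Word'   # assumed template key root

    if ($CommandBarIds.Count -gt 0) {
        # "Disable command bar buttons and menu items": Enabled, IDs listed as TCID1..TCIDn
        Set-GPRegistryValue -Name $GpoName -Key "$word\DisabledCmdBarItemsCheckBox" `
            -ValueName 'DisabledCmdBarItemsCheckBox' -Type DWord -Value 1 | Out-Null
        $n = 1
        foreach ($id in $CommandBarIds) {
            Set-GPRegistryValue -Name $GpoName -Key "$word\DisabledCmdBarItemsList" `
                -ValueName "TCID$n" -Type String -Value "$id" | Out-Null
            $n++
        }
    }
    if ($Shortcuts.Count -gt 0) {
        # "Disable shortcut keys": Enabled, each entry is "key,modifier"
        Set-GPRegistryValue -Name $GpoName -Key "$word\DisabledShortcutKeysCheckBox" `
            -ValueName 'DisabledShortcutKeysCheckBox' -Type DWord -Value 1 | Out-Null
        $n = 1
        foreach ($s in $Shortcuts) {
            Set-GPRegistryValue -Name $GpoName -Key "$word\DisabledShortcutKeysList" `
                -ValueName "TCID$n" -Type String -Value (ConvertTo-OfficeShortcutId $s) | Out-Null
            $n++
        }
    }
}

# Worked example from the text: Insert > Hyperlink (Policy ID 1576) and its CTRL+K shortcut.
Set-Word2003DisabledItems -GpoName 'Office 2003 User Lockdown' -CommandBarIds 1576 -Shortcuts 'CTRL+K'

# Check: the values must appear under their policy names in the GPO report. If they show up
# under "Extra Registry Settings", the key names do not match the template and must be corrected.
Get-GPOReport -Name 'Office 2003 User Lockdown' -ReportType Html -Path "$env:TEMP\office-lockdown.html"
```

The tooltip text of step 6 is still set through the 'Tooltip for disabled toolbar buttons and menu items' policy in the GPMC editor; the script deliberately leaves it alone because its registry location is not covered by this document.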

6.3.11 Removable Storage Devices


Prior to Windows Vista, organisations have struggled to prevent users from inserting a USB key
and copying data onto it. In a healthcare environment, where the safety and security of patient
data is paramount, IT departments have had an uphill battle in stopping data being copied onto
removable storage devices, and have lacked a controlled and managed way of doing so. Historically
this has been handled by securing files such as USBSTOR.INF (the installation file for USB mass
storage devices) with restrictive permissions, or by disabling the USB Host Controller or USB Root
Hub.
With Windows Vista, an IT department can use Group Policy to manage which removable storage
devices can be used within the environment. The policy settings can be used to:
• Prevent the installation of a device
• Allow a device to be installed only if it is on the Approved list
• Prevent a device from being installed if it is on the Prohibited list
• Deny either read or write access to removable storage devices
Note
If a device class has been specified in both the Approved list and the Prohibited list, the device will not
be installed, as the Prohibited list takes precedence.

The removable storage device types which can be managed by policy settings, by default, within
Windows Vista are:
• CD and DVD drives
• Floppy Disk drives (including USB floppy drives)
• Removable Disk drives, such as USB keys
• Tape drives
• WPD devices (Windows Portable Devices such as music players, phones and Personal Digital
Assistants (PDAs))
The ability to specify a custom class is also provided for devices that do not fit into the above
categories but need to be controlled.
The policy settings which specify whether removable storage devices can be read from or written
to are available as both user-based and computer-based policy. This allows an administrator
granular control over which users can use these devices and which cannot.
However, the policy settings which control device installation are only available as
computer-based policy. A common scenario is to prevent the installation of devices on users'
computers whilst still allowing administrators to install them. The removable storage access
settings then further define whether users can only read from these devices, or write to them as
well.
Note that the installation restrictions are evaluated when a device is installed: a device whose
driver was installed before the policy reached the computer remains installed and usable, so the
read and write restrictions of Table 47 are still needed to control devices that are already
present.
This GPO building block is split into two components. One component focuses on device
installation and, as such, is a computer-based GPO. The second focuses on device usability by the
user and, as such, is a user-based GPO. This follows the best practice approach of separating
computer-based policy settings from user-based policy settings where possible, as detailed in
section 5.5.2.


Table 45 details the device installation options:

Policy Path: Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
Settings:
  Display a custom message when installation is prevented by a policy (balloon text) 61: Enabled
    Enter the text you wish users to see (Max 128 chars) Detail Text: You are not authorised to install this type of device. For further assistance, please call the Helpdesk on ext. xxxx 62.
  Display a custom message when installation is prevented by a policy (balloon title) 61: Enabled
    Enter the text you wish users to see (Max 63 chars) Detail Text: Unauthorised Device Installation Attempt.
  Allow installation of devices using drivers that match any of these device IDs 61: Enabled
    Device IDs (Show > Add): USBSTOR\DiskWD______1600BEVExternal_
  Prevent installation of devices not described by other policy settings 61: Enabled
Table 45: Removable Storage Devices Installation GPO Example

Recommendation
A policy setting exists to allow administrators to continue to install devices regardless of the other
configuration options: 'Allow administrators to override Device Installation Restrictions policies'. While
this setting would let an administrator install a device, it can confuse users.
When it is enabled, rather than displaying a warning or the custom message configured above, Windows
prompts the user for administrative credentials. This can result in a call to the helpdesk requesting
help to install the device or, if the user clicks Cancel, the installation stops without any further
feedback, again resulting in a potential helpdesk call.
It is therefore recommended not to enable this setting but instead to create a security group containing
the users who should not be subject to these restrictions, and to deny that group the Apply Group Policy
right in the permissions of the GPO.

Table 46 details the properties of the GPO:

Block Inheritance: Unchecked
Enforced (No Override): Unchecked
GPO Status: User Configuration Settings Disabled
Permissions 63:
  Authenticated Users: Read, Apply Group Policy
  SG GPO Allow Removable Storage Device Install: Deny Read, Deny Apply Group Policy
  Creator Owner: (none explicitly set)
  Domain Admins (DomainName\Domain Admins): Read, Write, Create All Child Objects, Delete All Child Objects
  Enterprise Admins (DomainName\Enterprise Admins): Read, Write, Create All Child Objects, Delete All Child Objects
  System: Read, Write, Create All Child Objects, Delete All Child Objects
Table 46: Removable Storage Devices Installation GPO Properties

61 This setting is supported on at least Windows Vista.
62 The example text provided for the custom message should be replaced with one deemed appropriate for your healthcare organisation.
63 All permissions detailed here are Allow permissions unless stated otherwise.

Table 47 details the removable storage access options:

Policy Path: User Configuration > Administrative Templates > System > Removable Storage Access
Settings:
  CD and DVD: Deny write access 64: Enabled
  Removable Disks: Deny write access 64: Enabled
  Floppy Drives: Deny write access 64: Enabled
  Tape Drives: Deny write access 64: Enabled
  WPD Devices: Deny write access 64: Enabled
Table 47: Removable Storage Read and Write Access GPO Example

Note
In this example GPO, write access is denied to the users to whom the GPO applies. The Removable Disks
setting is included because, in conjunction with the settings in Table 45, only the approved device can
be installed: an unapproved USB key will not be installed at all, while write access to any removable
disk that is installed is denied by this setting.
To allow specific users to write to certain removable devices, use a security group which is denied the
Apply Group Policy right within the permissions of the GPO.

Table 48 details the properties of the GPO:

Block Inheritance: Unchecked
Enforced (No Override): Unchecked
GPO Status: Computer Configuration Settings Disabled
Permissions 65:
  SG GPO Removable Storage Deny Write: Read, Apply Group Policy
  Creator Owner: (none explicitly set)
  Domain Admins (DomainName\Domain Admins): Read, Write, Create All Child Objects, Delete All Child Objects
  Enterprise Admins (DomainName\Enterprise Admins): Read, Write, Create All Child Objects, Delete All Child Objects
  System: Read, Write, Create All Child Objects, Delete All Child Objects
Table 48: Removable Storage Read and Write Access GPO Properties

Recommendation
The above example illustrates a simple introduction of a removable storage device policy, should one be
required. If more granular control is needed, such as the configuration of custom classes or the
specifying of compatible IDs, further details and guidance are available in the article Step-By-Step
Guide to Controlling Device Installation and Usage with Group Policy 66, which should be read in
conjunction with this document.
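The two GPOs above, and the group exemption the Recommendation describes, can also be built from PowerShell. This is an added example, not part of the original guidance; it uses the Group Policy and Active Directory PowerShell modules (available from Windows Server 2008 R2), takes the GPO and group names from Tables 45 to 48 as placeholders, and relies on the editor's understanding of the registry locations written by the Device Installation Restrictions and Removable Storage Access policies and of the device setup class GUIDs those policies use. Verify the resulting GPO report before deployment.

```powershell
# Added example, not part of the original guidance. Builds the two building-block GPOs of
# this section with the GroupPolicy module and exempts a security group by denying it the
# Apply Group Policy right, as the Recommendation advises.
# Assumptions: GPO and group names are the placeholders from Tables 45-48; registry keys,
# value names and setup class GUIDs are the editor's understanding of what the templates
# write, so confirm with Get-GPOReport afterwards.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$InstallGpo  = 'Removable Storage Devices Installation'       # computer-based, Table 45
$AccessGpo   = 'Removable Storage Read and Write Access'      # user-based, Table 47
$ExemptGroup = 'SG GPO Allow Removable Storage Device Install'

# Device setup class GUIDs behind the Removable Storage Access policies (WPD uses two).
$StorageClassGuids = @{
    'CD and DVD'      = @('{53f56308-b6bf-11d0-94f2-00a0c91efb8b}')
    'Removable Disks' = @('{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}')
    'Floppy Drives'   = @('{53f56311-b6bf-11d0-94f2-00a0c91efb8b}')
    'Tape Drives'     = @('{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}')
    'WPD Devices'     = @('{6AC27878-A6FA-4155-BA85-F98F491D4F33}', '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}')
}

function Confirm-Gpo([string]$Name) {
    if (-not (Get-GPO -Name $Name -ErrorAction SilentlyContinue)) { New-GPO -Name $Name | Out-Null }
}

function Set-DeviceInstallRestrictions {
    param([string]$Name, [string[]]$AllowedDeviceIds, [string]$BalloonTitle, [string]$BalloonText)
    # Limits stated in the policy UI (Table 45): title 63 chars, text 128 chars.
    if ($BalloonTitle.Length -gt 63 -or $BalloonText.Length -gt 128) { throw 'Balloon title max 63 chars, text max 128 chars' }
    Confirm-Gpo $Name
    $key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    # Allow list first: the catch-all deny below does not apply to IDs listed here.
    Set-GPRegistryValue -Name $Name -Key $key -ValueName 'AllowDeviceIDs' -Type DWord -Value 1 | Out-Null
    $n = 1
    foreach ($id in $AllowedDeviceIds) {
        Set-GPRegistryValue -Name $Name -Key "$key\AllowDeviceIDs" -ValueName "$n" -Type String -Value $id | Out-Null
        $n++
    }
    # "Prevent installation of devices not described by other policy settings"
    Set-GPRegistryValue -Name $Name -Key $key -ValueName 'DenyUnspecified' -Type DWord -Value 1 | Out-Null
    # Custom balloon shown when an installation is blocked
    Set-GPRegistryValue -Name $Name -Key $key -ValueName 'DeniedPolicy_SimpleText' -Type String -Value $BalloonTitle | Out-Null
    Set-GPRegistryValue -Name $Name -Key $key -ValueName 'DeniedPolicy_DetailText' -Type String -Value $BalloonText | Out-Null
    (Get-GPO -Name $Name).GpoStatus = 'UserSettingsDisabled'        # Table 46: computer settings only
}

function Set-RemovableStorageDenyWrite {
    param([string]$Name, [string[]]$Classes)
    Confirm-Gpo $Name
    foreach ($class in $Classes) {
        foreach ($guid in $StorageClassGuids[$class]) {
            Set-GPRegistryValue -Name $Name -Key "HKCU\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$guid" `
                -ValueName 'Deny_Write' -Type DWord -Value 1 | Out-Null
        }
    }
    (Get-GPO -Name $Name).GpoStatus = 'ComputerSettingsDisabled'    # Table 48: user settings only
}

function Block-GpoApply {
    # Adds a Deny ACE for the "Apply Group Policy" control access right on the GPO's AD object,
    # which is what exempts the group from the GPO. Read is left intact so the group still sees it.
    param([string]$GpoName, [string]$GroupName)
    $gpo   = Get-GPO -Name $GpoName
    $dn    = "CN={$($gpo.Id)},CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
    $sid   = (Get-ADGroup -Identity $GroupName).SID
    $right = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'        # Apply-Group-Policy right GUID
    $ace   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                 $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                 [System.Security.AccessControl.AccessControlType]::Deny, $right)
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

Set-DeviceInstallRestrictions -Name $InstallGpo -AllowedDeviceIds 'USBSTOR\DiskWD______1600BEVExternal_' `
    -BalloonTitle 'Unauthorised Device Installation Attempt.' `
    -BalloonText 'You are not authorised to install this type of device. For further assistance, please call the Helpdesk on ext. xxxx.'
Set-RemovableStorageDenyWrite -Name $AccessGpo -Classes 'CD and DVD', 'Removable Disks', 'Floppy Drives', 'Tape Drives', 'WPD Devices'
Block-GpoApply -GpoName $InstallGpo -GroupName $ExemptGroup

# Checks: values should be listed under their policy names (not "Extra Registry Settings"),
# and the exempt group should show a Deny for Apply Group Policy (GPMC shows it as "Custom").
Get-GPRegistryValue -Name $InstallGpo -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
Get-GPPermission -Name $InstallGpo -All
```

Denying only the Apply Group Policy right is sufficient to exempt the group; Table 46 additionally denies Read, which can be added in the same way with the GenericRead right. Because the setting is evaluated at installation time, run the device installation GPO before the first approved device is connected, and rely on Table 47 for devices that were installed earlier.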

64 This setting is supported on at least Windows Vista.
65 All permissions detailed here are Allow permissions unless stated otherwise.
66 Step-By-Step Guide to Controlling Device Installation and Usage with Group Policy {R23}: http://technet2.microsoft.com/WindowsVista/f/?en/library/9fe5bf05-a4a9-44e2-a0c3-b4b4eaaa37f31033.mspx


6.3.12 Power Management

With healthcare organisations managing hundreds or thousands of computers, the energy required to
power them is considerable. This results in higher running costs and increases the TCO. Group
Policy can help by centrally managing the power management options that almost all current
computers have built in.
Windows Vista provides 33 new policy settings that allow a GPO Administrator to manage the
actions that computers take regarding power management. These policy settings cover:
• Notification Settings
• Button Settings
• Hard Disk Settings
• Sleep Settings
• Video and Display Settings
• Power Plan Settings
These policy settings enable a healthcare organisation that understands how its users use their
computers to configure power management so as to reduce the power consumed, lowering the TCO.
The 'Require a Password When a Computer Wakes' settings in Table 49 also serve a security purpose:
a computer resuming from sleep returns to the lock screen rather than to the unlocked desktop.
Recommendation
The building block settings provided here act only as an example of what can be set. It is recommended
that a healthcare organisation implements a GPO which baselines a standard policy across all client
computers, and then amends it to suit the needs of groups of users or departments, as appropriate,
through the use of incremental GPOs.

Table 49 details the power management options:

Policy Path: Computer Configuration > Administrative Templates > System > Power Management > Button Settings
Settings:
  Select the Power Button Action (Plugged In) 67: Enabled; Power Button Action: Hibernate
  Select the Lid Switch Action (Plugged In) 67: Enabled; Lid Switch Action: Sleep
  Select the Power Button Action (On Battery) 67: Enabled; Power Button Action: Hibernate
  Select the Lid Switch Action (On Battery) 67: Enabled; Lid Switch Action: Hibernate

Policy Path: Computer Configuration > Administrative Templates > System > Power Management > Hard Disk Settings
Settings:
  Turn Off the Hard Disk (Plugged In) 67: Enabled; Turn Off the Hard Disk (seconds): 1200
  Turn Off the Hard Disk (On Battery) 67: Enabled; Turn Off the Hard Disk (seconds): 600

Policy Path: Computer Configuration > Administrative Templates > System > Power Management > Sleep Settings
Settings:
  Turn on Applications to Prevent Sleep Transitions (Plugged In) 67: Enabled
  Require a Password When a Computer Wakes (Plugged In) 67: Enabled
  Turn on Applications to Prevent Sleep Transitions (On Battery) 67: Enabled
  Require a Password When a Computer Wakes (On Battery) 67: Enabled

Policy Path: Computer Configuration > Administrative Templates > System > Power Management > Video and Display Settings
Settings:
  Turn Off Adaptive Display Timeout (Plugged In) 67: Enabled
  Turn Off Adaptive Display Timeout (On Battery) 67: Enabled
  Turn Off the Display (Plugged In) 67: Enabled; Turn Off the Display (seconds): 600
  Turn Off the Display (On Battery) 67: Enabled; Turn Off the Display (seconds): 300
Table 49: Power Management GPO Example

67 This setting is supported on at least Microsoft Windows Vista.

Table 50 details the properties of the GPO:

Block Inheritance: Unchecked
Enforced (No Override): Unchecked
GPO Status: User Configuration Settings Disabled
Permissions 68:
  Authenticated Users: Read, Apply Group Policy
  Creator Owner: (none explicitly set)
  Domain Admins (DomainName\Domain Admins): Read, Write, Create All Child Objects, Delete All Child Objects
  Enterprise Admins (DomainName\Enterprise Admins): Read, Write, Create All Child Objects, Delete All Child Objects
  System: Read, Write, Create All Child Objects, Delete All Child Objects
Table 50: Power Management GPO Properties

6.3.13 BitLocker and the Trusted Platform Module

Windows BitLocker Drive Encryption, commonly referred to as BitLocker, is a security feature which
encrypts all data stored on a Windows simple volume.
The Trusted Platform Module (TPM) is a microchip built into a computer. It is designed to provide
basic security-related functions, such as creating cryptographic keys and encrypting them so that
they can be decrypted only by that TPM.
BitLocker uses the TPM to help protect the Windows operating system and user data, and to help
ensure that a computer has not been tampered with, even if it is left unattended, lost or stolen.
BitLocker can also be used without a TPM; however, the default behaviour of the BitLocker setup
wizard must be changed to permit this, which can be done through Group Policy. In a non-TPM
configuration a USB key is required to hold the startup key; this is the only option available
without a TPM, and the key must be inserted before the computer is started. That USB key is then
all that stands between a lost or stolen computer and its data, so it must never be stored or
carried together with the computer.
Also available through Group Policy is the ability to back up both the TPM owner information and
the BitLocker recovery information to Active Directory.

68 All permissions detailed here are Allow permissions unless stated otherwise.


Note
To be able to back up the TPM owner information and BitLocker recovery information to Active Directory,
appropriate schema extensions must be made, and access control settings configured, on the domain.
For more information, see the article Configuring Active Directory to Back up Windows BitLocker Drive
Encryption and Trusted Platform Module Recovery Information 69. With 'Require BitLocker backup to AD
DS' checked, BitLocker cannot be turned on unless the recovery information has been successfully written
to AD DS, so the schema extension and connectivity to a domain controller become prerequisites for
encrypting any volume. Note also that Table 51 disallows both the 48-digit recovery password and the
256-bit recovery key, which leaves no recovery path if a startup key is lost or the TPM's boot
measurements change after a firmware or boot configuration update; confirm in a test environment that
this is the intended posture before deploying it.

Table 51 details the options:

Policy Path: Computer Configuration > Administrative Templates > System > Trusted Platform Module Services
Settings:
  Turn on TPM backup to Active Directory Domain Services 70: Enabled
    Require TPM backup to AD DS: Checked

Policy Path: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption
Settings:
  Turn on BitLocker backup to Active Directory Domain Services 70: Enabled
    Require BitLocker backup to AD DS: Checked
    Select BitLocker recovery information to store: Recovery passwords and key packages
  Control Panel Setup: Enable advanced startup options 70: Enabled
    Allow BitLocker without a compatible TPM: Checked
    Settings for computers with a TPM:
      Configure TPM startup key option: Require startup key with TPM
      Configure TPM startup PIN option: Disallow startup PIN with TPM
  Control Panel Setup: Configure recovery options 70: Enabled
    Configure 48-digit recovery password option: Disallow recovery password
    Configure 256-bit recovery key option: Disallow recovery key
Table 51: BitLocker and Trusted Platform Module GPO Example

Table 52 details the properties of the GPO:

Block Inheritance: Unchecked
Enforced (No Override): Unchecked
GPO Status: User Configuration Settings Disabled
Permissions 71:
  Authenticated Users: Read, Apply Group Policy
  Creator Owner: (none explicitly set)
  Domain Admins (DomainName\Domain Admins): Read, Write, Create All Child Objects, Delete All Child Objects
  Enterprise Admins (DomainName\Enterprise Admins): Read, Write, Create All Child Objects, Delete All Child Objects
  System: Read, Write, Create All Child Objects, Delete All Child Objects
Table 52: BitLocker and Trusted Platform Module GPO Properties
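Whether the backup actually happened is worth checking rather than assuming. The following added example, not part of the original guidance, uses the Active Directory PowerShell module to report, for a given computer, whether its TPM owner information and BitLocker recovery passwords are present in AD DS, and to perform the helpdesk lookup of a recovery password from the recovery key ID shown on the BitLocker recovery screen. The attribute and class names are those of the Windows Server 2008 schema extensions referred to in footnote 69; the OU path, computer names and the sample key ID are placeholders.

```powershell
# Added example, not part of the original guidance. Verifies that the AD DS backup configured
# in Table 51 actually holds a computer's recovery data, and performs the helpdesk lookup from
# the recovery key ID shown on the BitLocker recovery screen.
# Assumptions: Windows Server 2008 schema names (msTPM-OwnerInformation on the computer object,
# msFVE-RecoveryInformation child objects); the OU, computer names and key ID are placeholders.
Import-Module ActiveDirectory

function Test-BitLockerAdBackup {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName -Properties 'msTPM-OwnerInformation'

    # One msFVE-RecoveryInformation object is created under the computer account for each
    # recovery password that was backed up.
    $recovery = @(Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'msFVE-RecoveryPassword', 'whenCreated')

    [pscustomobject]@{
        ComputerName      = $computer.Name
        TpmOwnerInfoInAd  = -not [string]::IsNullOrEmpty($computer.'msTPM-OwnerInformation')
        RecoveryPasswords = $recovery.Count
        Volumes           = @($recovery | ForEach-Object {
            [pscustomobject]@{
                VolumeGuid      = [guid][byte[]]$_.'msFVE-VolumeGuid'
                RecoveryKeyId   = [guid][byte[]]$_.'msFVE-RecoveryGuid'
                BackedUp        = $_.whenCreated
                # The 48-digit password unlocks the volume: report presence only, never log it.
                PasswordPresent = -not [string]::IsNullOrEmpty($_.'msFVE-RecoveryPassword')
            }
        })
    }
}

function Find-BitLockerRecoveryPassword {
    # The recovery screen shows the first 8 hex characters of the recovery key ID; match them
    # against msFVE-RecoveryGuid domain-wide and return the owning computer and the password.
    param([Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{8}$')][string]$RecoveryKeyIdPrefix)
    $prefix = $RecoveryKeyIdPrefix.ToLowerInvariant()
    Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName `
        -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
        -Properties 'msFVE-RecoveryGuid', 'msFVE-RecoveryPassword' |
      Where-Object { ([guid][byte[]]$_.'msFVE-RecoveryGuid').ToString().StartsWith($prefix) } |
      ForEach-Object {
        [pscustomobject]@{
            # The parent DN (split on the first unescaped comma) is the computer account.
            Computer         = ($_.DistinguishedName -split '(?<!\\),', 2)[1]
            RecoveryKeyId    = [guid][byte[]]$_.'msFVE-RecoveryGuid'
            RecoveryPassword = $_.'msFVE-RecoveryPassword'   # release only after verifying the caller
        }
      }
}

# Compliance sweep: laptops whose TPM owner information or recovery passwords never reached AD DS.
Get-ADComputer -SearchBase 'OU=Laptops,DC=example,DC=local' -Filter * |
    ForEach-Object { Test-BitLockerAdBackup -ComputerName $_.Name } |
    Where-Object { -not $_.TpmOwnerInfoInAd -or $_.RecoveryPasswords -eq 0 } |
    Format-Table ComputerName, TpmOwnerInfoInAd, RecoveryPasswords

# Helpdesk lookup for a user reading "Recovery key ID: 1A2B3C4D..." from the recovery screen.
Find-BitLockerRecoveryPassword -RecoveryKeyIdPrefix '1A2B3C4D'
```

With the recovery options of Table 51 left at Disallow, no recovery passwords are created and the sweep reports zero for every computer; that is the configured posture rather than a backup failure, and it means a lost startup key leaves no recovery path. On the Windows Server 2012 and later schema, TPM owner information moves to separate msTPM-InformationObject objects referenced from the computer's msTPM-TpmInformationForComputer attribute, so the TPM part of the check must be adjusted there.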

69 Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information {R24}: http://technet2.microsoft.com/WindowsVista/en/library/3dbad515-5a32-4330-ad6f-d1fb6dfcdd411033.mspx?mfr=true
70 This setting is supported on at least Microsoft Windows Vista.
71 All permissions detailed here are Allow permissions unless stated otherwise.


6.4 Migration
There are three aspects to migration that a GPO Administrator will need to be aware of:
• Migration of system policies to group policies
• Migration of a GPO created within a test environment to be imported into a live environment
• Migration of ADM templates to ADMX files

6.4.1 System Policy Migration

Prior to the introduction of Group Policy in Windows 2000, system policies were used to provide an
element of control over the desktop estate. These system policies, whilst fairly basic and limited in
their use, did provide configuration options that are still part of most organisations' requirements.
As such, Microsoft provides the Group Policy Migration utility to migrate Windows NT 4.0 System
Policy settings to either Windows 2000 or Windows Server 2003.
The Group Policy Migration utility (Gpolmig.exe) is available as part of the Windows 2000 Resource
Kit. This utility translates current System Policy settings into Group Policy settings and maps the
registry settings to those for Windows 2000 or Windows XP.
Note
The location of the registry settings that implement software policy changed in Windows 2000 from
those in Windows NT 4.0, and the migration may therefore have no effect on some applications and
components.

A Microsoft Knowledge Base article titled How to use the Group Policy Migration utility to migrate
Windows NT System Policy settings to Windows 2000 or Windows Server 2003 72 details the usage of
this utility and, most importantly, its troubleshooting section describes some common issues that
are experienced.

6.4.2 GPO Migration Table

A migration table assists a GPO Administrator in copying and importing GPOs from one domain to
another. This is typically useful when a GPO has been created within a test environment: rather than
recreating it from scratch within the live environment, it can be exported and subsequently imported.
An issue arises when the GPO contains domain-specific information as part of its configuration
settings. This domain-specific information could include:
• Users
• Groups (Domain Local, Domain Global and Universal)
• Computers
• UNC paths
• Free text or Security Identifiers (SIDs)
As such, a migration table can be created and used to amend such settings appropriately.

72 How to use the Group Policy Migration utility to migrate Windows NT System Policy settings to Windows 2000 or Windows Server 2003 {R25}: http://support.microsoft.com/kb/317367


The migration table is created using the Migration Table Editor (MTE), provided as part of the
GPMC. A migration table consists of one or more mapping entries. Each mapping entry consists of
a type, source reference, and destination reference. If you specify a migration table when
performing an import or copy, each reference to the source entry will be replaced with the
destination entry when writing the settings into the destination GPO.
The migration table will apply to any references in the settings within a GPO, whether you are
performing an import or copy operation. In addition, during a copy operation, if you choose the
option to preserve the discretionary access control list (DACL) on the GPO, the migration table will
also apply to both the DACL on the GPO and the DACLs on any software installation settings in the
GPO.
Migration tables are specified when performing import and copy operations. There are three
options for using migration tables with import and copy:
  Do not use a migration table – This option copies the GPO exactly as it is. All references
to security principals and UNC paths are copied identically.
  Use a migration table – This option maps any references in the GPO that are in the
migration table. References that are not contained in the migration table are copied as is.
  Use a migration table exclusively – This option requires that all references to security
principals and UNC paths that are referenced in the source GPO be specified in the
migration table. If a security principal or UNC path is referenced in the source GPO and is
not included in the migration table, the import or copy operation fails.
In addition, cross-domain copy operations will apply the migration table to the DACL on the GPO
(and any software installation settings) if you choose the option to ‘Preserve or migrate the
existing permissions’.
When performing a copy or import, the wizard scans the source GPO to determine if there are any
references to security principals or UNC paths in the GPO. If there are, you have the opportunity to
specify a migration table. During a cross-domain copy operation, if the option to ‘Preserve or
migrate the permissions on the GPO’ is specified, the wizard will always present the opportunity
to specify a migration table because a DACL, by definition, contains security principals.
The whitepaper Migrating GPOs Across Domains with GPMC 73 is available for download from
Microsoft and describes in detail the operation of migrating GPOs from one domain to another.
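The three options above differ only in what happens to a reference that has no mapping entry. The following Windows PowerShell script is an added example, not part of this whitepaper or of the GPMC, that builds a migration table file and performs the check that the ‘Use a migration table exclusively’ option enforces, so that a failing import or copy is caught before it is attempted. The domain names, security principal and UNC paths are constructed sample values, and the list of references found in the source GPO is constructed here; in practice it comes from the wizard’s scan or from the GPO’s settings report. The XML layout written by Write-MigrationTable is the one the author has observed in tables saved by the MTE; open the result in the MTE to confirm it before relying on it.

```powershell
# Added example (not from the whitepaper or the GPMC): build a migration table (.migtable)
# and check that every reference in the source GPO has a mapping, which is the condition
# the 'Use a migration table exclusively' option enforces. All names are constructed.

$SourceDomain      = 'sourcetrust.nhs.example'   # constructed sample domain
$DestinationDomain = 'desttrust.nhs.example'     # constructed sample domain

# Mapping entries. Type is one of the GPMC entry types:
# User, Computer, GlobalGroup, UniversalGroup, LocalGroup, UNCPath, Unknown.
$Mappings = @(
    @{ Type = 'GlobalGroup'; Source = "Helpdesk Operators@$SourceDomain";
       Destination = "Helpdesk Operators@$DestinationDomain" },
    @{ Type = 'UNCPath';     Source = "\\fs01.$SourceDomain\Profiles";
       Destination = "\\fs01.$DestinationDomain\Profiles" }
)

# References the copy/import wizard would find in the source GPO (constructed for this example).
# The logon-script path has deliberately been left out of $Mappings to show the failure case.
$SourceReferences = @(
    "Helpdesk Operators@$SourceDomain",
    "\\fs01.$SourceDomain\Profiles",
    "\\fs02.$SourceDomain\LogonScripts"
)

function Get-UnmappedReference {
    # Return every source reference that has no entry in the migration table.
    param([string[]]$References, [hashtable[]]$Mappings)
    $known = @{}
    foreach ($m in $Mappings) { $known[$m.Source.ToLowerInvariant()] = $true }
    $References | Where-Object { -not $known.ContainsKey($_.ToLowerInvariant()) }
}

function Write-MigrationTable {
    # Write the mapping entries as a .migtable file (layout as saved by the MTE; assumption).
    param([string]$Path, [hashtable[]]$Mappings)
    $ns = 'http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable'
    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.Indent = $true
    $writer = [System.Xml.XmlWriter]::Create($Path, $settings)
    $writer.WriteStartDocument()
    $writer.WriteStartElement('MigrationTable', $ns)
    foreach ($m in $Mappings) {
        $writer.WriteStartElement('Mapping', $ns)
        $writer.WriteElementString('Type', $ns, $m.Type)
        $writer.WriteElementString('Source', $ns, $m.Source)
        $writer.WriteElementString('Destination', $ns, $m.Destination)
        $writer.WriteEndElement()
    }
    $writer.WriteEndElement()
    $writer.WriteEndDocument()
    $writer.Close()
}

$tablePath = Join-Path $env:TEMP 'sourcetrust-to-desttrust.migtable'
Write-MigrationTable -Path $tablePath -Mappings $Mappings

$unmapped = @(Get-UnmappedReference -References $SourceReferences -Mappings $Mappings)
if ($unmapped.Count -gt 0) {
    # With 'Use a migration table' these would be copied as-is into the destination domain;
    # with 'Use a migration table exclusively' the import or copy would fail.
    Write-Warning ("Unmapped references (exclusive import/copy would fail): " + ($unmapped -join ', '))
} else {
    "All $($SourceReferences.Count) references are mapped in $tablePath"
}
```

Running the script as written reports the unmapped \\fs02 logon-script path; adding a UNCPath mapping for it makes the check pass. The point of doing this before the wizard runs is that an unmapped reference copied as-is carries a source-domain principal or path into the destination GPO, which is exactly the cross-domain drift the migration table exists to prevent.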

6.4.3 ADMX Migrator


The ADMX Migrator enables GPO Administrators to convert ADM templates to the ADMX file
format and take advantage of the additional capabilities that it provides.
Recommendation
The ADMX Migrator should only be used to migrate custom ADM Templates. Do not use the ADMX
Migrator to migrate the default ADM Templates that are included as part of the Windows operating
system. For example, the INETRES.ADM template is provided with the operating system and, as such,
should not be migrated. However, the OFFICE12.ADM template does not come with the operating system
and, as such, can be migrated using the ADMX Migrator.

The ADMX Migrator allows multiple ADM templates to be converted at a time. The ADMX Migrator
creates a unique namespace which can be renamed, and will display a warning if a collision is
detected due to duplicate names. Also, any items that cannot be validated against the ADMX
schema are preserved in an Unsupported section. The ADMX Migrator is also available as a
command-line tool, and this is the recommended way to convert multiple ADM Templates.

73 Migrating GPOs Across Domains with GPMC {R26}: http://www.microsoft.com/windowsserver2003/gpmc/migrgpo.mspx


Note
Any annotations that exist in ADM templates are removed during the conversion process.

The ADMX Migrator can be downloaded 74 and can be installed on a Windows Server or Windows
Client machine. For installation on:
• A server – a minimum of Windows Server 2003 Service Pack 1 is required with MMC
version 3.0 75 installed
• A client – a minimum of Windows XP Service Pack 2 is required with MMC version 3.0 76
installed
Note
Windows Vista includes MMC version 3.0 and, as such, already meets the minimum installation
requirements.

For instructions on the installation of the ADMX Migrator, see APPENDIX B.


Recommendation
Prior to migrating any ADM Templates using the ADMX Migrator, it is recommended that the ADM
Templates are copied to a local folder by the GPO Administrator. When migrating the ADM Templates,
use the local copy. This ensures that the migration cannot affect the production copy of the ADM
Templates.

To migrate a custom ADM Template to an ADMX file:

1. Open ADMX Migrator (click Start or the Windows Button, point to All Programs, point
to FullArmor, point to FullArmor ADMX Migrator, and then click ADMX Migrator).

74 ADMX Migrator {R27}: http://go.microsoft.com/fwlink/?LinkId=77409
75 Microsoft Management Console 3.0 for Windows Server 2003 (KB907265) {R28}:
http://www.microsoft.com/downloads/details.aspx?FamilyID=4c84f80b-908d-4b5d-8aa8-27b962566d9f&DisplayLang=en
76 Microsoft Management Console 3.0 for Windows XP (KB907265) {R29}:
http://www.microsoft.com/downloads/details.aspx?FamilyID=61fc1c66-06f2-463c-82a2-cf20902ffae0&DisplayLang=en


2. Within the ADMX Migrator MMC snap-in, click Generate ADMX from ADM… in the
right-hand Actions pane (as circled in the figure below).

3. In the Open dialog box, navigate to the folder containing the ADM Template, click the file
and click Open.


Once the ADM Template has been migrated, the following dialog box displays:

4. Click Yes to load the ADMX Template into the ADMX Editor.
Additionally, the ADMX Migrator provides an ADMX Editor with a graphical user interface for
creating and editing Administrative Templates. This allows settings to be selected from menus
rather than entered manually in a text file, speeding up template creation and reducing the
chance of error.
Figure 12 below shows the imported ADM Template in the ADMX Migrator in editing mode. The
imported CADWarning ADMX file has been expanded in the left-hand pane, showing the settings
contained within it. Below the settings pane are a number of tabs to select from. These options
assist a GPO Administrator in ensuring the ADMX file is being created in the correct format.

Figure 12: ADMX Migrator Template Editor View


7 STABILISE
The Stabilise phase involves testing the solution components whose features are complete,
resolving and prioritising any issues that are found. Testing during this phase emphasises usage
and operation of the solution components under realistic environmental conditions.
This involves testing and acceptance of the OU structure as well as the GPOs that are created both
as part of this document and subsequent policies.
Figure 13 acts as a high-level checklist, illustrating the critical components which an IT professional
responsible for stabilising the design of Group Policy for desktop management needs to determine.

Figure 13: Sequence for Stabilising Group Policy for Desktop Management

7.1 Testing Environment


The use of Group Policy to provide a desktop management environment is a powerful tool for
administrators. The possibility of making a single change within a centralised location that is then
deployed to users almost instantly, depending upon replication configuration and Group Policy
refresh intervals, allows administrators to ensure that changes required can be carried out quickly
and efficiently.
However, this also increases the scope for large-scale issues to occur. If a change is made by
mistake, for example the authentication level is amended to accept only NTLMv2 and refuse
LM/NTLM while 30% of the estate still uses operating systems earlier than Windows NT 4.0 Service
Pack 4, then those machines will effectively stop communicating with the network.
Whilst that may be an extreme example, it does highlight the need for a test environment in which
new GPOs can be developed and on-going amendments to current GPOs can be carried out. As far
as possible, the test environment should mimic the live environment, allowing for proper,
meaningful testing of GPOs. As a minimum, the test environment should have an Active Directory
domain (a single domain controller would suffice) and a selection of the different client machine
types that are in use. As well as the machine types, a sample of test users should also be created,
along with appropriate security groups, to allow security group filtering to be tested.
With a test environment in place, changes can be made without fear of introducing a potentially
major problem onto the live network. The effect can be seen on the test computers and users prior
to making the change live, to ensure it provides the desired effect.
As well as a test environment providing administrators with the ability to see what the changes will
do for users and computers, GPO Administrators can utilise the Resultant Set of Policy wizard to
determine which policies will affect which users and computers without actually applying them.


8 OPERATE
During the Operate phase, the deployed solution components are proactively managed to ensure
they provide the required levels of solution reliability, availability, supportability, and manageability.
Figure 14 acts as a high-level checklist, illustrating the critical components for which an IT
professional is responsible in a managed and operational Group Policy environment.

Figure 14: Sequence for Operating Group Policy for Desktop Management

8.1 Group Policy Management Console


The GPMC is a comprehensive tool for the management of Group Policy. Previously, several
tools were needed to accomplish Group Policy-related tasks (Active Directory Users and
Computers, Active Directory Sites and Services, and Resultant Set of Policy (RSoP)); these tasks
can now be carried out using the GPMC.
The GPMC should not be viewed as a replacement for any of the existing administration tools,
but as one that enhances what is available while providing additional functions within a
single console.


The most commonly used functions available through the GPMC are:
• Creating, Deleting and Renaming GPOs and WMI filters
• Linking GPOs and WMI filters
• Delegation – Including permissions on GPOs and WMI filters, policy related permissions on
sites, domains and OUs, and creation rights for GPOs and WMI filters
• Backup – Also called the export operation, this transfers the contents of a GPO from Active
Directory to the file system
• Restore – Returns a GPO to the state it was in when last backed-up
• Import – Transfers the policy settings from a backed-up GPO in the file system to a GPO in
the Active Directory
• Copy – Transfers the policy settings from an existing GPO in the Active Directory to a new
GPO in the Active Directory
• Reporting – Including reporting on GPO settings and RSoP data
Note
Whilst the import and copy operations appear similar, they differ in that the source for an import must be
in the file system and the destination must be an existing GPO, whereas the source for a copy must
be within Active Directory and the destination must be a new GPO.

As with the other administration tools, the GPMC is a snap-in to the MMC and, as such, can be run
directly (via GPMC.msc) or within a custom MMC through the Add/Remove Snap-in option.
GPMC version 1.0 with Service Pack 1 (SP1) is the latest version available for download 77 from
Microsoft. However, GPMC version 2.0 is built into Windows Vista.
Recommendation
It is recommended that GPMC version 2, as provided with Windows Vista, is used for GPO administration.

Note
The download version of GPMC, version 1.0 with SP1, cannot manage Windows Vista. Also, this version
cannot be installed on Windows Vista as it is not compatible.

8.1.1 Management Using GPMC


A Group Policy implementation will evolve over time, often as organisations (or their needs)
change. Establishing control procedures for creating, linking, editing, importing settings, backing
up, and restoring GPOs can minimise help desk and support calls that could arise from Group
Policy deployments.
To assist with troubleshooting GPOs, the Group Policy Results Wizard can be used to identify
possible Group Policy deployment errors. The wizard can also be used to evaluate the
consequences of new Group Policy settings prior to deploying them to a production environment.
Recommendation
Modifying Group Policy settings can have significant consequences and, as such, when making changes
to Group Policy, it should always be in a staging environment prior to deployment. Consider using the
AGPM component of the MDOP for Software Assurance, see section 8.2 for further details.

77 Group Policy Management Console with Service Pack 1 {R30}: http://go.microsoft.com/fwlink/?LinkID=46570


8.1.2 ADM Templates


Group Policy administrative template (.adm) files are used to describe where registry-based policy
settings are stored in the registry and describe the user interface that is seen within the GPO Editor
MMC snap-in.
Each GPO maintains a folder within the SYSVOL folder; this folder is known as the Group Policy
Template (GPT). The GPT stores all the ADM files that were used when viewing/editing the GPOs.
Each operating system includes a standard set of ADM files. The default set of templates provided
with Windows Server 2003 SP1 are detailed here:

.adm File Name   Timestamp Date of Release   Purpose
CONF.ADM         22nd February 2003          Provides settings relating to the configuration of NetMeeting
INETRES.ADM      18th February 2005          Provides settings relating to the configuration of Internet Explorer
SYSTEM.ADM       18th February 2005          Provides settings relating to the configuration of the operating system
WMPLAYER.ADM     18th July 2005              Provides settings relating to the configuration of Windows Media Player
WUAU.ADM         18th July 2005              Provides settings relating to the configuration of Windows Update
Table 53: Default .adm Files

These standard files are the default files that are loaded by the GPO Editor. As newer operating
systems or service packs are released, an updated set of ADM files accompanies them. These ADM
files include all the policy settings that are specific to each operating system and service pack
level.
For example, the ADM files that are provided with Windows Server 2003 include all policy settings
for all operating systems, including those that are only relevant to Windows 2000 or Windows XP
Professional. This means that simply viewing a GPO from a computer with the new release of an
operating system or service pack effectively upgrades the ADM files. As later releases are typically
a superset of previous ADM files, this will not usually create problems, assuming that the ADM
files that are being used have not been edited.
Note
Situations can arise from a service pack containing a subset of ADM files that were provided with an
earlier release of operating system or service pack. In this instance, if these ADM files are deemed more
up-to-date, these ADM files will update the current set. The resulting set of ADM files may, at this point,
not contain all the settings that have previously been configured with a seemingly earlier version of ADM
files. Whilst these settings will still be in effect, they will not be visible within the GPO Editor.

To determine whether the ADM files used within the SYSVOL folder require updating, a timestamp
comparison takes place between those in the SYSVOL folder and those stored on the machine
being used to either view or edit the GPO.
Recommendations
• All GPO administrators utilise the GPMC for the viewing and editing of GPOs.
• All GPO administrators use a common operating system / service pack platform and ensure that the ADM
files used are the same across all administrative machines.
• Ensure that the most up-to-date Group Policy ADM files are used; these are available to download 78 from
Microsoft.

78 Group Policy ADM files {R31}: http://go.microsoft.com/fwlink/?linkid=31057


• Use a Group Policy, applied to all GPO administrators, which utilises the ‘Turn off automatic update
of ADM files’ setting to ensure that the ADM files are not overwritten within the GPT by any GPO Editor
session.
If using Windows Server 2003:
• Use a Group Policy, applied to all Microsoft Windows Server 2003 servers, which utilises the ‘Always use
local ADM files for Group Policy Object Editor’ setting.
• Use Windows Server 2003 to view and edit GPOs.

Notes
By default the GPMC uses local ADM files, regardless of their timestamp, and never copies the ADM files
to the SYSVOL folder.
The use of the new setting above for Windows Server 2003 can be useful when considering the removal
of ADM files from the SYSVOL folder due to the size that a large utilisation of GPOs can cause; this is
discussed in more detail in section 8.1.6.

The recommendation above for all GPO Administrators to use a common operating system and
service pack level may not always be possible, depending upon the environment in which the GPOs
are being deployed. For example, in some situations one GPO Administrator may use a Windows XP
Professional SP1 workstation whereas another may use a Windows XP Professional SP2
workstation.
In this case, errors could occur for the administrator using the XP SP1 workstation if a GPO has
been viewed by the administrator using the XP SP2 workstation. This is a known issue and a Hotfix
is available for the following operating systems:
• Windows Server 2003
• Windows XP with SP1
• Windows 2000
Errors occur due to a change in some templates which use the LISTBOX ADDITIVE syntax. Using
an earlier version of the GPO Editor, namely that supplied with the operating systems listed above,
an error is displayed stating, ‘The following entry in the [strings] section is too long and has been
truncated’.
There is a Knowledge Base article 79 which details this issue further and provides links to download
the relevant Hotfix for each operating system requiring an update.
The GPO Editor looks for ADM files in SYSVOL by default, but can be directed to look elsewhere if
this is specified within a GPO.

8.1.3 ADMX Templates


In Windows Vista, the Group Policy administrative templates are referred to as ADMX files. The
ADMX files included with Windows Vista are in the XML standard and provide a language neutral
format for describing registry policy settings. The language-specific information providing the
strings section, (explanation text for the policy settings), are provided through an ADML file, an
administrative language file. The language displayed to the GPO Administrator is dependent upon
the language of Windows used by the administrator.
Unlike the ADM templates, the ADMX files are not stored within the folder where the GPO resides
within the SYSVOL folder. Instead, when using the GPMC, the ADMX and ADML files are loaded
from either the local folder, (%WINDIR%\PolicyDefinitions), or the optional Central Store. For more
information on the Central Store, see section 8.1.4.

79 “The following entry in the [strings] section is too long and has been truncated” error message when you try to modify or to
view GPOs in Windows Server 2003, Windows XP Professional, or Windows 2000 {R32}:
http://support.microsoft.com/kb/842933


Another difference in the ADMX files is the number of files provided. The default set of ADM
templates for earlier versions of Windows consists of five default templates, whereas the settings
available through the ADMX files are distributed amongst 132 files. This is due to the ADMX files
now focusing on specific Windows components such as Windows Explorer, Control Panel, Sidebar,
Windows Defender and so on.
As with the ADM templates, the ADMX files also include the settings to manage other Windows
operating systems which support the use of Group Policy.
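The split between ADMX (registry settings) and ADML (display strings) described in this section means a template is only usable when every string reference in the ADMX resolves in the ADML for the administrator’s language. The following Windows PowerShell script is an added example, not part of this whitepaper or of the ADMX Migrator, that checks a PolicyDefinitions folder for exactly that: each ADMX must have an ADML in the chosen language subfolder, and each policy’s displayName and explainText reference must exist in that ADML. It is intended for the output of a custom ADM conversion (section 6.4.3) and for the local or Central Store folder before it is relied upon. The folder path and language are parameters with assumed defaults; Windows PowerShell 2.0 or later is assumed.

```powershell
# Added example (not from the whitepaper or the ADMX Migrator): validate that the ADMX files in
# a PolicyDefinitions folder resolve their string references against the ADML files for one language.
param(
    [string]$PolicyDefinitions = "$env:WINDIR\PolicyDefinitions",   # local folder or Central Store
    [string]$Language          = 'en-GB'                           # ISO-style culture subfolder
)

function Get-StringIds {
    # Collect the id of every <string id="..."> entry in an ADML file.
    param([string]$AdmlPath)
    $adml = [xml](Get-Content -LiteralPath $AdmlPath)
    $ids = @{}
    foreach ($s in $adml.policyDefinitionResources.resources.stringTable.string) {
        $ids[$s.id] = $true
    }
    return $ids
}

function Test-StringReference {
    # displayName / explainText in an ADMX take the form $(string.someId).
    param([string]$Reference, [hashtable]$Ids)
    if ($Reference -match '^\$\(string\.(.+)\)$') { return $Ids.ContainsKey($Matches[1]) }
    return $true   # not a string reference, so nothing to resolve
}

function Test-AdmxFolder {
    # Return one line per problem found; an empty result means the folder is consistent.
    param([string]$Folder, [string]$Culture)
    $problems = @()
    foreach ($admx in Get-ChildItem -LiteralPath $Folder -Filter *.admx) {
        $admlPath = Join-Path (Join-Path $Folder $Culture) ($admx.BaseName + '.adml')
        if (-not (Test-Path -LiteralPath $admlPath)) {
            $problems += "$($admx.Name): no $Culture ADML file"
            continue
        }
        $ids = Get-StringIds -AdmlPath $admlPath
        $doc = [xml](Get-Content -LiteralPath $admx.FullName)
        # Files with no <policies> element (for example ones that only define categories) are skipped.
        foreach ($p in $doc.policyDefinitions.policies.policy) {
            foreach ($attr in 'displayName', 'explainText') {
                $ref = $p.GetAttribute($attr)
                if ($ref -and -not (Test-StringReference -Reference $ref -Ids $ids)) {
                    $problems += "$($admx.Name): policy '$($p.GetAttribute('name'))' references missing string $ref"
                }
            }
        }
    }
    return $problems
}

$result = @(Test-AdmxFolder -Folder $PolicyDefinitions -Culture $Language)
if ($result.Count -eq 0) { "All ADMX files in $PolicyDefinitions resolve against $Language ADML files." }
else { $result }
```

Save the script as a .ps1 file and run it with -PolicyDefinitions pointing at the converted templates, or at the Central Store path described in section 8.1.4. A missing ADML or a dangling string reference is the usual cause of a template loading in the GPMC with blank or error text, so running this before copying files into SYSVOL avoids publishing a broken template to every GPO Administrator at once.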
Recommendation
To prepare for the deployment of Windows Vista within the environment, it is advisable to introduce the
use of the ADMX files as early as possible to ensure that new Windows Vista clients joining the domain
are managed immediately.

8.1.4 The Central Store


When using Windows Vista to manage Group Policy, the ADMX files can reside in two locations.
By default, the ADMX files are installed in the PolicyDefinitions folder within the Windows folder. In
a managed environment, these ADMX files should be located in a central location to ensure that all
GPO Administrators use the same, most up-to-date ADMX files.
Windows Vista introduced an improved method of maintaining the files required when viewing and
editing a domain GPO, called the Central Store. This is simply a folder stored within the SYSVOL
share which is a replica of the default installed PolicyDefinitions folder created on a Windows Vista
client. When the Central Store has been created, all GPO Administrators using GPMC on their
Windows Vista client will look to the Central Store for the ADMX and ADML files.
The Central Store is created through a one-time manual process per domain. This is completed by
carrying out the steps below.

To create the Central Store through a one-time manual process per domain:
1. Open Windows Explorer on a Windows Vista client.
2. Navigate to the SYSVOL\domain\policies folder on a Domain Controller within the
domain, (while any DC can be used, it is recommended that the PDC-emulator is used as
Group Policy changes are usually focused on this DC).
3. Create a new Folder called PolicyDefinitions within the policies folder.
4. Create a subfolder within the PolicyDefinitions folder for each language required by the
GPO Administrators. Names should use the appropriate ISO-style Language/Culture Name
which can be found in Valid Locale Identifiers 80. For example, to create a subfolder for
United Kingdom English, create a subfolder of EN-GB.
5. To populate the new folder structure, copy all ADMX files and the language subfolder from
%WINDIR%\PolicyDefinitions to the new SYSVOL\domain\policies\PolicyDefinitions
folder, where domain is the actual name of your domain.
As the Central Store is part of the SYSVOL share, it is replicated to all DCs in the normal
manner. The major difference for GPOs using ADMX files is that there is now only a single
instance of the ADMX files, as opposed to a copy of the ADM templates for each and every GPO
created before Windows Vista was used to administer Group Policy.
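The five steps above carried out from Windows PowerShell rather than Windows Explorer, as an added example that is not part of this whitepaper. The domain name, domain controller name and language are constructed placeholders; the script assumes it runs on a Windows Vista administrative workstation whose %WINDIR%\PolicyDefinitions folder holds the ADMX files to publish, under an account with write access to SYSVOL. Compare-CentralStore is an added check, not a GPMC feature, that reports ADMX files missing from or differing in the store; it is worth rerunning after a service pack updates the local files, since GPO Administrators are then silently editing against whichever copy the GPMC picks up.

```powershell
# Added example (not from the whitepaper): create and populate the Central Store for one domain
# from a Windows Vista administrative workstation, then verify the copy. Names are constructed.

$Domain   = 'trust.nhs.example'          # constructed; use the domain's DNS name
$Dc       = 'dc01.trust.nhs.example'     # constructed; the PDC emulator is the recommended DC
$Language = 'en-GB'                      # ISO-style culture name, as in step 4
$Source   = "$env:WINDIR\PolicyDefinitions"
$Store    = "\\$Dc\SYSVOL\$Domain\Policies\PolicyDefinitions"

function New-CentralStore {
    # Steps 3 to 5: create PolicyDefinitions and its language subfolder, then copy ADMX and ADML files.
    param([string]$Source, [string]$Store, [string]$Language)
    $sourceLang = Join-Path $Source $Language
    if (-not (Test-Path -LiteralPath $sourceLang)) {
        throw "No $Language ADML folder under $Source; choose a language installed on this workstation."
    }
    New-Item -ItemType Directory -Path (Join-Path $Store $Language) -Force | Out-Null
    Copy-Item -Path (Join-Path $Source '*.admx') -Destination $Store -Force
    Copy-Item -Path (Join-Path $sourceLang '*.adml') -Destination (Join-Path $Store $Language) -Force
}

function Compare-CentralStore {
    # Report ADMX files that are missing from the store or differ in size or timestamp
    # from the workstation copy. An empty result means the store matches.
    param([string]$Source, [string]$Store)
    $differences = @()
    foreach ($f in Get-ChildItem -LiteralPath $Source -Filter *.admx) {
        $target = Join-Path $Store $f.Name
        if (-not (Test-Path -LiteralPath $target)) {
            $differences += "$($f.Name): missing from Central Store"
            continue
        }
        $t = Get-Item -LiteralPath $target
        if ($t.Length -ne $f.Length -or $t.LastWriteTimeUtc -ne $f.LastWriteTimeUtc) {
            $differences += "$($f.Name): store copy differs (local $($f.LastWriteTimeUtc), store $($t.LastWriteTimeUtc))"
        }
    }
    return $differences
}

New-CentralStore -Source $Source -Store $Store -Language $Language
$drift = @(Compare-CentralStore -Source $Source -Store $Store)
if ($drift.Count -eq 0) { "Central Store at $Store matches $Source" } else { $drift }
```

Only the ADMX files and the one language subfolder are copied, matching step 5; repeat the copy of the language subfolder for each additional language the GPO Administrators require. Because the store lives in SYSVOL, anyone able to write to it can change the settings every administrator sees in the GPO Editor, so the account used here should be the same tightly held one that already administers GPOs rather than a broadly shared one.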

80 Valid Locale Identifiers {R33}: http://msdn.microsoft.com/en-us/library/ms693062.aspx


Recommendation
It is recommended that healthcare organisations implement the Central Store, not only to ensure that
all GPO Administrators use the same version of the ADMX files, but also to reduce the overhead of
SYSVOL replication.

8.1.5 Importing and Exporting Templates


The GPMC provides the ability to easily import and export templates; these functions were not
readily available before the release of the GPMC.
The export feature is in fact the backup option, in essence creating a copy of the GPO
that is then available either for restore purposes or for importing into Active Directory via the GPMC
console.
When exporting a GPO, the following items are included:
• The GPO GUID and domain
• GPO Settings
• The DACL on the GPO
• WMI filter links
It should be noted that the export of a GPO contains only those items that are part of the GPO
within Active Directory and the associated elements within the SYSVOL folder. As such, any
components such as the WMI filters themselves, or IP Security policies, are not exported (backed
up).
This is because a WMI Filter or IP Security policy can be associated with more than one GPO, and
as these components have their own set of permissions, they may not be accessible to that
particular GPO's owner. Whilst the WMI Filter link is exported (as this is an attribute of the GPO),
the WMI Filter and IP Security policy require exporting through the WMI Filter node and the IP Security
Policy Management snap-in respectively.

8.1.6 GPO Replication


The GPTs for GPOs are replicated throughout the domain using the File Replication Service (FRS).
As each GPO stores multiple ADM files, some of which can become quite large, this can cause an
impact on replication traffic. The frequency of updates to the GPOs can also have an effect on this
traffic.
Note
This replication impact does not take place when using ADMX files and Windows Vista for GPO
administration. This is due to the way in which the ADMX files are used, either from a local source or the
central store, and the fact that the ADMX files are not duplicated for each GPO created. Therefore, this
section relates to the use of the ADM templates only.

The policy setting ‘Always use local ADM files for Group Policy Object Editor’ can be used
in conjunction with the removal of ADM files from the SYSVOL folder to minimise the size of
SYSVOL and so reduce the amount of replication traffic. As mentioned above, this setting only
takes effect on a Windows Server 2003 client; although it can be deployed to a Windows XP
client, it has no effect there.
Note
Windows XP does not support editing GPOs when there are no ADM files in the SYSVOL folder. As such
only Windows Server 2003 clients can be used to view/edit GPOs in this scenario.

Should replication performance become an issue, and the above settings be available for use,
the steps below can be used to remove the ADM files from the SYSVOL folder.


To remove the ADM files from the SYSVOL folder:


1. Enable the Turn off automatic update of ADM files setting for GPO administrators and
ensure the policy has been applied.
2. Copy any custom ADM templates that may be in use to the %WINDIR%\Inf folder of the
administrative workstation.
3. Edit all existing GPOs and remove all ADM files from the GPT.
a. Whilst in GPO Editor, right-click Administrative Templates and click Add/Remove
Template.
b. In the Add/Remove Templates dialog box, select each policy template and click
Remove.
c. Click Close once all templates have been removed.
4. Enable the Always use local ADM files for Group Policy Object Editor setting for the
Windows Server 2003 clients to be used for the GPO administration.
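Before undertaking the removal procedure above, it helps to know how much ADM data each GPT actually carries, since that is what FRS replicates and what Table 54 in section 8.1.7 is measuring. The following Windows PowerShell script is an added example, not part of this whitepaper, that reads the Adm subfolder of every GPO folder under the domain’s Policies share and reports the ADM file count and size per GPO. The domain and domain controller names are constructed placeholders; read access to SYSVOL and Windows PowerShell 2.0 or later are assumed. It only reads; the removal itself stays with the GPO Editor steps above, so that the GPT stays consistent with what the editor expects.

```powershell
# Added example (not from the whitepaper): report the ADM files held in each GPO's Group Policy
# Template under SYSVOL, to size the replication cost before (and after) removing them.

$Domain   = 'trust.nhs.example'        # constructed
$Dc       = 'dc01.trust.nhs.example'   # constructed
$Policies = "\\$Dc\SYSVOL\$Domain\Policies"

function Get-GptAdmUsage {
    # One record per GPO folder (named by its GUID): ADM file count, total size in KB, file names.
    param([string]$PoliciesFolder)
    $gpts = Get-ChildItem -LiteralPath $PoliciesFolder | Where-Object { $_.PSIsContainer -and $_.Name -like '{*}' }
    foreach ($gpt in $gpts) {
        $admFolder = Join-Path $gpt.FullName 'Adm'
        $files = @()
        if (Test-Path -LiteralPath $admFolder) {
            $files = @(Get-ChildItem -LiteralPath $admFolder -Filter *.adm)
        }
        $bytes = 0
        foreach ($f in $files) { $bytes += $f.Length }
        New-Object PSObject -Property @{
            GpoGuid  = $gpt.Name
            AdmFiles = $files.Count
            SizeKB   = [math]::Round($bytes / 1KB, 1)
            Names    = (($files | ForEach-Object { $_.Name }) -join ',')
        }
    }
}

$usage = @(Get-GptAdmUsage -PoliciesFolder $Policies)
$usage | Sort-Object SizeKB -Descending | Format-Table GpoGuid, AdmFiles, SizeKB, Names -AutoSize
$total = ($usage | Measure-Object SizeKB -Sum).Sum
"Total ADM data held in GPTs: {0} KB across {1} GPOs" -f $total, $usage.Count
```

Run it once to get a baseline, and again after step 3 of the procedure; a GPO whose Adm folder has grown back indicates an administrator editing from a machine that does not have the ‘Turn off automatic update of ADM files’ setting applied, which is the condition step 1 exists to prevent.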

8.1.7 Microsoft Office ADM Templates


The templates available for the Microsoft Office versions are detailed in section 5.6.2. Each
ADM template imported into a GPO increases the size of the GPO and also increases the
number of folders to browse within the GPO.
Recommendation
It is advisable to only import the ADM templates that contain the settings which will be configured. For
example, if some common Microsoft Office elements require configuring along with the file types that both
Word and Excel can save in, then only import the three ADM templates that focus on these configuration
options and consider removing the default templates that are not required.

Table 54 gives the sizes of the GPOs.

GPO Templates Imported                                   Size in KB
Built-in templates only (default created GPO)            4208
All Office (built-in ADM templates removed)              412 (Office 2003) / 2846 (2007 Office)
Office, Word, Excel (built-in ADM templates removed)     192 (Office 2003) / 1064 (2007 Office)
Table 54: GPO Template Sizes

As can be seen in Table 54, reducing the templates imported into a GPO can considerably reduce
the size of the GPO and help reduce replication traffic. Should replication of these templates cause
issues, consider the steps shown in section 8.1.6.

8.2 Advanced Group Policy Management


AGPM is one of five components that make up the MDOP 81 for Software Assurance. AGPM
provides GPO Administrators with an increased level of management capabilities over and above
that provided through the standard GPMC.
The AGPM provides the following additional benefits:
• Change control
• Offline editing of GPOs

81 See Windows Desktop Management and Deployment {R34} for more information on the Microsoft Desktop Optimization
Pack: http://www.microsoft.com/windows/products/windowsvista/enterprise/mdopoverview.mspx.


• Role-based delegation
• Integrates with the GPMC
Implementing AGPM will provide a healthcare organisation with a more secure and better managed
environment in which to provide desktop management through Group Policy, and therefore help to
reduce the TCO of the Windows Desktop estate.

8.2.1 Planning
Prior to using the AGPM, it is important to understand how its implementation can aid a healthcare
organisation in better managing the deployment of Group Policy.
As listed in section 9.2, AGPM provides the ability to implement change control on all GPOs, as
well as editing the GPOs in an offline state.
AGPM also allows changes to be tracked on a controlled GPO through a check out/check in
process, and a GPO can be rolled back to any point.
With a controlled GPO, a GPO Administrator would need to first check out a copy of the GPO from
an archive created as part of the installation process. This ensures that while this Administrator is
editing the GPO, another Administrator is not able to modify it until it has been checked back in.
This prevents multiple GPO Administrators from making conflicting changes to a GPO at the same
time. Should the other GPO Administrator subsequently check out the GPO and amend the
changes made, a full audit trail of the change would be available to view.
Changes made to a controlled GPO in this way do not affect a live user or computer until the
GPO is deployed into the production environment. This is because editing of a controlled GPO
takes place on an offline copy of the GPO, which only becomes live when explicitly selected
through the GPMC.
This method of managing GPOs gives management visibility of who has made which
amendment and when. It also provides assurance, when reviewing the GPO for approval, that the
correct configuration will be applied to users or computers.
Recommendation
Even if a healthcare organisation has only one person who is responsible for the administration of GPOs,
it is highly recommended that the AGPM is installed to take advantage of the change control and offline
editing components of AGPM, allowing for a historical view of changes made and immediate roll-back if
required.

AGPM also comes with the ability to introduce role-based delegation to the GPO Administrators
within a healthcare organisation. This allows multiple GPO Administrators to have their
responsibilities defined regarding what activities they undertake on GPOs.
There are four specifically designed roles provided by the AGPM. They are:
• AGPM Administrator (Full control)
• Approver
• Editor
• Reviewer
The AGPM Administrator role includes the permissions for all other roles.
This role-based delegation introduces an optional workflow process. This ensures any creation or
amendment of a GPO is not deployed to the production environment without first being approved
by a GPO Administrator, whose responsibility it is to verify the GPO is correct.
Recommendation
If there are multiple GPO Administrators within the healthcare organisation, it is recommended that the
AGPM roles are used.

For example, a healthcare organisation may have a primary central administration location, but allow local
administrators the ability to create and modify GPOs relevant to the region they are responsible for.
Implementing roles enables an element of control over what is created, ensuring the purpose of the GPO
has been defined and naming conventions adhered to, but still allowing the local administrators the ability
to maintain GPOs that affect users and computers they are administering.

Warning
If a user is a member of the Domain Admins security group, and this user has access to the GPMC or
GPO Editor through Active Directory Users and Computers, this user could circumvent the AGPM.
Consider creating a security group which includes those administrators whose job function includes
administering GPOs. Then, create a GPO which controls the running of certain administrative tools
through the Restricted/Permitted MMC snap-ins option. Within this GPO, the GPMC, GPO Editor and the
Group Policy tab in the properties of the domain and OUs within Active Directory Users and Computers
can be disabled. Once this GPO has been created, the permissions of the GPO can be set, such that, the
security group containing GPO administrators is denied the right to apply the GPO.
This will result in all users who are not members of the security group being denied the ability to open
and potentially edit GPOs, even if the user is a member of the Domain Admins security group.
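One way to build the lockdown described in this warning, as an added example that is not part of the original guidance: the script below uses the GroupPolicy and ActiveDirectory PowerShell modules (shipped with Windows Server 2008 R2 and RSAT, so later tooling than the GPMC version this document describes) to create the restricting GPO, prohibit the GPMC and GPO Editor snap-ins, add a Deny entry for the Apply Group Policy right for the GPO administrators group, and link the GPO. The GPO name, group name, OU and the snap-in CLSIDs are placeholders; the CLSIDs must be copied from the Restricted/Permitted snap-ins settings in the MMC ADMX file before use.

```powershell
# Added example, not part of the original guidance: builds the lockdown GPO described
# in the Warning above. Requires the GroupPolicy and ActiveDirectory modules (RSAT).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName    = 'Lockdown - Prohibit GPMC and GPO Editor'                         # placeholder GPO name
$AdminGroup = 'GPO Administrators'                                               # placeholder group
$TargetOu   = 'OU=Administrative Accounts,' + (Get-ADDomain).DistinguishedName   # placeholder OU

# CLSIDs of the snap-ins to prohibit. PLACEHOLDERS: copy the real values from the
# "Restricted/Permitted snap-ins" settings in the MMC ADMX file before use.
$ProhibitedSnapins = @{
    'Group Policy Management (GPMC)'              = '{00000000-0000-0000-0000-000000000001}'
    'Group Policy Object Editor'                  = '{00000000-0000-0000-0000-000000000002}'
    'Group Policy tab for Active Directory tools' = '{00000000-0000-0000-0000-000000000003}'
}

# 1. Create the GPO if it does not already exist.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Prohibits GPO tooling for users outside the GPO administrators group'
}

# 2. A prohibited snap-in is recorded under HKCU\Software\Policies\Microsoft\MMC\{CLSID}
#    with Restrict_Run = 1, which is what the "Restricted/Permitted snap-ins" policy writes
#    when the snap-in's setting is Disabled.
foreach ($entry in $ProhibitedSnapins.GetEnumerator()) {
    Set-GPRegistryValue -Name $GpoName -Key "HKCU\Software\Policies\Microsoft\MMC\$($entry.Value)" `
        -ValueName 'Restrict_Run' -Type DWord -Value 1 | Out-Null
}

# 3. Deny the GPO administrators group the "Apply Group Policy" extended right on the GPO.
#    Set-GPPermission has no Deny level, so the ACE is added to the GPO's AD object directly.
$ApplyGroupPolicyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # well-known rightsGuid
$groupSid  = (Get-ADGroup -Identity $AdminGroup).SID
$gpoObject = [ADSI]('LDAP://' + $gpo.Path)
$denyApply = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $ApplyGroupPolicyRight)
$gpoObject.ObjectSecurity.AddAccessRule($denyApply)
$gpoObject.CommitChanges()

# 4. Link the GPO to the OU holding the administrators' user accounts. Members of
#    $AdminGroup are exempted by the Deny ACE; every other user in scope, Domain Admins
#    included, loses the GPO tooling.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}
```

After running it, open the GPO's Delegation tab in GPMC and confirm that the GPO administrators group shows a denied Apply Group Policy entry; GPMC, not the script, is the authoritative view of the resulting permissions.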

The AGPM is made up of the AGPM Server and the AGPM Client; both of which need to be
installed and configured for AGPM to operate.
The server component creates an archive which is responsible for storing all GPOs including all
historical data relating to this AGPM Server. The installation also configures an AGPM service that
acts as a security proxy which manages client access to GPOs in the archive and production
environment.
The client component is required by all GPO Administrators who create, edit, deploy, review or
delete GPOs. The installation provides additional functionality to the GPMC.
The following sections provide details on how AGPM should be installed and configured to take
advantage of these features as well as further details of the features themselves.

8.2.2 Installation and Configuration


Both the AGPM Server and the AGPM Client can be installed on Windows Vista (32-bit version) or
Windows Server 2003 (32-bit version). The GPMC must also be installed on the chosen server and
client. The user account used to install the AGPM Server needs to be a member of the Domain
Admins group.
Note
Installation of both the Server and Client component is required. Installing just one component will not
allow a healthcare organisation to take advantage of the benefits and advanced features of AGPM.
Installation of the AGPM on 64-bit versions of Windows is not currently supported.

The AGPM Client can be installed on the same computer on which AGPM Server has been
installed.
Recommendation
In a test environment, the AGPM Server and Client can be installed on the same computer; however, it is
recommended that in a production environment these two components are installed on different
computers.
Consider installing the AGPM Server on a domain member server which has capacity to store the archive
of the GPOs. Once the AGPM Server is installed, it is possible to modify the archive path at a later date
should it become necessary to do so.
All GPO Administrators should have the AGPM Client installed ensuring that all access to GPOs is
maintained through the change control process.


The installation and configuration of AGPM is a relatively simple process but one that requires a
number of steps. The following list can be used as a checklist to ensure all of these steps have
been completed:
1. Install the AGPM Server.
2. Install the AGPM Client.
3. Configure an AGPM Server Connection.
4. Configure e-mail notification.
5. Delegate Access.
Note
It is not possible to migrate an archive from an AGPM Server running on Windows Server 2003 to an
AGPM Server running on Windows Vista.
If installing AGPM Server onto Windows Server 2003 which already has GPOVault Server installed, allow
the installation of AGPM Server to uninstall GPOVault Server, as this will automatically transfer any
existing GPOVault archive data to an AGPM archive.
By default, the Link GPOs permission is assigned to only members of the Domain Administrators and
Enterprise Administrators security groups. To assign the Link GPOs permission to additional users or
groups, you should use the Delegation tab within GPMC.

8.2.2.1 Install the AGPM Server


The computer on which AGPM Server is installed will host the AGPM Service and manage the
archive.

To install the AGPM Server:


1. Log on to the computer which will act as the AGPM Server using an account that is a
member of the Domain Admins group.
2. Perform one of the following to start the Microsoft Advanced Group Policy Management –
Server Setup Wizard:
• Insert the Microsoft Desktop Optimization Pack CD and select Advanced Group
Policy Management – Server
• In Windows Explorer, locate and double-click the AGPMServer.msi file


The Microsoft Advanced Group Policy Management – Server Setup Wizard launches and
the Welcome page displays:

3. Click Next. The Microsoft Software License Terms page displays:

4. Read and accept the terms by selecting the I accept the license terms check box.


5. Click Next. The Application Path page displays:

6. Type the location where the AGPM Server will be installed, or click Change… to browse to
the destination folder.
7. Click Next. The Archive Path page displays:


8. Type the path for where the archive will be located, or click Change… to browse to the
destination folder.
9. Click Next. The AGPM Service Account page displays:

10. Enter the credentials of the account to be used.


11. Click Next. The Archive Owner page displays:


12. Enter the name of the User Account [82] that will act as the initial owner and therefore have
full permissions over all GPOs.
Note
The User Account used as the initial Archive Owner can be a temporary assignment. The purpose
of this account is to allow the specified user to add further users, or groups of users, and assign
appropriate AGPM permissions to them. These permissions can follow the standard set available
using the AGPM Admin, Approver, Editor and Reviewer roles, or customised further if appropriate.

13. Click Next. The Ready to install Microsoft Advanced Group Policy Management – Server
page displays:

14. Click Install.


15. Once installation of the Microsoft Advanced Group Policy Management – Server is
complete, click Finish.
Note
As part of this installation, step 9 presents the AGPM Service Account page. This page may appear
differently depending upon the computer on which the AGPM Server component is being installed. If the
installation is carried out on a DC or Member Server, an additional option is available to use the Local
System account.
Only choose to use the Local System account if installing within a single domain and on a DC. If installing
on a Member Server or other domain client, specify a different account, as only the Local System account
of a DC will have access to the Domain GPOs.
If specifying a different account, ensure that it has full access to all GPOs that the AGPM will manage.
This is done by adding the service account user with the permissions ‘Edit settings, delete, modify
security’ in the Delegation tab of each GPO.

[82] It is recommended that a user group is specified, as the membership of the group can change whilst the group remains the
overall archive owner.


8.2.2.2 Install the AGPM Client


Each GPO Administrator requires the AGPM Client installed.

To install the AGPM Client:


1. Perform one of the following to start the Microsoft Advanced Group Policy Management –
Client Setup Wizard:
• Insert the Microsoft Desktop Optimization Pack CD and select Advanced Group
Policy Management – Client
• In Windows Explorer, locate and double-click the AGPMClient.msi file
2. The Microsoft Advanced Group Policy Management – Client Setup Wizard launches and
the Welcome page displays:


3. Click Next. The Microsoft Software License Terms page displays:

4. Read and accept the terms by selecting the I accept the license terms check box.
5. Click Next. The Application Path page displays:

6. Type the location for installing the AGPM Client, or click Browse… to browse to the
destination folder.


7. Click Next. The AGPM Server page displays:

8. Specify the fully qualified DNS Name of the AGPM Server and the Port on which to
connect. By default, the port number is 4600.
9. Click Next. An information dialog box may be presented informing the user that the chosen
port is required for client/server communication.

10. Click Yes to add the port to the Windows Firewall exceptions list.


11. Click Next on the AGPM Server page again to proceed to the Ready to install Microsoft
Advanced Group Policy Management – Client page.

12. Click Install. The Completed the Microsoft Advanced Group Policy Management – Client
Setup Wizard page displays:

13. Click Finish to close the wizard.


8.2.2.3 Configure an AGPM Server Connection


It is important to ensure that all GPO Administrators connect to the same AGPM Server. The
following steps use a GPO to configure this connection; this can be either a new GPO or an
existing GPO that is already applied to all GPO Administrators.

To configure the connection using GPO:


1. Open the Group Policy Management Console, (Start > Administrative Tools > Group
Policy Management).
2. In the GPMC, edit or create a GPO that is applied to all GPO Administrators.
3. In the Group Policy Object Editor, expand User Configuration > Administrative
Templates > Windows Components.
4. If AGPM is not listed under Windows Components:
a. Right-click Administrative Templates and select Add/Remove Templates.
b. Click Add and select either AGPM.ADMX or AGPM.ADM.
c. Click Open followed by Close.
d. The Group Policy Object Editor window may need to be refreshed by clicking the
Refresh button in order to view the AGPM component under Windows Components.
5. Under Windows Components, click AGPM.
6. In the right-hand details pane, double-click AGPM Server (all domains).
7. In the AGPM Server (all domains) Properties window, click Enabled.
8. Type the fully qualified computer name and the port number, in the following format:
servername.domainname.com:portnumber
9. Click OK.
10. Close the Group Policy Object Editor.
Once this GPO is deployed to the GPO Administrators, the AGPM Client installation will be
preconfigured with the server name and port number.
Note
For large healthcare organisations, it is possible to have multiple AGPM Servers should the environment
require it. In this instance, refer to the Advanced Group Policy Management help file topic: AGPM Server
Connection Settings. This help file is installed to the Application Path as specified during the installation of
either the AGPM Server or AGPM Client.

Recommendation
Within the GPO edited in the steps above, the setting AGPM Server (all domains) was configured. It is
recommended that as a minimum this setting is configured and applied to all GPO Administrators. Should
certain GPO Administrators use a different AGPM Server, then utilise the AGPM Server setting and apply
this to those GPO Administrators. The AGPM Server GPO setting overrides the AGPM Server (all
domains) setting.
For example, create a baseline GPO that configures the AGPM Server (all domains) setting and have this
apply to all GPO Administrators. Then create an incremental GPO that configures the AGPM Server
setting and have this applied to only those GPO Administrators which use a different AGPM Server to the
default.
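As an added check that is not part of the original guidance, the following PowerShell script can be run on a GPO Administrator's computer to confirm that the connection GPO has applied and that each configured AGPM Server answers on its port (4600 by default). It assumes that the AGPM template stores its values as strings under HKCU\Software\Policies\Microsoft\AGPM; that key is an assumption to confirm against the AGPM.ADMX shipped with the product, which is why the script selects values by their shape (server or server:port) rather than by name. Test-NetConnection requires Windows 8 or Windows Server 2012 or later.

```powershell
# Added example, not part of the original guidance. Checks the AGPM Server
# connection settings delivered by Group Policy and tests that each server is reachable.
# ASSUMPTION: AGPM.ADMX writes its values under HKCU\Software\Policies\Microsoft\AGPM.
$PolicyKey   = 'HKCU:\Software\Policies\Microsoft\AGPM'
$DefaultPort = 4600   # AGPM default port, as entered during client installation

function Get-AgpmServerSetting {
    if (-not (Test-Path $PolicyKey)) {
        Write-Warning "No AGPM policy values under $PolicyKey - has the connection GPO applied? (try gpupdate /target:user)"
        return
    }
    $values = Get-ItemProperty -Path $PolicyKey
    # Keep registry values shaped like "server" or "server:port"; skip the PS* metadata properties.
    $values.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -is [string] -and $_.Value -match '^[A-Za-z0-9.-]+(:\d+)?$' } |
        ForEach-Object {
            $server, $port = $_.Value -split ':', 2
            [pscustomobject]@{
                Setting = $_.Name
                Server  = $server
                Port    = if ($port) { [int]$port } else { $DefaultPort }
            }
        }
}

function Test-AgpmServerConnection {
    foreach ($setting in Get-AgpmServerSetting) {
        $tcp = Test-NetConnection -ComputerName $setting.Server -Port $setting.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Setting   = $setting.Setting
            Server    = $setting.Server
            Port      = $setting.Port
            Resolved  = [bool]$tcp.RemoteAddress
            Reachable = $tcp.TcpTestSucceeded
        }
    }
}

Test-AgpmServerConnection | Format-Table -AutoSize
```

A server that resolves but is not reachable usually points at the AGPM Service being stopped or the port not being open on the server's firewall; a missing key points at the GPO not yet applying to that administrator's user account.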


8.2.2.4 Configure E-mail Notification


E-mail notification allows one or more e-mail addresses to be specified to which requests for action
are sent. A request could come from an Editor or Reviewer who is requesting the creation,
deployment or deletion of a GPO. See section 8.2.5 for further details on roles and actions.

To configure e-mail notification:


1. Using an AGPM Administrator account, open the Group Policy Management Console (click
Start or the Windows Button, point to Administrative Tools and then click Group
Policy Management).
2. Click Change Control in the domain in which the GPOs are to be managed.
3. In the right hand details pane, click the Domain Delegation tab.
4. In the From field, type the e-mail alias for AGPM from which notifications should be sent.
5. In the To field, type a list of e-mail addresses of Approvers who should receive the
requests. The e-mail addresses should be separated by commas.
6. In the SMTP Server field, type the name of an SMTP mail server to use to send the
requests.
7. In the User name and Password fields, type the credentials of a user with access to the
SMTP service.
8. Click Apply to configure e-mail notification.
Note
E-mail notification for AGPM is a domain-level setting. Different Approver e-mail addresses or AGPM
e-mail aliases can be provided on each domain's Domain Delegation tab, or the same e-mail addresses
can be used throughout the environment.

8.2.2.5 Delegate Access


Once the installation and configuration of AGPM has been completed, access to the GPOs needs
to be delegated appropriately before it can be used by the GPO Administrators. This involves the
assigning of an AGPM role to each of the GPO Administrators. See section 8.2.5 for details of the
roles and their default permissions.
Important
Membership in the Group Policy Creator Owners group should be restricted so that it is not used to
circumvent AGPM management of access to GPOs. This is completed through the Group Policy
Management Console, by clicking Group Policy Objects in the forest and domain in which GPOs are to
be managed, clicking Delegation, and then configuring the settings to ensure permissions are set
appropriately.
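An added audit, not part of the original guidance, that reports the two ways a GPO can be changed without passing through AGPM's change control: membership of the Group Policy Creator Owners group, and trustees that hold edit rights directly on individual GPOs. It uses the GroupPolicy and ActiveDirectory PowerShell modules; the AGPM service account name and the list of accepted trustees are placeholders for the reader's environment.

```powershell
# Added example, not part of the original guidance: audit of paths around AGPM change control.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Trustees expected to hold edit rights on GPOs. PLACEHOLDERS: substitute the account the
# AGPM Service runs as and any group the organisation has knowingly accepted.
$ExpectedEditors = @('svc-agpm', 'Domain Admins', 'Enterprise Admins', 'SYSTEM')

function Get-GpcoMember {
    # Anyone here can create GPOs straight in production, bypassing the archive.
    Get-ADGroupMember -Identity 'Group Policy Creator Owners' -Recursive |
        Select-Object @{ n = 'Member'; e = { $_.SamAccountName } }, objectClass, distinguishedName
}

function Get-DirectGpoEditor {
    # Anyone with edit rights on a GPO's ACL can change it in production without checking it out.
    foreach ($gpo in Get-GPO -All) {
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Permission.ToString() -in @('GpoEdit', 'GpoEditDeleteModifySecurity') } |
            ForEach-Object {
                [pscustomobject]@{
                    GPO        = $gpo.DisplayName
                    Trustee    = $_.Trustee.Name
                    Permission = $_.Permission.ToString()
                    Expected   = $ExpectedEditors -contains $_.Trustee.Name
                }
            }
    }
}

'== Group Policy Creator Owners membership (should be empty or a known, minimal set) =='
Get-GpcoMember | Format-Table -AutoSize

'== Trustees holding edit rights directly on GPOs, outside the expected set =='
Get-DirectGpoEditor | Where-Object { -not $_.Expected } | Sort-Object GPO, Trustee | Format-Table -AutoSize
```

Any trustee in the second list is a GPO Administrator whose changes would never appear in the AGPM history; either remove the direct permission and give them an AGPM role instead, or add them to the accepted list with a documented reason.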

To delegate access:
1. Using an AGPM Administrator account, open the Group Policy Management Console (click
Start or the Windows Button, point to Administrative Tools and click Group
Policy Management).
2. Click Change Control in the domain in which the GPOs are to be managed.
3. In the right-hand details pane, click the Domain Delegation tab.
4. Click the Advanced button.


5. In the Permissions dialog box, select the check box for each role to be assigned to a GPO
Administrator.
6. Click the Advanced button.
7. In the Advanced Security Settings dialog box, select a GPO Administrator, and click
Edit.
8. For Apply onto, select This object and nested objects, and click OK in the Permission
Entry dialog box.
9. In the Advanced Security Settings dialog box, click OK.
10. In the Permissions dialog box, click OK.
Once access has been delegated appropriately to the GPO Administrators, the workflow process of
managing GPOs can be followed. See section 8.2.5, Figure 15 for further details.

8.2.3 Change Control


As stated within section 8.2.1 above, the AGPM provides a Change Control element. When the
AGPM is installed, any existing GPOs within the domain are placed into an Uncontrolled tab within
the GPMC and, as such, change is not controlled on these GPOs. To manage these GPOs
properly through AGPM, the GPOs should be flagged as controlled. This is completed using the
steps below.

To move a GPO from the Uncontrolled tab to the Controlled tab:


1. Open the Group Policy Management Console and click Change Control from within the
domain in which the GPOs are to be controlled.
2. On the Contents tab in the Details pane, click the Uncontrolled tab to display the
uncontrolled GPOs.
3. Right-click the GPO to be controlled by AGPM and select Control from the menu
displayed.
4. Click Close once the Progress window shows the operation as complete.
Note
The process of moving a GPO from an uncontrolled state to a controlled state can only be performed by
an AGPM Administrator or Approver role.

With the GPOs residing in the Controlled tab, any amendment made to them is tracked through
the Change Control process and accessible within the archive.
The history of each GPO can be viewed by double-clicking on the GPO itself within the Controlled
tab. From within the History window, any version of the GPO can be analysed against any other
version of the GPO, and older versions can be deployed (rolled back) to the production
environment.

8.2.4 Offline Editing


Without AGPM installed, a GPO Administrator needing to amend a GPO would have to edit the live
GPO. Even if there is a test environment in place, if live GPOs are edited, there is no quick and
easy way of rolling back any changes should issues occur. This poses a high risk and may affect a
large number of users and/or computers, depending upon the change being made, as the GPO
becomes live at the point when the GPO Editor is closed.
With AGPM installed, when the same GPO Administrator needs to amend a controlled GPO, this is
carried out within an offline copy of the GPO. This offline copy of the GPO is made available
through the archive created of all controlled GPOs in the domain. The use of the offline editing
feature does not require installation or configuration, but is a standard part of the AGPM and used
whenever a GPO Administrator edits a controlled GPO.
With AGPM, should the amendment of the GPO be approved and deployed to the live environment,
but then found to cause an issue, the GPO can be rolled back to a known good state using the
AGPM Client.
In summary, offline editing of GPOs enables GPO Administrators to configure and test changes to
GPOs without impacting the live environment.

8.2.5 Role-Based Delegation


The role-based element of the AGPM introduces an optional workflow process, including specific
roles for GPO Administrators.
The AGPM roles, as listed in section 8.2.1, each have a number of permissions assigned to them.
Table 55 details the default permissions of these roles.

Permission          AGPM Administrator   Approver   Editor   Reviewer
List Contents       Yes                  Yes        Yes      Yes
Read Settings       Yes                  Yes        Yes      Yes
Edit Settings       Yes                  -          Yes      -
Create GPO          Yes                  Yes        -        -
Deploy GPO          Yes                  Yes        -        -
Delete GPO          Yes                  Yes        -        -
Modify Options      Yes                  -          -        -
Modify Security     Yes                  -          -        -
Create Templates    Yes                  -          Yes      -
Table 55: AGPM Default Permissions Summary

The default permissions listed above provide a healthcare organisation with a generic set of roles
that can be used as is. If deemed appropriate, these permissions can be configured further to
ensure the GPO Administrators have the right set of permissions to carry out their activity.
Note
The Modify Options and Modify Security permissions are unique to the role of the AGPM Administrator
and can therefore not be assigned to any of the other roles.

Delegating these roles can ensure that the healthcare organisation has an appropriate workflow
process in place to be able to deploy a GPO to a live environment.
Recommendation
The default permissions configured for the AGPM roles are recommended as suitable for use within the
healthcare organisation without further configuration. Should a role be required that is not catered for
within the default roles, then the creation of a new role should be documented and added as appropriate.


A flow diagram showing the typical steps that would be carried out when a GPO is created is given
in Figure 15 below:

[Figure 15 (flow diagram): an Editor requests creation of a new controlled GPO, or an Approver creates a
new controlled GPO directly. The Approver reviews and, if appropriate, approves creation. The Editor checks
the GPO out of the archive, makes amendments to the GPO offline, checks the amended GPO back in and
requests deployment of the GPO. The Approver reviews the GPO and either rejects it or approves it; on
approval the Approver deploys the GPO to the live environment (the domain). Legend: the GPO
Administrators involved are the Editor and the Approver.]

Figure 15: AGPM Typical Workflow Process to Create a Controlled GPO

As part of the process identified in Figure 15, the first task for an Editor to carry out is to request the
creation of a new GPO, or if the GPO already exists but is currently uncontrolled, to request that
the GPO be controlled. This request is generated by the Editor from within the GPMC and an e-mail
is sent to the AGPM Administrators and Approvers. The e-mail addresses are configured through
the Domain Delegation tab within GPMC, as part of the installation and configuration of AGPM.
Important
GPO Administrators, editing a GPO which is using GPSI, must have Read permission on the deployed
copy of the GPO to make full use of GPSI. This is because AGPM preserves the integrity of GPSI
packages. While GPOs are edited offline, the link between offline GPOs and packages is preserved.


8.2.6 GPMC Integration


AGPM seamlessly integrates with both GPMC version 1.0 (SP1) for Windows XP/Windows Server
2003 and GPMC version 2.0 for Windows Vista.
Once the AGPM Client has been installed, the GPMC includes one extra option to choose from in
the left hand pane, Change Control, as circled in Figure 16 below. The figure shows the GPMC
before and after the AGPM Client has been installed.

Figure 16: GPMC Before and After AGPM Client Installation

The Change Control option provides GPO Administrators with a new set of tabs in which to
manage the GPOs. The right hand details pane displays the following tabs:
• Contents
  ◦ Controlled
  ◦ Uncontrolled
  ◦ Pending
  ◦ Templates
  ◦ Recycle Bin
• Domain Delegation
• AGPM Server
Note
Upon starting the GPMC and selecting the Change Control option, the AGPM Client contacts the AGPM
Server through the connection specified during installation. Should an error display whilst loading the
archive of controlled GPOs, informing that the connection was actively refused, restart the AGPM Service
on the AGPM Server and once the service has been started, refresh the AGPM Client screen to reload the
archive.


8.2.6.1 GPMC Change Control Contents Tab


The Contents tab is where the majority of a GPO Administrator’s focus will be. It provides further
tabs which list all of the Domain GPOs that are available. These additional tabs categorise the
GPOs and, as such, dictate what tasks can be carried out with the GPO.
The Controlled tab lists all the GPOs which have been created using AGPM Client within the
GPMC and the GPOs that have been moved from the Uncontrolled tab to enable AGPM to
manage them.
Tasks available to a GPO Administrator are accessed by right-clicking the GPO or a blank area
beneath the GPOs; options are provided via a context menu. Table 56 details the options.

New Controlled GPO: This option is only available when right-clicking a blank area in the GPO frame. It
enables a GPO Administrator to create a Controlled GPO, allowing the name and a comment to be
specified, and whether the GPO is created directly in Live or in an Offline state. It also allows the option to
create the GPO based upon a pre-existing template.

History: This opens a new window displaying historical information about the GPO. The window contains
three tabs to filter the view so as to show all versions of the GPO, show only checked-in versions of the
GPO, or only GPOs that have labels associated with them.

Settings: This option enables the creation of either an HTML or XML report, showing the settings contained
within the GPO. It also provides the option to display where the GPO is linked to.

Differences: This option enables the creation of an HTML report, an XML report or a GPO template,
containing the differences between two GPOs. To generate the reports, the GPOs for comparison need to
be selected when clicking this option.

Edit: This option opens the Group Policy Object Editor to allow editing of the selected GPO. This option is
only available when the GPO has been checked out.

Check Out or Check In: This option allows a GPO Administrator to check out a GPO to make it available for
editing. If the GPO is already checked out, the check in option is displayed.

Undo Check Out: This option only appears once a GPO has been checked out. Selecting Undo Check Out
discards any changes made to the GPO.

Import from Production: This option allows the importing of settings from a controlled GPO.

Delete: This option deletes the selected GPO but only to the Recycle Bin. If necessary, the GPO can be
restored.

Deploy: This option makes the GPO available to the production environment and starts affecting live users
and/or computers.

Label: This option provides the ability to comment, or label, the GPO for record keeping.

Rename: This option provides the ability to rename the selected GPO.

Save as Template: This option enables a GPO Administrator to save the selected GPO as a template for
creating standardised GPOs from in the future.

Refresh: This option refreshes the current screen.

Help: This option displays the help file.

Table 56: AGPM Controlled GPO Right Click Options

The Uncontrolled tab contains all GPOs which are not managed by the AGPM. It provides the
ability to select a GPO and take control of it. This then creates a copy of the GPO in the archive
and moves the GPO listing to the Controlled tab.


As with the options available in the Controlled tab, when right-clicking a GPO within the
Uncontrolled tab, a GPO Administrator has the option to run reports showing the settings
contained within the GPO and also to show the differences between two selected GPOs. The GPO
can also be saved as a template for use when creating a new managed GPO.
Figure 17 below shows the Uncontrolled tab with the context menu displayed upon right-clicking an
unmanaged GPO.

Figure 17: GPMC AGPM Uncontrolled Tab

The Pending tab lists the GPOs that require action from a GPO Administrator. Unique options
available within this tab allow a GPO Administrator to withdraw a request for action prior to the
request being completed. It also enables the assigned AGPM Administrator to either Approve or
Reject the request.
The Templates tab provides a location for template GPOs. These templates can then be used as a
basis to create new managed GPOs. A template is distinctly different from any other managed GPO,
in that it cannot be edited and, as such, has no history associated with it. Should a template need to
be amended, a new controlled GPO should be created based upon the old template; this can then be
edited as required, and then saved as a template.
Similar to the way in which the Windows operating system recycle bin works, the AGPM Recycle
Bin provides a location to place GPOs that have been deleted. This provides a level of protection
against accidental deletion of GPOs. Unique options available within this tab are to either Destroy
or Restore deleted GPOs. As the name suggests, Destroy permanently deletes a GPO, whereas
Restore moves a GPO back to the Controlled tab.
Note
It is not possible to delete an uncontrolled GPO from within AGPM.


8.2.6.2 GPMC Change Control Domain Delegation Tab


The Domain Delegation tab provides a list of GPO Administrators who have domain-level access
to the archive and it indicates the AGPM role of each GPO Administrator.
This tab also provides the AGPM Administrator with the ability to configure the permissions for the
AGPM roles. See section 8.2.5 for more details on AGPM roles. Figure 18 below shows the
Advanced Permissions for a user within the contoso.com domain.

Figure 18: AGPM Advanced Permissions Dialog Box

Within this dialog box, it is possible to amend the AGPM role for each of the GPO Administrators.
The e-mail notification can also be configured from within the Domain Delegation tab, enabling
further use of the role-based delegation functionality; see section 8.2.2.4 on how to configure the
e-mail notification.

8.2.6.3 GPMC Change Control AGPM Server Tab


As part of the installation of the AGPM Client, the AGPM Server Host name and port number are
specified (see section 8.2.2.2 for installation details). The AGPM Server tab displays these details,
and both the host name and port number can be changed from here.
Recommendation
The ability to specify the AGPM Server host name and port number can be managed through a GPO. It is
recommended that healthcare organisations use this method (see section 8.2.2.3 for further information
on how to do this). If managed through a GPO, the fields on the AGPM Server tab are unavailable.

8.3 Windows XP and Windows Vista Coexistence


As part of the decision for a healthcare organisation to deploy Windows Vista clients into the
environment, planning needs to have taken place for the management of the new operating
system. With Windows Vista containing hundreds of new settings, it is advisable to take advantage
of some of these before the first Windows Vista clients are deployed.
It is therefore important to understand how both Windows XP and Windows Vista can be managed
through Group Policy. Due to the major change in the way Group Policy has been designed in
Windows Vista, with the introduction of the ADMX and ADML files, and the new version of GPMC,
Windows Vista Group Policy settings can only be managed by Windows Vista.
The following points highlight the reasons why a healthcare organisation deploying Windows Vista
should manage Group Policy from a Windows Vista client:
• The new Windows Vista based policy settings can only be managed from a Windows Vista
based computer running GPMC version 2.0
• Windows Vista policy settings are defined only in ADMX files and, as such, are not
readable to tools available on previous versions of Windows
• The Windows Vista version of GPMC can be used to manage all operating systems that
support Group Policy (Windows Vista, Windows Server 2003, Windows XP, and Windows
2000)
• All administrative policy settings that currently exist in ADM Templates can be managed by
Windows Vista
• The Windows Vista version of GPMC can use the Central Store for better template
management
• The Windows Vista version of GPMC does not create duplicate files of the ADMX files in
the way that previous versions do
In summary, while Windows XP and Windows Vista clients can coexist within the same domain
without issue, management of Group Policy should be completed from a Windows Vista based
administrative computer.

8.4 Troubleshooting
Troubleshooting GPOs can be a tricky business; however, a number of very useful tools exist to aid
a GPO Administrator in ascertaining what is happening should issues arise.

8.4.1 Group Policy Operational Log


A new feature available with Windows Vista is the Group Policy Operational Log. This log replaces
the USERENV log file that is used in previous versions of Windows. This log can be viewed using
the Event Viewer.
If problems are encountered with Group Policy on a Windows Vista client, it is recommended that
troubleshooting should be started with the Event Viewer. The status of the Group Policy service is
indicated by the following events:
• Informational – The Group Policy Service is functioning correctly
• Warning – The Group Policy Service is functioning correctly, however dependencies may
have failed
• Error – The Group Policy Service has failed
The event description in Windows Vista has been improved greatly and, in most cases, will provide
enough information as to what has caused the event to occur and what steps to take to attempt to
rectify the issue.


Should this not lead to a fix for the issue being experienced, view the Group Policy Operational Log
for further information about the activities that have taken place with the Group Policy Service. The
Group Policy Operational Log can be seen in Figure 19 below.

Figure 19: Group Policy Operations Log

For detailed information on how to use and analyse the events listed, see the article
Troubleshooting Group Policy Using Event Logs [83].
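As an added example (PowerShell written for this section, not part of the original document), the following script reads the Operational Log named above and classifies the Group Policy service state from the event levels, then breaks the log down per processing cycle; it assumes PowerShell 2.0 or later on the Vista client, since Get-WinEvent needs it.

```powershell
# Added example, not part of the original document: read the Windows Vista Group Policy
# Operational Log with PowerShell and report the service state using the three levels the
# text lists (Informational, Warning, Error), then break the log down per processing cycle.
# Assumption: PowerShell 2.0 or later is installed on the client, as Get-WinEvent needs it.

$GPLog = 'Microsoft-Windows-GroupPolicy/Operational'

# Event levels as stored in the event record
$LevelName = @{ 1 = 'Critical'; 2 = 'Error'; 3 = 'Warning'; 4 = 'Informational' }

function Get-GPServiceState {
    # Classifies the most recent events into the page's three service states.
    param([int]$MaxEvents = 100)
    $events = @(Get-WinEvent -LogName $GPLog -MaxEvents $MaxEvents -ErrorAction Stop)
    $errs   = @($events | Where-Object { $_.Level -le 2 })   # Critical or Error
    $warns  = @($events | Where-Object { $_.Level -eq 3 })
    $latest = $null
    if ($errs.Count -gt 0) {
        $state  = 'Error - the Group Policy service has failed'
        $latest = $errs[0].Message          # Get-WinEvent returns newest first
    } elseif ($warns.Count -gt 0) {
        $state  = 'Warning - functioning, but a dependency may have failed'
        $latest = $warns[0].Message
    } else {
        $state  = 'Informational - the Group Policy service is functioning correctly'
    }
    New-Object PSObject -Property @{
        State         = $state
        Examined      = $events.Count
        Errors        = $errs.Count
        Warnings      = $warns.Count
        LatestProblem = $latest             # the Vista event text normally names the cause
    }
}

function Get-GPProcessingCycles {
    # Every event raised during one Group Policy processing pass carries the same
    # ActivityId, so grouping on it shows each cycle with its start, end and worst level.
    param([int]$MaxEvents = 500)
    Get-WinEvent -LogName $GPLog -MaxEvents $MaxEvents -ErrorAction Stop |
        Where-Object { $_.ActivityId } |
        Group-Object -Property ActivityId |
        ForEach-Object {
            $cycle = @($_.Group | Sort-Object TimeCreated)
            $worst = ($cycle | Measure-Object -Property Level -Minimum).Minimum
            New-Object PSObject -Property @{
                ActivityId = $_.Name
                Started    = $cycle[0].TimeCreated
                Finished   = $cycle[-1].TimeCreated
                Events     = $cycle.Count
                Outcome    = $LevelName[[int]$worst]
            }
        } |
        Sort-Object Finished -Descending
}

# Usage on the client being examined: overall state first, then the last few cycles
Get-GPServiceState | Format-List State, Errors, Warnings, LatestProblem
Get-GPProcessingCycles | Select-Object -First 5 | Format-Table Started, Finished, Events, Outcome -AutoSize
```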

8.4.2 Help and Support


At times, the simplest and quickest way to view the Group Policies being applied to a specific user
is to utilise the built-in Help and Support.
To view the Group Policies applied to a user:
1. Open Help and Support.
2. Click Use Tools to view your computer information and diagnose problems under the
Pick a task heading.
3. In the resulting Tools pane, select Advanced System Information and click View Group
Policy settings applied. After a moment of collecting the information, a report is displayed
showing the Group Policy result for both the current computer and the currently logged on
user.
This report shows all group policies being applied with their friendly name as well as the GUID for
that GPO along with all the settings being applied.

[83] Troubleshooting Group Policy Using Event Logs {R35}: http://go.microsoft.com/fwlink/?linkid=74139


Note
Windows Vista does not provide the ability to view the Group Policy settings applied through the Help and
Support application. Instead, a GPO Administrator can run the Resultant Set of Policy (RSoP) MMC snap-in
on the client machine to view the settings being applied. This RSoP data is the same as would be seen
through the GPMC.

8.4.3 GPO Tool


The GPO Tool is an invaluable tool to establish whether the replication and consistency of the
GPOs is functioning correctly. It is a command line tool which can be pointed at specific DCs and
the GPOs replicated to them, and provides administrators with a clear picture of the state of the
replication activities.

8.4.4 Recovery Tools


As recommended within this document, the DDP and the DDCP should be backed up and not
amended from their default settings with the exception of the Password Policy and Account Lockout
Policy.
For Windows 2000 Server, the RecreateDefPol.exe utility is available as a download and for
Windows Server 2003, the Dcgpofix.exe utility can be used; each tool must only be used on the
operating system it is designed for.
Note
If the DDP or the DDCP have either been damaged or deleted, they should be restored in the first
instance using a recent backup. If a backup is not available then the recovery tools available can assist in
the restoration of these default policies, (and only these policies, not other GPOs that may have been
created), but should only be used as a last resort.


APPENDIX A SKILLS AND TRAINING RESOURCES


The tables in this appendix list the suggested training and skill assessment resources available.
This list is not exhaustive; there are many third-party providers of such skills. The resources listed
are those provided by Microsoft.

PART I Microsoft Active Directory


For further information on Microsoft Active Directory see
http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx

Skill or Technology Area | Resource Location | Description
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure | Training Course 2279: http://www.microsoft.com/learning/syllabi/en-us/2279Bfinal.mspx | Plan, implement, and troubleshoot a Microsoft Windows Server 2003 Active Directory directory service infrastructure.
Microsoft Press Book: Active Directory for Microsoft Windows Server 2003 Technical Reference | http://www.microsoft.com/mspress/books/5867.asp | Provides detailed information on the underlying concepts, architectural components, and real-world functionality of Active Directory directory service.
Table 57: Microsoft Active Directory 2003

PART II GPO Editor and GPMC


For further information on GPO Editor and GPMC, see
http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx

Skill or Technology Area | Resource Location | Description
Administering Group Policy with the GPMC | http://www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx | A Microsoft white paper providing an overview of GPMC and outlining the essential functionality necessary to administer Group Policy with the GPMC.
Advanced Group Policy Management | http://www.microsoft.com/windows/products/windowsvista/enterprise/agpm.mspx | Provides an overview of AGPM, including data sheets and a video presentation of its use.
Migrating GPOs Across Domains with GPMC | http://www.microsoft.com/windowsserver2003/gpmc/migrgpo.mspx | A technical article explaining how to move GPOs from one domain to another using GPMC. A typical example is from a test domain to a production domain.
Understanding Group Policies on Windows Server 2003 | http://technet.microsoft.com/en-us/bb531151.aspx | A series of Windows Media presentations including demonstrations on the following topics: Using Software Restriction Policies; Using WMI Filters with Group Policy; Using the GPMC; Group Policy Modelling; Scripting Group Policy Management.
Table 58: Microsoft Group Policy Object Editor and Group Policy Management Console


PART III Supplemental Training Resources


Title | Link
Step-by-Step Guide to Using the Group Policy Management Console | http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/gpmcinad.mspx
Group Policy Script Center | http://www.microsoft.com/technet/scriptcenter/hubs/gp.mspx
14-Part Webcast Series on Group Policy: Explore Fundamentals and Advanced Concepts | http://www.microsoft.com/events/series/grouppolicy.mspx
Microsoft Solutions for Security and Compliance – Windows XP Security Guide | http://go.microsoft.com/fwlink/?linkid=14840
Enforce settings by using Group Policy in the 2007 Office system | http://technet.microsoft.com/en-us/library/cc179081.aspx
Planning for Group Policy | http://technet.microsoft.com/en-us/library/cc179077.aspx
Managing Users’ Configurations by Policy – Office 2003 Resource Kit | http://office.microsoft.com/en-us/ork2003/HA011402401033.aspx
Table 59: Supplemental Training Resources


APPENDIX B HOW TO GUIDES

PART I Installing GPMC


The manual installation of the GPMC is a simple process consisting of just four setup screens as
shown below; prerequisites for the installation are provided and should be followed to ensure
successful operation of GPMC within the healthcare environment.
Note
Windows Vista ships with GPMC version 2.0 pre-installed and, as such, these instructions are meant for
the operating system versions listed in the GPMC Prerequisites below.

GPMC Prerequisites
The following prerequisites are required to install and operate the GPMC successfully:
• Windows XP Professional with SP1 or Windows Server 2003
• Microsoft .NET Framework 2.0 (for Windows XP Professional computers)
• QFE Q326469 installed (if not installed, GPMC will prompt to install it)
• GPMC with SP1 will remove currently installed versions of GPMC except any pre-release versions; as such, pre-release versions require removal prior to installing GPMC with SP1
• Domain Controllers must be running Windows 2000 with SP2 or later as a minimum; Windows 2000 SP3 is recommended

GPMC Installation
The GPMC with SP1 can be installed using either of two methods:
• Unattended
• Manually

Unattended
To carry out an unattended installation of the GPMC with SP1, the following command can be
used:
C:\> MSIExec.exe /i <PATH>\gpmc.msi /qr
Where <PATH> is the full path where the GPMC.MSI file resides; should the path contain spaces
then it should be enclosed using double-quotes (“), for example, “C:\Downloaded Files\gpmc.msi”.


Manually
The following screenshots show the installation steps involved in a manual setup of GPMC with
SP1:
1. Browse to the folder where the GPMC with SP1 is located and double-click the GPMC.MSI
file.
2. The Setup Wizard Welcome screen will be displayed; click Next to continue the
installation.

3. The Setup Wizard License Agreement displays; select I Agree and click Next.

4. The Setup Wizard will now install GPMC with SP1 into the “%ProgramFiles%\GPMC”
folder.


5. Once the copy process is complete, a success screen will be displayed. Click Finish.

PART II Create an Organisational Unit


Active Directory Users and Computers
1. Open Active Directory Users and Computers, located, by default on a Windows Server
2003 server, in Start > All Programs > Administrative Tools.
2. Within Active Directory Users and Computers, right-click the object you wish to create an
OU under, select New > Organizational Unit.


3. The New Object – Organizational Unit dialog box displays. Type the name of the new
OU in the Name text box.

4. Click OK.
Note
The context menu shown when an object is right-clicked depends upon the selected object. In the
example above, the Domain Name (adcontoso.contoso.com) was used and as such provided the options
shown. Right-clicking the Domain Controllers OU would provide a different menu.
The option to create a new OU is not available for certain objects. For example, you cannot create an OU
within an object type of Container; however you can create an OU within another OU.

Group Policy Management Console


Using the GPMC to create OUs is very similar to that of the Active Directory Users and Computers
method.
1. Open the GPMC located, by default on a Windows Server 2003 server, in Start > All
Programs > Administrative Tools.


2. Within GPMC, right-click the object you wish to create an OU under, select New
Organizational Unit.

3. The New Organizational Unit dialog box displays. Type the name of the new OU in the
Name text box.

4. Click OK.

Directory Service Command Line Tools


Directory Services comes with a set of command line tools able to manage objects within Active
Directory and as such can be included within batch/command files.
Table 60 lists the commands available:

Tool | Purpose | Objects Related To
DSADD | Adding objects | Computer, Contact, Group, OU, User and Quota
DSGET | Displaying object properties | Computer, Contact, Subnet, Group, OU, Server, Site, User, Quota and Partition
DSMOD | Modifying objects | Computer, Contact, Group, OU, Server, User, Quota and Partition
DSMOVE | Moving or renaming objects | All objects that can be renamed (excludes built-in objects)
DSQUERY | Searching for objects matching given criteria | Computer, Contact, Subnet, Group, OU, Server, Site, User, Quota and Partition
DSRM | Deleting objects | All objects that can be deleted (excludes built-in objects)
Table 60: Directory Service Command Line Tools

Using the DSADD tool, an OU named ‘Healthcare Organisation’ (shown in the example domain
used in the above two methods) can be created using the following command:
C:\>DSADD OU "OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
If a number of OUs are to be created, then a command file could be used to create them.


Table 61 below provides the Distinguished Name of the OUs within the structure shown in Figure 6
on page 12.

Organisational Unit | Distinguished Name
Healthcare Organisation | "OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Computers | "OU=Computers,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Activity Based Computers | "OU=Activity Based Computers,OU=Computers,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Clerical Admin Stations (Computers) | "OU=Clerical Admin Stations,OU=Activity Based Computers,OU=Computers,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Kiosk Stations (Computers) | "OU=Kiosk Stations,OU=Activity Based Computers,OU=Computers,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Nurse Stations (Computers) | "OU=Nurse Stations,OU=Activity Based Computers,OU=Computers,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Shared Stations (Computers) | "OU=Shared Stations,OU=Activity Based Computers,OU=Computers,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Knowledge Based Computers | "OU=Knowledge Based Computers,OU=Computers,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Laptops (Computers) | "OU=Laptops,OU=Knowledge Based Computers,OU=Computers,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Tablet PCs (Computers) | "OU=Tablet PCs,OU=Knowledge Based Computers,OU=Computers,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Unmanaged Computers | "OU=Unmanaged Computers,OU=Computers,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Data Administrators | "OU=Data Administrators,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Groups | "OU=Groups,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Servers | "OU=Servers,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Application (Servers) | "OU=Application,OU=Servers,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
File and Print (Servers) | "OU=File and Print,OU=Servers,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Mail (Servers) | "OU=Mail,OU=Servers,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Management (Servers) | "OU=Management,OU=Servers,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Network Services (Servers) | "OU=Network Services,OU=Servers,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Web (Servers) | "OU=Web,OU=Servers,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Service Accounts | "OU=Service Accounts,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Users | "OU=Users,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Activity Based Users | "OU=Activity Based Users,OU=Users,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Clerical Admin Stations (Users) | "OU=Clerical Admin Stations,OU=Activity Based Users,OU=Users,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Kiosk Stations (Users) | "OU=Kiosk Stations,OU=Activity Based Users,OU=Users,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Nurse Stations (Users) | "OU=Nurse Stations,OU=Activity Based Users,OU=Users,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Shared Stations (Users) | "OU=Shared Stations,OU=Activity Based Users,OU=Users,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Knowledge Based Users | "OU=Knowledge Based Users,OU=Users,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Laptops (Users) | "OU=Laptops,OU=Knowledge Based Users,OU=Users,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Tablet PCs (Users) | "OU=Tablet PCs,OU=Knowledge Based Users,OU=Users,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Unmanaged Users | "OU=Unmanaged Users,OU=Users,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Table 61: Generic Account and Resource OU Distinguished Names

Visual Basic Scripting


An alternative method of creating OUs via a scripting approach is to use Visual Basic Scripting
(VBScript) which is especially useful when a large quantity of OUs need to be created. Using
VBScript, the OU names could be provided within a spreadsheet or a comma separated value
(.csv) file and a script used to read the file line by line to create the appropriate OUs.
The Microsoft TechNet Script Center provides a host of sample scripts that can be used to aid
administrators in automating administration tasks. One of these is a very simple script to create an
OU and can be viewed here:
http://www.microsoft.com/technet/scriptcenter/scripts/ad/ous/adouvb07.mspx.
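The command-file approach mentioned after Table 61 and the CSV-driven scripting approach described above can be combined in one script; the following is an added PowerShell example, not the document's own code nor the Script Center sample, that creates the Table 61 OUs from a CSV via ADSI, parent-first and skipping OUs that already exist. It assumes PowerShell 2.0 or later on a domain member, an account delegated the right to create OUs, and OU names without commas (as all the Table 61 names are), so no RDN escaping is handled.

```powershell
# Added example, not from the original document or the TechNet Script Center: create the
# Table 61 OU structure from a CSV of Distinguished Names, parent-first, skipping any OU
# that already exists. Assumptions: PowerShell 2.0 or later on a domain member; the account
# running it has been delegated the right to create OUs; OU names contain no commas (the
# Table 61 names do not, so no RDN escaping is handled here).

function New-OUFromDN {
    # Creates one OU from its full Distinguished Name via ADSI and reports what was done.
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    $path = "LDAP://$DistinguishedName"
    if ([ADSI]::Exists($path)) {
        return "exists  $DistinguishedName"
    }
    # Split "OU=Child,OU=Parent,DC=..." into the RDN and the parent's DN
    $rdn, $parentDN = $DistinguishedName -split ',', 2
    if (-not [ADSI]::Exists("LDAP://$parentDN")) {
        throw "Parent container does not exist: $parentDN"
    }
    $parent = [ADSI]"LDAP://$parentDN"
    $ou = $parent.Create('organizationalUnit', $rdn)
    $ou.SetInfo()                          # commits the new object to the directory
    return "created $DistinguishedName"
}

function New-OUStructureFromCsv {
    # Takes rows with the two Table 61 columns ('OrganisationalUnit', 'DistinguishedName')
    # and creates them shallowest-first, so a parent always exists before its children
    # whatever order the file lists them in.
    param([Parameter(Mandatory = $true)]$Rows)
    $Rows |
        Sort-Object { @($_.DistinguishedName -split ',').Count } |
        ForEach-Object { New-OUFromDN -DistinguishedName $_.DistinguishedName }
}

# Constructed sample input (a subset of Table 61, deliberately out of order) embedded so the
# script is self-contained; in practice replace it with: $rows = Import-Csv .\ous.csv
$SampleCsv = @'
OrganisationalUnit,DistinguishedName
Kiosk Stations (Computers),"OU=Kiosk Stations,OU=Activity Based Computers,OU=Computers,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Healthcare Organisation,"OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Computers,"OU=Computers,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Activity Based Computers,"OU=Activity Based Computers,OU=Computers,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Users,"OU=Users,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Activity Based Users,"OU=Activity Based Users,OU=Users,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
Kiosk Stations (Users),"OU=Kiosk Stations,OU=Activity Based Users,OU=Users,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
'@

$rows = $SampleCsv | ConvertFrom-Csv
New-OUStructureFromCsv -Rows $rows
```

Because existing OUs are reported rather than recreated, the script can be re-run safely after a partial failure.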

PART III Creating a GPO


As with an OU, the creation of a new GPO is a very simple process and uses the GPMC.
1. Open the GPMC located, by default on a Windows Server 2003 server, in Start > All
Programs > Administrative Tools.
2. Right-click the Group Policy Objects container and select Create New Group Policy
Object.


3. Enter the name of the GPO in the Name text box within the New GPO dialog box.

Recommendation
The name specified should be descriptive and one that is easily recognisable as to the
configuration the GPO provides. The names for GPOs are just as important as names for users
and computers and therefore should be part of any naming conventions documentation.

4. Click OK.

PART IV Assigning an Application Through a GPO


To assign an application to a computer, the following steps can be used (for this example, the
Windows Server 2003 SP1 Administration Tools Pack has been used):
1. Open the GPMC, (located by default on a Windows Server 2003 server), in Start > All
Programs > Administrative Tools.
2. Right-click the Group Policy Object to be edited and select Edit.
3. From within the GPO Editor expand Computer Configuration > Software Settings >
Software installation.
4. Right-click Software installation, select New > Package.
5. Browse to the share containing the MSI package, click the MSI file and click Open.

As this is an application being targeted at computers (determined by choosing either the
Computer Configuration or User Configuration container), the Published option is
unavailable.


6. Select Assigned and click OK.

The package will now be displayed in the GPO Editor.

If, when choosing the MSI package, a network location was not used, the following warning
will be displayed:

It is important to ensure a source path using the format \\<ServerName>\<ShareName> is
used; otherwise a GPO being applied on a client computer will look to its own local file
system for the drive letter and path specified.
When choosing the deployment method, further configuration can be obtained by clicking
the Advanced button. This will display the properties window for this application package.


When assigning a package to a computer, most options are not configurable apart from
‘Uninstall this application when it falls out of the scope of management’. This option,
when used, ensures the application is removed once the GPO no longer applies.

PART V Example Delegation of Administration


One of the main reasons for creating an OU is to provide the ability to delegate administration to
users, providing them with the permissions to carry out administrative tasks normally undertaken by
the support personnel.
This section provides two examples:
• Allowing a user to reset passwords – Typically delegated to a manager of a department where the user requiring a password reset is known to the manager
• Allowing users to add computer accounts to the domain – Typically delegated to desktop build engineers who use their credentials to build workstations


Password Reset:
1. Open Active Directory Users and Computers, located by default on a Windows Server
2003 server in Start > All Programs > Administrative Tools.
2. Right-click the OU that you want to delegate administration to; this can be any OU in the
hierarchy, and click Delegate Control. The Delegation of Control Wizard Welcome page
displays:

3. Click Next.
4. In the Users or Groups page, click Add.


5. Type the name of the group (to whom delegated control will be assigned) within the
Enter the object names to select: field and click OK. Alternatively, clicking the Advanced
button will provide a search facility to find the object required.

Note
In the example used here a security group named sgDAResetPasswordsAllUsers has been used.
This follows a simple naming convention of sg for ‘Security Group’, DA for ‘Delegation of
Administration’ followed by a descriptive name.

6. Click Next after all groups you want to delegate control to have been added.


7. Select the Reset user passwords and force password change at next logon task within
the Delegate the following common tasks field, then click Next.

8. Click Finish after reviewing the options that have been chosen, to complete the Delegation
of Control Wizard.


Add/Remove Computer Accounts:


1. Open Active Directory Users and Computers, located by default on a Windows Server
2003 server in Start > All Programs > Administrative Tools.
2. Right-click the OU that you want to delegate administration to; this can be any OU in the
hierarchy, and click Delegate Control. The Delegation of Control Wizard Welcome page
displays:

3. Click Next.
4. Add the appropriate group within the Users or Groups page and click Next. (See steps 4
and 5 of PART V for further information on how to do this.)


5. Select the Create a custom task to delegate option and click Next.

6. Accept the default option of This folder, existing objects in this folder, and creation of
new objects in this folder and click Next.


7. Within the Permissions page:


a. Select the Creation/deletion of specific child objects check box.
b. Scroll through the Permissions list box, locate and click the Create Computer objects
and Delete Computer objects check boxes.
c. Click Next.

8. Click Finish after reviewing the options that have been chosen, to complete the Delegation
of Control Wizard.
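Once either delegation has been applied, the rights it granted can be reviewed from the OU's security descriptor rather than by re-running the wizard; the following is an added PowerShell example, not part of the original document, that lists the explicit (non-inherited) ACEs matching the two PART V delegations. It assumes PowerShell 2.0 or later on a domain member, read access to the OU's ACL, and uses the document's example domain for the OU name; the two GUIDs are the published Active Directory values for the "Reset Password" control access right and the computer object class.

```powershell
# Added example, not part of the original document: report the explicit (non-inherited)
# permissions on an OU that correspond to the two PART V delegations, so a GPO
# Administrator can review who holds them. Assumptions: PowerShell 2.0 or later on a
# domain member with read access to the OU's security descriptor; the OU DN used below is
# the document's example domain.
Add-Type -AssemblyName System.DirectoryServices

# Published Active Directory GUIDs: the "Reset Password" control access right and the
# schemaIDGUID of the computer object class
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$ComputerClass      = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Get-OUDelegations {
    param([Parameter(Mandatory = $true)][string]$OUDistinguishedName)
    $ou  = [ADSI]"LDAP://$OUDistinguishedName"
    $acl = $ou.psbase.ObjectSecurity        # System.DirectoryServices.ActiveDirectorySecurity
    $extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $createDelete  = [int]([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                           [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild)
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }  # only rights set on this OU itself
        $rights = [int]$ace.ActiveDirectoryRights
        $delegation = $null
        if ($ace.ObjectType -eq $ResetPasswordRight -and ($rights -band $extendedRight) -ne 0) {
            $delegation = 'Reset user passwords'
        }
        elseif ($ace.ObjectType -eq $ComputerClass -and ($rights -band $createDelete) -ne 0) {
            $delegation = 'Create/delete computer objects'
        }
        if ($delegation) {
            New-Object PSObject -Property @{
                OU         = $OUDistinguishedName
                Trustee    = $ace.IdentityReference.Value
                Delegation = $delegation
                Type       = $ace.AccessControlType   # Allow or Deny
                Rights     = $ace.ActiveDirectoryRights
                AppliesTo  = $ace.InheritanceType     # the wizard's ACEs apply to Descendents
            }
        }
    }
}

# Usage: review an OU delegated as in PART V; any trustee listed that is not expected
# (for example a group other than sgDAResetPasswordsAllUsers) is worth following up.
Get-OUDelegations -OUDistinguishedName 'OU=Users,OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com' |
    Format-Table Trustee, Delegation, Type, AppliesTo -AutoSize
```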


PART VI Creating a Custom MMC Snap-In


When providing certain administrators with delegated permissions, it is also useful to provide those
administrators with a MMC snap-in that focuses purely on the objects that they need access to, and
hide the objects they do not need visibility of. The following example creates a custom MMC snap-in
for the visibility of the Computers OU.
1. Open the Microsoft Management Console by clicking Start > Run. Type MMC and click
OK.
2. Within the Console1 window, select File > Add/Remove Snap-in.

3. Click Add within the Add/Remove Snap-in window.


4. Select Active Directory Users and Computers from the Available Standalone Snap-ins
list box, click Add and click Close.

5. Click OK on the Add/Remove Snap-in window.


6. Expand the Organisational Unit structure to locate the OU that you want to create a custom
MMC snap-in for. Right-click the OU and select New Window from Here.


7. A new child window will be displayed within the Console1 window with the selected OU
from the last step located as the top level OU.

8. Select File > Options to open the Options dialog box.


9. Type a name for the custom MMC console that relates to the activities that will be carried
out within it; in this case type Active Directory Computer Management.

10. Still within the Options dialog box, select User mode – limited access, single window
from the Console mode: drop down list and ensure Do not save changes to this console
is selected and Allow the user to customize views is cleared. Click OK.


11. From within the newly named Active Directory Computer Management window, click File >
Save As and type a suitable name for the MMC console, in this case type Active
Directory Computer Management.msc and click Save.

This Active Directory Computer Management.msc file can now be distributed to those users who
require access to this OU.
Important
Any user that will use this custom MMC snap-in requires the Windows Server 2003 Administration Pack to
be installed first, otherwise this snap-in will fail.

If you close the newly created custom MMC snap-in whilst the original Console1 window is also still
open, the following dialog box will be displayed. Click Yes to confirm that you want to display a
single window interface when this console is next opened.

PART VII Importing a GPO


The import of a GPO is carried out using the Import Settings Wizard and uses a backup of a
previously created GPO. This must be accessible from where the import operation is being carried
out. It is only possible to import a GPO into an already existing GPO.
Warning
Importing a GPO permanently deletes the settings of the GPO which is being used to run the Import
Settings wizard. As such, always create a new GPO first or create a copy of a current GPO that has
certain attributes set which you would like to keep, and import into this.
The attributes of a GPO such as security filtering, delegation, links and WMI filter links are not modified.


1. Open the GPMC, located by default on a Windows Server 2003 server in Start > All
Programs > Administrative Tools.
2. Right-click the Group Policy Objects container and select Create New Group Policy
Object.
3. Enter the name of the GPO in the Name text box within the New GPO dialog box.
4. Right-click the newly created GPO and click Import Settings.
5. Click Next on the Import Settings Wizard Welcome page.

6. Click Next on the Backup GPO page. (It is not necessary to back up this GPO first as it
contains no settings.)


7. Type the name of the Backup folder which contains the GPO you want to import settings
from and click Next.

8. Within the Backed up GPOs list box, select the GPO you want to import settings from and
click Next.


9. The Import Settings Wizard will scan the backup of the GPO selected for any references to
security principals or UNC paths. Click Next.

10. If any references to security principals or UNC paths were found then the wizard will ask
what you would like to do with them. Select the appropriate option and click Next. It may
be that a Migration Table is required to translate any references found; this can be created
or selected at this stage.
11. Review the summary that the wizard will complete and click Finish to import the settings.


12. Click OK on the Import dialog box providing the completed status report.

PART VIII Linking an Existing GPO


The linking of a GPO allows for the implementation of the settings contained within it, to the users
or computers to which the policy is linked.
1. Open the GPMC, (located by default on a Windows Server 2003 server), in Start > All
Programs > Administrative Tools.
2. Right-click the Organisational Unit to which you would like to link a GPO, and click Link
an Existing GPO….
3. Ensure the correct domain is selected within the Look in this domain: drop-down field.
4. Select the appropriate GPO from the Group Policy objects: list box, and click OK.

5. The GPO is now linked to the OU selected. The objects within the OU will start to receive
the settings upon the next Group Policy refresh.


PART IX Installing the ADMX Migrator


The ADMX Migrator is available to download {R27}. For installation on:
• A server – a minimum of Windows Server 2003 Service Pack 1 is required, with MMC version 3.0 installed {R28}
• A client – a minimum of Windows XP Service Pack 2 is required, with MMC version 3.0 installed {R29}
Note
Windows Vista includes MMC version 3.0 and, as such, already meets the minimum installation
requirements.

The installation of the ADMX Migrator can be completed using the following steps. The steps have
been carried out on a Windows Vista client. If installing on Windows Server 2003 or Windows XP,
the steps will remain the same, but the screenshots may appear slightly different.

To install the ADMX Migrator:


1. Locate the downloaded ADMXMigrator.MSI file using Windows Explorer and double-click
the MSI file. The FullArmor ADMX Migrator Setup Installation Wizard displays:


2. Click Next. The License Agreement page displays:

3. Click the I accept the license agreement option.


4. Click Next. The User Information page displays:

5. Enter the Name and Organisation in the fields provided.


6. Select whether to install for the current user or all users of the computer.


7. Click Next. The Destination Folder page displays:

8. If required, click the Browse button and select an alternate installation folder.
9. Click Next. The Ready to Install the Application page displays:

10. If required, select the check box to register once installation completes.


11. Click Next. ADMX Migrator will now install. Once successfully completed, the FullArmor
Migrator has been successfully installed page displays:

12. Click Finish to exit the installation.


APPENDIX C DOCUMENT INFORMATION

PART I Terms and Abbreviations


Abbreviation   Definition
ACL            Access Control List
ADM            Administrative Template file (classic text-based format)
ADMX           XML-based Administrative Template file
AGPM           Advanced Group Policy Management
CA             Certification Authority
CAD            CTRL+ALT+DELETE
CD             Compact Disc
CIW            Custom Installation Wizard
DACL           Discretionary Access Control List
DC             Domain Controller
DDCP           Default Domain Controllers Policy
DDP            Default Domain Policy
DFS            Distributed File System
DHCP           Dynamic Host Configuration Protocol
DNS            Domain Name System
DS             Directory Services (Active Directory Domain Services in Windows Vista and Windows Server 2008)
DVD            Digital Versatile Disc
EFS            Encrypting File System
EN-GB          English (United Kingdom) locale
FRS            File Replication Service
GPMC           Group Policy Management Console
GPO            Group Policy Object
GPSI           Group Policy Software Installation
GPT            Group Policy Template
GUID           Globally Unique Identifier
HTML           Hypertext Markup Language
ID             Identifier
IIS            Internet Information Services
IP             Internet Protocol
ISA            Internet Security and Acceleration (Server)
ISO            International Organization for Standardization
IT             Information Technology
MDOP           Microsoft Desktop Optimization Pack
MDP            Mandatory Domain Policy
MMC            Microsoft Management Console
MOF            Microsoft Operations Framework
MSF            Microsoft Solutions Framework
MSI            Windows Installer package (formerly Microsoft Installer)
MTE            Migration Table Editor
NAT            Network Address Translation
OCT            Office Customization Tool
OU             Organisational Unit
PDA            Personal Digital Assistant
PIN            Personal Identification Number
RIS            Remote Installation Services
RSoP           Resultant Set of Policy
SG             Security Group
SID            Security Identifier
SMS            Systems Management Server
SMTP           Simple Mail Transfer Protocol
SPS            SharePoint Portal Server
SYSVOL         System Volume
TCO            Total Cost of Ownership
TPM            Trusted Platform Module
UI             User Interface
UNC            Universal Naming Convention
URL            Uniform Resource Locator
USB            Universal Serial Bus
VBA            Visual Basic for Applications
WINS           Windows Internet Name Service
WMI            Windows Management Instrumentation
WPD            Windows Portable Device
WSUS           Windows Server Update Services
XML            Extensible Markup Language
ZAP            Zero Administration Package (.zap file used with Group Policy Software Installation)

Table 62: Terms and Abbreviations


PART II References
Reference (document version given where the source states one)

R1.  Windows Server Update Services 3.0 Design Guide, version 1.0.0.0:
     http://www.microsoft.com/industry/healthcare/technology/hpo/security/wsus.aspx
R2.  Windows Server Update Services 3.0 Operations Guide, version 1.0.0.0:
     http://www.microsoft.com/industry/healthcare/technology/hpo/security/wsus.aspx
R3.  SMS 2003 Deployment Guide – Initial Site Deployment, version 1.0.0.0:
     http://www.microsoft.com/industry/healthcare/technology/hpo/serverbuild/sms.aspx
R4.  SMS 2003 Deployment Guide – Extending to Other Locations, version 1.0.0.0:
     http://www.microsoft.com/industry/healthcare/technology/hpo/serverbuild/sms.aspx
R5.  MSF Process Model White Paper, version 3.1:
     http://www.microsoft.com/downloads/details.aspx?FamilyID=e481cb0b-ac05-42a6-bab8-fc886956790e&DisplayLang=en
R6.  MOF Executive Overview, version 3.0:
     http://www.microsoft.com/technet/itsolutions/cits/mo/mof/mofeo.mspx
R7.  Microsoft Download Center: Group Policy Inventory (GPInventory.exe):
     http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=1D24563D-CAC9-4017-AF14-8DD686A96540
R8.  Microsoft TechNet: Office System Suites and Programs TechCenter: Office Customization Tool in the 2007 Office system:
     http://technet.microsoft.com/en-us/library/cc179097.aspx
R9.  Microsoft Download Center: Windows Server 2003 Security Guide:
     http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&DisplayLang=en
R10. Microsoft Download Center: Group Policy Settings Reference for Windows Vista:
     http://go.microsoft.com/fwlink/?linkid=54020
R11. Microsoft Office Online: Microsoft Office 2003 Resource Kit Downloads:
     http://www.microsoft.com/office/orkarchive/2003ddl.htm
R12. Microsoft Download Center: 2007 Office system Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool version 2.0:
     http://go.microsoft.com/fwlink/?LinkId=78161
R13. Microsoft Download Center: Windows Installer 2.0 Redistributable for Windows 2000 and Windows NT 4.0:
     http://go.microsoft.com/fwlink/?LinkId=7613
R14. Microsoft PowerToys for Windows XP:
     http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx
R15. Microsoft Download Center: Toolkit to Disable Automatic Delivery of Internet Explorer 7:
     http://go.microsoft.com/fwlink/?linkid=65788
R16. Microsoft Download Center: Windows XP Security Guide:
     http://go.microsoft.com/fwlink/?linkid=14840
R17. Microsoft Download Center: Windows Vista Security Guide:
     http://go.microsoft.com/?linkid=5639874
R18. Microsoft Help and Support: How to obtain the latest service pack for the Microsoft Jet 4.0 Database Engine:
     http://support.microsoft.com/kb/239114
R19. 2007 Microsoft Office System Migration Guide, version 1.0.0.0:
     http://www.microsoft.com/industry/healthcare/technology/hpo/office/2007officesystemmigration.aspx
R20. Microsoft Office Online: Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 file formats:
     http://office.microsoft.com/en-us/products/HA101686761033.aspx
R21. Microsoft Download Center: 2007 Office System Document: Lists of Control IDs:
     http://go.microsoft.com/fwlink/?LinkId=80644
R22. Microsoft Office Online: Managing Users' Configurations by Policy:
     http://office.microsoft.com/en-us/ork2003/HA011402401033.aspx
R23. Microsoft TechNet: Windows Vista TechCenter: Step-By-Step Guide to Controlling Device Installation and Usage with Group Policy:
     http://technet2.microsoft.com/WindowsVista/f/?en/library/9fe5bf05-a4a9-44e2-a0c3-b4b4eaaa37f31033.mspx
R24. Microsoft TechNet: Windows Vista TechCenter: Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information:
     http://technet2.microsoft.com/WindowsVista/en/library/3dbad515-5a32-4330-ad6f-d1fb6dfcdd411033.mspx?mfr=true
R25. Microsoft Help and Support: How to use the Group Policy Migration utility to migrate Windows NT 4.0 System Policy settings to Windows 2000 or Windows Server 2003:
     http://support.microsoft.com/kb/317367
R26. Microsoft: Windows Server 2003 R2: Migrating GPOs Across Domains with GPMC:
     http://www.microsoft.com/windowsserver2003/gpmc/migrgpo.mspx
R27. Microsoft Download Center: ADMX Migrator:
     http://go.microsoft.com/fwlink/?LinkId=77409
R28. Microsoft Download Center: Microsoft Management Console 3.0 for Windows Server 2003 (KB907265):
     http://www.microsoft.com/downloads/details.aspx?FamilyID=4c84f80b-908d-4b5d-8aa8-27b962566d9f&DisplayLang=en
R29. Microsoft Download Center: Microsoft Management Console 3.0 for Windows XP (KB907265):
     http://www.microsoft.com/downloads/details.aspx?FamilyID=61fc1c66-06f2-463c-82a2-cf20902ffae0&DisplayLang=en
R30. Microsoft Download Center: Group Policy Management Console with Service Pack 1:
     http://go.microsoft.com/fwlink/?LinkID=46570
R31. Microsoft Download Center: Group Policy ADM Files:
     http://go.microsoft.com/fwlink/?linkid=31057
R32. Microsoft Help and Support: "The following entry in the [strings] section is too long and has been truncated" error message when you try to modify or to view GPOs in Windows Server 2003, Windows XP Professional, or Windows 2000, article revision 7.4:
     http://support.microsoft.com/kb/842933
R33. MSDN: Valid Locale Identifiers:
     http://msdn.microsoft.com/en-us/library/ms693062.aspx
R34. Windows Desktop Management and Deployment (Microsoft Desktop Optimization Pack overview):
     http://www.microsoft.com/windows/products/windowsvista/enterprise/mdopoverview.mspx
R35. Microsoft TechNet: Windows Vista TechCenter: Troubleshooting Group Policy Using Event Logs:
     http://go.microsoft.com/fwlink/?linkid=74139
R36. Microsoft TechNet Script Center: Create an OU:
     http://www.microsoft.com/technet/scriptcenter/scripts/ad/ous/adouvb07.mspx

Table 63: References
