Prepared by Microsoft
Version 1.0.0.0 Baseline
First published 27 September 2007
Copyright
This document and/or software (“this Content”) has been created in partnership with the National Health Service (NHS) in England. Intellectual Property
Rights to this Content are jointly owned by Microsoft and the NHS in England, although both Microsoft and the NHS are entitled to independently exercise
their rights of ownership. Microsoft acknowledges the contribution of the NHS in England through their Common User Interface programme to this Content.
Readers are referred to www.cui.nhs.uk for further information on the NHS CUI Programme.
All trademarks are the property of their respective companies. Microsoft and Windows are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries.
Disclaimer
At the time of writing this document, Web sites are referenced using active hyperlinks to the correct Web page. Due to the dynamic nature of Web sites, in
time, these links may become invalid. Microsoft is not responsible for the content of external Internet sites.
The example companies, organisations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No
association with any real company, organisation, product, domain name, e-mail address, logo, person, places, or events is intended or should be inferred.
Page ii
Group Policy for Healthcare Desktop Management
Version 1.0.0.0 Baseline
Prepared by Microsoft
TABLE OF CONTENTS
1 Executive Summary ....................................................................................................................... 1
2 Introduction .................................................................................................................................... 2
2.1 Value Proposition...................................................................................................................... 2
2.2 Knowledge Prerequisites .......................................................................................................... 2
2.2.1 Skills and Knowledge ........................................................................................................ 2
2.2.2 Training and Assessment .................................................................................................. 3
2.3 Infrastructure Prerequisites ...................................................................................................... 3
2.4 Audience ................................................................................................................................... 3
2.5 Assumptions ............................................................................................................................. 3
4 Envision .......................................................................................................................................... 7
4.1 Goals ........................................................................................................................................ 7
4.2 Healthcare Computer Categories ............................................................................................. 8
5 Plan ................................................................................................................................................. 9
5.1 Organisational Units ............................................................................................................... 10
5.2 Group Policy Objects .............................................................................................................. 14
5.2.1 GPO Design .................................................................................................................... 14
5.3 Default Organisational Units ................................................................................................... 20
5.4 Default Group Policy Objects ................................................................................................. 20
5.4.1 Default Domain Policy ..................................................................................................... 21
5.4.2 Default Domain Controllers Policy................................................................................... 22
5.5 Adding or Amending the Defaults ........................................................................................... 23
5.5.1 Adding to the Default OUs............................................................................................... 24
5.5.2 Adding to the Default GPOs ............................................................................................ 24
5.6 All Available Settings .............................................................................................................. 26
5.6.1 Microsoft Windows Available Settings ............................................................................ 26
5.6.2 Microsoft Office Available Settings .................................................................................. 27
5.7 Application Deployment via Group Policy .............................................................................. 30
5.7.1 Recommended Use and Limitations ............................................................................... 30
5.7.2 Software Distribution Point Servers................................................................................. 31
5.7.3 Limitations ....................................................................................................................... 31
5.7.4 Application Deployment Methods .................................................................................... 34
1 EXECUTIVE SUMMARY
Organisations are increasingly looking at ways to reduce the management overhead that comes
with having to support large numbers of users and their computers. Helpdesk and support
personnel often need to be knowledgeable in multiple operating systems as well as numerous
applications and at times rely on the user to be at least partially computer literate to assist them in
solving problems on that user’s particular setup.
Introducing a desktop management infrastructure enables network administrators to provide a set
of standards across the estate to both users and computers. This provides benefits to users and
administrators as well as the organisations themselves.
The users benefit from a desktop estate that is consistent in its look and usability, therefore no
matter which client machine they may use, they are presented with an interface that is familiar and
easy to use. Providing an interface to users which focuses on displaying only those components
which are used as part of their job allows them to locate items quicker and more efficiently.
The network administrators / support personnel are able to take advantage of a desktop
management solution in similar ways to the users. When receiving a support call from a user, the
helpdesk can focus on the issue at hand rather than first trying to understand what type of setup
this particular user has. Also, if an application becomes available and is required by multiple users,
this can be deployed remotely to those users requiring it.
The organisation benefits through the more centralised approach to managing the desktop estate
and as such can pull resources together to work more efficiently and in turn reduce the effort
required to support a greater number of users and therefore reducing the Total Cost of Ownership
(TCO).
This document focuses on the use of Microsoft Group Policy to assist in providing a Desktop
Management infrastructure. It provides guidance on the creation of Organisational Units (OUs) and
Group Policy Objects (GPOs) and how to leverage Group Policy to deploy applications. Also
included are some common scenarios for using group policies with the policy templates attached
which can be imported into a test environment for convenience. The guidance covers the built-in
policy settings available for Windows® XP Service Pack 2, Windows Vista®, and those that may be
imported for the management of Microsoft Office 2003 and Microsoft 2007 Office system. It also
covers advanced management through the use of the Advanced Group Policy Management
(AGPM) add-on, available as part of the Microsoft Desktop Optimization Pack (MDOP) for Software
Assurance.
2 INTRODUCTION
Currently within an environment using the Microsoft Windows® desktop operating systems, local
policies can be implemented to provide an element of control over the desktop estate. With
Windows NT 4.0, System Policies were introduced allowing administrators to configure such items
as the Control Panel applets, the desktop wallpaper and screensaver, and to hide certain drives
within Windows Explorer. Windows XP Professional with Service Pack 2 (SP2) provides thousands
of settings to target almost all areas of the operating system. These can be managed through the
Microsoft Group Policy Management Console (GPMC) and the Group Policy Object Editor (GPO
Editor) or Novell® ZENworks®.
Managing these settings centrally provides administrators with a powerful way in which to maintain
a desktop management infrastructure. Additional tools available come in the form of patch
management, ensuring the operating system is kept up-to-date with the latest security fixes and
service packs. This can be managed utilising Microsoft Windows Server® Update Services¹
(WSUS), Microsoft Systems Management Server² (SMS), LANDesk Patch Manager, or Novell
ZENworks Patch Management to name a few.
Additionally, application deployment further enhances a desktop management infrastructure by
again centrally managing a suite of applications and specifying a target audience of users or
computers. Similarly to patch management, application deployment can be managed through
Microsoft Group Policy, Microsoft SMS, LANDesk® Management Suite, or Novell ZENworks.
¹ Healthcare organisation-specific guidance is available – Windows Server Update Services 3.0 Design Guide {R1} and
Windows Server Update Services 3.0 Operations Guide {R2}.
² Healthcare organisation-specific deployment guidance about Microsoft Systems Management Server 2003 {R3, R4} is
available.
2.4 Audience
The guidance contained in this document is targeted at a variety of roles within the healthcare IT
organisation. Table 1 provides a reading guide for this document, illustrating the roles and the
sections of the document that are likely to be of most interest.
Role: IT Architect
Document Usage: Review the relevant areas within the document against local architecture strategy and
implementation plans
Relevant parts of the document: ticked in four of the six columns (Executive Summary, Envision, Plan,
Develop, Stabilise, Operate)
Table 1: Reading guide by role (columns: Role; Document Usage; one tick column per part of the
document)
2.5 Assumptions
The guidance provided in this document assumes that healthcare organisations that want to share
services and resources between sites already have suitable IP Addressing schemes in place to
enable successful site to site communication – that is, unique IP Addressing schemes assigned to
each participating healthcare organisation with no overlap. Active Directory, and the underlying
Domain Naming Services (DNS), require the use of unique IP Addressing schemes at adjoining
sites in order for cross site communication to function successfully. The use of NAT (Network
Address Translation) within an Active Directory environment is neither recommended nor supported
by Microsoft.
Table 2 below breaks down the tasks into the sections of this document that should be read and
understood in order to perform an initial ‘quick-start’ deployment of Group Policy for Healthcare
Desktop Management.
Task: Design Organisational Units
Sections: Section 5.1, Organisational Units

Task: Add to the Default Organisational Units and Group Policy Objects in Test Environment
Sections: Section 5.3, Default Organisational Units; Section 5.4, Default Group Policy Objects;
Section 5.5, Adding or Amending the Defaults

Task: Develop Additional Group Policy Objects in Test Environment
Sections: Section 6.1, Baseline Settings; Section 6.2, Category Settings; Section 6.3, GPO Building Blocks

Task: Migrate using the Group Policy Management Console to the Live Environment
Sections: Section 6.4.1, System Policy Migration; APPENDIX B, How To Guides, PART VII, Importing a GPO

Table 2: Quick Start Reference
³ MSF Process Model White Paper {R5}:
http://www.microsoft.com/downloads/details.aspx?FamilyID=e481cb0b-ac05-42a6-bab8-fc886956790e&DisplayLang=en
⁴ MOF Executive Overview {R6}: http://www.microsoft.com/technet/itsolutions/cits/mo/mof/mofeo.mspx
4 ENVISION
The Envision phase addresses one of the most fundamental requirements for success in any
project - unification of the project team behind a common vision. There must be a clear vision of
what is to be accomplished such that it can be stated in clear terms. Envisioning, by creating a
high-level view of the overall goals and constraints, will serve as an early form of planning; it sets
the stage for the more formal planning process that will take place during the planning phase.
Figure 3 acts as a high-level checklist, illustrating the sequence of events which should be
undertaken when envisioning Group Policy for desktop management within a healthcare
organisation.
Figure 3: Envision checklist (Goals; Healthcare Computer Categories)
4.1 Goals
This guidance provides details on how an OU structure and Group Policy implementation can help
towards a managed desktop environment. It focuses on the following elements:
Current Best Practice approach to OUs
Current Best Practice approach to GPOs
Adding to the Default OUs and GPOs
Providing a set of Baseline and Incremental GPOs
Managing the GPOs efficiently using GPMC
Category: Library Catalogue
Settings:
- Ensure consistent desktop configuration for every user (loopback)
- Disallow Windows Messenger
- No access to Control Panel
- Disable Autoplay on CD drives
- Remove ability to change password or lock computer
- Load Internet Explorer at logon
- Hide Internet Explorer Options
- Remove access to Windows Update
Table 3: Healthcare Computer Categories
Note
Some Computer Roles have been grouped together purely due to the common characteristics between
them. The Ward / Maternity / Desktop Support all have specific software installed, but this is not
necessarily the same software.
5 PLAN
The Plan phase is where the bulk of the implementation planning is completed. During this phase
the areas for further analysis are identified and a design process commences.
Figure 4 acts as a high-level checklist, illustrating the sequence of events which the IT Manager
and IT Architect need to determine when planning for Group Policy for desktop management within
a healthcare organisation.
Note
The figures below show an example OU structure which relates to the text above. Whilst this section
details recommendations around OU structures these figures are purely to form an example structure and
should not be deemed as a recommendation for use as it may not be suitable for your environment.
Figure 5 represents the root level OU structure to support the example environment.
As can be seen above, just two OUs have been created over and above the defaults⁵ at the root
level:

OU: Centralised
Purpose: Centralised account and resource objects
Keeping the root level clean, (minimising the number of containers), allows for easier visibility of the
containers, their purpose, and as such keeps the administrative focus clear.
Each of the OUs created above has the same set of sub-OUs, and their names typically identify
where the different object types reside, as can be seen in Figure 6.
Note
The same sub-OU structure has been created within each root level OU to allow administrators to keep a
sense of uniformity across entities and in doing so, simplify centralised administration. This is especially
important when linking GPOs to these OUs as creating one GPO to target Kiosk workstations can be
linked to sub-OUs in multiple entities.
⁵ The default containers are detailed further in section 5.3.
Note
The names of the OUs used in Figure 6 should not be deemed as recommended names, but an example
of what the OUs could be called. If a documented naming convention is in place for your healthcare
organisation that covers OUs, then this should be used.
Each of the OUs created has its specific purpose and, as mentioned previously, should be
documented along with the OU owner. The OUs (nested sub-OUs are prefixed with a dash per level), and
their purpose, are:

Computers: Top level OU for delegation of administration and policy; holds only OUs
- - Shared Stations: Desktop computer accounts for machines which are used by multiple users
- Unmanaged Computers: Computer accounts that are unmanaged – possibly machines in the process of being
built, or IT administrative machines
Data Administrators: Contains user and group accounts for ‘Data’ administrators of Computer accounts, to
allow them to be managed separately from regular users. Enable auditing for this OU so that it is possible
to track changes to administrative users and groups
Groups: Top level OU containing groups of all types, except for administrative groups, which are managed
separately. Level also used for delegation of administration and policy application
Servers: Top level OU for delegation of administration and policy; holds only OUs
- Application: Management OU for application servers, SQL Server, SharePoint Portal Server (SPS)
- Network Services: Management OU for servers running network services, WINS, DHCP, ISA
Service Accounts: Top level OU. Some services that require access to network resources run as user
accounts. This OU is created to separate service user accounts from the user accounts contained under the
Centralised or Distributed Healthcare Organisation Users OU. Also, placing the different types of user
accounts in separate OUs enables management of them according to their specific administrative
requirements
Users: Top level OU for delegation of administration and policy; holds only OUs
- - Clerical Admin Users: Clerical admin user accounts for non-administrative personnel
With the OU structure above, Group Policy can be linked where appropriate to provide a
centralised desktop management infrastructure. An example of the GPOs linked to the above OU
structure is detailed within Figure 7.
Recommendation
Whilst Windows Vista has more configurable options via Group Policy than previous versions of Windows,
it is usual for the business and user requirements to still be valid and, as such, Vista clients should remain
in the same OU as other clients. Windows Vista clients should not be separated from other clients purely
on the basis of the difference in operating system versions.
Also, any GPO settings specific to Windows Vista will be ignored by earlier versions of the Windows
operating system.
OUs are typically created through the Active Directory Users and Computers MMC snap-in.
However, there are several methods for creating OUs, as detailed in APPENDIX B. The OUs created in
those walkthroughs are the ones shown in the preceding diagrams.
Within Figure 7, the OUs are denoted by the icon whereas the GPO links are denoted by the
icon.
Note
The figure above is only provided as an example of where GPOs could be linked to and should not be
deemed as a recommendation to use this exact format.
Recommendation
While not always possible, it is advisable to create the GPOs for managing the operating system and
Microsoft Office suite before using the workstations. This ensures the workstations are managed via
Group Policy as soon as they are added to the Active Directory domain. If a newer version of the Microsoft
Office suite is deployed, the group policies will already be in place for post-deployment management.
By specifying additional permissions on GPOs, it is possible to filter which objects within a
container will have the settings applied. For example, an OU may contain the users within a
department and a GPO linked to that OU may set a Software Restriction Policy. However, you may
wish to allow a couple of these users to run certain software that is being targeted by this policy as
they have received the necessary training to use it. As such, these users could become members
of a security group that is then added to the permissions, and the Deny Apply Group Policy right is
enabled for this security group.
The net result is that although each of these users is a member of Authenticated Users, which holds the
Apply Group Policy permission on the Software Restriction Policy GPO, they are also members of the
security group that has the Deny permission enabled, and a Deny takes precedence over an Allow. In
effect, this means these users are not restricted from running the software.
The use of Security Group Filtering can assist in reducing the number of containers required and as
such the level of OUs that would otherwise be required to provide the same functionality.
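The Deny-over-Allow evaluation described above, and the effect of the Deny Read recommendation that follows, can be modelled in a few lines. This is an added example and not code from the Microsoft/NHS guidance; the GPO name, the exempt security group name and the two user accounts are constructed. It reproduces two rules the text states: a Deny ACE on Apply Group Policy wins over the Allow that Authenticated Users hold, and a Deny on Read means the GPO is not read or processed for that user at all.

```python
"""Model of how Group Policy security filtering resolves Allow and Deny ACEs.

Added example (not from the Microsoft/NHS guidance). All GPO, group and user
names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable

READ = "Read"
APPLY = "Apply Group Policy"
AUTHENTICATED_USERS = "Authenticated Users"


@dataclass(frozen=True)
class Ace:
    trustee: str   # security principal the ACE refers to
    right: str     # READ or APPLY
    allow: bool    # True for an Allow ACE, False for a Deny ACE


@dataclass(frozen=True)
class Gpo:
    name: str
    aces: tuple    # tuple of Ace


def effective_rights(aces: Iterable[Ace], principals: set) -> set:
    """Rights that survive Deny-over-Allow evaluation for the given principal set."""
    allowed = {a.right for a in aces if a.allow and a.trustee in principals}
    denied = {a.right for a in aces if not a.allow and a.trustee in principals}
    return allowed - denied


def evaluate(gpo: Gpo, user: str, groups: Iterable[str]) -> dict:
    """Decide whether the client reads the GPO and whether its settings apply.

    Every domain logon carries the Authenticated Users identity, so it is always
    part of the principal set alongside the user's explicit group memberships.
    """
    principals = {user, AUTHENTICATED_USERS, *groups}
    rights = effective_rights(gpo.aces, principals)
    is_read = READ in rights
    return {
        "gpo": gpo.name,
        "user": user,
        "read": is_read,                         # GPO fetched and processed by the client
        "applies": is_read and APPLY in rights,  # settings actually enforced
    }


# Constructed scenario from the text: an SRP GPO linked to a department OU,
# with a security group for users trained to run the restricted software.
TRAINED = "SRP Exempt - Trained Users"

# Variant 1: Deny Apply only. The GPO is still read (and processed) but not applied.
SRP_DENY_APPLY = Gpo("Software Restriction - Pharmacy", (
    Ace(AUTHENTICATED_USERS, READ, allow=True),
    Ace(AUTHENTICATED_USERS, APPLY, allow=True),
    Ace(TRAINED, APPLY, allow=False),
))

# Variant 2: Deny Apply and Deny Read, as the Recommendation advises. The GPO is skipped.
SRP_DENY_APPLY_AND_READ = Gpo("Software Restriction - Pharmacy (Deny Read too)",
                              SRP_DENY_APPLY.aces + (Ace(TRAINED, READ, allow=False),))


def scenario() -> list:
    """Run a trained user and a regular user against both ACL variants."""
    results = []
    for gpo in (SRP_DENY_APPLY, SRP_DENY_APPLY_AND_READ):
        results.append(evaluate(gpo, "alice", [TRAINED]))  # member of the exempt group
        results.append(evaluate(gpo, "bob", []))           # regular department user
    return results


if __name__ == "__main__":
    for r in scenario():
        print(f"{r['gpo']:48} {r['user']:6} read={r['read']!s:5} applies={r['applies']}")
```

The first variant shows why the Recommendation suggests also setting Deny Read: alice's result has `read` true and `applies` false, so the client still fetches and processes a GPO that then changes nothing for her. With Deny Read added, both flags are false and the GPO is skipped outright.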
Recommendations
Whilst Security Group Filtering is a very useful and powerful element to Group Policy application, if not
documented well regarding the permissions of the policies, it could become confusing to new GPO
Administrators who are required to support it. Used carefully though, it will enhance and ease GPO usage
and maintenance.
When setting the Deny permission for a group, consider also setting the Deny Read permission for this
group. The reason for this is that if a user has the right to read a GPO, then when GPOs are being
applied, the GPO will still be read and as such processed, even though no configuration changes will
occur because of the Deny permission. By setting the Deny Read permission, the policy will not be read,
which speeds the processing of GPOs for that user or computer and results in a potentially faster
logon.
Tool: GPMC (Group Policy Management Console)
Usage: This is possibly the most useful tool available to a GPO Administrator and should be used for the
creation and maintenance of all GPOs created. It allows for the linking, delegating, exporting, importing,
copying, and backing up of GPOs. Further details on the use of the GPMC can be found in section 8.1 later in
this document.

Tool: GPOTool
Usage: A tool which provides information on the consistency of Group Policy objects and provides information
on the replication of the Group Policy Containers and the Group Policy Templates within Active Directory. It
can be used to provide anything from a high level ‘Policies OK’ to a verbose output detailing issues being
experienced. This tool is provided as part of the Windows Server 2003 Resource Kit.

Tool: admX
Usage: A useful tool that parses an ADM Template file into a readable format for documentation purposes. It
can also be used to show the differences between two similar ADM files. This tool is provided as part of the
Windows Server 2003 Resource Kit.

Tool: GPMonitor
Usage: A tool which can be used to perform historical analysis of what has changed between different Group
Policy refresh intervals on clients and servers. This tool is provided as part of the Windows Server 2003
Resource Kit.

Tool: GPInventory
Usage: A tool that allows the collection of information from clients and servers across the network and saves
the results in a text file. This tool can be downloaded from Microsoft using the following URL:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=1D24563D-CAC9-4017-AF14-8DD686A96540

Table 6: Group Policy Tools and Utilities
5.2.1.9 Conflicts
Conflicts can occur within GPOs whereby a setting can be made within both the computer and user
configuration settings.
There are a couple of results that can occur when a conflict arises; the result however is completely
dependent upon the setting in question.
One result could be that either the Computer Configuration Setting or User Configuration Setting
takes precedence, therefore effectively ignoring the other configuration option.
For example, within both Computer Configuration Settings and User Configuration Settings, it is
possible to set ‘Prohibit user configuration of Offline Files’. If this is set to ‘Disabled’ within the
Computer Configuration Settings and set to ‘Enabled’ within the User Configuration Settings, and
the authenticating user has the right to apply both policy objects, the Computer Configuration
Settings takes precedence.
Another result could be that the two settings are combined. For example, in both the Computer
Configuration Settings and User Configuration Settings, it is possible to set ‘Administratively
assigned offline files’. If this is configured in both configurations, the settings will be combined
and all specified files will be available for offline use.
This can be advantageous to users; however, it could also cause problems if all potential
conflicts are not understood. Therefore, careful consideration should be given to all settings that
could be involved in a potential conflict.
Note
Within the GPO Editor, each policy setting is accompanied by help text which describes in detail what the
setting is for. This text also gives details of any conflicts that could occur if the setting is available and
configured in both the Computer Configuration Settings and User Configuration Settings.
When designing a GPO to configure Microsoft Office options, take into consideration that if the
target environment includes more than one version of Microsoft Office, a GPO will be required for
each version of Microsoft Office installed.
This type of scenario is common when a newer version of the application is being deployed in
stages throughout an environment. If two departments share documents and one department has
been upgraded and another has not, centrally managing the way documents are saved enables the
departments to continue sharing without raising any issues.
An administrator also needs to determine when to use Group Policy settings to enforce
configuration of an Office application feature or option and when to set the option with the Office
Customization Tool (OCT)⁶. While Microsoft 2007 Office system configuration options can be
customised using both Group Policy and the OCT, important differences exist between these two
approaches.
Group Policy is used to configure the available Microsoft 2007 Office system policy settings. These
settings have access control list (ACL) restrictions that prevent non-administrative users from
changing them.
The OCT is used to create a setup customisation file (.MSP file). Administrators can use the OCT
to customise features and configure user settings. However, users can modify most of the settings
after the installation.
⁶ Office Customization Tool in the 2007 Office system {R8}: http://technet.microsoft.com/en-us/library/cc179097.aspx
Recommendation
If a configuration option needs to be enforced, this should be set via the Group Policy. If a configuration
option is for a preference or default state and users are therefore free to change this option, the OCT
should be used.
Container ForeignSecurityPrincipals: Default container for security identifiers (SIDs) associated with objects
from external, trusted domains. (Administrators should not manually change the contents of this container.)
During the creation of a domain, only one OU is created; the DCs OU.
Note
A common mistake is to class both the Computers container and the Users container as OUs; however,
these are default containers for backward compatibility and should not be used on an on-going basis for
housing new objects. As they are not OUs, GPOs cannot be linked to them, so objects within them receive
only the GPOs linked to the root of the domain, through inheritance.
⁷ Some objects are not visible by default. From within Active Directory Users and Computers, the Advanced Features option
from the View menu can be selected to view all objects.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy
- Account lockout duration: Not Defined
- Account lockout threshold: 0 invalid logon attempts
- Reset account lockout counter after: Not Defined

Computer Configuration > Windows Settings > Security Settings > Account Policies > Kerberos Policy
- Enforce user logon restrictions: Enabled
- Maximum lifetime for service ticket: 600 minutes
- Maximum lifetime for user ticket: 10 hours
- Maximum lifetime for user ticket renewal: 7 days
- Maximum tolerance for computer clock synchronisation: 5 minutes

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
- Network security: Force logoff when logon hours expire: Disabled

Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Autoenrollment Settings
- Enroll certificates automatically: Enabled
- Renew expired certificates, update pending certificates, and remove revoked certificates: Disabled
- Update certificates that use certificate templates: Disabled

Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypting File System
(Accessible via right-clicking Encrypting File System and selecting Properties)
- Allow users to encrypt files using Encrypting File System (EFS): Enabled

Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification
Authorities (Accessible via right-clicking Trusted Root Certification Authorities and selecting Properties)
- Allow users to select new root certification authorities (CAs) to trust: Enabled
- Client computers can trust the following certificate stores: Third-Party Root Certification Authorities and
Enterprise Root Certification Authorities
- To perform certificate-based authentication of users and computers, CAs must meet the following criteria:
Registered in Active Directory only
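A practical use of the table above is to check whether a domain's security template still matches these documented defaults before the policy is amended (section 5.5). The following is an added example, not code from the Microsoft/NHS guidance: it parses the key/value layout that `secedit /export` and the `GptTmpl.inf` file under SYSVOL use (the key names such as `LockoutBadCount` and `MaxTicketAge` are secedit's own) and reports every departure from the Account Lockout, Kerberos and logon-hours values listed above. The template text embedded in the block is constructed for the example and deliberately differs from the documented values in three places.

```python
"""Compare a security template (.inf) against the documented Default Domain Policy values.

Added example (not from the Microsoft/NHS guidance). The sample template text is
constructed; the key names are those used by secedit and GptTmpl.inf.
"""
import configparser

# (section, key) -> value documented in the table above, in secedit's own units
DOCUMENTED_DEFAULTS = {
    ("System Access", "LockoutBadCount"): "0",            # Account lockout threshold: 0 invalid logon attempts
    ("System Access", "ForceLogoffWhenHourExpire"): "0",  # Force logoff when logon hours expire: Disabled
    ("Kerberos Policy", "TicketValidateClient"): "1",     # Enforce user logon restrictions: Enabled
    ("Kerberos Policy", "MaxServiceAge"): "600",          # Maximum lifetime for service ticket: 600 minutes
    ("Kerberos Policy", "MaxTicketAge"): "10",            # Maximum lifetime for user ticket: 10 hours
    ("Kerberos Policy", "MaxRenewAge"): "7",              # Maximum lifetime for user ticket renewal: 7 days
    ("Kerberos Policy", "MaxClockSkew"): "5",             # Maximum tolerance for clock synchronisation: 5 minutes
}

# Settings the table lists as "Not Defined": the key is simply absent from the template.
NOT_DEFINED_BY_DEFAULT = (
    ("System Access", "LockoutDuration"),    # Account lockout duration
    ("System Access", "ResetLockoutCount"),  # Reset account lockout counter after
)

# Constructed sample in the layout secedit /export writes (three deliberate departures).
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
LockoutBadCount = 5
LockoutDuration = 30
ResetLockoutCount = 30
ForceLogoffWhenHourExpire = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_template(text: str) -> configparser.ConfigParser:
    """Parse .inf text; keys keep their case and "$CHICAGO$" is not interpolated."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def load_template(path: str) -> configparser.ConfigParser:
    """Read a GptTmpl.inf from disk; SYSVOL stores these files as UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return parse_template(fh.read())


def compare(text: str) -> list:
    """Return (section, key, actual, documented) for every departure from the table."""
    cp = parse_template(text)
    findings = []
    for (section, key), documented in DOCUMENTED_DEFAULTS.items():
        actual = cp.get(section, key, fallback=None)
        actual = actual.strip() if actual is not None else "missing"
        if actual != documented:
            findings.append((section, key, actual, documented))
    for section, key in NOT_DEFINED_BY_DEFAULT:
        actual = cp.get(section, key, fallback=None)
        if actual is not None:
            findings.append((section, key, actual.strip(), "Not Defined"))
    return findings


if __name__ == "__main__":
    for section, key, actual, documented in compare(SAMPLE_TEMPLATE):
        print(f"[{section}] {key}: template={actual}, documented default={documented}")
```

The comparison reports drift from the documented defaults only; whether a departure is desirable (a non-zero lockout threshold, for example) is a decision for the organisation's own security policy, which section 5.5 addresses.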
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment⁸
- Access this computer from the network: BUILTIN\Pre-Windows 2000 Compatible Access, NT AUTHORITY\ENTERPRISE
DOMAIN CONTROLLERS, NT AUTHORITY\Authenticated Users, BUILTIN\Administrators, Everyone
- Act as part of the operating system:
- Add workstations to domain: NT AUTHORITY\Authenticated Users
- Adjust memory quotas for a process: BUILTIN\Administrators, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL
SERVICE
- Allow log on locally: BUILTIN\Print Operators, BUILTIN\Server Operators, BUILTIN\Account Operators,
BUILTIN\Backup Operators, BUILTIN\Administrators
- Back up files and directories: BUILTIN\Server Operators, BUILTIN\Backup Operators, BUILTIN\Administrators
- Bypass traverse checking: BUILTIN\Pre-Windows 2000 Compatible Access, NT AUTHORITY\Authenticated Users,
BUILTIN\Administrators, Everyone
- Change the system time: BUILTIN\Server Operators, BUILTIN\Administrators, NT AUTHORITY\LOCAL SERVICE
- Create a pagefile: BUILTIN\Administrators
- Create a token object:
- Create permanent shared objects:
- Debug programs: BUILTIN\Administrators
- Deny access to this computer from the network: ADCONTOSO\SUPPORT_388945a0
- Deny log on as a batch job:
- Deny log on as a service:
- Deny log on locally: ADCONTOSO\SUPPORT_388945a0
- Enable computer and user accounts to be trusted for delegation: BUILTIN\Administrators
- Force shutdown from a remote system: BUILTIN\Server Operators, BUILTIN\Administrators
- Generate security audits: NT AUTHORITY\NETWORK SERVICE, NT
8
A number of these User Rights Assignments do not have a user/group associated with it, meaning whilst the policy setting
has been defined, a user or group has not been given this user right. For example, the Act as part of the operating system
policy is defined as not allowing any user/group to do this.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
    Domain controller: LDAP server signing requirements: None
    Domain member: Digitally encrypt or sign secure channel data (always): Enabled
    Microsoft network server: Digitally sign communications (always): Enabled
    Microsoft network server: Digitally sign communications (if client agrees): Enabled
    Network security: LAN Manager authentication level: Send NTLM response only
Computer Configuration > Windows Components > Windows Update
    No auto-restart for scheduled Automatic Updates installations: Enabled
Table 9: Default Domain Controllers Policy Settings
Note
Table 9 above contains only those User Rights Assignments visible as part of a default installation. Should
other applications such as Internet Information Services (IIS) and Terminal Services be installed, then
various User Rights Assignments will have additional user accounts such as IWAM_servername,
IUSR_servername, and TsInternetUser.
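Two of the Table 9 defaults (LAN Manager authentication level: Send NTLM response only, and LDAP server signing requirements: None) are the Security Options most often tightened on domain controllers; the NTLMv2-only level is the one this guide itself applies later in Table 18. The following script is an added example, not code from the guide or from Microsoft: it reads the registry values that back these Security Options on a domain controller and reports whether each meets a hardened target. The registry paths are the documented backing values of these options; the expected values (NTLMv2 only, require LDAP signing, always sign or seal) are this example's own hardening targets.

```powershell
# Added example (not from the NHS/Microsoft guide): audit a domain controller's Security
# Options against the weak defaults that Table 9 shows the DDCP leaving in place. The
# expected values are this example's hardening targets, taken from the NTLMv2-only level
# this guide applies in Table 18 and from requiring signing elsewhere. The registry paths
# are the documented backing values of these Security Options. Run in an elevated
# PowerShell session on the domain controller.

$SecurityOptionChecks = @(
    @{ Setting = 'Network security: LAN Manager authentication level'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name    = 'LmCompatibilityLevel'
       Expect  = 5
       Meaning = @{ 0 = 'Send LM & NTLM responses'
                    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
                    2 = 'Send NTLM response only'
                    3 = 'Send NTLMv2 response only'
                    4 = 'Send NTLMv2 response only\refuse LM'
                    5 = 'Send NTLMv2 response only\refuse LM & NTLM' } },
    @{ Setting = 'Domain controller: LDAP server signing requirements'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name    = 'LDAPServerIntegrity'
       Expect  = 2
       Meaning = @{ 1 = 'None'; 2 = 'Require signing' } },
    @{ Setting = 'Domain member: Digitally encrypt or sign secure channel data (always)'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name    = 'RequireSignOrSeal'
       Expect  = 1
       Meaning = @{ 0 = 'Disabled'; 1 = 'Enabled' } },
    @{ Setting = 'Microsoft network server: Digitally sign communications (always)'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
       Name    = 'RequireSecuritySignature'
       Expect  = 1
       Meaning = @{ 0 = 'Disabled'; 1 = 'Enabled' } }
)

function Test-SecurityOption {
    param([hashtable]$Check)
    # A missing value means the operating-system default applies, not that the
    # option is hardened, so it is reported as non-compliant.
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($item -eq $null) {
        $actual = $null
        $actualText = '(not set: operating system default applies)'
    } else {
        $actual = [int]$item.($Check.Name)
        $actualText = "$actual = " + $Check.Meaning[$actual]
    }
    New-Object PSObject -Property @{
        Setting   = $Check.Setting
        Actual    = $actualText
        Expected  = "$($Check.Expect) = " + $Check.Meaning[$Check.Expect]
        Compliant = ($actual -eq $Check.Expect)
    }
}

function Test-DomainControllerSecurityOptions {
    foreach ($check in $SecurityOptionChecks) { Test-SecurityOption -Check $check }
}

Test-DomainControllerSecurityOptions | Format-Table Setting, Actual, Expected, Compliant -Wrap
```

Because these values are written by Group Policy, a non-compliant row on a domain controller usually means the DDCP still carries the Table 9 default or a conflicting GPO wins; re-run the script after the next policy refresh rather than editing the registry directly, or the next refresh will revert the change.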
It is for this reason that additional OUs must be created to house the many objects that become
part of the domain; otherwise an administrator would need to create multiple GPOs and link all of
them to the root of the domain to ensure they are applied to the users and computers. However, to
ensure they apply only to those users and computers which should receive that configuration, a
complicated filter system would need to be created, utilising not just security groups but also
Windows Management Instrumentation (WMI) filters.
The end result would be a highly complicated implementation, becoming increasingly difficult to
administer and troubleshoot when issues occur.
Recommendation
The DCs OU should remain in its default location (as should the DC computer accounts within this OU)
due to the security-sensitive nature of their function and the DDCP being applied to them, as detailed
further in section 5.5.2.
With the DDP and DDCP safely stored, appropriate amendments can be made to configure the
items that these policies target, commonly the Password policy and Account Lockout policy; these
amendments can now be made within the MDP GPO.
Note
The reason for naming the copy of the DDP as ‘MDP’ is to provide the policy with a more meaningful
name as to its purpose. This policy contains domain-wide security settings and will be enforced; as such
this is a mandatory domain policy.
Domain-wide security consists of stipulating a policy to ensure that passwords chosen by users conform
to a set standard (such as a minimum number of characters) and whether they must contain
numbers and special characters as well as letters. This is a decision to be made by administrators,
who must always take into account the requirement that users be able to remember their
passwords without writing them down, while also ensuring that the network remains a secure place
for data.
Table 10 provides the recommended settings for both medium- and high-security environments, as
detailed within the Microsoft security hardening guidelines for Windows networks:
Recommendations
Organisations that want to enable users to reuse passwords sooner and keep them for longer should
reduce the number of passwords remembered (Enforce password history) and increase the maximum
password age. However, it is sensible to avoid setting the maximum password age to the number of days
in a month (or a pattern based on it), as users will tend to reuse the same password and append the
month number to the end. The number of passwords remembered should also be kept greater than 12,
so that it does not correspond to the number of months in the year.
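The two recommendations above can be turned into a check that runs against the live domain policy. The following script is an added example, not code from the guide: the two rules (history greater than 12; maximum age not a month length of 28 to 31 days or a multiple of one) are this example's reading of the guidance, the policy values are parsed from the output of the standard `net accounts` command, and the sample output embedded in the block is constructed so the check can be tried offline.

```powershell
# Added example (not from the guide): check a domain password policy against the
# Recommendations above. The two rules are this example's reading of that guidance:
# Enforce password history must be greater than 12, and the maximum password age must
# not be the length of a month (28 to 31 days) or a multiple of one. The policy values
# come from the output of 'net accounts', which exists on every Windows version this
# guide covers; the sample output embedded below is constructed, not captured.

function Test-PasswordPolicyAgainstGuidance {
    param(
        [Parameter(Mandatory = $true)][int]$PasswordHistoryLength,
        [Parameter(Mandatory = $true)][int]$MaximumPasswordAgeDays,   # 0 = passwords never expire
        [int]$MinimumHistory = 12
    )
    $findings = @()
    if ($PasswordHistoryLength -le $MinimumHistory) {
        $findings += "Enforce password history is $PasswordHistoryLength; keep it greater than $MinimumHistory so it cannot line up with the twelve months of the year."
    }
    # Any age that is a whole number of 28-, 29-, 30- or 31-day months invites 'password + month number'.
    $monthPattern = $false
    if ($MaximumPasswordAgeDays -gt 0) {
        foreach ($monthLength in 28..31) {
            if (($MaximumPasswordAgeDays % $monthLength) -eq 0) { $monthPattern = $true }
        }
    }
    if ($monthPattern) {
        $findings += "Maximum password age of $MaximumPasswordAgeDays days is a month length or a multiple of one; users tend to reuse the same password and append the month number."
    }
    New-Object PSObject -Property @{
        PasswordHistoryLength  = $PasswordHistoryLength
        MaximumPasswordAgeDays = $MaximumPasswordAgeDays
        MeetsGuidance          = ($findings.Count -eq 0)
        Findings               = $findings
    }
}

function ConvertFrom-NetAccountsOutput {
    # Parses the two lines of 'net accounts' output that the rules above need.
    param([string[]]$Lines)
    $history = 0
    $maxAge  = 0
    foreach ($line in $Lines) {
        if ($line -match '^Maximum password age \(days\):\s+(\S+)') {
            if ($Matches[1] -ne 'Unlimited') { $maxAge = [int]$Matches[1] }
        } elseif ($line -match '^Length of password history maintained:\s+(\S+)') {
            if ($Matches[1] -ne 'None') { $history = [int]$Matches[1] }
        }
    }
    Test-PasswordPolicyAgainstGuidance -PasswordHistoryLength $history -MaximumPasswordAgeDays $maxAge
}

# Constructed sample output (not from a real domain) so the check can be tried offline.
# Both values here break the guidance: a history of exactly 12 and a 30-day maximum age.
$SampleNetAccounts = @(
    'Force user logoff how long after time expires?:       Never',
    'Minimum password age (days):                          1',
    'Maximum password age (days):                          30',
    'Minimum password length:                              8',
    'Length of password history maintained:                12',
    'Lockout threshold:                                    Never'
)
ConvertFrom-NetAccountsOutput -Lines $SampleNetAccounts | Format-List

# Against the live domain policy:
# ConvertFrom-NetAccountsOutput -Lines (net accounts /domain) | Format-List
```

Run against the constructed sample, the check returns two findings (history 12, age 30); against a real domain, pass the output of `net accounts /domain` as shown in the last comment. Adjust `-MinimumHistory` if the organisation adopts a stricter value than the guide's 12.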
An additional amendment to be made to the MDP is for an environment where Microsoft Remote
Installation Services (RIS) is not utilised. As detailed in the last row of Table 8, the User
Configuration Settings apply configuration options to be shown within the RIS welcome
screens. If RIS is not in use, these settings can be changed as follows:
Changing these settings allows the GPO Administrator to disable the User Configuration Settings of
this GPO (as no other settings within this section are configured). By disabling these settings in the
GPO, the speed at which this policy is applied increases, which helps towards the overall
perceived performance of the startup and logon sequence that users experience.
The DDCP, as stated earlier, focuses on the Domain Controllers and not on the user or client
computers. As such, typical amendments/additions to this policy are made in line with the Microsoft
Windows Server 2003 Security Guide [9]. This document focuses on the additional security measures
that organisations can make to secure their server infrastructure based on the types of servers in
use. By implementing additional security over and above the defaults provided, organisations can
reduce the surface area open to attack by malicious users. This includes disabling services as well
as setting permissions on the various Windows components that are not in use on a specific type of
server.
As search capabilities are not included within the GPMC, finding a specific setting could be time
consuming. For this reason, Microsoft provides settings reference spreadsheets to help
administrators locate those settings that are available as well as providing additional information on
each of these settings. The spreadsheets can be downloaded from the Microsoft Web site from the
URLs given in sections 5.6.1 and 5.6.2.
This spreadsheet lists the Group Policy settings described in the Administrative Template files
(ADMX) and the Security Settings shipped with Windows Vista. This includes all Administrative
Template policy settings supported by the following operating systems:
Windows Vista
Microsoft Windows Server 2003
Windows XP Professional with SP2 or earlier service packs
Windows 2000 with SP4 or earlier service packs
This spreadsheet also includes the following categories of security policy settings:
Microsoft Windows Server 2003
Account Policies (Password Policy, Account Lockout Policy, and Kerberos Policy)
Local Policies (Audit Policy, User Rights Assignment, and Security Options)
Event Log
9
Windows Server 2003 Security Guide {R9}:
http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&DisplayLang=en
10
This figure is derived from the available settings specified in the spreadsheets, as referenced within this document, for
Windows Vista, Windows XP Professional Service Pack 2 with Internet Explorer 7, Microsoft Office 2003 and Microsoft 2007
Office System, plus additionally available Microsoft Office products, such as Microsoft Office OneNote®, Microsoft
Publisher, Microsoft Office Visio®, Microsoft Office Groove™ and so on.
Restricted Groups
System Services
Registry
File System policy settings
Note
This does not include security settings that exist outside of the Security Settings extension (scecli.dll),
such as Wireless Network extension, Public Key Policies, or Software Restriction Policies
11
The template file, OFFICE11.ADM, contains settings that are used across the Microsoft Office 2003 applications.
While the spreadsheets contain the available settings for the Office products, they do so in a
slightly different way to the spreadsheet available for the default templates included as part of the
operating system. Table 13 provides descriptions of the fields covered in the spreadsheets.
Program: The name of the application.
Class: Either “Local Machine” or “Current User”, referring to the registry trees “HKEY_LOCAL_MACHINE” and “HKEY_CURRENT_USER” respectively.
Categories: The policy settings available are organised into Categories, which typically follow the path required to access the option within the application’s user interface.
Policy: The name of the policy setting. This is usually that of the corresponding user interface option.
Part, Sub-Part: If the policy consists of multiple configuration options, these are provided here. Usually for policies requiring more than a tick box to either enable or disable.
New?: If this setting is new to Office 2003, a “Yes” will be placed here.
SP1?: If this setting is new to Office 2003 Service Pack 1, a “Yes” will be placed here.
Policy?: If this setting can be modified through Office group policies, a “Yes” will be placed here.
CIW?: If this setting can be modified through the Custom Installation Wizard, a “Yes” will be placed here.
Possible Settings: Provides the settings that can be used for this policy.
Default Setting: The default setting that will be used if not configured. If blank, there is no default setting.
Secure Setting: This value is specified for certain security-related policies only, with the setting considered to be the most secure provided.
Associated Registry Key: The registry key that relates to the specific policy or part of the policy.
Registry Value Name: The name of the registry value that relates to the specific policy or part of the policy.
Registry Values: The actual data placed within the registry to configure this policy setting. This could either be the same as the Possible Setting or a numerical value corresponding to the setting.
Notes: If provided, this gives additional information regarding the expected values or action taken by the policy.
Explanation: The text that explains what the setting is for and how it can be used. Many of these will simply state “Checks/Unchecks the corresponding user interface option”, as the policy relates directly to a user interface option and as such an explanation of the policy can be found within the Office online help.
Table 13: Office 2003 Settings Spreadsheet Field Descriptions
While the spreadsheet contains the available settings for the Office products, it does so in a
slightly different way to the spreadsheet available for the default templates included as part
of the operating system. Table 15 provides descriptions of the fields covered in the spreadsheet.
Class: Either “Local Machine” or “Current User”, referring to the registry trees “HKEY_LOCAL_MACHINE” and “HKEY_CURRENT_USER” respectively.
Categories: The first category is the application name, followed by further categories detailing the policy settings available; these are organised in a way which typically follows the path required to access the option within the application’s user interface.
Policy: The name of the policy setting. This is usually that of the corresponding user interface option.
Part: If the policy consists of multiple configuration options, these are provided here. Usually for policies requiring more than a tick box to either enable or disable.
12
The template file, office12.adm, contains settings that are used across the 2007 Microsoft Office system products.
Possible Settings: Provides the settings that can be used for this policy.
Default Setting: The default setting that will be used if not configured. If blank, there is no default setting.
Associated Registry Key: The registry key that relates to the specific policy or part of the policy.
Registry Value Name: The name of the registry value that relates to the specific policy or part of the policy.
Registry Values: The actual data placed within the registry to configure this policy setting. This could either be the same as the Possible Setting or a numerical value corresponding to the setting.
Notes: If provided, this gives additional information regarding the expected values or action taken by the policy.
Explanation: The text that explains what the setting is for and how it can be used. Many of these will simply state “Checks/Unchecks the corresponding user interface option”, as the policy relates directly to a user interface option and as such an explanation of the policy can be found within the Office online help.
Table 15: 2007 Office System Settings Spreadsheet Field Descriptions
13
Windows Installer 2.0 Redistributable Windows 2000 and Windows NT 4.0 {R13}:
http://go.microsoft.com/fwlink/?LinkId=7613
5.7.2.2 DFS
DFS provides fault tolerance for software distribution points by mapping a specific logical name to
shared folders on multiple file servers. This way, software remains available for installation,
regardless of whether one of the physical servers where the software deployment files reside
becomes unavailable. DFS also improves storage scalability because administrators can deploy
additional or higher-performance file servers and present the storage on the new computers as new
directories in an existing namespace.
When using DFS in combination with Group Policy–based software deployment, organisations
benefit from its load-sharing abilities and location-independence. These features simplify
management and optimise the installation for users. Instead of allowing all users to install software
from a single server, and causing potential performance issues with the server, a DFS namespace
can distribute network traffic across multiple servers.
Recommendation
DFS should be used due to the benefits gained through fault tolerance and scalability.
5.7.3 Limitations
Whilst GPSI allows administrators to use the GPO Editor to centrally manage the installation of
software on client computers within an organisation, there are areas of software installation that
GPSI should not or cannot be used for.
5.7.3.3 Dependencies
Applications cannot be deployed where a dependency lies between them. The reason for this is
because there is no way of specifying any order in which the applications are installed from within
GPSI.
5.7.3.4 Scheduling
When an application is made available through the GPSI, for example assigned to a user, that
application is installed when the user next logs on. It is not possible to schedule the installation of
this application and as such this could potentially result in a large number of requests for the new
application at the same time, (usually when users start work in the morning), causing additional
pressure on the network resources.
This setting can be found under Computer Configuration > Administrative Templates > System
> Group Policy.
Another Group Policy setting can be used if applications should always be installed:
This setting can be found under Computer Configuration > Administrative Templates > System
> Group Policy.
Enabling the Software Installation policy processing option provides a check box to ‘Allow
processing across a slow network connection’ which if checked will process any GPO
containing an assigned application even across a 56Kbps modem connection.
Recommendation
Whilst it is possible to assign applications across a slow network connection, this is not a recommended
practice and should be avoided. Utilising this can cause significant delays for the user involved.
With the above in mind, applications that are not currently in MSI format will require a resource to
repackage the application. This can be accomplished using various tools, such as WinINSTALL LE,
which is a free tool, although aimed at light usage; others include InstallShield and Wise for
Windows Installer which, whilst not free, are aimed at providing a more robust solution. This is
especially useful when, for example, there is potential for DLL conflicts during deployment of a
larger number of applications.
6 DEVELOP
During the Develop phase, the solution components are built based on the planning and designs
completed during the earlier phases. Further refinement of these components will continue into the
stabilisation phase.
Figure 10 acts as a high-level checklist, illustrating the sequence of events which the IT Manager
and IT Architect need to determine when planning for Group Policy for desktop management within
a healthcare organisation.
Figure 10: Sequence for Developing Group Policy for Desktop Management
Desktop Cleanup wizard
    User Configuration > Administrative Templates > Desktop
    Remove the Desktop Cleanup Wizard [15]: Enabled
Desktop Wallpaper
    User Configuration > Administrative Templates > Desktop > Active Desktop
    Active Desktop Wallpaper [14]: Enabled
    Wallpaper Name: <Path> [17]\<FileName>.jpg
    Wallpaper Style: Center
Control Panel View style
    User Configuration > Administrative Templates > Control Panel
    Force classic Control Panel Style [15]: Enabled
System Welcome screen
    User Configuration > Administrative Templates > System
    Don’t display the Getting Started welcome screen at logon [18]: Enabled
Internet Explorer Prevent changing Internet Explorer Homepage
    User Configuration > Administrative Templates > Windows Components > Internet Explorer
    Disable changing home page settings [19]: Enabled
    Disable changing Advanced page settings [19]: Enabled
    Disable changing Temporary Internet files settings [19]: Enabled
    Disable changing connection settings [19]: Enabled
Internet Explorer Prevent viewing property pages
    User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel
    Disable the Security page [19]: (Checked)
    Disable the Content page [19]: (Checked)
Table 16: Group Policy Common Configuration Base Settings
14
This setting is supported on at least Microsoft Windows 2000
15
This setting is supported on at least Microsoft Windows XP or Windows Server 2003
16
This setting is supported on at least Microsoft Windows 2000 SP3 or Windows XP SP1
17
Where <Path> is either a local path (C:\Windows) or a UNC path (\\Server\Share)
18
This setting is supported on Microsoft Windows 2000 only
19
This setting is supported on at least Microsoft Internet Explorer version 5.0
The settings recommended for Automatic Updates whilst using a patch management solution are
outlined in section 6.3.2. Therefore, Table 17 below identifies the location for specifying either
logon or logoff scripts for users as well as the startup and shutdown scripts for computers.
Scripts Logon
    User Configuration > Windows Settings > Scripts (Logon/Logoff)
    Logon: Script Name / Script Parameters
Scripts Logoff
    User Configuration > Windows Settings > Scripts (Logon/Logoff)
    Logoff: Script Name / Script Parameters
Scripts Shutdown
    Computer Configuration > Windows Settings > Scripts (Startup/Shutdown)
    Shutdown: Script Name / Script Parameters
Table 17: Group Policy Logon / Logoff / Startup / Shutdown Script Settings
Note
If the user account has already logged on to the machine once before and, as such, a local profile has
been created, the GPO can take multiple reboots and/or logons to take effect.
Security Local Policies
    Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
    Network security: LAN Manager authentication level: (Checked); Send NTLMv2 Response only\refuse LM & NTLM
Windows Logon
    Computer Configuration > Administrative Templates > System > Logon
    Run these programs at user logon [20]: Disabled
    Do not process the run once list [20]: Enabled
    Do not process the legacy run list [20]: Enabled
Windows Logon
    Computer Configuration > Administrative Templates > Windows Components > Internet Explorer
    Security Zones: Use only machine settings [21]: Enabled
Windows Folder locations
    User Configuration > Windows Settings > Folder Redirection > Desktop
    Desktop Properties – Target tab:
        Setting: Basic: Redirect everyone’s folder to the same location
        Target folder location: Redirect to the local userprofile location
    Desktop Properties – Settings tab:
        Grant the user exclusive rights to Desktop: (Checked)
        Move the contents of Desktop to the new location: (Checked)
        Policy Removal – Leave the folder in the new location when policy is removed: (Checked)
Windows Folder locations
    User Configuration > Windows Settings > Folder Redirection > My Documents
    My Documents Properties – Target tab:
        Setting: Basic: Redirect everyone’s folder to the same location
        Target folder location: Redirect to the local userprofile location
    My Documents Properties – Settings tab:
        Grant the user exclusive rights to Desktop: (Checked)
        Move the contents of Desktop to the new location: (Checked)
        Policy Removal – Leave the folder in the new location when policy is removed: (Checked)
20
This setting is supported on at least Microsoft Windows 2000.
21
This setting is supported on at least Microsoft Internet Explorer version 5.0.
Windows Desktop view
    User Configuration > Administrative Templates > Desktop
    Hide and disable all items on the desktop [20]: Enabled
    Remove My Documents icon on the desktop [20]: Enabled
Windows Control Panel
    User Configuration > Administrative Templates > Control Panel
    Prohibit access to the Control Panel [20]: Enabled
Windows Control Panel
    User Configuration > Administrative Templates > Control Panel > Add or Remove Programs
    Hide Add/Remove Windows Components page [20]: Enabled
Windows Control Panel
    User Configuration > Administrative Templates > Control Panel > Display
    Screen Saver timeout [23]: Disabled
Windows Security
    User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options
    Remove Lock Computer [20]: Enabled
    Remove Change Password [20]: Enabled
    Remove Logoff [20]: Enabled
Windows Explorer
    User Configuration > Administrative Templates > Windows Components > Windows Explorer
    Do not track Shell shortcuts during roaming [20]: Enabled
    Remove UI to change keyboard navigation indicator setting [20]: Enabled
    Turn off Windows+X hotkeys [22]: Enabled
Windows Explorer
    User Configuration > Administrative Templates > Windows Components > Windows Explorer > Common Open File Dialog
    Hide the dropdown list of recent files [20]: Enabled
Internet Explorer Menus
    User Configuration > Administrative Templates > Windows Components > Internet Explorer
    Search: Disable Find Files via F3 within the browser [21]: Enabled
22
This setting is supported on at least Microsoft Windows XP or Windows Server 2003.
23
This setting is supported on at least Microsoft Windows 2000 SP1.
Windows Toolbars
    User Configuration > Administrative Templates > Windows Components > Internet Explorer > Toolbars
    Disable customising browser toolbar buttons [21]: Enabled
    Disable customising browser toolbars [21]: Enabled
    Configure Toolbar Buttons [21]: Enabled
Table 18: Group Policy Public / Cybercafe Settings
Additional areas of focus when providing a kiosk-based computer should also be taken into
account; these are detailed in Table 19 below:
Accessibility to Desktop: Typically not available unless wanting to provide user access to additional applications, whereby shortcut icons can be placed here. Consider using Active Desktop to provide a Web-page-based background which provides these shortcuts, or simply creating a profile that contains these shortcuts.
Allow new explorer windows: The out-of-the-box setting for the Kiosk computer is to not allow new windows to be opened. The basis for this is to ensure that large numbers of windows are not left open, which could be confusing to users. However, many Web pages provide links which, once clicked, spawn a new Internet Explorer window. If opening new windows is not allowed, a message is displayed to the user stating that this option has been removed by a policy, and to see the administrator. This is not an intuitive message and not one that is easily understood by users; therefore consider allowing new windows to be opened.
Allow the closing of explorer windows: If using the above setting to allow new windows to be spawned, then the ability to close them should also be provided. If not, the result would be many instances of Internet Explorer open without the option to close them.
Mandatory Profile: Making the profile of the logged-on user for the Kiosk computer mandatory ensures that any changes made (for example, Internet Explorer taken out of Full Screen mode and resized) are lost when the user logs off. When the user logs back on again, Internet Explorer will open in Full Screen mode, providing the Kiosk computer experience.
Roaming Profile: Whilst making the profile ‘mandatory’ ensures the consistent state of windows and so on, making the profile ‘roaming’ enables administrators to centrally manage the profile whilst being able to assign it to multiple users, should this method be used within their environment.
Automatic Logon: Providing automatic logon ensures an additional level of security by not having to communicate the user credentials to users. This is typically carried out through various entries within the Windows Registry which provide the credentials. The issue with this is that the password is stored in plain text within the registry. Therefore, consider using the free downloadable Windows PowerToys from Microsoft [24], specifically the TweakUI utility, which allows the Autologon credentials to be set without displaying the password in clear text in the registry.
Table 19: Kiosk Computer Additional Areas of Focus
24
Microsoft PowerToys for Windows XP {R14}:
http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx
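Administrative Template settings such as those in Table 18 take effect only once they have been written as registry policy values in the kiosk user's hive, and the autologon warning in Table 19 is equally a registry question. The following script is an added example, not code from the guide or from Microsoft: run in the kiosk user's session, it reports whether each lockdown value from Table 18 is present with the expected data, and whether Winlogon holds a clear-text DefaultPassword. The registry locations are the documented backing keys of these settings and of Winlogon autologon; which settings to include is this example's selection. TweakUI stores the autologon password as an LSA secret rather than in the Winlogon key, so a kiosk configured the way Table 19 recommends shows `PlainTextPasswordStored` as False.

```powershell
# Added example (not from the guide): verify on a kiosk computer that the user lockdown
# settings from Table 18 have actually been written as registry policy values, and flag
# the plain-text autologon password that Table 19 warns about. The registry locations
# are the documented backing keys of these Administrative Template settings and of
# Winlogon autologon. Run in the kiosk user's own session (HKCU is that user's hive).

$ExplorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$SystemPolicy   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$WinlogonKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

$ExpectedLockdown = @(
    @{ Setting = 'Prohibit access to the Control Panel';      Path = $ExplorerPolicy; Name = 'NoControlPanel';         Data = 1 },
    @{ Setting = 'Hide and disable all items on the desktop'; Path = $ExplorerPolicy; Name = 'NoDesktop';              Data = 1 },
    @{ Setting = 'Turn off Windows+X hotkeys';                Path = $ExplorerPolicy; Name = 'NoWinKeys';              Data = 1 },
    @{ Setting = 'Remove Logoff (Ctrl+Alt+Del Options)';      Path = $ExplorerPolicy; Name = 'NoLogoff';               Data = 1 },
    @{ Setting = 'Remove Lock Computer';                      Path = $SystemPolicy;   Name = 'DisableLockWorkstation'; Data = 1 },
    @{ Setting = 'Remove Change Password';                    Path = $SystemPolicy;   Name = 'DisableChangePassword';  Data = 1 }
)

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-KioskLockdown {
    # One object per expected setting; Applied is False when the value is absent or wrong.
    foreach ($e in $ExpectedLockdown) {
        $actual = Get-RegistryValueOrNull -Path $e.Path -Name $e.Name
        New-Object PSObject -Property @{
            Setting = $e.Setting
            Value   = $e.Name
            Actual  = $(if ($actual -eq $null) { '(not set)' } else { $actual })
            Applied = ($actual -eq $e.Data)
        }
    }
}

function Test-AutologonPasswordExposure {
    # Autologon configured directly in the registry leaves DefaultPassword in clear text;
    # TweakUI (as Table 19 recommends) keeps the secret out of this key, so the value stays absent.
    $autoLogon = Get-RegistryValueOrNull -Path $WinlogonKey -Name 'AutoAdminLogon'
    $plainPwd  = Get-RegistryValueOrNull -Path $WinlogonKey -Name 'DefaultPassword'
    New-Object PSObject -Property @{
        AutoAdminLogonEnabled   = ($autoLogon -eq '1')
        PlainTextPasswordStored = (($plainPwd -ne $null) -and ($plainPwd -ne ''))
    }
}

Test-KioskLockdown | Format-Table Setting, Value, Actual, Applied -AutoSize
Test-AutologonPasswordExposure | Format-List
```

An `Applied` of False after a fresh logon usually points to the GPO not being linked to the OU that holds the kiosk user, or to the Note above about an existing local profile needing further logons before the policy takes effect. Extend `$ExpectedLockdown` with the remaining Table 18 rows once their registry value names have been confirmed from the settings spreadsheets described earlier.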
For each example given, the Group Policy settings will be provided, as well as the configuration
settings for the GPO itself, such as:
User or computer configuration settings disabled
Access control lists
Block inheritance where appropriate
Enforce where appropriate
Note
The GPO building blocks contain settings applicable to multiple versions of Microsoft Windows. The
version of Windows that each setting is targeting has been identified as part of the tables within the
building block sections below.
Where a building block contains a setting applicable to Windows Vista as well as Windows XP, the GPO
can be linked to an OU containing Windows XP clients, but the client computer will ignore the setting
which is only supported on Windows Vista. However, if the GPO is applied to a Windows Vista client, all
settings including those for Windows XP will be applied if the Windows Vista client supports it.
Block Inheritance: Unchecked
6.3.2 WSUS
Windows Server Update Services [26] (WSUS), a free tool from Microsoft, provides patch
management for installed operating systems, as well as a number of installed applications,
throughout an organisation's estate. It provides organisations with a managed way in which to
customise which updates are applied within the environment, as well as when they are applied.
Within a Windows OS, the Automatic Updates feature is the client component which provides the
user with a way to stay up to date with released updates, from security patches to service packs,
whether they come from Microsoft Update or from a server running WSUS.
Table 22 illustrates the settings which are configured on client computers (servers and
workstations) to take advantage of a WSUS implementation.
25
All permissions detailed here are Allow permissions unless stated otherwise.
26
Healthcare organisation-specific guidance is available – Windows Server Update Services 3.0 Design Guide {R1} and
Windows Server Update Services Operations Guide {R2}.
Recommendation
The setting ‘Enabling Windows Update Power Management to automatically wake up the system to
install scheduled updates’ enables healthcare organisations to take advantage of clients’ power
management functionality. For operating systems prior to Windows Vista, client machines would typically
be left on overnight to enable remote management tasks, such as applying updates, to be carried out.
This is no longer required with Windows Vista. Using this setting enables a healthcare organisation to
save energy and therefore reduce the TCO of managing a computer. See section 6.3.12 for a building
block specifically focused on Windows Vista power management.
27
This setting is supported on at least Windows XP SP2.
28
This setting is supported on at least Windows 2000 SP3, Windows XP SP1 and Windows Server 2003.
29
This setting is supported on at least Windows Vista.
Block Inheritance: Unchecked
User Configuration > Windows Settings > Internet Explorer Maintenance > Browser User Interface > Browser Title
    Customise Title Bars: (Checked)
    Title Bar Text: Contoso
User Configuration > Administrative Templates > Windows Components > Internet Explorer
    Disable changing home page settings [32]: Enabled
    Disable changing Advanced page settings [32]: Enabled
    Disable changing Temporary Internet files settings [32]: Enabled
    Disable changing connection settings [32]: Enabled
User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel
    Disable the Security page [32]: (Checked)
    Disable the Content page [32]: (Checked)
Table 24: Example Internet Explorer GPO Configuration
[30] All permissions detailed here are Allow permissions unless stated otherwise.
[31] The example URL provided for the Home page can be replaced with one deemed more appropriate for your healthcare organisation.
[32] This setting is supported on at least Microsoft Internet Explorer version 5.0.
Property                Setting
Block Inheritance       Unchecked

This GPO setting is not available through the default templates and as such will need to be added into the GPO created for this task. The ADM template can be downloaded from: http://go.microsoft.com/fwlink/?linkid=65788. This download is a compressed executable which contains a number of files, two of which are:
    A command file for creating the registry key so that Automatic Updates will not install Internet Explorer 7
    An ADM template file for utilising Group Policy to create the registry key
[33] All permissions detailed here are Allow permissions unless stated otherwise.
[34] This setting is supported on at least Microsoft Windows XP SP2.
Notes
Once this ADM template has been added, the setting will not be visible until the option to ‘Only show
policy settings that can be fully managed’ has been unchecked. This setting is available through the
View > Filtering menu with Administrative Templates highlighted.
In order to allow Automatic Updates to install Internet Explorer 7, this policy setting should be set to
Disabled rather than simply removed, otherwise the registry key that is created will remain and continue
to disallow the installation of Internet Explorer 7.
Property                Setting
Block Inheritance       Unchecked
[35] All permissions detailed here are Allow permissions unless stated otherwise.
[36] While the majority of Windows Vista can be made to look like Windows XP, the green Start button is not available on Windows Vista and as such remains as the Windows Button (the Windows Vista Pearl).
[37] This setting is supported on at least Microsoft Windows 2000.
[38] This setting is supported on at least Microsoft Windows XP or Windows Server 2003.
[39] This setting is supported on at least Microsoft Windows 2000 SP3 or Windows XP SP1.
User Configuration > Administrative Templates > Desktop
    Remove the Desktop Cleanup Wizard [38]: Enabled
User Configuration > Administrative Templates > Desktop > Active Desktop
    Active Desktop Wallpaper [37]: Enabled
        Wallpaper Name: <Path>\<FileName>.jpg [41]
        Wallpaper Style: Center
User Configuration > Administrative Templates > Control Panel
    Force classic Control Panel Style [38]: Enabled
User Configuration > Administrative Templates > System
    Don’t display the Getting Started welcome screen at logon [42]: Enabled
User Configuration > Administrative Templates > Windows Components > Windows Sidebar
    Turn off Windows Sidebar [40]: Enabled
Table 28: Look and Feel GPO Example

Property                Setting
Block Inheritance       Unchecked
[40] This setting is supported on at least Windows Vista.
[41] Where <Path> is either a local path (C:\Windows) or a UNC path (\\Server\Share).
[42] This setting is supported on Microsoft Windows 2000 only.
[43] All permissions detailed here are Allow permissions unless stated otherwise.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
    Accounts: Limit local account use of blank passwords to console logon only: Enabled
    Domain member: Digitally encrypt or sign secure channel data (always): Enabled
    Domain member: Digitally encrypt secure channel data (when possible): Enabled
    Domain member: Digitally sign secure channel data (when possible): Enabled
    Domain member: Require strong (Windows 2000 or later) session key: Enabled
    Network access: Allow anonymous SID/Name translation: Disabled
    Network access: Do not allow anonymous enumeration of SAM accounts: Enabled
    Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
    Network access: Let Everyone permissions apply to anonymous users: Disabled
    Network access: Remotely accessible registry paths: Enabled
    Network access: Shares that can be accessed anonymously: Enabled (COMCFG; DFS$)
    Network access: Sharing and security model for local accounts: Classic
    Network security: Do not store LAN Manager hash value on next password change: Enabled
    Network security: LAN Manager authentication level: Send NTLMv2 responses only\refuse LM
Table 30: Security Hardening GPO Example
Warning
The settings in Table 30 should be understood completely prior to their implementation, as they can have serious consequences for the operation of both client computers and applications. For example, the last setting, which configures the LAN Manager Authentication Level, prevents any Windows 95 machines from communicating with a machine on which this setting is configured in this way.
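As a defender-side check of the Table 30 settings, the following PowerShell script is an added example and is not part of the original guidance. It reads the registry values that Windows keeps for these Security Options on the local machine and flags any that differ from the intended state, so a GPO Administrator can confirm that the GPO actually landed, and re-run the check after a change or a helpdesk report. Two rows of Table 30 are left out because they are not backed by a single registry value with an expected value stated in the table: ‘Allow anonymous SID/Name translation’ (held in the LSA policy database) and ‘Remotely accessible registry paths’ (the table lists no paths). The policy-name-to-registry-value mapping is the documented one for these Security Options; the expected values are those in Table 30.

```powershell
# Added example, not from the original guidance: audits the local registry state behind
# the Table 30 security options. Run in an elevated PowerShell session on the workstation.
# Security Options are written by Group Policy straight into these keys, so a value reported
# as '<not set>' was never applied here and the operating system default is in force.

$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Server   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Expected values come from Table 30. LmCompatibilityLevel 4 is
# "Send NTLMv2 response only\refuse LM"; ForceGuest 0 is the Classic sharing model.
$Checks = @(
    @{ Name = 'Accounts: Limit local account use of blank passwords to console logon only';   Path = $Lsa;      Value = 'LimitBlankPasswordUse';     Expected = 1 }
    @{ Name = 'Domain member: Digitally encrypt or sign secure channel data (always)';         Path = $Netlogon; Value = 'RequireSignOrSeal';         Expected = 1 }
    @{ Name = 'Domain member: Digitally encrypt secure channel data (when possible)';          Path = $Netlogon; Value = 'SealSecureChannel';         Expected = 1 }
    @{ Name = 'Domain member: Digitally sign secure channel data (when possible)';             Path = $Netlogon; Value = 'SignSecureChannel';         Expected = 1 }
    @{ Name = 'Domain member: Require strong (Windows 2000 or later) session key';            Path = $Netlogon; Value = 'RequireStrongKey';          Expected = 1 }
    @{ Name = 'Network access: Do not allow anonymous enumeration of SAM accounts';            Path = $Lsa;      Value = 'RestrictAnonymousSAM';      Expected = 1 }
    @{ Name = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'; Path = $Lsa;      Value = 'RestrictAnonymous';         Expected = 1 }
    @{ Name = 'Network access: Let Everyone permissions apply to anonymous users';             Path = $Lsa;      Value = 'EveryoneIncludesAnonymous'; Expected = 0 }
    @{ Name = 'Network access: Shares that can be accessed anonymously';                       Path = $Server;   Value = 'NullSessionShares';         Expected = @('COMCFG', 'DFS$') }
    @{ Name = 'Network access: Sharing and security model for local accounts (Classic)';       Path = $Lsa;      Value = 'ForceGuest';                Expected = 0 }
    @{ Name = 'Network security: Do not store LAN Manager hash value on next password change'; Path = $Lsa;      Value = 'NoLMHash';                  Expected = 1 }
    @{ Name = 'Network security: LAN Manager authentication level';                            Path = $Lsa;      Value = 'LmCompatibilityLevel';      Expected = 4 }
)

function Test-SecurityOption {
    param([Parameter(Mandatory)][hashtable]$Check)

    # Read one named value; a missing key or value yields $null instead of an error.
    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Check.Value) } else { $null }

    # Normalise scalars and multi-string values to one comparable text form.
    $expectedText = @($Check.Expected | ForEach-Object { "$_" }) -join ','
    $actualText   = if ($null -eq $actual) { '<not set>' } else { @($actual | ForEach-Object { "$_" }) -join ',' }

    [pscustomobject]@{
        Setting   = $Check.Name
        Expected  = $expectedText
        Actual    = $actualText
        Compliant = ($expectedText -eq $actualText)
    }
}

$results = foreach ($check in $Checks) { Test-SecurityOption -Check $check }
$results | Format-Table -Property Compliant, Setting, Expected, Actual -AutoSize -Wrap

# Summarise drift so the output can be pasted into a change or incident record.
$drift = @($results | Where-Object { -not $_.Compliant })
if ($drift.Count -eq 0) {
    Write-Host 'All Table 30 settings match the expected state.'
} else {
    foreach ($d in $drift) {
        Write-Warning "$($d.Setting): expected '$($d.Expected)', found '$($d.Actual)'"
    }
}
```

Because Security Options are written directly to these keys rather than to the Policies hive, the script reads the same state a client actually enforces; running it immediately after gpupdate on a pilot machine, before the GPO is linked more widely, is the practical way to catch the compatibility problems the Warning above describes.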
Property                Setting
Block Inheritance       Unchecked
[44] All permissions detailed here are Allow permissions unless stated otherwise.
Note
This security hardening GPO example highlights just a small number of the key security options available to be configured through Group Policy within an Active Directory domain environment. These settings were derived from the Windows XP Security Guide [45]. The Windows Vista Security Guide [46] is also available.
Warning
When importing a GPO which has a Software Installation package associated to it, ensure that the import
source files do not have the read-only attribute set as this will cause an ‘Access Denied’ error when the
import wizard regenerates the application assignment script (.aas file) associated with the package.
Property                Setting
Block Inheritance       Unchecked
[45] Windows XP Security Guide {R16}: http://go.microsoft.com/fwlink/?linkid=14840
[46] Windows Vista Security Guide {R17}: http://go.microsoft.com/?linkid=5639874
[47] All permissions detailed here are Allow permissions unless stated otherwise.
Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules
    New Path Rule (right-click Additional Rules, select New Path Rule)
        Path: *.VBS
        Security Level: Disallowed
        Description: Disallowing all .VBS files
    New Path Rule (right-click Additional Rules, select New Path Rule)
        Path: *.VBE
        Security Level: Disallowed
        Description: Disallowing all .VBE (VBScript Encrypted) files
    New Path Rule (right-click Additional Rules, select New Path Rule)
        Path: \\ServerName\LoginScript\*.VBS
        Security Level: Unrestricted
        Description: Allowing all .VBS files within the LoginScript share
Table 34: Software Restriction GPO Example
Property                Setting
Block Inheritance       Unchecked
[48] This setting is supported on Microsoft Windows XP.
[49] All permissions detailed here are Allow permissions unless stated otherwise.
The above example has used just one of the four types of rule available to dictate whether software is disallowed or unrestricted. The rules available are:
    Certificate Rule – Specifies that a software publisher's certificate must exist before a program is allowed to run
    Hash Rule – A digital fingerprint that uniquely identifies a software program or executable file, even if the program or executable file is moved or renamed
    Internet Zone Rule – A zone rule can be used to identify software that is downloaded from any of the zones defined in Internet Explorer, such as Internet, Intranet, Restricted Sites, Trusted Sites, and My Computer
    Path Rule – Specifies either a folder, a fully qualified path to a program, or a registry path, which will use the path value that is stored in the registry for that application
Note
Software Restriction Policies evaluate the rules defined in a specific order. Rules that more specifically match a program take precedence over rules that more generally match the same program. The order in which the rules are processed starts with the Hash Rule, followed by the Certificate Rule, Path Rule, Zone Rule, and lastly the Default Rules (as created when a new Software Restriction Policy is created).
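To see the precedence described in this note applied to the Table 34 rules, the following PowerShell model is an added example; it is not part of the original guidance and not the operating system's own implementation. It ranks candidate rules by type in the order given above (Hash, Certificate, Path, Zone, Default) and, among Path rules, prefers the more specific pattern; the specificity measure (the number of literal, non-wildcard characters) is a simplifying assumption of this model. The rule set is constructed from Table 34 plus the Default Rule, and the sample file paths and the hash value are constructed. Running it confirms that a .VBS file in the LoginScript share resolves to Unrestricted while any other .VBS file resolves to Disallowed, which is the intent of the table, and that a Hash rule outranks even the most specific Path rule.

```powershell
# Added example, not from the original guidance: a model of Software Restriction Policy rule
# precedence, used to check the Table 34 rules before deployment. Not the OS implementation.

# Rule types in processing order, as stated in the note: Hash, Certificate, Path, Zone, Default.
$RuleTypeRank = @{ Hash = 1; Certificate = 2; Path = 3; Zone = 4; Default = 5 }

# Constructed rule set: the three Table 34 path rules plus the Default Rule that every new
# Software Restriction Policy carries (Unrestricted here, the usual starting point).
$Rules = @(
    [pscustomobject]@{ Type = 'Path';    Pattern = '*.VBS';                          Level = 'Disallowed';   Description = 'Disallowing all .VBS files' }
    [pscustomobject]@{ Type = 'Path';    Pattern = '*.VBE';                          Level = 'Disallowed';   Description = 'Disallowing all .VBE (VBScript Encrypted) files' }
    [pscustomobject]@{ Type = 'Path';    Pattern = '\\ServerName\LoginScript\*.VBS'; Level = 'Unrestricted'; Description = 'Allowing all .VBS files within the LoginScript share' }
    [pscustomobject]@{ Type = 'Default'; Pattern = '*';                              Level = 'Unrestricted'; Description = 'Default Rule' }
)

function Get-PathSpecificity {
    # Assumption of this model: the more literal (non-wildcard) characters a pattern has,
    # the more specific it is. The real evaluation also prefers file matches over folder matches.
    param([string]$Pattern)
    ($Pattern -replace '[*?]', '').Length
}

function Test-RuleMatch {
    param([pscustomobject]$Rule, [string]$FilePath, [string]$FileHash, [string]$Publisher, [string]$Zone)
    switch ($Rule.Type) {
        'Hash'        { return ($FileHash  -ne '' -and $FileHash  -eq $Rule.Pattern) }
        'Certificate' { return ($Publisher -ne '' -and $Publisher -eq $Rule.Pattern) }
        'Path'        { return ($FilePath -like $Rule.Pattern) }   # -like is case-insensitive, as SRP paths are
        'Zone'        { return ($Zone -ne '' -and $Zone -eq $Rule.Pattern) }
        'Default'     { return $true }
    }
    return $false
}

function Resolve-SrpLevel {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [string]$FileHash  = '',
        [string]$Publisher = '',
        [string]$Zone      = ''
    )
    $candidates = @($Rules | Where-Object { Test-RuleMatch -Rule $_ -FilePath $FilePath -FileHash $FileHash -Publisher $Publisher -Zone $Zone })

    # Lowest type rank wins; among equally ranked rules the most specific pattern wins.
    $winner = $candidates |
        Sort-Object -Property @{ Expression = { $RuleTypeRank[$_.Type] } }, @{ Expression = { Get-PathSpecificity -Pattern $_.Pattern }; Descending = $true } |
        Select-Object -First 1

    [pscustomobject]@{
        File      = $FilePath
        Level     = $winner.Level
        DecidedBy = "$($winner.Type) rule '$($winner.Pattern)'"
    }
}

# Constructed sample paths. Expected: Disallowed, Unrestricted, Disallowed, Unrestricted.
@(
    'C:\Users\alice\Downloads\helper.vbs'
    '\\ServerName\LoginScript\MapDrives.VBS'
    'C:\Temp\archive.vbe'
    'C:\Program Files\ClinicalApp\ClinicalApp.exe'
) | ForEach-Object { Resolve-SrpLevel -FilePath $_ } | Format-Table -AutoSize

# A Hash rule outranks any Path rule, so a hash-matched file in the LoginScript share is still
# Disallowed. The hash value is a constructed placeholder, not a real file hash.
$Rules += [pscustomobject]@{ Type = 'Hash'; Pattern = 'CONSTRUCTED-HASH-PLACEHOLDER'; Level = 'Disallowed'; Description = 'Constructed hash rule' }
Resolve-SrpLevel -FilePath '\\ServerName\LoginScript\MapDrives.VBS' -FileHash 'CONSTRUCTED-HASH-PLACEHOLDER'
```

The point of modelling the rules before linking the GPO is that the third Table 34 rule only works because it is more specific than the first; if the login scripts were ever moved to another share, the first rule would silently block them, and a quick run of this kind of check against the new path shows that before users do.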
User Configuration > Administrative Templates > System > Group Policy
    Turn off automatic update of ADM files [51]: Enabled
Table 36: GPO Administration GPO Example

Property                Setting
Block Inheritance       Unchecked
[50] This setting is supported on at least Microsoft Windows Server 2003.
[51] This setting is supported on at least Microsoft Windows 2000.
Property                Setting
Permissions [52]        Authenticated Users: Read & Apply Group Policy
                        Creator Owner: (none explicitly set)
                        Domain Admins (DomainName\Domain Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
                        Enterprise Admins (DomainName\Enterprise Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
                        System: Read, Write, Create All Child Objects, and Delete All Child Objects
Table 37: GPO Administration GPO Properties
Note
The above example utilises configuration settings from both the user and computer configuration and as
such the GPO status is set to Enabled. These settings could be placed within other policies that take
advantage of disabling either the user or computer portions of a policy.
Computer Configuration > Administrative Templates > Microsoft Office 2003 > Security Settings
    Excel: Macro Security Level: Enabled
        Security Level: High
    Outlook: Macro Security Level: Enabled
        Security Level: High
    PowerPoint: Macro Security Level: Enabled
        Security Level: High
    Publisher: Macro Security Level: Enabled
        Security Level: High
    Word: Macro Security Level: Enabled
        Security Level: High
Table 38: Office 2003 Computer-Based GPO Example
[52] All permissions detailed here are Allow permissions unless stated otherwise.
Property                Setting
Block Inheritance       Unchecked
Note
The default Macro Security Level setting for all the Microsoft Office applications being configured in Table
38 is ‘High’ with the exception of Microsoft Access 2003 which is set to Medium.
While the default configuration for the Macro Security Level of the majority of Microsoft Office 2003
applications is set to High, configuring this setting through Group Policy ensures that the
workstations remain in a secure state. For example, if a user had the permissions to configure the
Macro Security Level to Low, the GPO would ensure the setting would return to its default state of
High the next time the GPO was applied during normal Group Policy refresh.
Recommendation
When configuring the Macro Security level, ensure that you provide users with a secure, yet usable,
system. Setting the level to Very High will only allow macros installed in a trusted location to run; other
signed (or unsigned) macros will be disabled. However, setting the level to Low means all macros,
executables and Microsoft Visual Basic for Applications (VBA) programs can run without the knowledge or
approval of the user. Consider, therefore, setting the Macro Security Level to High, only changing this to
Medium where absolutely necessary due to the documents being opened.
Warning
When setting the Microsoft Access 2003 Macro Security Level to either Medium or High, the latest service
pack for Microsoft Jet 4.0 must be installed if unsafe expressions are also to be blocked without affecting
common functionality. Windows XP Service Pack 2 includes a service pack for Microsoft Jet 4.0. If
Windows XP Service Pack 2 is not installed, then Microsoft Jet 4.0 Service Pack 8 should be installed.
This can be downloaded from the following location: http://support.microsoft.com/kb/239114.
[53] All permissions detailed here are Allow permissions unless stated otherwise.
User Configuration > Administrative Templates > Microsoft Office 2003 > Improved Error Reporting
    Disable reporting of error messages: Enabled
        Check to disable reporting of error messages: Enabled
    Disable reporting of non-critical errors: Enabled
        Check to disable reporting of non-critical errors: Enabled
User Configuration > Administrative Templates > Microsoft Office 2003 > Shared Paths
    User templates path: Enabled
        User templates path: S:\UserTemplates
User Configuration > Administrative Templates > Microsoft Office 2003 > Tools | Customize | Options
    Always show full menus: Enabled
        Check to enforce setting on; uncheck to enforce setting off: Enabled
    List font names in their font: Enabled
        Check to enforce setting on; uncheck to enforce setting off: Enabled
    Show Screen Tips on Toolbars: Enabled
        Check to enforce setting on; uncheck to enforce setting off: Enabled
    Show shortcut keys in Screen Tips: Enabled
        Check to enforce setting on; uncheck to enforce setting off: Enabled
User Configuration > Administrative Templates > Microsoft Office 2003 > Tools | Options | General | Service Options > Online Content
    Hide Spotlight entry point: Enabled
        Check to Hide Spotlight entry point: Enabled
    Online content options: Enabled
        Online content options: Never show online content or entry points
User Configuration > Administrative Templates > Microsoft Office Excel 2003 > Tools | Options… > General
    Recently used file list: Enabled
        Entries on recently used file list: 8
User Configuration > Administrative Templates > Microsoft Office Excel 2003 > Tools | Options… > View
    Startup Task Pane: Disabled
User Configuration > Administrative Templates > Microsoft Office Outlook 2003 > Tools | Options… > Other
    Empty Deleted Items Folder: Enabled
        Empty the Deleted Items folder upon exiting: Enabled
User Configuration > Administrative Templates > Microsoft Office PowerPoint 2003 > Tools | Options… > General
    Recently used file list: Enabled
        Enable recently used file list: Enabled
        Size of recently used file list: 8
User Configuration > Administrative Templates > Microsoft Office PowerPoint 2003 > Tools | Options… > View
    Startup Task Pane: Disabled
User Configuration > Administrative Templates > Microsoft Office Word 2003 > Tools | Options… > View > Show
    Startup Task Pane: Disabled
Table 40: Office 2003 User Based GPO Example

Property                Setting
Block Inheritance       Unchecked
The configuration settings specified in Table 40 have been placed within the same GPO.
Depending on the amount of control needed over the GPO, the components focusing on each
Microsoft Office application could be contained in a separate GPO. This would result in a GPO
which contains the shared Office 2003 settings and a separate GPO for each of the Office
applications: Excel, Outlook, PowerPoint and Word.
Separating out the settings into individual GPOs allows an administrator to raise a change request
to amend a GPO focusing on, for example, Word only. If the settings were all contained within the
same GPO, this could incur additional time for testing as the GPO would be targeting a larger
number of settings.
The downside of having five different GPOs in this particular case could, however, outweigh the benefits, owing to the additional number of GPOs to be administered. With the number of settings in the above building block being relatively low, a single GPO would be more beneficial. If the number of settings increased greatly, separate GPOs could be more beneficial.
Recommendation
Consider the number of settings that are to be configured within a GPO and weigh up the pros and cons of the number of GPOs to administer against the overhead of maintaining a large number of settings within a single GPO. A GPO with a large number of settings may be managed more easily if it is split into multiple GPOs.
It is not uncommon to have a GPO which contains just a single configuration option if this proves easier to administer than a GPO with many configuration options set across multiple focuses.
Note
It is not possible to configure the look of Microsoft Office 2003 to make it look and feel like previous
versions of Microsoft Office.
[54] All permissions detailed here are Allow permissions unless stated otherwise.
User Configuration > Administrative Templates > Microsoft Office 2007 system > Help
    Microsoft Office Online: Disabled
User Configuration > Administrative Templates > Microsoft Office 2007 system > Improved Error Reporting
    Disable reporting of error messages: Enabled
    Disable reporting of non-critical errors: Enabled
User Configuration > Administrative Templates > Microsoft Office 2007 system > Privacy > Trust Center
    Automatically receive small updates to improve reliability: Disabled
    Enable Customer Experience Improvement Program: Disabled
User Configuration > Administrative Templates > Microsoft Office 2007 system > Shared Paths
    User templates path: Enabled
        User templates path: S:\UserTemplates
User Configuration > Administrative Templates > Microsoft Office 2007 system > Tools | Options | General | Web Options…
    Disable access to updates, add-ins, and patches on the Office Online website: Enabled
    Disable customer-submitted templates downloads from Office Online: Enabled
    Prevents users from uploading document templates to the Office Online community: Enabled
User Configuration > Administrative Templates > Microsoft Office Excel 2007 > Excel Options > Save
    Save Excel files as: Enabled
        Save Excel files as: Excel 97-2003 Workbook (*.xls)
User Configuration > Administrative Templates > Microsoft Office Outlook 2007 > Tools | Options… > Other
    Empty the Deleted Items folder when Outlook closes: Enabled
User Configuration > Administrative Templates > Microsoft Office PowerPoint 2007 > PowerPoint Options > Save
    Save files in this format: Enabled
        Save files in this format: PowerPoint 97-2003 Presentation (*.ppt)
User Configuration > Administrative Templates > Microsoft Office Word 2007 > Block file formats > Save
    Block saving of Open XML file types: Enabled
User Configuration > Administrative Templates > Microsoft Office Word 2007 > Word Options > Save
    Compatibility mode on file creation: Enabled
    Save files in this format: Enabled
        Save files in this format: Word 97 – 2003 Document (*.doc)
User Configuration > Administrative Templates > Microsoft Office Word 2007 > Word Options > Security > Trust Center
    VBA Macro Warning Settings: Enabled
        No Warnings for all macros but disable all macros
Table 42: 2007 Office System User-Based GPO Example

Property                Setting
Block Inheritance       Unchecked

[55] For information about migrating from Office 2003 to the 2007 Office System, please refer to the 2007 Microsoft Office System Migration Guide {R19}.
[56] All permissions detailed here are Allow permissions unless stated otherwise.
Note
The GPO settings above pertaining to the ‘Save files in this format’ setting allow a healthcare organisation to continue to use a format that is supported across an environment which has multiple versions of Microsoft Office. Once all workstations have been upgraded to the 2007 Microsoft Office system, this configuration option can be set back to ‘Not Configured’. This will cause the default file type to revert to the Open XML (Extensible Markup Language) format now used by the Microsoft Office applications. This is further controlled through blocking the ability to save as an Open XML file.
Note
It is not possible to configure the 2007 Office system to make it look and feel like previous versions of
Microsoft Office.
While this example GPO includes settings which aid in the migration from one Office version to another, it is worth mentioning the availability of the Microsoft Office Compatibility Pack. This Compatibility Pack [57] allows users of Office 2003 to open files saved using the default file format within the 2007 Office system.
The 2007 Microsoft Office System Migration Guide [58], which specifically focuses on the migration of previous Microsoft Office versions to the 2007 Office system, is also available to healthcare organisations.
[57] Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 file formats {R20}: http://office.microsoft.com/en-us/products/HA101686761033.aspx
[58] 2007 Microsoft Office System Migration Guide {R19}: http://www.microsoft.com/industry/healthcare/technology/hpo/office/2007officesystemmigration.aspx
[59] The spreadsheet providing the commands, Control IDs and Policy IDs can be downloaded from 2007 Office System Document: Lists of Control IDs {R21}: http://go.microsoft.com/fwlink/?LinkId=80644. This download page provides download links to two files: 2007OfficeControlIDsExcel2003.exe and 2007OfficeControlIDsExcel2007.exe. These files contain the Control IDs for the Microsoft Office suite of products.
To discover the Policy ID for a Microsoft Office 2003 application command, create a macro in VBA to provide the information, for example in a message box. This process can be found in Managing Users' Configurations by Policy [60] within the Microsoft Office 2003 Resource Kit.
To disable a keyboard shortcut, a policy setting requires the input of both the key and the modifier ID. This can be easily obtained using the values associated with key strokes. Table 44 details the values.
    CONTROL (CTRL)    8
    SHIFT             4
Should multiple modifiers be used, the values should be added together. For example, if CTRL + ALT are used, the modifier would be 24.
The process given below uses the example of disabling the Insert > Hyperlink option from within Microsoft Word 2003, which has a Policy ID of 1576 and a keyboard shortcut key and modifier ID of 75,8.
1. Open Microsoft Word 2003 and select Insert > Hyperlink.
2. The Insert Hyperlink dialog box appears, allowing the user to select or type the hyperlink, as shown below. This can also be accessed via the shortcut key CTRL+K.
[60] Managing Users' Configurations by Policy {R22}: http://office.microsoft.com/en-us/ork2003/HA011402401033.aspx
User Configuration > Administrative Templates > Microsoft Office Word 2003 > Disable items in user interface > Custom
    Disable shortcut keys: Enabled
        Enter a key and modifier to disable: 75,8
5. On the client workstation, update the group policies by running the following command
within a Command Prompt:
C:\>gpupdate /force /wait:0
This will re-apply the policies to this workstation immediately.
6. Open Microsoft Word 2003 and select the Insert menu, and, as shown below, the
Hyperlink option is now disabled with a customised message stating: Insert Hyperlink:
Disabled by the IT Dept. Call Ext 12345 for further assistance. (Ctrl+K)
The default message of ‘Disabled by your system administrator’ can be customised, as shown
above, using the following Group Policy setting: User Configuration > Administrative Templates
> Microsoft Office 2003 > Disable items in user interface > Tooltip for disabled toolbar buttons
and menu items.
The removable storage devices which can be managed by policy settings, by default, within Windows Vista are:
    CD and DVD drives
    Floppy Disk drives (including USB Floppy drives)
    Removable Disk drives, such as USB keys
    Tape drives
    WPD drives (Windows Portable Devices such as music players, phones and Personal Digital Assistants (PDAs))
The ability to specify a custom class is also provided for devices that do not fit into the above categories but need to be controlled.
The policy settings available to a GPO Administrator, to specify whether the removable storage
devices can be read or written to, are controlled using a user or computer based policy. This allows
an administrator to have granular control over which users can use these devices and which
cannot.
However, the policy settings which control the device installation are only available through a
computer based policy. A common scenario would be to disable the installation of devices on
users’ computers, whilst still allowing administrators the ability to install these devices. The policy
settings would then further define whether users could only read from these devices, or write to
them as well.
This GPO building block is split into two components. One component focuses on the device installation aspect and, as such, is a computer based GPO. The second component focuses on device usability from the user's perspective and, as such, is a user based GPO. This follows the current best practice approach of separating the computer based policy settings from the user based policy settings where possible, as detailed in section 5.5.2.
Recommendation
A policy setting exists to allow administrators to continue to install devices regardless of the settings
configured in the other configuration options available. This setting is ‘Allow administrators to override
Device Installation Restrictions policies’. While this setting could aid an administrator in still allowing a
device to be installed, it could become confusing to a user.
The reason for this is when this setting is enabled, rather than displaying a warning or a custom message
if one has been specified, it prompts the user for administrative credentials. This could result in a call to
the helpdesk requesting assistance in installing the device or, if the user clicks the available Cancel
button, the installation of the device will stop without providing any further feedback and again result in a
potential helpdesk call.
It is therefore recommended to not enable this setting, but instead have a security group containing users
who should not have these restrictions configured. This security group would then be denied the Apply
Group Policy right in the permissions of the GPO.
Property                Setting
Block Inheritance       Unchecked
[61] This setting is supported by at least Windows Vista.
[62] The example text provided for the custom message should be replaced with one deemed appropriate for your healthcare organisation.
[63] All permissions detailed here are Allow permissions unless stated otherwise.
Property                Setting
                        Delete All Child Objects
                        System: Read, Write, Create All Child Objects, and Delete All Child Objects
Table 46: Removable Storage Devices Installation GPO Properties
Note
For this example GPO, write access is denied to users where this GPO applies. The Removable Disks policy setting has been specified here; when used in conjunction with the settings in Table 45, other removable devices will not be able to be connected and, as such, a USB key would not be available to the user.
To allow specific users the ability to write to certain removable devices, a security group should be used which is denied the Apply Group Policy right within the permissions of the GPO.
Property                Setting
Block Inheritance       Unchecked
Permissions [65]        SG GPO Removable Storage Deny Write: Read & Apply Group Policy
                        Creator Owner: (none explicitly set)
                        Domain Admins (DomainName\Domain Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
                        Enterprise Admins (DomainName\Enterprise Admins): Read, Write, Create All Child Objects, and Delete All Child Objects
                        System: Read, Write, Create All Child Objects, and Delete All Child Objects
Table 48: Removable Storage Read and Write Access GPO Properties
Recommendation
The above example illustrates a simple introduction of a removable storage device policy, should one be required. If more granular control is needed, such as the configuration of custom classes and the specifying of compatible IDs, further details and guidance are available in the article Step-By-Step Guide to Controlling Device Installation and Usage with Group Policy [66], which should be read in conjunction with this document.
[64] This setting is supported on at least Windows Vista.
[65] All permissions detailed here are Allow permissions unless stated otherwise.
[66] Step-By-Step Guide to Controlling Device Installation and Usage with Group Policy {R23}: http://technet2.microsoft.com/WindowsVista/f/?en/library/9fe5bf05-a4a9-44e2-a0c3-b4b4eaaa37f31033.mspx
Computer Configuration > Administrative Templates > System > Power Management > Hard Disk Settings
    Turn Off the Hard Disk (Plugged In) [67]: Enabled
        Turn Off the Hard Disk (seconds): 1200
    Turn Off the Hard Disk (On Battery) [67]: Enabled
        Turn Off the Hard Disk (seconds): 600
Computer Configuration > Administrative Templates > System > Power Management > Sleep Settings
    Turn on Applications to Prevent Sleep Transitions (Plugged In) [67]: Enabled
    Require a Password When a Computer Wakes (Plugged In) [67]: Enabled
    Turn on Applications to Prevent Sleep Transitions (On Battery) [67]: Enabled
    Require a Password When a Computer Wakes (On Battery) [67]: Enabled
Computer Configuration > Administrative Templates >
    Turn Off Adaptive Display Timeout (Plugged In) [67]: Enabled
[67] This setting is supported on at least Microsoft Windows Vista.
Property                Setting
Block Inheritance       Unchecked
[68] All permissions detailed here are Allow permissions unless stated otherwise.
Note
To be able to back up the TPM owner information and BitLocker recovery information to Active Directory, appropriate schema extensions must be made, and access control settings configured, on the domain. For more information, see the article Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information [69].
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption
    Turn on BitLocker backup to Active Directory Domain Services 70: Enabled
        Require BitLocker backup to AD DS: Checked
        Select BitLocker recovery information to store: Recovery passwords and key packages
    Control Panel Setup: Enable advanced startup options 70: Enabled
        Allow BitLocker without a compatible TPM: Checked
        Settings for computers with a TPM:
            Configure TPM startup key option: Require startup key with TPM
            Configure TPM startup PIN option: Disallow startup PIN with TPM
    Control Panel Setup: Configure recovery options 70: Enabled
        Configure 48-digit recovery password option: Disallow recovery password
        Configure 256-bit recovery key option: Disallow recovery key
Table 51: BitLocker and Trusted Platform Module GPO Example
Property Setting
Block Inheritance Unchecked
69 Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information {R24}: http://technet2.microsoft.com/WindowsVista/en/library/3dbad515-5a32-4330-ad6f-d1fb6dfcdd411033.mspx?mfr=true
70 This setting is supported on at least Microsoft Windows Vista.
71 All permissions detailed here are Allow permissions unless stated otherwise.
6.4 Migration
There are three aspects to migration that a GPO Administrator will need to be aware of:
Migration of system policies to group policies
Migration of a GPO created within a test environment to be imported into a live environment
Migrating ADM templates and ADMX files
A Microsoft Knowledge Base article, How to use the Group Policy Migration utility to migrate
Windows NT System Policy settings to Windows 2000 or Windows Server 2003 72, details the usage
of this utility and, most importantly, the troubleshooting points covering the common issues that
are experienced.
72 How to use the Group Policy Migration utility to migrate Windows NT System Policy settings to Windows 2000 or Windows Server 2003 {R25}: http://support.microsoft.com/kb/317367
The migration table is created using the Migration Table Editor (MTE), provided as part of the
GPMC. A migration table consists of one or more mapping entries. Each mapping entry consists of
a type, source reference, and destination reference. If you specify a migration table when
performing an import or copy, each reference to the source entry will be replaced with the
destination entry when writing the settings into the destination GPO.
The migration table will apply to any references in the settings within a GPO, whether you are
performing an import or copy operation. In addition, during a copy operation, if you choose the
option to preserve the discretionary access control list (DACL) on the GPO, the migration table will
also apply to both the DACL on the GPO and the DACLs on any software installation settings in the
GPO.
Migration tables are specified when performing import and copy operations. There are three
options for using migration tables with import and copy:
Do not use a migration table – This option copies the GPO exactly as it is. All references
to security principals and UNC paths are copied identically.
Use a migration table – This option maps any references in the GPO that are in the
migration table. References that are not contained in the migration table are copied as is.
Use a migration table exclusively – This option requires that all references to security
principals and UNC paths that are referenced in the source GPO be specified in the
migration table. If a security principal or UNC path is referenced in the source GPO and is
not included in the migration table, the import or copy operation fails.
In addition, cross-domain copy operations will apply the migration table to the DACL on the GPO
(and any software installation settings) if you choose the option to ‘Preserve or migrate the
existing permissions’.
When performing a copy or import, the wizard scans the source GPO to determine if there are any
references to security principals or UNC paths in the GPO. If there are, you have the opportunity to
specify a migration table. During a cross-domain copy operation, if the option to ‘Preserve or
migrate the permissions on the GPO’ is specified, the wizard will always present the opportunity
to specify a migration table because a DACL, by definition, contains security principals.
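The three migration table options above, together with the DACL rule for cross-domain copies, as an added worked example (this is not code from the document or from GPMC): a migration table is parsed and applied to the security principal and UNC path references in a GPO. The .migtable XML namespace and element names are assumed from GPMC-generated files, and the domain, account and server names are constructed.

```python
"""Added example (not code from the document or from GPMC): parse a migration
table and apply it to the references in a GPO under the three options the
text describes, including the DACL rule for cross-domain copies."""
from dataclasses import dataclass, field
from enum import Enum
import xml.etree.ElementTree as ET

# XML namespace of .migtable files (assumption: as written by the GPMC
# Migration Table Editor; the document itself does not show the format).
NS = "http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable"

# Constructed sample table: a GPO built in a TEST domain is being copied
# into a PROD domain. All names are fictitious.
SAMPLE_MIGTABLE = """<MigrationTable xmlns="%s">
  <Mapping><Type>Domain Global Group</Type>
    <Source>TEST\\GPO Admins</Source><Destination>PROD\\GPO Admins</Destination></Mapping>
  <Mapping><Type>User</Type>
    <Source>svc_logon@test.local</Source><Destination>svc_logon@prod.local</Destination></Mapping>
  <Mapping><Type>UNC Path</Type>
    <Source>\\\\testdc01\\software</Source><Destination>\\\\proddfs\\software</Destination></Mapping>
</MigrationTable>""" % NS


class TableMode(Enum):
    """The three options offered by the import/copy wizard."""
    NONE = "Do not use a migration table"
    USE = "Use a migration table"
    EXCLUSIVE = "Use a migration table exclusively"


class MigrationError(Exception):
    """Raised when the import/copy operation would fail."""


@dataclass
class Gpo:
    """Minimal model of a GPO: the references inside its settings, and the
    trustees in its DACL (also migrated on a cross-domain copy when the
    existing permissions are preserved)."""
    name: str
    setting_refs: list = field(default_factory=list)
    dacl_trustees: list = field(default_factory=list)


def parse_migration_table(xml_text: str) -> dict:
    """Read each <Mapping> entry into a source -> destination dictionary."""
    root = ET.fromstring(xml_text)
    table = {}
    for mapping in root.findall(f"{{{NS}}}Mapping"):
        source = mapping.findtext(f"{{{NS}}}Source")
        destination = mapping.findtext(f"{{{NS}}}Destination")
        if source is None or destination is None:
            raise MigrationError("mapping entry lacks Source or Destination")
        table[source] = destination
    return table


def migrate_references(refs, table, mode):
    """Return the references as they would be written into the destination GPO."""
    if mode is TableMode.NONE:
        return list(refs)  # copied identically, nothing is mapped
    migrated = []
    for ref in refs:
        if ref in table:
            migrated.append(table[ref])
        elif mode is TableMode.EXCLUSIVE:
            # Exclusive mode: every reference must be in the table, otherwise
            # GPMC fails the whole import/copy operation.
            raise MigrationError(f"reference not in migration table: {ref!r}")
        else:
            migrated.append(ref)  # not in the table: copied as is
    return migrated


def unmapped_references(gpo, table):
    """Pre-flight check: references that would make an exclusive copy fail."""
    return sorted({r for r in gpo.setting_refs + gpo.dacl_trustees if r not in table})


def copy_gpo(source, table, mode, preserve_permissions, new_name):
    """Cross-domain copy: settings references always go through the table; the
    DACL does so only when 'Preserve or migrate the existing permissions' is
    chosen. Otherwise the new GPO gets default permissions (modelled as empty)."""
    settings = migrate_references(source.setting_refs, table, mode)
    dacl = migrate_references(source.dacl_trustees, table, mode) if preserve_permissions else []
    return Gpo(new_name, settings, dacl)


if __name__ == "__main__":
    table = parse_migration_table(SAMPLE_MIGTABLE)
    test_gpo = Gpo("Healthcare Desktop Baseline",
                   [r"\\testdc01\software", r"TEST\GPO Admins", r"TEST\Helpdesk"],
                   [r"TEST\GPO Admins", "svc_logon@test.local"])
    print("not in table:", unmapped_references(test_gpo, table))
    print(copy_gpo(test_gpo, table, TableMode.USE, True, test_gpo.name))
    try:
        copy_gpo(test_gpo, table, TableMode.EXCLUSIVE, True, test_gpo.name)
    except MigrationError as exc:
        print("exclusive copy failed:", exc)
```

Running `unmapped_references` before choosing the exclusive option shows exactly which principals or paths still need a mapping entry.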
The whitepaper Migrating GPOs Across Domains with GPMC 73 is available to download from
Microsoft and details extensively the operation of migrating GPOs from one domain to another.
The ADMX Migrator allows multiple ADM templates to be converted at a time. The ADMX Migrator
creates a unique namespace which can be renamed, and will display a warning if a collision is
detected due to duplicate names. Also, any items that cannot be validated against the ADMX
schema are preserved in an Unsupported section. The ADMX Migrator can also be run from a
Command Window, which is recommended for multiple ADM Template conversions.
73 Migrating GPOs Across Domains with GPMC {R26}: http://www.microsoft.com/windowsserver2003/gpmc/migrgpo.mspx
Note
Any annotations that exist in ADM templates are removed during the conversion process.
The ADMX Migrator can be downloaded 74 and can be installed on a Windows Server or Windows
Client machine. For installation on:
A server – a minimum of Windows Server 2003 Service Pack 1 is required with MMC version 3.0 75 installed
A client – a minimum of Windows XP Service Pack 2 is required with MMC version 3.0 76 installed
Note
Windows Vista includes MMC version 3.0 and, as such, already meets the minimum installation
requirements.
1. Open ADMX Migrator (click Start or the Windows Button, point to All Programs, point
to FullArmor, point to FullArmor ADMX Migrator, and then click ADMX Migrator).
74 ADMX Migrator {R27}: http://go.microsoft.com/fwlink/?LinkId=77409
75 Microsoft Management Console 3.0 for Windows Server 2003 (KB907265) {R28}: http://www.microsoft.com/downloads/details.aspx?FamilyID=4c84f80b-908d-4b5d-8aa8-27b962566d9f&DisplayLang=en
76 Microsoft Management Console 3.0 for Windows XP (KB907265) {R29}: http://www.microsoft.com/downloads/details.aspx?FamilyID=61fc1c66-06f2-463c-82a2-cf20902ffae0&DisplayLang=en
2. Within the ADMX Migrator MMC snap-in, click Generate ADMX from ADM… from the
right hand Actions pane (as circled in the figure below).
3. In the Open dialog box, navigate to the folder containing the ADM Template, click the file
and click Open.
Once the ADM Template has been migrated, the following dialog box displays:
4. Click Yes to load the ADMX Template into the ADMX Editor.
Additionally, the ADMX Migrator provides an ADMX Editor with a graphical user interface for
creating and editing Administrative Templates. This allows the selection of settings from menus
rather than entering them manually in a text file, speeding up the template creation process and
reducing the chance for error.
Figure 12 below shows the imported ADM Template in the ADMX Migrator in editing mode. The
imported CADWarning ADMX file contents have been expanded in the left hand pane and show
the settings contained within it. Below the settings pane are a number of tabs to select from. These
options assist a GPO Administrator in ensuring the ADMX file is being created in the correct format.
7 STABILISE
The Stabilise phase involves testing the solution components whose features are complete,
resolving and prioritising any issues that are found. Testing during this phase emphasises usage
and operation of the solution components under realistic environmental conditions.
This involves testing and acceptance of the OU structure as well as the GPOs that are created both
as part of this document and subsequent policies.
Figure 13 acts as a high-level checklist, illustrating the critical components which an IT professional
responsible for stabilising the design of Group Policy for desktop management needs to determine.
Figure 13: Sequence for Stabilising Group Policy for Desktop Management
8 OPERATE
During the Operate phase, the deployed solution components are proactively managed to ensure
they provide the required levels of solution reliability, availability, supportability, and manageability.
Figure 14 acts as a high-level checklist, illustrating the critical components for which an IT
professional is responsible in a managed and operational Group Policy environment.
Figure 14: Sequence for Operating Group Policy for Desktop Management
The most commonly used functions available through the GPMC are:
Creating, Deleting and Renaming GPOs and WMI filters
Linking GPOs and WMI filters
Delegation – Including permissions on GPOs and WMI filters, policy related permissions on sites, domains and OUs, and creation rights for GPOs and WMI filters
Backup – Also called the export operation, this transfers the contents of a GPO from Active Directory to the file system
Restore – Returns a GPO to the state it was in when last backed-up
Import – Transfers the policy settings from a backed-up GPO in the file system to a GPO in the Active Directory
Copy – Transfers the policy settings from an existing GPO in the Active Directory to a new GPO in the Active Directory
Reporting – Including reporting on GPO settings and RSoP data
Note
Whilst the import and copy operations appear similar, they differ in that the source for the import must be
from the file system and the destination must be an existing GPO, whereas the source for the copy must
be within Active Directory and the destination must be a new GPO.
As with the other administration tools, the GPMC is a snap-in to the MMC and, as such, can be run
directly (via GPMC.msc) or within a custom MMC through the Add/Remove Snap-in option.
GPMC version 1.0 with Service Pack 1 (SP1) is the latest version available for download 77 from
Microsoft. However, GPMC version 2.0 is built into Windows Vista.
Recommendation
It is recommended that GPMC version 2, as provided with Windows Vista, is used for GPO administration.
Note
The download version of GPMC, version 1.0 with SP1, cannot manage Windows Vista. Also, this version
cannot be installed on Windows Vista as it is not compatible.
77 Group Policy Management Console with Service Pack 1 {R30}: http://go.microsoft.com/fwlink/?LinkID=46570
INETRES.ADM 18th February 2005 Provides settings relating to the configuration of Internet Explorer
SYSTEM.ADM 18th February 2005 Provides settings relating to the configuration of the operating system
WMPLAYER.ADM 18th July 2005 Provides settings relating to the configuration of Windows Media Player
WUAU.ADM 18th July 2005 Provides settings relating to the configuration of Windows Update
Table 53: Default .adm Files
These standard files are the default files that are loaded by GPO Editor. As newer operating
systems or service packs are released, an updated set of ADM files accompany them. These ADM
files include all the policy settings that are specific to each operating system, and service pack
level.
For example, the ADM files that are provided with Windows Server 2003 include all policy settings
for all operating systems, including those that are only relevant to Windows 2000 or Windows XP
Professional. This means that simply viewing a GPO from a computer with the new release of an
operating system or service pack effectively upgrades the ADM files. As later releases are typically
a superset of previous ADM files, this will not typically create problems, assuming that the ADM
files that are being used have not been edited.
Note
Situations can arise from a service pack containing a subset of ADM files that were provided with an
earlier release of operating system or service pack. In this instance, if these ADM files are deemed more
up-to-date, these ADM files will update the current set. The resulting set of ADM files may, at this point,
not contain all the settings that have previously been configured with a seemingly earlier version of ADM
files. Whilst these settings will still be in effect, they will not be visible within the GPO Editor.
To determine whether the ADM files used within the SYSVOL folder require updating, a timestamp
comparison takes place between those in the SYSVOL folder and those stored on the machine
being used to either view or edit the GPO.
Recommendations
All GPO administrators utilise the GPMC for the viewing and editing of GPOs.
All GPO administrators use a common operating system / service pack platform and ensure that the ADM
files used are the same across all administrative machines.
Ensure that the most up-to-date Group Policy ADM files are used; these are available to download 78 from
Microsoft.
78 Group Policy ADM files {R31}: http://go.microsoft.com/fwlink/?linkid=31057
Use of a Group Policy, applied to all GPO administrators, which utilises the ‘Turn off automatic update
of ADM files’ setting to ensure that the ADM files are not overwritten within the GPT by any GPO Editor
session.
If using Windows Server 2003:
Use a Group Policy, applied to all Microsoft Windows Server 2003 servers, which utilises the ‘Always use
local ADM files for Group Policy Object Editor’ setting.
Use Windows Server 2003 to view and edit GPOs.
Notes
By default the GPMC uses local ADM files, regardless of their timestamp, and never copies the ADM files
to the SYSVOL folder.
The use of the new setting above for Windows Server 2003 can be useful when considering the removal
of ADM files from the SYSVOL folder due to the size that a large utilisation of GPOs can cause; this is
discussed in more detail in section 8.1.6.
The recommendation above for all GPO Administrators to use a common operating system and
service pack level may not always be possible depending upon the environment in which the GPOs
are being deployed. For example, in some situations, one GPO Administrator workstation may use
a Windows XP Professional SP1 workstation whereas another may use a Windows XP
Professional SP2 workstation.
In this case, errors could occur for the administrator using the XP SP1 workstation if a GPO has
been viewed by the administrator using the XP SP2 workstation. This is a known issue and a Hotfix
is available for the following operating systems:
Windows Server 2003
Windows XP with SP1
Windows 2000
Errors occur due to a change in some templates which use the LISTBOX ADDITIVE syntax. Using
an earlier version of the GPO Editor, namely that supplied with the operating systems listed above,
an error is displayed stating, ‘The following entry in the [strings] section is too long and has been
truncated’.
There is a Knowledge Base article 79 which details this issue further and provides links to download
the relevant Hotfix associated with the operating system requiring an update.
The GPO Editor will look in SYSVOL; however, it can look elsewhere if specified within a GPO.
79 “The following entry in the [strings] section is too long and has been truncated” error message when you try to modify or to view GPOs in Windows Server 2003, Windows XP Professional, or Windows 2000 {R32}: http://support.microsoft.com/kb/842933
Another difference in the ADMX files is the number of files provided. The default set of ADM
templates for earlier versions of Windows consists of five default templates, whereas the settings
available through the ADMX files are distributed amongst 132 files. This is due to the ADMX files
now focusing on specific Windows components such as Windows Explorer, Control Panel, Sidebar,
Windows Defender and so on.
As with the ADM templates, the ADMX files also include the settings to manage other Windows
operating systems which support the use of Group Policy.
Recommendation
To prepare for the deployment of Windows Vista within the environment, it is advisable to introduce the
use of the ADMX files as early as possible to ensure that new Windows Vista clients joining the domain
are managed immediately.
To create the Central Store through a onetime manual process per domain:
1. Open Windows Explorer on a Windows Vista client.
2. Navigate to the SYSVOL\domain\policies folder on a Domain Controller within the
domain, (while any DC can be used, it is recommended that the PDC-emulator is used as
Group Policy changes are usually focused on this DC).
3. Create a new Folder called PolicyDefinitions within the policies folder.
4. Create a subfolder within the PolicyDefinitions folder for each language required by the
GPO Administrators. Names should use the appropriate ISO-style Language/Culture Name,
which can be found in Valid Locale Identifiers 80. For example, to create a subfolder for
United Kingdom English, create a subfolder of EN-GB.
5. To populate the new folder structure, copy all ADMX files and the language subfolder from
%WINDIR%\PolicyDefinitions to the new SYSVOL\domain\policies\PolicyDefinitions
folder, where domain is the actual name of your domain.
As the Central Store is part of the SYSVOL share, it is replicated to all DCs in the normal
manner. The big difference with GPOs using ADMX files is that there is now only a single
instance of the ADMX files, as opposed to a copy of the ADM templates in each and every GPO
created prior to the use of Windows Vista to administer Group Policy.
80 Valid Locale Identifiers {R33}: http://msdn.microsoft.com/en-us/library/ms693062.aspx
Recommendation
It is recommended that healthcare organisations implement the use of the Central Store to not only ensure
all GPO Administrators use the same version of ADMX files, but to reduce overhead of the SYSVOL
replication.
The policy setting ‘Always use local ADM files for Group Policy Object Editor’ can be
used in conjunction with the removal of ADM files from the SYSVOL folder to minimise the size of
the SYSVOL and assist in reducing the amount of replication traffic. As mentioned above, this can
only be applied to a Windows Server 2003 client; although the setting can be deployed to a
Windows XP client, it has no effect there.
Note
Windows XP does not support editing GPOs when there are no ADM files in the SYSVOL folder. As such
only Windows Server 2003 clients can be used to view/edit GPOs in this scenario.
Should replication performance become an issue, and the above settings be available for use,
the steps below can be used to remove the ADM files from the SYSVOL folder.
All Office (built-in ADM templates removed) 412 (Office 2003) / 2846 (2007 Office)
Office, Word, Excel (built-in ADM templates removed) 192 (Office 2003) / 1064 (2007 Office)
Table 54: GPO Template Sizes
As can be seen in Table 54, reducing the templates imported into a GPO can considerably reduce
the size of the GPO and help reduce replication traffic. Should replication of these templates cause
issues, consider the steps shown in section 8.1.6.
81 See Windows Desktop Management and Deployment {R34} for more information on the Microsoft Desktop Optimization Pack: http://www.microsoft.com/windows/products/windowsvista/enterprise/mdopoverview.mspx
Role-based delegation
Integrates with the GPMC
Implementing AGPM will provide a healthcare organisation with a more secure and better managed
environment in which to provide desktop management through Group Policy, and therefore help to
reduce the TCO of the Windows Desktop estate.
8.2.1 Planning
Prior to using the AGPM, it is important to understand how its implementation can aid a healthcare
organisation in better managing the deployment of Group Policy.
As listed in section 9.2, AGPM provides the ability to implement change control on all GPOs, as
well as editing the GPOs in an offline state.
AGPM also allows changes to be tracked on a controlled GPO through a check out/check in
process, and a GPO can be rolled back to any point.
With a controlled GPO, a GPO Administrator would need to first check out a copy of the GPO from
an archive created as part of the installation process. This ensures that while this Administrator is
editing the GPO, another Administrator is not able to modify it until it has been checked back in.
This prevents multiple GPO Administrators from making conflicting changes to a GPO at the same
time. Should the other GPO Administrator subsequently check out the GPO and amend the
changes made, a full audit trail of the change would be available to view.
Changes made to a controlled GPO in this way do not affect a live user or computer until the GPO
is deployed into the production environment. This is because editing of a controlled GPO takes
place on an offline copy of the GPO, which only becomes live when explicitly selected through
the GPMC.
This method of managing GPOs provides management with visibility of who has made which
amendment and when. It also provides an assurance that the correct configuration will be applied
to users or computers when reviewing the GPO for approval.
Recommendation
Even if a healthcare organisation has only one person who is responsible for the administration of GPOs,
it is highly recommended that the AGPM is installed to take advantage of the change control and offline
editing components of AGPM, allowing for a historical view of changes made and immediate roll-back if
required.
AGPM also comes with the ability to introduce role-based delegation to the GPO Administrators
within a healthcare organisation. This allows multiple GPO Administrators to have their
responsibilities defined regarding what activities they undertake on GPOs.
There are four specifically designed roles provided by the AGPM. They are:
AGPM Administrator (Full control)
Approver
Editor
Reviewer
The AGPM Administrator role includes the permissions for all other roles.
This role-based delegation introduces an optional workflow process. This ensures any creation or
amendment of a GPO is not deployed to the production environment without first being approved
by a GPO Administrator, whose responsibility it is to verify the GPO is correct.
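The check out, check in, deploy and roll-back workflow described above, together with the role split between Editors and Approvers, as an added model in Python (this is not code from the document or from AGPM itself): a controlled GPO is locked to one administrator while checked out, every check-in becomes an archived version, nothing reaches production until an explicit deploy, and any archived version can be deployed again. The class, method and account names are this example's own, and the rights assigned to each role follow the role descriptions in the text.

```python
"""Added example (not code from the document or from AGPM): a model of AGPM
change control as this section describes it."""
from dataclasses import dataclass, field
from typing import Optional

# Rights each role has in this model: Editors edit, Approvers deploy, the
# AGPM Administrator includes the permissions of all other roles, Reviewers
# only read. Names are the AGPM role names; the rights are this model's own.
ROLE_RIGHTS = {
    "AGPM Administrator": {"edit", "deploy"},
    "Approver": {"deploy"},
    "Editor": {"edit"},
    "Reviewer": set(),
}


class AgpmError(Exception):
    """Raised when an action would violate the change control workflow."""


def require(role: str, right: str) -> None:
    if right not in ROLE_RIGHTS.get(role, set()):
        raise AgpmError(f"role {role!r} lacks the {right!r} right")


@dataclass
class Version:
    number: int
    settings: dict
    author: str
    comment: str


@dataclass
class ControlledGpo:
    name: str
    archive: list = field(default_factory=list)  # every version ever checked in
    checked_out_by: Optional[str] = None
    production: Optional[dict] = None            # what live users/computers get

    def control(self, admin: str, settings: dict) -> int:
        """Bring an existing GPO under change control: version 1 in the archive."""
        self.archive.append(Version(1, dict(settings), admin, "Controlled"))
        return 1

    def check_out(self, admin: str, role: str) -> dict:
        """Lock the GPO to one administrator and hand back an offline copy."""
        require(role, "edit")
        if self.checked_out_by not in (None, admin):
            raise AgpmError(f"{self.name} is checked out by {self.checked_out_by}")
        self.checked_out_by = admin
        return dict(self.archive[-1].settings)

    def check_in(self, admin: str, settings: dict, comment: str) -> int:
        """Store the edited copy as a new version and release the lock.
        Production is untouched: the edit happened on the offline copy."""
        if self.checked_out_by != admin:
            raise AgpmError(f"{admin} does not hold the check-out for {self.name}")
        number = len(self.archive) + 1
        self.archive.append(Version(number, dict(settings), admin, comment))
        self.checked_out_by = None
        return number

    def deploy(self, admin: str, role: str, version: Optional[int] = None) -> int:
        """Deploy a version to production; an older number is a roll-back."""
        require(role, "deploy")
        target = self.archive[-1] if version is None else next(
            (v for v in self.archive if v.number == version), None)
        if target is None:
            raise AgpmError(f"no version {version} of {self.name} in the archive")
        self.production = dict(target.settings)
        return target.number

    def audit_trail(self) -> list:
        """Who made which amendment, in version order."""
        return [(v.number, v.author, v.comment) for v in self.archive]


if __name__ == "__main__":
    gpo = ControlledGpo("Healthcare Desktop Baseline")  # constructed names
    gpo.control("alice", {"ScreenSaverTimeout": 600})
    gpo.deploy("bob", "Approver")
    draft = gpo.check_out("carol", "Editor")
    draft["ScreenSaverTimeout"] = 300
    gpo.check_in("carol", draft, "Shorter screen saver timeout")
    print("production before approval:", gpo.production)
    gpo.deploy("bob", "Approver")
    print("production after approval:", gpo.production)
    gpo.deploy("bob", "Approver", version=1)  # roll back to known good
    print("production after roll-back:", gpo.production, gpo.audit_trail())
```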
Recommendation
If there are multiple GPO Administrators within the healthcare organisation, it is recommended that the
AGPM roles are used.
For example, a healthcare organisation may have a primary central administration location, but allow local
administrators the ability to create and modify GPOs relevant to the region they are responsible for.
Implementing roles enables an element of control over what is created, ensuring the purpose of the GPO
has been defined and naming conventions adhered to, but still allowing the local administrators the ability
to maintain GPOs that affect users and computers they are administering.
Warning
If a user is a member of the Domain Admins security group, and this user has access to the GPMC or
GPO Editor through Active Directory Users and Computers, this user could circumvent the AGPM.
Consider creating a security group which includes those administrators whose job function includes
administering GPOs. Then, create a GPO which controls the running of certain administrative tools
through the Restricted/Permitted MMC snap-ins option. Within this GPO, the GPMC, GPO Editor and the
Group Policy tab in the properties of the domain and OUs within Active Directory Users and Computers
can be disabled. Once this GPO has been created, the permissions of the GPO can be set, such that, the
security group containing GPO administrators is denied the right to apply the GPO.
This will result in all users who are not a member of the security group being denied the ability to open and
potentially edit GPOs, even if the user is a member of the Domain Admins security group.
The AGPM is made up of the AGPM Server and the AGPM Client; both of which need to be
installed and configured for AGPM to operate.
The server component creates an archive which is responsible for storing all GPOs including all
historical data relating to this AGPM Server. The installation also configures an AGPM service that
acts as a security proxy which manages client access to GPOs in the archive and production
environment.
The client component is required by all GPO Administrators who create, edit, deploy, review or
delete GPOs. The installation provides additional functionality to the GPMC.
The following sections provide details on how AGPM should be installed and configured to take
advantage of these features as well as further details of the features themselves.
The AGPM Client can be installed on the same computer on which AGPM Server has been
installed.
Recommendation
In a test environment, the AGPM Server and Client can be installed on the same computer however it is
recommended that in a production environment, these two components are installed on different
computers.
Consider installing the AGPM Server on a domain member server which has capacity to store the archive
of the GPOs. Once the AGPM Server is installed, it is possible to modify the path at a later date should it
become necessary to do so.
All GPO Administrators should have the AGPM Client installed ensuring that all access to GPOs is
maintained through the change control process.
The installation and configuration of AGPM is a relatively simple process but one that requires a
number of steps. The following list can be used as a checklist to ensure all of these steps have
been completed:
1. Install the AGPM Server.
2. Install the AGPM Client.
3. Configure an AGPM Server Connection.
4. Configure e-mail notification.
5. Delegate Access.
Note
It is not possible to migrate an archive from an AGPM Server running on Windows Server 2003 to an
AGPM Server running on Windows Vista.
If installing AGPM Server onto Windows Server 2003 which already has GPOVault Server installed, allow
the installation of AGPM Server to uninstall GPOVault Server, as this will automatically transfer any
existing GPOVault archive data to an AGPM archive.
By default, the Link GPOs permission is assigned to only members of the Domain Administrators and
Enterprise Administrators security groups. To assign the Link GPOs permission to additional users or
groups, you should use the Delegation tab within GPMC.
The Microsoft Advanced Group Policy Management – Server Setup Wizard launches and
the Welcome page displays:
4. Read and accept the terms by selecting the I accept the license terms check box.
6. Type the location where the AGPM Server will be installed, or click Change… to
browse to the destination folder.
7. Click Next. The Archive Path page displays:
8. Type the path for where the archive will be located, or click Change… to browse to the
destination folder.
9. Click Next. The AGPM Service Account page displays:
12. Enter the name of the User Account 82 that will act as the initial owner and therefore have
full permissions over all GPOs.
Note
The User Account used as the initial Archive Owner can be a temporary assignment. The purpose
of this account is to allow the specified user to add further users, or groups of users, and assign
appropriate AGPM permissions to them. These permissions can follow the standard set available
using the AGPM Admin, Approver, Editor and Reviewer roles, or customised further if appropriate.
13. Click Next. The Ready to install Microsoft Advanced Group Policy Management – Server
page displays:
82 It is recommended that a user group is specified as the membership of the group can change whilst the group remains the overall archive owner.
4. Read and accept the terms by selecting the I accept the license terms check box.
5. Click Next. The Application Path page displays:
6. Type the location for installing the AGPM Client, or click Browse… to browse to the
destination folder.
8. Specify the fully qualified DNS Name of the AGPM Server and the Port on which to
connect. By default, the port number is 4600.
9. Click Next. An information dialog box may be presented informing the user that the chosen
port is required for client/server communication.
10. Click Yes to add the port to the Windows Firewall exceptions list.
11. Click Next on the AGPM Server page again to proceed to the Ready to install Microsoft
Advanced Group Policy Management – Client page.
12. Click Install. The Completed the Microsoft Advanced Group Policy Management – Client
Setup Wizard page displays:
Recommendation
Within the GPO edited in the steps above, the setting AGPM Server (all domains) was configured. It is
recommended that as a minimum this setting is configured and applied to all GPO Administrators. Should
certain GPO Administrators use a different AGPM Server, then utilise the AGPM Server setting and apply
this to those GPO Administrators. The AGPM Server GPO setting overrides the AGPM Server (all
domains) setting.
For example, create a baseline GPO that configures the AGPM Server (all domains) setting and have this
apply to all GPO Administrators. Then create an incremental GPO that configures the AGPM Server
setting and have this applied to only those GPO Administrators which use a different AGPM Server to the
default.
To delegate access:
1. Using an AGPM Administrator account, open the Group Policy Management Console
(click Start or the Windows Button, point to Administrative Tools and click Group
Policy Management).
2. Click Change Control in the domain in which the GPOs are to be managed.
3. In the right-hand details pane, click the Domain Delegation tab.
4. Click the Advanced button.
5. In the Permissions dialog box, select the check box for each role to be assigned to a GPO
Administrator.
6. Click the Advanced button.
7. In the Advanced Security Settings dialog box, select a GPO Administrator, and click
Edit.
8. For Apply onto, select This object and nested objects, click OK in the Permission
Entry dialog box.
9. In the Advanced Security Settings dialog box, click OK.
10. In the Permissions dialog box, click OK.
Once access has been delegated appropriately to the GPO Administrators, the workflow process of
managing GPOs can be followed. See section 8.2.5, Figure 15 for further details.
With the GPOs residing in the Controlled tab, any amendment made to them is tracked through
the Change Control process and accessible within the archive.
The history of each GPO can be viewed by double-clicking on the GPO itself within the Controlled
tab. From within the History window, any version of the GPO can be analysed against any other
version of the GPO, and older versions can be deployed (rolled back) to the production
environment.
feature does not require installation or configuration, but is a standard part of the AGPM and used
whenever a GPO Administrator edits a controlled GPO.
With AGPM, should the amendment of the GPO be approved and deployed to the live environment,
but then found to cause an issue, the GPO can be rolled back to a known good state using the
AGPM Client.
In summary, offline editing of GPOs enables GPO Administrators to configure and test changes to
GPOs without impacting the live environment.
Permission          AGPM Administrator   Approver   Editor   Reviewer
List Contents       Yes                  Yes        Yes      Yes
Read Settings       Yes                  Yes        Yes      Yes
Edit Settings       Yes                  -          Yes      -
Create GPO          Yes                  Yes        -        -
Deploy GPO          Yes                  Yes        -        -
Delete GPO          Yes                  Yes        -        -
Modify Options      Yes                  -          -        -
Modify Security     Yes                  -          -        -
Create Templates    Yes                  -          Yes      -
Table 55 AGPM Default Permissions Summary
The default permissions listed above provide a healthcare organisation with a generic set of roles
that can be used as is. If deemed appropriate, these permissions can be configured further to
ensure the GPO Administrators have the right set of permissions to carry out their activity.
Note
The Modify Options and Modify Security permissions are unique to the role of the AGPM Administrator
and can therefore not be assigned to any of the other roles.
Delegating these roles can ensure that the healthcare organisation has an appropriate workflow
process in place to be able to deploy a GPO to a live environment.
Recommendation
The default permissions configured for the AGPM roles are considered suitable for use within the
healthcare organisation without further configuration. Should a role be required that is not catered for
within the default roles, the creation of the new role should be documented and added as appropriate.
A flow diagram showing the typical steps carried out when a GPO is created is given in
Figure 15 below:
Figure 15 (diagram not reproduced): the Policy Approver reviews and, if appropriate, approves creation
of the GPO. The Editor then checks the GPO out of the archive, makes amendments to the GPO offline,
checks the amended GPO back in and requests deployment of the GPO. The Policy Approver reviews the
GPO and either rejects or approves it; once approved, the Policy Approver deploys the GPO to the live
environment (the policy domain). Both the Editor and the Approver are GPO Administrators.
As part of the process identified in Figure 15, the first task for an Editor to carry out is to request the
creation of a new GPO, or if the GPO already exists but is currently uncontrolled, to request that
the GPO be controlled. This request is generated by the Editor from within the GPMC and an email
is sent to the AGPM administrators and Approvers. The email addresses are configured through
the Domain Delegation tab within GPMC, as part of the installation and configuration of AGPM.
Important
GPO Administrators, editing a GPO which is using GPSI, must have Read permission on the deployed
copy of the GPO to make full use of GPSI. This is because AGPM preserves the integrity of GPSI
packages. While GPOs are edited offline, the link between offline GPOs and packages is preserved.
The Change Control option provides GPO Administrators with a new set of tabs in which to
manage the GPOs. The right hand details pane displays the following tabs:
Contents
Controlled
Uncontrolled
Pending
Templates
Recycle Bin
Domain Delegation
AGPM Server
Note
Upon starting the GPMC and selecting the Change Control option, the AGPM Client contacts the AGPM
Server through the connection specified during installation. Should an error display whilst loading the
archive of controlled GPOs, stating that the connection was actively refused, restart the AGPM Service
on the AGPM Server and, once the service has started, refresh the AGPM Client screen to reload the
archive.
Option: Description
New Controlled GPO: This option is only available when right-clicking a blank area in the GPO frame. It
enables a GPO Administrator to create a Controlled GPO, allowing the name and a comment to be
specified, and whether the GPO is created directly in Live or in an Offline state. It also allows the GPO
to be created based upon a pre-existing template.
History: Opens a new window displaying historical information about the GPO. The window contains three
tabs that filter the view to show all versions of the GPO, only checked-in versions of the GPO, or only
those that have labels associated with them.
Settings: Enables the creation of either an HTML or XML report showing the settings contained within
the GPO. It also provides the option to display where the GPO is linked.
Differences: Enables the creation of an HTML report, an XML report or a GPO template containing the
differences between two GPOs. The GPOs to be compared must be selected before clicking this option.
Edit: Opens the Group Policy Object Editor to allow editing of the selected GPO. This option is only
available when the GPO has been checked out.
Check Out or Check In: Allows a GPO Administrator to check out a GPO to make it available for editing.
If the GPO is already checked out, the Check In option is displayed instead.
Undo Check Out: Only appears once a GPO has been checked out. Selecting Undo Check Out discards any
changes made to the GPO.
Import from Production: Allows the importing of settings from a controlled GPO.
Delete: Deletes the selected GPO, but only to the Recycle Bin. If necessary, the GPO can be restored.
Deploy: Makes the GPO available to the production environment and starts affecting live users and/or
computers.
Label: Provides the ability to comment on, or label, the GPO for record keeping.
Rename: Provides the ability to rename the selected GPO.
Save as Template: Enables a GPO Administrator to save the selected GPO as a template for creating
standardised GPOs in the future.
The Uncontrolled tab contains all GPOs which are not managed by the AGPM. It provides the
ability to select a GPO and take control of it. This then creates a copy of the GPO in the archive
and moves the GPO listing to the Controlled tab.
As with the options available in the Controlled tab, when right clicking a GPO within the
Uncontrolled tab, a GPO Administrator has the option to run reports showing the settings
contained within the GPO and also to show the differences between two selected GPOs. The GPO
can also be saved as a template for use when creating a new managed GPO.
Figure 17 below shows the Uncontrolled tab with a context menu, showing the menu given upon
right-clicking of an unmanaged GPO.
The Pending tab lists the GPOs that require action from a GPO Administrator. Unique options
available within this tab allow a GPO Administrator to withdraw a request for action prior to the
request being completed. It also enables the assigned AGPM Administrator to either Approve or
Reject the request.
The Templates tab provides a location for template GPOs. These templates can then be used as a
basis to create new managed GPOs. A template is distinctly different from any other managed GPO,
in that it cannot be edited and, as such, has no history associated with it. Should a template need
to be amended, a new controlled GPO should be created based upon the old template; this can then
be edited as required and saved as a new template.
Similar to the way in which the Windows operating system recycle bin works, the AGPM Recycle
Bin provides a location to place GPOs that have been deleted. This provides a level of protection
against accidental deletion of GPOs. Unique options available within this tab are to either Destroy
or Restore deleted GPOs. As the name suggests, Destroy permanently deletes a GPO, whereas
Restore moves a GPO back to the Controlled tab.
Note
It is not possible to delete an uncontrolled GPO from within AGPM.
Within this dialog box, it is possible to amend the AGPM role for each of the GPO Administrators.
The e-mail notification can also be configured from within the Domain Delegation tab, enabling
further use of the role based delegation functionality; see section 8.2.2.4 on how to configure the
e-mail notification.
With the introduction in Windows Vista of the ADMX and ADML files and the new version of GPMC,
Windows Vista Group Policy settings can only be managed from Windows Vista.
The following points highlight the reasons why a healthcare organisation deploying Windows Vista
should manage Group Policy from a Windows Vista client:
The new Windows Vista based policy settings can only be managed from a Windows Vista
based computer running GPMC version 2.0
Windows Vista policy settings are defined only in ADMX files and, as such, are not
readable to tools available on previous versions of Windows
The Windows Vista version of GPMC can be used to manage all operating systems that
support Group Policy (Windows Vista, Windows Server 2003, Windows XP, and Windows
2000)
All administrative policy settings that currently exist in ADM Templates can be managed by
Windows Vista
The Windows Vista version of GPMC can use the Central Store for better template
management
The Windows Vista version of GPMC does not create duplicate files of the ADMX files in
the way that previous versions do
In summary, while Windows XP and Windows Vista clients can coexist within the same domain
without issue, management of Group Policy should be completed from a Windows Vista based
administrative computer.
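As an added example that is not part of this document, the following command file populates the Central Store mentioned above from a Windows Vista administrative computer, so that every GPMC in the domain reads the same ADMX and ADML files. The Central Store location under SYSVOL (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions) is the standard one; deriving it from %USERDNSDOMAIN%, the xcopy switches and the messages are this example's own choices, and the script must be run by an account with write access to SYSVOL.

```batch
@echo off
setlocal EnableExtensions
rem Added example, not from the document: copy the local ADMX/ADML files of a
rem Windows Vista computer into the domain Central Store in SYSVOL.
rem Assumption: %USERDNSDOMAIN% holds the DNS name of the logon domain.
set "SRC=%SystemRoot%\PolicyDefinitions"
set "DST=\\%USERDNSDOMAIN%\SYSVOL\%USERDNSDOMAIN%\Policies\PolicyDefinitions"

if not exist "%SRC%\*.admx" (
    echo No ADMX files found in "%SRC%"; run this from a Windows Vista computer.
    exit /b 1
)

rem /E also copies the language subfolders (en-US and so on) that hold the ADML
rem files, /D copies only files newer than those already in the store, /Y
rem suppresses overwrite prompts, /I treats the destination as a folder.
xcopy "%SRC%\*" "%DST%\" /E /D /Y /I
if errorlevel 1 (
    echo Copy to the Central Store failed ^(check write access to SYSVOL^).
    exit /b 1
)

echo Central Store updated at "%DST%".
echo ADMX files now in the store:
dir /b "%DST%\*.admx" | find /c ".admx"
endlocal
```

Run the file again after installing a service pack or new administrative templates on the administrative computer; the /D switch means only changed files are copied, and the GPMC will pick up the Central Store automatically the next time a GPO is opened.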
8.4 Troubleshooting
Troubleshooting GPOs can be a tricky business; however, a number of very useful tools exist to aid
a GPO Administrator in ascertaining what is happening should issues arise.
Should this not lead to a fix for the issue being experienced, view the Group Policy Operational Log
for further information about the activities that have taken place with the Group Policy Service. The
Group Policy Operational Log can be seen in Figure 19 below.
For detailed information on how to use and analyse the events listed, see the article
Troubleshooting Group Policy Using Event Logs [83].
[83] Troubleshooting Group Policy Using Event Logs {R35}: http://go.microsoft.com/fwlink/?linkid=74139
Note
Windows Vista does not provide the ability to view the Group Policy settings applied through the Help and
Support application. Instead, a GPO Administrator can run the Resultant Set of Policy (RSoP) MMC snap-
in on the client machine to view the settings being applied. This RSoP data is the same as would be seen
through the GPMC.
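As an added example, not taken from the document, the command file below gathers from a Windows Vista client in one go the two sources of information described above: the Resultant Set of Policy, using gpresult (the command-line counterpart of the RSoP snap-in), and the Group Policy Operational Log, using wevtutil. The output folder, the number of events retrieved and the file names are arbitrary choices made here; the XPath filter selects critical, error and warning events only.

```batch
@echo off
setlocal EnableExtensions
rem Added example, not from the document: collect Group Policy diagnostics from
rem a Windows Vista client so they can be reviewed or attached to a support call.
rem The folder name and event counts are arbitrary.
set "OUT=%TEMP%\gp-diag-%COMPUTERNAME%"
if not exist "%OUT%" mkdir "%OUT%"

rem 1. Refresh computer policy so the log reflects a current processing cycle.
gpupdate /target:computer

rem 2. Resultant Set of Policy for this computer and the current user as HTML;
rem    gpresult refuses to overwrite, so remove any earlier report first.
if exist "%OUT%\rsop.html" del "%OUT%\rsop.html"
gpresult /h "%OUT%\rsop.html"

rem 3. Last 50 events of the Group Policy Operational Log, newest first.
wevtutil qe Microsoft-Windows-GroupPolicy/Operational /c:50 /rd:true /f:text > "%OUT%\gp-operational.txt"

rem 4. Only problems: Level 1 = critical, 2 = error, 3 = warning.
wevtutil qe Microsoft-Windows-GroupPolicy/Operational /q:"*[System[(Level=1 or Level=2 or Level=3)]]" /c:20 /rd:true /f:text > "%OUT%\gp-errors.txt"

rem 5. Export the whole log so it can be opened in Event Viewer on another computer.
if exist "%OUT%\gp-operational.evtx" del "%OUT%\gp-operational.evtx"
wevtutil epl Microsoft-Windows-GroupPolicy/Operational "%OUT%\gp-operational.evtx"

echo Diagnostics written to "%OUT%"
dir /b "%OUT%"
endlocal
```

Run it from an elevated command prompt so that computer-scope RSoP data is included; gp-errors.txt is the file to read first, as an empty file means the last policy refresh completed without warnings or errors.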
Enforce settings by using Group Policy in the 2007 Office system http://technet.microsoft.com/en-us/library/cc179081.aspx
GPMC Prerequisites
The following prerequisites are required to install and operate the GPMC successfully:
Windows XP Professional with SP1 or Windows Server 2003
Microsoft .NET Framework 2.0 (for Windows XP Professional computers)
QFE Q326469 installed (if not installed, GPMC will prompt to install)
GPMC with SP1 will remove currently installed versions of GPMC except any pre-release
versions; as such pre-release versions require removal prior to installing GPMC with SP1.
Domain Controllers must be running Windows 2000 with SP2 or later as a minimum;
Windows 2000 SP3 is recommended.
GPMC Installation
The GPMC with SP1 can be installed using one of two methods:
Unattended
Manually
Unattended
To carry out an unattended installation of the GPMC with SP1, the following command can be
used:
C:\> MSIExec.exe /i <PATH>\gpmc.msi /qr
Where <PATH> is the full path where the GPMC.MSI file resides; should the path contain spaces
then it should be enclosed using double-quotes (“), for example, “C:\Downloaded Files\gpmc.msi”.
Manually
The following screenshots show the installation steps involved in a manual setup of GPMC with
SP1:
1. Browse to the folder where the GPMC with SP1 is located and double-click the GPMC.MSI
file.
2. The Setup Wizard Welcome screen will be displayed; click Next to continue the
installation.
3. The Setup Wizard License Agreement displays; select I Agree and click Next.
4. The Setup Wizard will now install GPMC with SP1 into the “%Program Files%\GPMC”
folder.
5. Once the copy process is complete, a success screen will be displayed. Click Finish.
3. The New Object – Organizational Unit dialog box displays. Type the name of the new
OU in the Name text box.
4. Click OK.
Note
The context menu shown when an object is right-clicked depends upon the selected object. In the
example above, the Domain Name (adcontoso.contoso.com) was used and as such provided the options
shown. Right-clicking the Domain Controllers OU would provide a different menu.
The option to create a new OU is not available for certain objects. For example, you cannot create an OU
within an object type of Container; however you can create an OU within another OU.
2. Within GPMC, right-click the object you wish to create an OU under and select New
Organizational Unit.
3. The New Organizational Unit dialog box displays. Type the name of the new OU in the
Name text box.
4. Click OK.
DSGET: displays object properties. Applies to Computer, Contact, Subnet, Group, OU, Server, Site, User, Quota and Partition.
DSMOD: modifies objects. Applies to Computer, Contact, Group, OU, Server, User, Quota and Partition.
DSMOVE: moves or renames objects. Applies to all objects that can be renamed (excludes built-in objects).
DSQUERY: searches for objects matching criteria. Applies to Computer, Contact, Subnet, Group, OU, Server, Site, User, Quota and Partition.
DSRM: deletes objects. Applies to all objects that can be deleted (excludes built-in objects).
Table 60: Directory Service Command Line Tools
Using the DSADD tool, an OU named ‘Healthcare Organisation’ (shown in the example domain
used in the above two methods) can be created using the following command:
C:\>DSADD OU "OU=Healthcare Organisation,DC=adcontoso,DC=contoso,DC=com"
If a number of OUs are to be created, then a command file could be used to create them.
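As an added example, not from the document, the command file below creates a small OU hierarchy beneath the ‘Healthcare Organisation’ OU with DSADD. Only the domain adcontoso.contoso.com and the top-level OU come from this page; the child OU names are constructed placeholders and should be replaced with the Distinguished Names from Table 61. The existence check relies on dsquery * with -scope base printing the DN when the object exists and nothing otherwise, which is an assumption about the tool; parents are listed before children because DSADD fails if the parent container does not yet exist.

```batch
@echo off
setlocal EnableExtensions
rem Added example, not from the document: create an OU hierarchy with DSADD.
rem Only the domain adcontoso.contoso.com and the OU "Healthcare Organisation"
rem appear on the page; the child OU names below are constructed placeholders.
set "DOMAIN=DC=adcontoso,DC=contoso,DC=com"
set "ROOT=OU=Healthcare Organisation,%DOMAIN%"
set FAILED=0

rem Parents must precede children: DSADD needs the parent DN to exist already.
call :MakeOU "%ROOT%"                          "Top-level OU for the organisation"
call :MakeOU "OU=Users,%ROOT%"                 "User accounts (placeholder)"
call :MakeOU "OU=Clinical,OU=Users,%ROOT%"     "Clinical staff accounts (placeholder)"
call :MakeOU "OU=Computers,%ROOT%"             "Computer accounts (placeholder)"
call :MakeOU "OU=Desktops,OU=Computers,%ROOT%" "Desktop computers (placeholder)"

echo Done. Failures: %FAILED%
endlocal & exit /b %FAILED%

:MakeOU
rem %~1 = distinguished name of the OU, %~2 = description to record on it.
set "FOUND="
rem Assumption: dsquery * with -scope base echoes the DN if the object exists
rem and reports an error on stderr (discarded here) if it does not.
for /f "delims=" %%D in ('dsquery * "%~1" -scope base 2^>nul') do set "FOUND=%%D"
if defined FOUND (
    echo Exists : %~1
    goto :EOF
)
dsadd ou "%~1" -desc "%~2"
if errorlevel 1 (
    echo FAILED : %~1
    set /a FAILED+=1
) else (
    echo Created: %~1
)
goto :EOF
```

The script is safe to re-run: OUs that already exist are reported and skipped, and the exit code is the number of OUs that could not be created, so it can be called from a larger build script that stops on failure.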
Table 61 below provides the Distinguished Name of the OUs within the structure shown in Figure 6
on page 12.
3. Enter the name of the GPO in the Name text box within the New GPO dialog box.
Recommendation
The name specified should be descriptive and one that is easily recognisable as to the
configuration the GPO provides. The names for GPOs are just as important as names for users
and computers and therefore should be part of any naming conventions documentation.
4. Click OK.
If, when choosing the MSI package, a network location was not used, the following warning
will be displayed:
When assigning a package to a computer, most options are not configurable apart from
‘Uninstall this application when it falls out of the scope of management’. This option,
when used, ensures the application is removed once the GPO no longer applies.
Password Reset:
1. Open Active Directory Users and Computers, located by default on a Windows Server
2003 server in Start > All Programs > Administrative Tools.
2. Right-click the OU that you want to delegate administration to; this can be any OU in the
hierarchy, and click Delegate Control. The Delegation of Control Wizard Welcome page
displays:
3. Click Next.
4. In the Users or Groups page, click Add.
5. Type the name of the group to which control will be delegated in the Enter the object
names to select: field and click OK. Alternatively, clicking the Advanced button provides a
search facility to find the object required.
Note
In the example used here a security group named sgDAResetPasswordsAllUsers has been used.
This follows a simple naming convention of sg for ‘Security Group’, DA for ‘Delegation of
Administration’ followed by a descriptive name.
6. Click Next after all groups you want to delegate control to have been added.
7. Select the Reset user passwords and force password change at next logon task within
the Delegate the following common tasks field, then click Next.
8. Click Finish after reviewing the options that have been chosen, to complete the Delegation
of Control Wizard.
3. Click Next.
4. Add the appropriate group within the Users or Groups page and click Next. (See steps 4
and 5 of PART V for further information on how to do this.)
5. Select the Create a custom task to delegate option and click Next.
6. Accept the default option of This folder, existing objects in this folder, and creation of
new objects in this folder and click Next.
8. Click Finish after reviewing the options that have been chosen, to complete the Delegation
of Control Wizard.
4. Select Active Directory Users and Computers from the Available Standalone Snap-ins
list box, click Add and click Close.
7. A new child window will be displayed within the Console1 window with the selected OU
from the last step located as the top level OU.
10. Still within the Options dialog box, select User mode – limited access, single window
from the Console mode: drop down list and ensure Do not save changes to this console
is selected and Allow the user to customize views is cleared. Click OK.
11. From within the newly named Active Directory Computer Management window, click File >
Save As and type a suitable name for the MMC console, in this case type Active
Directory Computer Management.msc and click Save.
This Active Directory Computer Management.msc file can now be distributed to those users who
require access to this OU.
Important
Any user that will use this custom MMC snap-in requires the Windows Server 2003 Administration Pack to
be installed first, otherwise this snap-in will fail.
If you close the newly created custom MMC snap-in whilst the original Console1 window is also still
open, the following dialog box will be displayed. Click Yes to confirm that you want to display a
single window interface when this console is next opened.
1. Open the GPMC, located by default on a Windows Server 2003 server in Start > All
Programs > Administrative Tools.
2. Right-click the Group Policy Objects container and select Create New Group Policy
Object.
3. Enter the name of the GPO in the Name text box within the New GPO dialog box.
4. Right-click the newly created GPO and click Import Settings.
5. Click Next on the Import Settings Wizard Welcome page.
6. Click Next on the Backup GPO page. (It is not necessary to back up this GPO first as it
contains no settings.)
7. Type the name of the Backup folder which contains the GPO you want to import settings
from and click Next.
8. Within the Backed up GPOs list box, select the GPO you want to import settings from and
click Next.
9. The Import Settings Wizard will scan the backup of the GPO selected for any references to
security principals or UNC paths. Click Next.
10. If any references to security principals or UNC paths were found then the wizard will ask
what you would like to do with them. Select the appropriate option and click Next. It may
be that a Migration Table is required to translate any references found; this can be created
or selected at this stage.
11. Review the summary that the wizard will complete and click Finish to import the settings.
12. Click OK on the Import dialog box providing the completed status report.
5. The GPO is now linked to the OU selected. The objects within the OU will start to receive
the settings upon the next Group Policy refresh.
The installation of the ADMX Migrator can be completed using the following steps. The steps have
been carried out on a Windows Vista client. If installing on Windows Server 2003 or Windows XP,
the steps will remain the same, but the screenshots may appear slightly different.
8. If required, click the Browse button and select an alternate installation folder.
9. Click Next. The Ready to Install the Application page displays:
10. If required, select the check box to register once installation completes.
11. Click Next. ADMX Migrator will now install. Once successfully completed, the FullArmor
Migrator has been successfully installed page displays:
CA Certificate Authority
CAD CTRL+ALT+DELETE
CD Compact Disc
DC Domain Controller
ID Identifier
IP Internet Protocol
IT Information Technology
Abbreviation Definition
MDP Mandatory Domain Policy
OU Organisational Unit
SG Security Group
UI User Interface
PART II References
Reference: Document (Version)
R1. Windows Server Update Services 3.0 Design Guide (version 1.0.0.0): http://www.microsoft.com/industry/healthcare/technology/hpo/security/wsus.aspx
R8. Microsoft TechNet: Office System Suites and Programs TechCenter: Office Customization Tool in the 2007 Office system: http://technet.microsoft.com/en-us/library/cc179097.aspx
R10. Microsoft Download Center: Group Policy Settings Reference Windows Vista: http://go.microsoft.com/fwlink/?linkid=54020
R11. Microsoft Office Online: Microsoft Office 2003 Resource Kit Downloads: http://www.microsoft.com/office/orkarchive/2003ddl.htm
R12. Microsoft Download Center: 2007 Office system Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool version 2.0: http://go.microsoft.com/fwlink/?LinkId=78161
R13. Microsoft Download Center: Windows Installer 2.0 Redistributable Windows 2000 and Windows NT 4.0: http://go.microsoft.com/fwlink/?LinkId=7613
R15. Microsoft Download Center: Toolkit to Disable Automatic Delivery of Internet Explorer 7: http://go.microsoft.com/fwlink/?linkid=65788
R18. Microsoft Help and Support: How to obtain the latest service pack for the Microsoft Jet 4.0 Database Engine: http://support.microsoft.com/kb/239114
R21. Microsoft Download Center: 2007 Office System Document: Lists of Control IDs: http://go.microsoft.com/fwlink/?LinkId=80644
R23. Microsoft TechNet: Windows Vista TechCenter: Step-By-Step Guide to Controlling Device Installation and Usage with Group Policy: http://technet2.microsoft.com/WindowsVista/f/?en/library/9fe5bf05-a4a9-44e2-a0c3-b4b4eaaa37f31033.mspx
R24. Microsoft TechNet: Windows Vista TechCenter: Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information: http://technet2.microsoft.com/WindowsVista/en/library/3dbad515-5a32-4330-ad6f-d1fb6dfcdd411033.mspx?mfr=true
R25. Microsoft Help and Support: How to use the Group Policy Migration utility to migrate Windows NT 6.0 System Policy settings to Windows 2000 or Windows Server 2003: http://support.microsoft.com/kb/317367
R26. Microsoft: Windows Server 2003 R2: Migrating GPOs Across Domains with GPMC: http://www.microsoft.com/windowsserver2003/gpmc/migrgpo.mspx
R28. Microsoft Download Center: Microsoft Management Console 3.0 for Windows Server 2003 (KB907265): http://www.microsoft.com/downloads/details.aspx?FamilyID=4c84f80b-908d-4b5d-8aa8-27b962566d9f&DisplayLang=en
R29. Microsoft Download Center: Microsoft Management Console 3.0 for Windows XP (KB907265): http://www.microsoft.com/downloads/details.aspx?FamilyID=61fc1c66-06f2-463c-82a2-cf20902ffae0&DisplayLang=en
R30. Microsoft Download Center: Group Policy Management Console with Service Pack 1: http://go.microsoft.com/fwlink/?LinkID=46570
R32. Microsoft Help and Support: "The following entry in the [strings] section is too long and has been truncated" error message when you try to modify or to view GPOs in Windows Server 2003, Windows XP Professional, or Windows 2000 (version 7.4): http://support.microsoft.com/kb/842933
R35. Microsoft TechNet: Windows Vista TechCenter: Troubleshooting Group Policy Using Event Logs: http://go.microsoft.com/fwlink/?linkid=74139