Archive for the 'group policy' Tag

Folder Redirection in Group Policy allows a systems administrator to redirect certain folders from a user’s profile to a file server. In the last part of this series, I’ll discuss things that I’ve learned in implementing Folder Redirection and things you’ll need to consider before you implement.

After implementing this in several organizations, I’ve discovered several issues that may be of interest if you’re planning on implementing Folder Redirection.

Test, test, test

If you’ve read my other Group Policy articles, you know I harp on testing. Sorry, but far too many people make a change in a production environment before trying it out on test systems first.

Communicate to end users

If Folder Redirection is new for your users, make sure they know the change is coming. Most users will never notice until they accidentally delete a file or have a machine die and you become their hero.

Folder Redirection in Group Policy allows a systems administrator to redirect certain folders from a user’s profile to a file server. In part 4 of this series, I’ll discuss configuring Folder Redirection and the available configuration options in Group Policy.

Now that we have a server with a share configured, we’re ready to set up Folder Redirection in Group Policy. Folder Redirection is a User Configuration setting. Because of that, you’ll need to either create a new Group Policy Object (GPO) or edit an existing GPO that is linked to an OU containing your users. Go to User Configuration > Policies > Windows Settings > Folder Redirection.

GPMC in Windows 7 Showing Folder Redirection

Folder Redirection in Group Policy allows a systems administrator to redirect certain folders from a user’s profile to a file server. In part 3 of this series, I’ll discuss the folder permissions we set on the file server along with justifications for those settings and alternatives.

At this point, you may have noticed that we didn’t give our users very many permissions on the Users folder. First and foremost, we made sure that one user can’t see inside another user’s folder. It’s also fairly obvious that we don’t want to give users the ability to do things like take ownership, delete files/folders, or change permissions, but a few of the other missing permissions take a little more explanation.

First off, you don’t want users to have Create files/write data permission, or they can save files into the root of the shared folder. Since we’re redirecting folders, we only want users to be able to create folders in the root Users folder, not individual files. Once the user creates a folder named %username%, the CREATOR OWNER permission takes over (since it is a sub-folder of Users) and gives the account full control over the %username% folder and everything inside it.

Folder Redirection in Group Policy allows a systems administrator to redirect certain folders from a user’s profile to a file server. In part 2 of this series, I’ll discuss setting up the shared folder and permissions you’ll need on your file server.

Before you set up Group Policy for Folder Redirection, you need a properly configured file server. In my examples, I’ll be using Windows Server 2008 R2, but earlier versions will have the same settings, more or less.

The first decision you’ll need to make is the share name. My preference is typically to use “Users”, since we’ll be redirecting user folders. As an added step, you can make this a hidden share (by adding a $ to the end of the share name) if you think that is necessary for your file server, but keep in mind that it is fairly easy for users to discover where their folders are being redirected. Personally, I’m not a big fan of hiding shares unless they are being used in DFS or there is another good reason to hide them; but that is typically a personal (or organizational) preference.

Folder Redirection in Group Policy allows a systems administrator to redirect certain folders from a user’s profile to a file server. In part 1 of this series, I’ll introduce Folder Redirection and show where to find it in the Group Policy Management Console.

If you’re like me, you’ve probably gotten a frantic call from a customer because they have a computer that won’t boot and irreplaceable files on its local hard drive. Add clicking or grinding sounds coming from that computer, and no recent backup, to the mix. Sound familiar? That combination can add up to a very upset customer and possibly a very expensive bill if you have to get data recovered from that failed hard drive.

The good news is that there is something you can start doing today to combat that problem: Folder Redirection in Group Policy. To get started with Folder Redirection, you’ll need to be running Active Directory (any functional level), have an available file server, and have a management station running the Group Policy Management Console (GPMC). As with most of Group Policy, the latest version of the GPMC is preferred, but most of these settings are available in older versions.

This article, the fourth of seven in a series covering the Microsoft Desktop Optimization Pack (MDOP), will provide an explanation of Advanced Group Policy Management and a basic overview of configuration.

In terms of desktop management, Group Policy is the cornerstone of a Windows administrator’s arsenal. With Group Policy, you can deploy software, printers and drive mappings. You can configure default settings and manage client behavior. But how do you manage Group Policy itself? The built-in mechanisms for managing Group Policy are simply inadequate for most organizations. Windows administrators have either complete access or no access, depending on whether they are added to or removed from the Group Policy Creator Owners security group. Further, Group Policy Object (GPO) management lacks change control, automated backups, and role-based delegation. Microsoft’s Advanced Group Policy Management (AGPM) addresses all of these issues.

AGPM consists of a server-side component and a client component. The client component adds a Change Control node to the Group Policy Management Console (GPMC), which is installed on the AGPM server.

MDOP AGPM – The Change Control node within the GPMC

In the last part of this tutorial I will give you some tips on how to deploy AppLocker.

Now that you’ve established your rules, tested them in Audit mode, and also tested them in Enforce mode, you’re ready to start deploying AppLocker to all of your computers. In your GPO, go to Computer Configuration > Policies > Windows Settings > Security Settings > System Services and find the Application Identity service. Double-click it, check the box next to Define this policy setting, and set the startup mode to Automatic. This configures the Application Identity service to start automatically and will start the service at the next policy refresh. AppLocker rules are not enforced unless this service is running.

AppLocker – Enable Application Identity Service in GPMC

At this point, you should have a list of AppLocker rules that you’re ready to test. Part 3 of this AppLocker guide shows you how.

Go back into your GPO and go to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker. Right-click AppLocker and choose Properties. Check the box next to Configured for each rule collection you’ll be testing and change the pull-down to Audit only. This logs the result of every rule evaluation to the Event Log without actually blocking any applications.

AppLocker – Properties Audit

In part 2 of this tutorial I discuss a few best practices that you should take into account when you prepare the final set of your AppLocker rules.

By now, you should have a pretty long list of rules that have been generated by the GPMC. I would consider these rules a starting point, not something you should use in production. If you’ve looked through the list, you’ll notice a lot of redundancy. If you scanned the entire C:\ drive, you may also notice some things that you actually want to block with AppLocker. Here are some things I did to clean up my rules:

Use the default rules

If you’re going to use the default rules, you should be able to pare down some of the rules that were automatically generated. You don’t need 100+ rules for executables in the Windows or Program Files folder if you’re already allowing everything in those folders to execute.

Use publisher digital signatures

Most reputable software companies like Microsoft, Adobe, Citrix, Cisco, VMware, etc. do a relatively good job of digitally signing their executables. Several of these companies tend to have their installers end up in temporary folders inside AppData, which will be blocked if you don’t include a Publisher rule. Instead of allowing Adobe Reader, Acrobat, Illustrator, Photoshop, InDesign, etc. individually, you can use a Publisher rule that allows anything digitally signed by Adobe.

In this guide I will share the lessons I have learned during an AppLocker implementation. The tutorial covers the following topics: planning, best practices, testing and deployment.

Like any good systems administrator, I always try to do my research before implementing a new technology. While researching AppLocker, I came across quite a bit of documentation from Microsoft and questions various people had posted to message boards, but nothing that really gave me an idea of what I could actually expect during my implementation. Here are the things I’ve learned after a couple of AppLocker deployments that I hope will help you.

AppLocker – Group Policy Management Editor

In troubleshooting Group Policy issues over the years, I tend to see the same problems over and over. In the last part of this series I will share some of those experiences.

DNS

Your DCs should point to each other for DNS, and your clients should point to the DCs. If your clients are using other DNS servers, you’re going to have problems at some point. If you are, for some reason, required to use third-party DNS for external lookups, configure those DNS servers on the DCs as Root Hints servers instead of pointing clients or DCs directly at them.

Just Say NO to top level policies

The Default Domain Policy should be your only top-level GPO unless you have a really good reason to add more. In addition, the Default Domain Policy should be edited very sparingly. Why? Anything you link at the top level applies to EVERYTHING in your domain. Do you really want all of your servers and admin accounts locked down with the same policies you give to everyday workstations and standard user accounts? Decide on an organizational structure for your OUs where you can link your GPOs instead of linking them at the top level.

Of course, Group Policy relies on Active Directory. Part 5 of our Group Policy troubleshooting series covers typical Active Directory problems that prevent Group Policy from working properly.

DNS

If you’ve gotten to the point where it looks like Active Directory (AD) is the problem, you’re most likely looking at some kind of replication issue. By far, the most common cause of AD replication problems (short of failed DCs) is DNS. Are you using AD integrated DNS? Are your DCs pointing to each other for DNS? Are the firewalls between each DC open on the correct ports?

Event Log

The obvious place to look first is the Event Log. If you’re having replication problems, you’ll have errors in the Event Log, most likely a lot of them. Look here first for anything actionable.

GPOTool

GPOTool.exe is a handy utility that Microsoft includes in the Microsoft Product Support Reports suite of utilities. It is buried a bit: if you extract the package without installing the tools, GPOTool.exe can be found in your computer’s temp folder.

Running GPOTool.exe from one of your DCs without any switches walks through all of your GPOs and verifies that the Group Policy Templates (in Sysvol) and Group Policy Containers (in AD) are in sync and consistent across all of the DCs. You can also use the /gpo option if you just want to check one specific GPO.

Client issues are often the cause of Group Policy problems. In part 4 of this series, I will discuss tools such as gpupdate and gpresult which help you tackle these problems.

When all else fails, reboot!

There are a few changes in Group Policy that require a reboot of the computer or a logoff/logon for the user. If you have clients that go long periods without rebooting, or users that just lock their computers at the end of the day, this could be why some policies aren’t updating. If you’re deploying software to computers, using Folder Redirection, or have startup/shutdown scripts, you’ll need your computers to restart occasionally. The same goes for logon/logoff scripts: if you’re relying on scripts in your policy for changes, users will need to actually log off on occasion to get those changes. If you can, time policy changes that require a reboot to coincide with Patch Tuesday, since the computers will most likely reboot to apply patches anyway.

Wait… or run gpupdate

Group Policy refreshes every 90 minutes with a randomized offset of up to 30 minutes. If you change a policy right now, it could be as much as 2 hours before all of your clients get the policy. Depending on how long Sysvol replication takes in your AD, or if you have a DC on the other side of a slow connection, it could possibly be longer. If you made the change an hour ago and clients aren’t getting the setting, that’s completely normal. On the client, you can run gpupdate.exe to apply changes that have been made to Group Policy. Running gpupdate.exe /force ignores the processing optimizations and reapplies all of Group Policy, not just the settings that changed. Or, you can just keep waiting until all of your computers complete their regular refresh.

Group Policy settings not being applied? In this third part of our Group Policy troubleshooting series you will learn how to identify the source of the problem.

So you’ve got computers or users with Group Policy problems. Where do you start? Troubleshooting any problem is usually a process of elimination. A lot of people want to run directly to the Event Log of the affected computer. Before jumping on the first computer where Group Policy is not applied, I suggest asking a few questions first so you can eliminate possible causes. A little detective work up front can make tracking down the actual problem much easier and may save you some time digging through logs.

Is this a local system or a remote (probably VPN-connected) system?

Some policies behave differently depending on whether a user/computer is connected directly to the LAN or remotely over a slower connection. For a remote user, the computer may have identified the connection as a slow link and may not be applying all settings. Additionally, some settings like Folder Redirection and startup scripts only process at boot or logon and may require pre-logon VPN access to network resources like file servers, or they won’t run. If the user is connected remotely, you may need to recommend that they connect to the VPN prior to logging on to AD so their policy can process.

You test your Group Policy changes before you push them out, right? This second part of six shows you how you can test Group Policy settings before you deploy them.

I can’t stress enough how important it is to test out your new Group Policy settings before you start pushing them out to end users. How do you know they will work correctly in the real world if you haven’t tested them in a controlled lab setting first?

Creating a Group Policy test environment

In larger environments, IT departments may have a test Active Directory forest just for testing things like Group Policy. Unless you’re applying Group Policy to thousands or tens of thousands of computers, that may be overkill for your organization. Here’s what I typically do to test:

In my Active Directory (AD) organization, I like to keep a “Test” Organizational Unit (OU) that mimics a typical OU for a department. In that OU, I keep the same sub-OU layout, a few test user accounts, and test computers (usually virtual machines) where I can apply any of my test Group Policy before I make it available to end users.
