<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:series="http://unfoldingneurons.com/"
	>

<channel>
	<title>4sysops &#187; group policy</title>
	<atom:link href="http://4sysops.com/archives/tag/group-policy/feed/" rel="self" type="application/rss+xml" />
	<link>http://4sysops.com</link>
	<description>For Windows Administrators</description>
	<lastBuildDate>Thu, 24 May 2012 23:49:55 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
<image>
    <title>4sysops</title>
    <url>http://4sysops.com/4sysops-rss.png</url>
    <link>http://4sysops.com</link>
    <width>143</width>
    <height>49</height>
    <description>4sysops.com</description>
    </image>
		<item>
		<title>Folder Redirection &#8211; Part 5: Best practices</title>
		<link>http://4sysops.com/archives/folder-redirection-part-5-best-practices/</link>
		<comments>http://4sysops.com/archives/folder-redirection-part-5-best-practices/#comments</comments>
		<pubDate>Mon, 14 May 2012 17:37:15 +0000</pubDate>
		<dc:creator>Kyle Beckman</dc:creator>
				<category><![CDATA[Tips]]></category>
		<category><![CDATA[group policy]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=8593</guid>
		<description><![CDATA[<a href="http://4sysops.com/archives/folder-redirection-part-4-group-policy-configuration/">Folder Redirection in Group Policy</a> allows a systems administrator to redirect certain folders from a user’s profile to a file server. In the last part of this series, I’ll discuss things that I’ve learned in implementing Folder Redirection and things you’ll need to consider before you implement.]]></description>
			<content:encoded><![CDATA[<p><strong><i><a href="http://4sysops.com/archives/folder-redirection-part-4-group-policy-configuration/">Folder Redirection in Group Policy</a> allows a systems administrator to redirect certain folders from a user’s profile to a file server. In the last part of this series, I’ll discuss things that I’ve learned in implementing Folder Redirection and things you’ll need to consider before you implement.</i></strong></p>
<p>After implementing this in several organizations, I’ve discovered several issues that may be of interest if you’re planning on implementing Folder Redirection.</p>
<h2>Test, test, test</h2>
<p>If you’ve read other Group Policy articles I’ve written, you’ll know I harp on testing. Sorry, but way too many people make a change in a production environment before trying it out on test systems first.</p>
<h2>Communicate to end users</h2>
<p>If Folder Redirection is new for your users, make sure they know the change is coming. Most users will never notice until they accidentally delete a file or have a machine die and you become their hero.</p>
<h2>Slow logons after implementation</h2>
<p>One of the things you’ll need to communicate to users if you have pre-Windows 7 computers is that they may see slow logons the first time they log into their computers after Folder Redirection is implemented. Not only are everyone’s files being copied to the file server, but the server’s NIC and the network will probably be saturated with file transfer traffic. (Microsoft improved this in Windows 7 with <a href="http://technet.microsoft.com/en-us/library/ff183315%28WS.10%29.aspx">Fast First Logon</a>.)</p>
<h2>Broken shortcuts and Recent Documents</h2>
<p>If users have created shortcuts to documents or folders inside of folders that you’re redirecting, they may end up with broken shortcuts. The same is true for the Recent Documents feature in applications like Word and Excel.</p>
<h2>Which folders to redirect</h2>
<p>Decide beforehand what you want to redirect vs. what you really need to redirect. Is it really important to redirect Downloads? How about Saved Games? Everything you redirect is going to have an impact on how much storage you need.</p>
<h2>Planning storage</h2>
<p>For your shared folder, you’ll want to make sure that the share is on a volume that is large enough to handle the amount of data that your users will be storing. There are a few ways to accomplish this, but most of them depend on your server environment. If your file server is a virtual machine, you can always expand your virtual disk and then expand the volume in Windows if you start to run low on disk space later. If you’re using a physical server connected to some kind of Fibre Channel or iSCSI SAN, you can pretty much do the same thing: expand the volume on the SAN and then expand the volume in Windows.</p>
<p>The amount of storage you’ll need can vary widely depending on the types of users you’re supporting. I’ve seen administrative users (accountants, HR, etc.) use as little as a few hundred megabytes and engineers use hundreds of gigabytes. Plan accordingly!</p>
<h2>File server configuration</h2>
<p>File server configuration can have an impact on Folder Redirection. Just be aware that things like antivirus or an IDS application can impact your users. Also be aware of whether or not File Screening is being used to block files on your file server since this will impact Folder Redirection also.</p>
<h2>Consider using DFS</h2>
<p>If you’re already using DFS, seriously consider using DFS for your folder redirections. In the event you need to change servers or create a more redundant file server, everything you need is already built into DFS.</p>
<h2>Stopping Folder Redirection for labs and kiosks</h2>
<p>If you have training facilities, kiosks, or other computers where you don’t want user folders being redirected, you’ll need to use <a href="http://4sysops.com/archives/group-policy-loopback-processing-part-2-replace-mode-and-merge-mode/">loopback processing</a>. In most cases, using Replace will be the easiest since it will just ignore all of the User Configuration. In the event you do decide to use Merge, make sure you set a User policy that redirects all of the folders to the local user profile.</p>
<h2>Offline Files</h2>
<p>In most circumstances, the default settings for Offline files will probably be adequate. In the event you need to change those settings, Offline Files can be configured for the entire computer in the GPMC at Computer Configuration &gt; Policies &gt; Administrative Templates &gt; Network &gt; Offline Files. On the user side, it is located in User Configuration &gt; Policies &gt; Administrative Templates &gt; Network &gt; Offline Files. By default, Redirected Folders will be made available offline. On both sides, you can disable Offline Files by setting “Prevent use of Offline Files” to Enabled.</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-Prevent-use-of-Offline-Files.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-Prevent-use-of-Offline-Files.png','',event,300,75)"><img style="background-image: none; margin: 0px 6px; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border: 0px;" title="Folder Redirection - Prevent use of Offline Files" src="http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-Prevent-use-of-Offline-Files_thumb.png" alt="Folder Redirection - Prevent use of Offline Files" width="604" height="552" border="0" /></a></p>
<p align="center"><em>Folder Redirection &#8211; Prevent use of Offline Files</em></p>
<h2>Disabled Offline Files and server availability</h2>
<p>In the event you need to disable Offline Files for security reasons, you’ll want to make sure that your file server is as highly available as possible. If your file server does need to go offline or reboot, be aware that any logged-in users will immediately lose access to their redirected files until the file server becomes available again.</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-Offline-Files-disabled-and-file-server-unavailable.png"><img title="Folder Redirection - Offline Files disabled and file server unavailable" src="http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-Offline-Files-disabled-and-file-server-unavailable_thumb.png" alt="Folder Redirection - Offline Files disabled and file server unavailable" width="576" height="203" /></a></p>
<p align="center"><em>Folder Redirection &#8211; Offline Files disabled and file server unavailable</em></p>
Author: Kyle Beckman
<br />
<small>Copyright &#169; 2006-2012, 4sysops, Digital fingerprint: 3db371642e7c3f4fe3ee9d5cf7666eb0</small><br />
	<br /><strong>Related</strong>
	<ul class="st-related-posts">
	<li><a href="http://4sysops.com/archives/folder-redirection-part-4-group-policy-configuration/" title="Folder Redirection &#8211; Part 4: Group Policy configuration (May 9, 2012)">Folder Redirection &#8211; Part 4: Group Policy configuration</a> (0)</li>
	<li><a href="http://4sysops.com/archives/folder-redirection-part-3-explanation-of-folder-permissions/" title="Folder Redirection &#8211; Part 3: Explanation of folder permissions (May 7, 2012)">Folder Redirection &#8211; Part 3: Explanation of folder permissions</a> (4)</li>
	<li><a href="http://4sysops.com/archives/folder-redirection-part-2-setting-up-your-file-server/" title="Folder Redirection &#8211; Part 2: Setting up your file server (May 2, 2012)">Folder Redirection &#8211; Part 2: Setting up your file server</a> (0)</li>
	<li><a href="http://4sysops.com/archives/folder-redirection-part-1-introduction/" title="Folder Redirection &#8211; Part 1: Introduction (April 30, 2012)">Folder Redirection &#8211; Part 1: Introduction</a> (0)</li>
	<li><a href="http://4sysops.com/archives/microsoft-desktop-optimization-pack-mdop-advanced-group-policy-management-agpm/" title="Microsoft Desktop Optimization Pack (MDOP): Advanced Group Policy Management (AGPM) (April 13, 2012)">Microsoft Desktop Optimization Pack (MDOP): Advanced Group Policy Management (AGPM)</a> (0)</li>
</ul>

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/folder-redirection-part-5-best-practices/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<series:name><![CDATA[Folder Redirection]]></series:name>
	</item>
		<item>
		<title>Folder Redirection &#8211; Part 4: Group Policy configuration</title>
		<link>http://4sysops.com/archives/folder-redirection-part-4-group-policy-configuration/</link>
		<comments>http://4sysops.com/archives/folder-redirection-part-4-group-policy-configuration/#comments</comments>
		<pubDate>Wed, 09 May 2012 19:59:10 +0000</pubDate>
		<dc:creator>Kyle Beckman</dc:creator>
				<category><![CDATA[Tips]]></category>
		<category><![CDATA[group policy]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=8571</guid>
		<description><![CDATA[<a href="https://4sysops.com/archives/folder-redirection-part-1-introduction/">Folder Redirection in Group Policy</a> allows a systems administrator to redirect certain folders from a user’s profile to a file server. In part 4 of <a href="https://4sysops.com/archives/folder-redirection-part-1-introduction/">this series</a>, I’ll discuss configuring Folder Redirection and the available configuration options in Group Policy.]]></description>
			<content:encoded><![CDATA[<p><strong><i><a href="https://4sysops.com/archives/folder-redirection-part-1-introduction/">Folder Redirection in Group Policy</a> allows a systems administrator to redirect certain folders from a user’s profile to a file server. In part 4 of <a href="https://4sysops.com/archives/folder-redirection-part-1-introduction/">this series</a>, I’ll discuss configuring Folder Redirection and the available configuration options in Group Policy.</i></strong></p>
<p>Now that we have a server with a share configured, we’re ready to set up Folder Redirection in Group Policy. Folder Redirection is a User Configuration setting. Because of that, you’ll need to either create a new Group Policy Object (GPO) or edit an existing GPO that is linked to an OU containing your users. Go to User Configuration &gt; Policies &gt; Windows Settings &gt; Folder Redirection.</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/05/GPMC-in-Windows-7-Showing-Folder-Redirection.png"><img title="GPMC in Windows 7 Showing Folder Redirection" src="http://4sysops.com/wp-content/uploads/2012/05/GPMC-in-Windows-7-Showing-Folder-Redirection_thumb.png" alt="GPMC in Windows 7 Showing Folder Redirection" width="604" height="447" /></a></p>
<p align="center"><em>GPMC in Windows 7 Showing Folder Redirection</em></p>
<p>Right-click on one of the folder names and click Properties. In my example, I’ll be using Documents. The first thing you’ll want to set in the Target tab is how you want to redirect folders: Basic or Advanced. If you’re planning on directing every user to your new User share, then Basic will probably do for you. If you have multiple shares for Folder Redirection (possibly for departments or geographical locations), you can choose Advanced and assign specific folders for groups.</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-Properties.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-Properties.png','',event,300,75)"><img style="background-image: none; margin: 0px 6px; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border: 0px;" title="Folder Redirection Properties" src="http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-Properties_thumb.png" alt="Folder Redirection Properties" width="408" height="452" border="0" /></a></p>
<p align="center"><em>Folder Redirection Properties</em></p>
<p>Next, you’ll need to determine where you want to redirect the user folders. In most circumstances, you’ll probably want to use “Create a folder for each user under the root path.” However, you can also use a user’s home directory (if you have that attribute configured in AD), a specific path (for labs or common area computers where every user should share certain folders), and the local user profile (useful if you don’t want users reconfiguring folder locations).</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-Target-folder-location.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-Target-folder-location.png','',event,300,75)"><img style="background-image: none; margin: 0px 6px; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border: 0px;" title="Folder Redirection - Target folder location" src="http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-Target-folder-location_thumb.png" alt="Folder Redirection - Target folder location" width="403" height="447" border="0" /></a></p>
<p align="center"><em>Target folder location</em></p>
<p>Type in the name of your server and the path to your Users share. If you used the option to create a folder for each user under the root path, your folder structure will end up in the format \\fileserver\Users\%username%\redirectedfoldername for each Folder Redirection you configure.</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-Root-Path-setting.png"><img title="Folder Redirection - Root Path setting" src="http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-Root-Path-setting_thumb.png" alt="Folder Redirection - Root Path setting" width="408" height="452" /></a></p>
<p align="center"><em>Root Path setting</em></p>
<p>Go to the Settings tab. Uncheck the checkbox by “Grant the user exclusive rights to Documents.” If you don’t uncheck this setting, the permissions will be configured so that even Administrators won’t be able to access the files without changing the folder permissions.</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-Settings-Tab.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-Settings-Tab.png','',event,300,75)"><img style="background-image: none; margin: 0px 6px; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border: 0px;" title="Folder Redirection - Settings Tab" src="http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-Settings-Tab_thumb.png" alt="Folder Redirection - Settings Tab" width="408" height="452" border="0" /></a></p>
<p align="center"><em>Settings Tab</em></p>
<p>Choose the settings for the remaining options that work for your environment and click OK.</p>
<p>That’s it! All you need to do is go to your test system, refresh Group Policy, log off, and log back on. Just be aware that when you run gpupdate, you’ll get a reminder that you need to log off and back on for the changes to take effect.</p>
<p>In the last post of this Folder Redirection series I will share some <a href="http://4sysops.com/archives/folder-redirection-part-5-best-practices/">best practices tips</a>.</p>

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/folder-redirection-part-4-group-policy-configuration/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<series:name><![CDATA[Folder Redirection]]></series:name>
	</item>
		<item>
		<title>Folder Redirection &#8211; Part 3: Explanation of folder permissions</title>
		<link>http://4sysops.com/archives/folder-redirection-part-3-explanation-of-folder-permissions/</link>
		<comments>http://4sysops.com/archives/folder-redirection-part-3-explanation-of-folder-permissions/#comments</comments>
		<pubDate>Mon, 07 May 2012 19:23:40 +0000</pubDate>
		<dc:creator>Kyle Beckman</dc:creator>
				<category><![CDATA[Tips]]></category>
		<category><![CDATA[group policy]]></category>
		<category><![CDATA[roaming profiles]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=8556</guid>
		<description><![CDATA[<a href="http://4sysops.com/archives/folder-redirection-part-1-introduction/">Folder Redirection in Group Policy</a> allows a systems administrator to redirect certain folders from a user’s profile to a file server. In part 3 of this <a href="http://4sysops.com/archives/folder-redirection-part-1-introduction/">series</a>, I’ll discuss the folder permissions we set on the file server along with justifications for those settings and alternatives.]]></description>
			<content:encoded><![CDATA[<p><strong><i><a href="http://4sysops.com/archives/folder-redirection-part-1-introduction/">Folder Redirection in Group Policy</a> allows a systems administrator to redirect certain folders from a user’s profile to a file server. In part 3 of this <a href="http://4sysops.com/archives/folder-redirection-part-1-introduction/">series</a>, I’ll discuss the folder permissions we set on the file server along with justifications for those settings and alternatives.</i></strong></p>
<p>At this point, you may have noticed that we didn’t give our users very many permissions on the Users folder. First and foremost, we made sure that one user can’t see inside of another user’s folder. It’s also pretty obvious that we don’t want to give users the ability to do things like take ownership, delete files/folders, or change permissions, but a few of the other missing permissions take a little more explanation.</p>
<p>First off, you don’t want users to have Create files/write data permissions or they can save files into the root of the shared folder. Since we’re redirecting folders, we only want the users to be able to create folders in the root Users folder, but not individual files. Once the user creates a folder named %username%, the CREATOR OWNER permission will take over (since it is a sub-folder of Users) and will give the account full control over the %username% folder and everything inside of it.</p>
<p>Second, List folder/read data is also missing because we don’t want users to be able to enumerate folders in the share. Here’s what it will look like to the end user if they try to go to \\fileserver\Users:</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-User-cant-enumerate-folders.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-User-cant-enumerate-folders.png','',event,300,75)"><img style="background-image: none; padding-top: 0px; padding-left: 0px; margin: 0px 6px; display: inline; padding-right: 0px; border: 0px;" title="Folder Redirection - User can't enumerate folders" src="http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-User-cant-enumerate-folders_thumb.png" alt="Folder Redirection - User can't enumerate folders" width="604" height="454" border="0" /></a></p>
<p align="center"><em>User can&#8217;t enumerate folders</em></p>
<p>However, if the user tries to go to \\fileserver\Users\%username%, he can see all of his folders:</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/05/Folder-Redicretion-User-CAN-see-inside-username-folder.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2012/05/Folder-Redicretion-User-CAN-see-inside-username-folder.png','',event,300,75)"><img style="background-image: none; padding-top: 0px; padding-left: 0px; margin: 0px 6px; display: inline; padding-right: 0px; border: 0px;" title="Folder Redicretion - User CAN see inside username folder" src="http://4sysops.com/wp-content/uploads/2012/05/Folder-Redicretion-User-CAN-see-inside-username-folder_thumb.png" alt="Folder Redicretion - User CAN see inside username folder" width="604" height="383" border="0" /></a></p>
<p align="center"><em>User CAN see inside username folder</em></p>
<p>As an Administrator, you’ll still be able to see everything on the server:</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-redirected-folders-on-server.png"><img title="Folder Redirection - redirected folders on server" src="http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-redirected-folders-on-server_thumb.png" alt="Folder Redirection - redirected folders on server" width="604" height="454" /></a></p>
<p align="center"><em>Redirected folders on server</em></p>
<p>Why would you want to do it this way? The biggest reason is that we’re giving the user the ability to create folders in the Users share. That means that there is nothing to stop a user from creating a few hundred folders and then saving files into those folders inside of Users. By removing the ability to enumerate folders in the Users share, you eliminate the ability of the user to see what is in the folder. It doesn’t stop the user from being able to create other folders or copy data into them, but it makes it much more difficult to use should they decide to try.</p>
<p>The other big benefit you get is that users can’t see the other user account folders that are stored in the Users share. Can’t I do that with Access Based Enumeration? Yes… Access Based Enumeration will essentially hide any files/folders to a user that he/she doesn’t have permissions to see; but, it doesn’t solve the problem of the user being able to create new folders in your Users share. If you enable Access Based Enumeration and allow users to enumerate the contents of the share, they’ll just see their %username% folder and all of the other folders they’ve created there.</p>
<p>In the next post I will show you how to <a href="http://4sysops.com/archives/folder-redirection-part-4-group-policy-configuration/">configure folder redirection in Group Policy</a>.</p>

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/folder-redirection-part-3-explanation-of-folder-permissions/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
	
		<series:name><![CDATA[Folder Redirection]]></series:name>
	</item>
		<item>
		<title>Folder Redirection &#8211; Part 2: Setting up your file server</title>
		<link>http://4sysops.com/archives/folder-redirection-part-2-setting-up-your-file-server/</link>
		<comments>http://4sysops.com/archives/folder-redirection-part-2-setting-up-your-file-server/#comments</comments>
		<pubDate>Thu, 03 May 2012 04:20:44 +0000</pubDate>
		<dc:creator>Kyle Beckman</dc:creator>
				<category><![CDATA[Tips]]></category>
		<category><![CDATA[group policy]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=8515</guid>
		<description><![CDATA[<a href="http://4sysops.com/archives/folder-redirection-part-1-introduction/">Folder Redirection in Group Policy</a> allows a systems administrator to redirect certain folders from a user’s profile to a file server. In part 2 of this <a href="http://4sysops.com/archives/folder-redirection-part-1-introduction/">series</a>, I’ll discuss setting up the shared folder and permissions you’ll need on your file server.]]></description>
			<content:encoded><![CDATA[<p><strong><i><a href="http://4sysops.com/archives/folder-redirection-part-1-introduction/">Folder Redirection in Group Policy</a> allows a systems administrator to redirect certain folders from a user’s profile to a file server. In part 2 of this <a href="http://4sysops.com/archives/folder-redirection-part-1-introduction/">series</a>, I’ll discuss setting up the shared folder and permissions you’ll need on your file server.</i></strong></p>
<p>Before you set up Group Policy for Folder Redirection, you need a properly configured file server. In my examples, I’ll be using Windows Server 2008 R2, but earlier versions will have the same settings, more or less.</p>
<p>The first decision you’ll need to make is on the share name. My preference is typically to use “Users” since we’ll be redirecting user folders. As an added step, you can make this a hidden share (by adding a $ to the end of the share name) if you think that is necessary for your file server. It is fairly easy for users to discover where their folders are being redirected. Personally, I’m not a big fan of hiding shares unless they are being used in DFS or there is another good reason to hide them; but, that is typically a personal (or organizational) preference.</p>
<p>Starting with the Sharing tab, you’ll want to share the folder by clicking the Advanced Sharing button. Click the “Share this folder” checkbox and the share name should fill in automatically. Caching should default to “Only the files and programs that users specify are available offline.” Click the Permissions tab. In Permissions, you can probably check the Full Control checkbox and click OK, but make sure that works for your environment. If you provision Guest accounts or have users that don’t need access to the Folder Redirection share, consider limiting the share to Domain Users or smaller groups of users.</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-Share-Properties.png"><img title="Folder Redirection - Share Properties" src="http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-Share-Properties_thumb.png" alt="Folder Redirection - Share Properties" width="294" height="253" /></a><a href="http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-Share-Permissions.png"><img title="Folder Redirection - Share Permissions" src="http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-Share-Permissions_thumb.png" alt="Folder Redirection - Share Permissions" width="294" height="353" /></a></p>
<p align="center"><em>Share permissions</em></p>
<p>The easiest method for provisioning new folders for users is to allow the logon process to create all of the folders automatically as they are redirected to the file server. To do this, you’ll need to set the file permissions so that users can create folders, but not access the folders of other users. This can all be done in the GUI, but I prefer using the icacls.exe utility to set the file permissions for something like this so I can be sure I don’t miss something. Here are the commands you’ll need:</p>
<pre>icacls.exe C:\Shares\Users /inheritance:d</pre>
<p>This removes inheritance on the folder and copies the existing permissions. We want to do this for two reasons: first off, any permission changes to the volume or top-level folder will propagate down to your shared folder which we don’t want. Second, the default file permissions will give “Users” access to read everything in the folder… we don’t want that either.</p>
<pre>icacls.exe C:\Shares\Users /remove:g Users</pre>
<p>Remove “Users” access to the folder so that users can’t get nosy and go through other users’ files.</p>
<pre>icacls.exe C:\Shares\Users /grant Everyone:(x,ra,ad)</pre>
<p>Give “Everyone” execute/traverse (x), read attributes (ra), and append data/add subdirectory (ad). After running the command, your permissions should look like this:</p>
<ul>
<li>Administrators (Full Control) – This folder, sub-folders, and files</li>
<li>SYSTEM (Full Control) – This folder, sub-folders, and files</li>
<li>CREATOR OWNER (Full Control) – Sub-folders, and files</li>
<li>Everyone (Special – Traverse Folder/Execute File, Read Attributes, Create Folders/Append Data) – This folder only</li>
</ul>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-File-Permissions.png"><img style="background-image: none; padding-top: 0px; padding-left: 0px; margin: 0px 6px; display: inline; padding-right: 0px; border-width: 0px;" title="Folder Redirection - File Permissions" src="http://4sysops.com/wp-content/uploads/2012/05/Folder-Redirection-File-Permissions_thumb.png" alt="Folder Redirection - File Permissions" width="604" height="287" border="0" /></a></p>
<p align="center"><em>File permissions</em></p>
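<p>Added here as an example (not the article’s own code): a PowerShell script that runs the three icacls.exe steps above and then audits the resulting ACL against the permission list the post says you should see. It assumes the article’s path C:\Shares\Users and an elevated session on the file server.</p>

```powershell
# Added example, not code from the 4sysops article: applies the three icacls.exe
# steps the post describes to the Folder Redirection root, then audits the resulting
# ACL against the permission list the post expects. The default path is the article's
# own example and is an assumption about your layout. Run elevated on the file server.
using namespace System.Security.AccessControl

param(
    [string]$Path = 'C:\Shares\Users'
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Invoke-Icacls {
    param([string[]]$Arguments)
    $output = & icacls.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "icacls.exe $($Arguments -join ' ') failed: $output"
    }
}

function Set-RedirectionRootAcl {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder '$Path' does not exist; create and share it first."
    }
    # 1. Disable inheritance, copying the inherited ACEs as explicit ones.
    Invoke-Icacls @($Path, '/inheritance:d')
    # 2. Remove the copied "Users" ACE so users cannot browse each other's folders.
    Invoke-Icacls @($Path, '/remove:g', 'Users')
    # 3. Everyone may traverse the root, read its attributes and add a subfolder
    #    (so logon can create the per-user folder), on this folder only.
    Invoke-Icacls @($Path, '/grant', 'Everyone:(x,ra,ad)')
}

function Test-RedirectionRootAcl {
    param([Parameter(Mandatory)][string]$Path)
    $acl      = Get-Acl -LiteralPath $Path
    $rules    = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })
    $findings = New-Object 'System.Collections.Generic.List[string]'
    # Inheritance must be off, or changes at the volume or top level propagate down.
    if (-not $acl.AreAccessRulesProtected) {
        $findings.Add('Inheritance is still enabled on the share root.')
    }
    # No ACE for the built-in Users group may survive step 2.
    if ($rules | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' }) {
        $findings.Add("BUILTIN\Users still has an ACE; users could read other users' folders.")
    }
    # Administrators and SYSTEM: Full Control on this folder, sub-folders and files.
    $subAndFiles = [InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($name in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $full = $rules | Where-Object {
            $_.IdentityReference.Value -eq $name -and
            $_.FileSystemRights -eq [FileSystemRights]::FullControl -and
            $_.InheritanceFlags -eq $subAndFiles
        }
        if (-not $full) { $findings.Add("$name lacks Full Control on this folder, sub-folders and files.") }
    }
    # CREATOR OWNER: Full Control on sub-folders and files only (inherit-only ACE),
    # which is what gives each user ownership of the folder logon creates for them.
    $owner = $rules | Where-Object {
        $_.IdentityReference.Value -eq 'CREATOR OWNER' -and
        $_.FileSystemRights -eq [FileSystemRights]::FullControl -and
        $_.InheritanceFlags -eq $subAndFiles -and
        (($_.PropagationFlags -band [PropagationFlags]::InheritOnly) -ne 0)
    }
    if (-not $owner) {
        $findings.Add('CREATOR OWNER needs Full Control on sub-folders and files only.')
    }
    # Everyone: exactly x, ra and ad (icacls terms) on this folder only. Synchronize is
    # masked off because the GUI ACL editor may add it to an Allow ACE silently.
    $expected = [int]([FileSystemRights]'ExecuteFile, ReadAttributes, AppendData')
    $sync     = [int][FileSystemRights]::Synchronize
    $everyone = @($rules | Where-Object { $_.IdentityReference.Value -eq 'Everyone' })
    if ($everyone.Count -eq 0) {
        $findings.Add('Everyone has no ACE; logon cannot create new user folders.')
    }
    foreach ($ace in $everyone) {
        $actual = ([int]$ace.FileSystemRights) -band (-bnot $sync)
        if ($actual -ne $expected) {
            $findings.Add(('Everyone has rights 0x{0:X} instead of 0x{1:X}.' -f $actual, $expected))
        }
        if ($ace.InheritanceFlags -ne [InheritanceFlags]::None) {
            $findings.Add('Everyone ACE inherits to sub-folders/files; it should be "This folder only".')
        }
    }
    return $findings.ToArray()
}

Set-RedirectionRootAcl -Path $Path
$problems = @(Test-RedirectionRootAcl -Path $Path)
if ($problems.Count -eq 0) {
    Write-Output "ACL on $Path matches the expected Folder Redirection permissions."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

<p>Re-running only Test-RedirectionRootAcl later is a cheap periodic check that nobody has re-enabled inheritance or re-added a broad read ACE on the share root.</p>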
<p>In my next post I will discuss <a href="http://4sysops.com/archives/folder-redirection-part-3-explanation-of-folder-permissions/">folder permissions</a>.</p>
Author: Kyle Beckman
<br />
<small>Copyright &#169; 2006-2012, 4sysops, Digital fingerprint: 3db371642e7c3f4fe3ee9d5cf7666eb0</small><br />

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/folder-redirection-part-2-setting-up-your-file-server/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<series:name><![CDATA[Folder Redirection]]></series:name>
	</item>
		<item>
		<title>Folder Redirection &#8211; Part 1: Introduction</title>
		<link>http://4sysops.com/archives/folder-redirection-part-1-introduction/</link>
		<comments>http://4sysops.com/archives/folder-redirection-part-1-introduction/#comments</comments>
		<pubDate>Mon, 30 Apr 2012 20:48:52 +0000</pubDate>
		<dc:creator>Kyle Beckman</dc:creator>
				<category><![CDATA[Tips]]></category>
		<category><![CDATA[group policy]]></category>
		<category><![CDATA[roaming profiles]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=8502</guid>
		<description><![CDATA[Folder Redirection in Group Policy allows a systems administrator to redirect certain folders from a user’s profile to a file server.  In part 1 of this series, I’ll introduce Folder Redirection and show where to find it in the Group Policy Management Console]]></description>
			<content:encoded><![CDATA[<p><strong><i>Folder Redirection in Group Policy allows a systems administrator to redirect certain folders from a user’s profile to a file server.  In part 1 of this series, I’ll introduce Folder Redirection and show where to find it in the Group Policy Management Console</i></strong></p>
<p>If you’re like me, you’ve probably gotten a frantic call from a customer because they have a computer that won’t boot and irreplaceable files on its local hard drive. Add clicking or grinding sounds coming from that computer and no recent backup to the mix. Sound familiar? That combination can add up to a very upset customer and possibly a very expensive bill if you have to get data restored from that failed hard drive.</p>
<p>The good news is that there is something you can start doing today to combat that problem: Folder Redirection in Group Policy. To get started with Folder Redirection, you’ll need to be running Active Directory (any functional level), have an available file server, and have a management station running the Group Policy Management Console. As with most Group Policy work, the latest version of the GPMC is preferred, but most of these settings are available in older versions.</p>
<p>So what exactly does Folder Redirection do? Folder Redirection takes common user profile folders from C:\Users (or C:\Documents and Settings\ in Windows XP), like the Desktop or Documents, and puts them on a UNC path instead of the local hard drive of the computer.</p>
<p>In addition to the immediate benefit of having that data on a file server that is much easier to keep backed up, the user also gets the benefit of being able to go to multiple computers in your organization and still have access to their data. Using the default Windows settings and the default share settings on your file server, these redirected folders will even be made available offline automatically for your users. (Don’t worry, this can be controlled separately in Group Policy, which we’ll cover in a later article.)</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/04/Folder-Redirection-Documents-Redirected-in-Windows-7.png"><img style="background-image: none; margin: 0px 6px; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border: 0px;" title="Folder Redirection - Documents Redirected in Windows 7" src="http://4sysops.com/wp-content/uploads/2012/04/Folder-Redirection-Documents-Redirected-in-Windows-7_thumb.png" alt="Folder Redirection - Documents Redirected in Windows 7" width="604" height="448" border="0" /></a></p>
<p align="center"><em>Documents Redirected in Windows 7</em></p>
<p>In the GPMC, the Folder Redirection settings can be found in User Configuration &gt; Policies &gt; Windows Settings &gt; Folder Redirection. If you’re using the GPMC in Windows XP, you can redirect Application Data, Desktop, My Documents, and the Start Menu. In addition, folders in Windows XP that are inside the My Documents folder like My Music and My Pictures will follow My Documents when it is redirected.</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/04/GPMC-in-Windows-XP-Showing-Folder-Redirection.png"><img style="background-image: none; margin: 0px 6px; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border: 0px;" title="GPMC in Windows XP Showing Folder Redirection" src="http://4sysops.com/wp-content/uploads/2012/04/GPMC-in-Windows-XP-Showing-Folder-Redirection_thumb.png" alt="GPMC in Windows XP Showing Folder Redirection" width="604" height="340" border="0" /></a></p>
<p align="center"><em>GPMC in Windows XP Showing Folder Redirection</em></p>
<p>If you’re using the GPMC in either Windows 7 or Windows Server 2008 R2, you’ll see that the list of folders that can be redirected is much longer. AppData (Roaming), Desktop, Start Menu, Documents, Pictures, Music, Videos, Favorites, Contacts, Downloads, Links, Searches, and Saved Games can all be redirected in Vista, 7, Server 2008, and Server 2008 R2.</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/04/GPMC-in-Windows-7-Showing-Folder-Redirection.png"><img style="background-image: none; margin: 0px 6px; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border: 0px;" title="GPMC in Windows 7 Showing Folder Redirection" src="http://4sysops.com/wp-content/uploads/2012/04/GPMC-in-Windows-7-Showing-Folder-Redirection_thumb.png" alt="GPMC in Windows 7 Showing Folder Redirection" width="604" height="447" border="0" /></a></p>
<p align="center"><em>GPMC in Windows 7 Showing Folder Redirection</em></p>
<p>In the next post of this series I will explain how to <a href="http://4sysops.com/archives/folder-redirection-part-2-setting-up-your-file-server/">set up Folder Redirection</a>.</p>
Author: Kyle Beckman

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/folder-redirection-part-1-introduction/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<series:name><![CDATA[Folder Redirection]]></series:name>
	</item>
		<item>
		<title>Microsoft Desktop Optimization Pack (MDOP): Advanced Group Policy Management (AGPM)</title>
		<link>http://4sysops.com/archives/microsoft-desktop-optimization-pack-mdop-advanced-group-policy-management-agpm/</link>
		<comments>http://4sysops.com/archives/microsoft-desktop-optimization-pack-mdop-advanced-group-policy-management-agpm/#comments</comments>
		<pubDate>Fri, 13 Apr 2012 19:23:29 +0000</pubDate>
		<dc:creator>Joseph Moody</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[desktop management tools]]></category>
		<category><![CDATA[group policy]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=8391</guid>
		<description><![CDATA[This article, the fourth of seven in a series covering the <a href="http://4sysops.com/archives/microsoft-desktop-optimization-pack-mdop-overview/">Microsoft Desktop Optimization Pack (MDOP)</a>, will provide an explanation of Advanced Group Policy Management and a basic overview of configuration.]]></description>
			<content:encoded><![CDATA[<p><strong><i>This article, the fourth of seven in a series covering the <a href="http://4sysops.com/archives/microsoft-desktop-optimization-pack-mdop-overview/">Microsoft Desktop Optimization Pack (MDOP)</a>, will provide an explanation of Advanced Group Policy Management and a basic overview of configuration.</i></strong></p>
<p>In terms of desktop management, Group Policy is the cornerstone of a Windows administrator’s arsenal. With Group Policy, you can deploy software, printers and drive mappings. You can configure default settings and manage client behavior. But how do you manage Group Policy itself? The built-in mechanisms for managing Group Policy are simply inadequate for most organizations. Windows administrators have either complete access or no access at all, depending on whether they are members of the Group Policy Creator Owners security group. Further, Group Policy Object (GPO) management lacks change control, automated backups, and role-based delegation. Microsoft’s Advanced Group Policy Management (AGPM) addresses all of these issues.</p>
<p>AGPM consists of a server-side component and a client. The server component adds a Change Control node to the Group Policy Management Console (GPMC) on the AGPM server.</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/04/MDOP-AGMP-The-Change-Control-node-within-the-GPMC.png"><img style="margin: 0px 6px; display: inline;" title="MDOP AGMP - The Change Control node within the GPMC" src="http://4sysops.com/wp-content/uploads/2012/04/MDOP-AGMP-The-Change-Control-node-within-the-GPMC_thumb.png" alt="MDOP AGMP - The Change Control node within the GPMC" width="219" height="130" /></a></p>
<p align="center"><em>The Change Control node within the GPMC</em></p>
<p>When configuring the server side component, you will need to configure a Group Policy service account. This Active Directory account is placed in the Group Policy Creator Owners Security Group and acts as a middle-man between you and the GPOs. When your GPMC makes a request to edit a policy, the AGPM server checks to make sure your AD account has the correct permission to do so. Those changes are then made by the AGPM service account. These permissions are specified in the Domain Delegation tab within Change Control and are divided into four roles.</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/04/MDOP-AGMP-The-Domain-Delegation-tab-allows-for-the-granular-delegation-of-Group-Policy-Permiss.png"><img style="margin: 0px 6px; display: inline;" title="MDOP AGMP - The Domain Delegation tab allows for the granular delegation of Group Policy Permissions." src="http://4sysops.com/wp-content/uploads/2012/04/MDOP-AGMP-The-Domain-Delegation-tab-allows-for-the-granular-delegation-of-Group-Policy-Permiss1.png" alt="MDOP AGMP - The Domain Delegation tab allows for the granular delegation of Group Policy Permissions." width="600" height="216" /></a></p>
<p align="center"><em>The Domain Delegation tab allows for the granular delegation of Group Policy Permissions.</em></p>
<p>These roles are: Full Control, Approver, Editor, and Reviewer.</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/04/MDOP-AGMP-The-table-outlines-the-permissions-each-role-has.png"><img style="margin: 0px 6px; display: inline;" title="MDOP AGMP - The table outlines the permissions each role has" src="http://4sysops.com/wp-content/uploads/2012/04/MDOP-AGMP-The-table-outlines-the-permissions-each-role-has_thumb.png" alt="MDOP AGMP - The table outlines the permissions each role has" width="600" height="227" /></a></p>
<p align="center"><em>The table outlines the permissions each role has.</em></p>
<p>By separating GPO management into distinct roles, IT administrators can delegate permissions appropriately. For example, first-level support personnel would probably be granted the Reviewer role; second-tier support or Organizational Unit administrators would probably be given the Editor role, the Approver role, or both; and only a few trusted individuals would have Full Control. The approval request field (under the Domain Delegation tab) even allows automated requests to be sent to a group of approvers or administrators.</p>
<p>To make the GPMC easier to navigate, you can use the Production Delegation tab to give all helpdesk personnel Read permission. To ensure that Editors and Administrators cannot edit GPOs outside of the Change Control node, remove them from Group Policy Creator Owners and, on the Production Delegation tab, remove their ability to edit settings, delete, and modify security. Existing GPOs will need their Delegation permissions modified as well to ensure a consistent environment. To make this task easier, use the <a href="http://technet.microsoft.com/en-us/library/cc753453(v=WS.10).aspx">GrantPermissionOnAllGPOs script</a>, which is in the Group Policy script pack.</p>
<p>Once your GPOs have the correct Delegation permissions and your environment is set up according to the roles above, you can begin managing GPOs. One of the first tasks is to take control of existing GPOs. In Change Control, the Contents tab lists all GPOs that AGPM is aware of; by default, all of them are in the Uncontrolled node. To import a GPO (or multiple GPOs), highlight the object, right-click, and select Control. This moves the GPO to the Controlled node.</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/04/MDOP-AGMP-Importing-an-Uncontrolled-GPO.png"><img style="margin: 0px 6px; display: inline;" title="MDOP AGMP - Importing an Uncontrolled GPO" src="http://4sysops.com/wp-content/uploads/2012/04/MDOP-AGMP-Importing-an-Uncontrolled-GPO_thumb.png" alt="MDOP AGMP - Importing an Uncontrolled GPO" width="570" height="332" /></a></p>
<p align="center"><em>Importing an Uncontrolled GPO</em></p>
<p>Once a GPO is in the Controlled node, changes to it can be managed under proper change control. The process of deploying a GPO is:</p>
<h2>1. Creation</h2>
<ol type="a">
<li>To create a new GPO, right click on Change Control and select “New Controlled GPO” where you will be prompted for a name and to add a comment.</li>
<li>If you are using anything besides the default empty GPO template, select it now.</li>
</ol>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/04/MDOP-AGMP-The-New-Controlled-GPO-prompt-allows-for-the-creation-of-controlled-policies.png"><img style="margin: 0px 6px; display: inline;" title="MDOP AGMP - The New Controlled GPO prompt allows for the creation of controlled policies" src="http://4sysops.com/wp-content/uploads/2012/04/MDOP-AGMP-The-New-Controlled-GPO-prompt-allows-for-the-creation-of-controlled-policies_thumb.png" alt="MDOP AGMP - The New Controlled GPO prompt allows for the creation of controlled policies" width="419" height="343" /></a></p>
<p align="center"><em>The New Controlled GPO prompt allows for the creation of controlled policies.</em></p>
<h2>2. Checking-Out</h2>
<ol type="a">
<li>Before a policy is checked out, it is wise to import it from production. This ensures that any changes made to the live GPO in the past, such as linking to OUs, are kept when the GPO is deployed again.</li>
<li>This ensures that changes are documented and only one person is changing the policy at one time.</li>
<li>To check out a policy, right click the GPO and select Check Out.</li>
<li>An offline copy (with a name beginning with AGPM) is created for editing. You can view this GPO under the Group Policy Objects container.
<div align="center"><a href="http://4sysops.com/wp-content/uploads/2012/04/MDOP-AGMP-A-checked-out-GPO-under-Group-Policy-Objects.png"><img style="margin: 0px 6px; display: inline;" title="MDOP AGMP - A checked out GPO under Group Policy Objects" src="http://4sysops.com/wp-content/uploads/2012/04/MDOP-AGMP-A-checked-out-GPO-under-Group-Policy-Objects_thumb.png" alt="MDOP AGMP - A checked out GPO under Group Policy Objects" width="164" height="42" /></a></div>
<div align="center"><em>A checked out GPO under Group Policy Objects</em></div>
</li>
<li>If changes aren’t made, select Undo Check Out. This will delete the offline copy.</li>
</ol>
<h2>3. Applying security filtering/WMI filtering to the GPO</h2>
<ol type="a">
<li>If you need to make a WMI filtering change, you can select the GPO under Group Policy Objects and set the WMI filter.</li>
<li>Security Filtering Scope options should be modified by going to Action and then properties (within the Group Policy Management Editor).</li>
</ol>
<h2>4. Editing the GPO: This is the same process as without AGPM.</h2>
<h2>5. Checking-In</h2>
<ol type="a">
<li>After editing, check back in the policy to merge changes. To do so, right click on the policy and select Check in.</li>
<li>Checking in the policy allows reports to be run and lets another technician edit the GPO.</li>
</ol>
<h2>6. Request for Approval/Approval</h2>
<h2>7. Deployment</h2>
<p>The Advanced Group Policy Management console solves many of the problems IT administrators have with Group Policy such as tracking changes, automatically backing up/restoring GPOs, and granular delegation of GPO management. Although it does require additional effort in configuration, the results are well worth it!</p>
Author: Joseph Moody

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/microsoft-desktop-optimization-pack-mdop-advanced-group-policy-management-agpm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<series:name><![CDATA[MDOP]]></series:name>
	</item>
		<item>
		<title>AppLocker tutorial &#8211; Part 4: Deployment</title>
		<link>http://4sysops.com/archives/applocker-tutorial-part-4-deployment/</link>
		<comments>http://4sysops.com/archives/applocker-tutorial-part-4-deployment/#comments</comments>
		<pubDate>Wed, 22 Feb 2012 18:53:18 +0000</pubDate>
		<dc:creator>Kyle Beckman</dc:creator>
				<category><![CDATA[Tips]]></category>
		<category><![CDATA[group policy]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=8066</guid>
		<description><![CDATA[In the last installment of this <a href="http://4sysops.com/archives/applocker-tutorial-part-1-planning/">tutorial</a> I will give you some tips on how to deploy AppLocker.]]></description>
			<content:encoded><![CDATA[<p><strong><i>In the last installment of this <a href="http://4sysops.com/archives/applocker-tutorial-part-1-planning/">tutorial</a> I will give you some tips on how to deploy AppLocker.</i></strong></p>
<p>Now that you’ve established your rules, tested them in Audit mode, and also tested them in Enforce mode, you’re ready to start deploying AppLocker to all of your computers. In your GPO, go to Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; System Services and find the Application Identity Service. Double-click it, click the checkbox next to Define this policy setting, and set the startup mode to Automatic. This will change the Application Identity Service so that it starts automatically and will start the service at the next policy refresh.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Enable-Application-Identity-Service-in-GPMC.png"><img style="background-image: none; margin: 0px 6px; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border: 0px;" title="AppLocker - Enable Application Identity Service in GPMC" src="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Enable-Application-Identity-Service-in-GPMC_thumb.png" alt="AppLocker - Enable Application Identity Service in GPMC" width="604" height="361" border="0" /></a></p>
<p align="center"><em>AppLocker &#8211; Enable Application Identity Service in GPMC</em></p>
<p>I mentioned in a previous article that I like to keep my AppLocker settings in a separate GPO. There are two reasons I do it this way: First, if you need to disable AppLocker quickly, all you need to do is delete or disable the link without having to make changes to all of your new AppLocker rules.</p>
<p>The second reason is the Application Identity Service. I like to make sure that the setting that enables the Application Identity Service is in the same GPO as all of my AppLocker rules. This ensures that when the GPO link is removed, the next policy refresh sets the Application Identity Service startup back to Manual at the same time as it removes the AppLocker rules from the computer.</p>
<p>That’s it. You’re ready to start linking your new AppLocker GPO to computer OUs for deployment! Before you link the GPO, I highly recommend letting end users know about this change. You may be surprised by the number of users who have installed applications into non-standard locations, their profile, or USB drives.</p>
<h2>Publisher digital signatures</h2>
<p>Eventually, you’re going to be burned by a vendor’s digital signature. Some vendors are better than others about signing ALL of their executable files. Unfortunately, there’s no real way to handle that problem until you come across one that isn’t signed.</p>
<p>Some vendors use multiple certificates for signing their software. Citrix is a good example: They use one that has “Citrix Systems, Inc.” and another that has “Citrix Online.” The big difference between the two is that one is used by Citrix GoToMeeting and the other by the parent company.</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Citrix-Systems-Digital-Signature.png"><img style="background-image: none; margin: 0px 6px; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border: 0px;" title="AppLocker - Citrix Systems Digital Signature" src="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Citrix-Systems-Digital-Signature_thumb.png" alt="AppLocker - Citrix Systems Digital Signature" width="294" height="288" border="0" /></a><a href="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Citrix-Online-Go-To-Meeting.png"><img style="background-image: none; margin: 0px 6px; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border: 0px;" title="AppLocker - Citrix Online (Go To Meeting)" src="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Citrix-Online-Go-To-Meeting_thumb.png" alt="AppLocker - Citrix Online (Go To Meeting)" width="294" height="288" border="0" /></a></p>
<p align="center"><em>AppLocker &#8211; Citrix Systems Digital Signature | AppLocker &#8211; Citrix Online (Go To Meeting)</em></p>
<h2>Customize the block message (sort of)</h2>
<p>One of my complaints with AppLocker is the message that is shown to the end user. The biggest problem I have is the “contact your system administrator” part. It would be really nice if you could customize the text to say whatever you want. Unfortunately, you can’t. You can, however, add a link to a web site on this dialog box. To do so, in your GPO, go to Computer Configuration &gt; Policies &gt; Administrative Templates &gt; Windows Components &gt; Windows Explorer &gt; Set a support web page link. Set the policy to Enabled and enter your URL.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Support-Site-Policy.png"><img style="margin: 0px auto; display: block; float: none;" title="AppLocker - Support Site Policy" src="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Support-Site-Policy_thumb.png" alt="AppLocker - Support Site Policy" width="500" height="459" /></a></p>
<p align="center"><em>AppLocker &#8211; Support Site Policy</em></p>
<p>When a user has an application blocked, they’ll get the same error message, but will also be presented with a link they can visit to get more information.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Block-Message-with-Link.png"><img style="background-image: none; margin: 0px auto; padding-left: 0px; padding-right: 0px; display: block; float: none; padding-top: 0px; border: 0px;" title="AppLocker - Block Message with Link" src="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Block-Message-with-Link_thumb.png" alt="AppLocker - Block Message with Link" width="370" height="210" border="0" /></a></p>
<p align="center"><em>AppLocker &#8211; Block Message with Link</em></p>
<h2>Users with Admin Rights</h2>
<p>AppLocker rules still apply to users with Admin rights just like any other user. The big difference is that a user with Admin rights can circumvent AppLocker pretty easily. All an Admin would need to do is create a Path rule for the path * for ‘Everyone’ in the local policy, which is merged with the domain rules into the effective policy, and AppLocker is effectively disabled. On Windows 7 a local Admin can also simply stop the Application Identity service. If you’re still giving end users Admin rights, consider changing the practice.</p>
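<p>As an added example (not code from the original article), the following PowerShell audits a policy for exactly this kind of wildcard allow rule: every Path rule whose condition is a bare *, and the principal it is granted to. The default rule for BUILTIN\Administrators (S-1-5-32-544) is expected; anything else is a bypass. It assumes the AppLocker module and PowerShell 3.0 or later; the sample policy XML at the bottom is constructed for illustration and its rule GUIDs are placeholders.</p>

```powershell
# Added example, not code from the original article: list every AppLocker
# allow rule in a policy whose path condition is the bare wildcard "*", and
# show which principal it is granted to. Requires the AppLocker module and
# PowerShell 3.0 or later.
Import-Module AppLocker

function Get-AppLockerWildcardAllow {
    param(
        # Policy XML to inspect. Defaults to the machine's effective policy,
        # which is the merge of the local policy and all applied domain GPOs.
        [string]$PolicyXml = (Get-AppLockerPolicy -Effective -Xml)
    )
    [xml]$policy = $PolicyXml
    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        foreach ($rule in $collection.SelectNodes('FilePathRule')) {
            if ($rule.GetAttribute('Action') -ne 'Allow') { continue }
            foreach ($cond in $rule.SelectNodes('Conditions/FilePathCondition')) {
                # "*" alone matches every file on every drive; "%PROGRAMFILES%\*" does not.
                if ($cond.GetAttribute('Path') -ne '*') { continue }
                $sid     = $rule.GetAttribute('UserOrGroupSid')
                $account = $sid
                try {
                    $sidObj  = New-Object Security.Principal.SecurityIdentifier $sid
                    $account = $sidObj.Translate([Security.Principal.NTAccount]).Value
                } catch { }   # unresolvable SID (deleted group, no domain): keep the raw SID
                [pscustomobject]@{
                    Collection         = $collection.GetAttribute('Type')
                    EnforcementMode    = $collection.GetAttribute('EnforcementMode')
                    RuleName           = $rule.GetAttribute('Name')
                    GrantedTo          = $account
                    Sid                = $sid
                    IsDefaultAdminRule = ($sid -eq 'S-1-5-32-544')
                }
            }
        }
    }
}

# Constructed sample policy (not a real export; GUIDs are placeholders): the
# default admin rule, the default Program Files rule, and the kind of
# "Everyone, *" rule the text warns about.
$SamplePolicyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000003" Name="Temporary allow" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

# Offline run against the sample: two rows, the second one (Everyone) is the bypass.
Get-AppLockerWildcardAllow -PolicyXml $SamplePolicyXml | Format-Table -AutoSize

# On a real client, anything that is not the default admin rule deserves a ticket:
# Get-AppLockerWildcardAllow | Where-Object { -not $_.IsDefaultAdminRule }
```

<p>Run it with the effective policy on a few clients after a deployment, not just against the GPO: the effective policy is what the Application Identity service actually evaluates, and it includes whatever a local administrator added to the local policy.</p>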
<h2>UAC and default rules</h2>
<p>I know I’ve already mentioned this, but because of the problems it has caused for me, I feel the need to repeat it. Users with Admin rights are probably going to see deny messages if you only use the default rules. The default AppLocker rule that allows all executables for BUILTIN\Administrators only matches when a user with Admin rights is actually running elevated: with UAC enabled, the token an admin gets at logon is a filtered token in which the Administrators group is marked “deny only,” so the allow rule never applies to it. This means that any Admin needs to right-click and choose “Run as Administrator” whenever they depend on that rule. Where would this apply? Let’s say you download some kind of installer to C:\downloads. C:\downloads isn’t covered by the default rules for Program Files or Windows. If you double-click the executable as an Admin without elevating, you’ll get a deny message.</p>
<p>There are really only two ways around this. One is to make sure your people with Admin rights know they must run elevated when they need Admin rights. The other is to create a Path rule that uses * as the path and a Group that you specify. You can essentially duplicate the ‘All files’ rule for BUILTIN\Administrators and just change the group. Just be aware that this removes the AppLocker protections for that group entirely, so do it very sparingly and keep the group small.</p>
<p>I hope this <a title="series on AppLocker" href="http://4sysops.com/archives/applocker-tutorial-part-1-planning/">series on AppLocker</a> has been helpful to you!</p>
Author: Kyle Beckman
<br />
<small>Copyright &#169; 2006-2012, 4sysops, Digital fingerprint: 3db371642e7c3f4fe3ee9d5cf7666eb0</small><br />
	<br /><strong>Related</strong>
	<ul class="st-related-posts">
	<li><a href="http://4sysops.com/archives/folder-redirection-part-5-best-practices/" title="Folder Redirection &#8211; Part 5: Best practices (May 14, 2012)">Folder Redirection &#8211; Part 5: Best practices</a> (1)</li>
	<li><a href="http://4sysops.com/archives/folder-redirection-part-4-group-policy-configuration/" title="Folder Redirection &#8211; Part 4: Group Policy configuration (May 9, 2012)">Folder Redirection &#8211; Part 4: Group Policy configuration</a> (0)</li>
	<li><a href="http://4sysops.com/archives/folder-redirection-part-3-explanation-of-folder-permissions/" title="Folder Redirection &#8211; Part 3: Explanation of folder permissions (May 7, 2012)">Folder Redirection &#8211; Part 3: Explanation of folder permissions</a> (4)</li>
	<li><a href="http://4sysops.com/archives/folder-redirection-part-2-setting-up-your-file-server/" title="Folder Redirection &#8211; Part 2: Setting up your file server (May 2, 2012)">Folder Redirection &#8211; Part 2: Setting up your file server</a> (0)</li>
	<li><a href="http://4sysops.com/archives/folder-redirection-part-1-introduction/" title="Folder Redirection &#8211; Part 1: Introduction (April 30, 2012)">Folder Redirection &#8211; Part 1: Introduction</a> (0)</li>
</ul>

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/applocker-tutorial-part-4-deployment/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<series:name><![CDATA[Applocker tutorial]]></series:name>
	</item>
		<item>
		<title>AppLocker tutorial &#8211; Part 3: Testing</title>
		<link>http://4sysops.com/archives/applocker-tutorial-part-3-testing/</link>
		<comments>http://4sysops.com/archives/applocker-tutorial-part-3-testing/#comments</comments>
		<pubDate>Tue, 21 Feb 2012 18:20:17 +0000</pubDate>
		<dc:creator>Kyle Beckman</dc:creator>
				<category><![CDATA[Tips]]></category>
		<category><![CDATA[group policy]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=8035</guid>
		<description><![CDATA[At this point, you should have a list of AppLocker rules that you’re ready to test. Part 3 of this <a href="http://4sysops.com/archives/applocker-tutorial-part-1-planning/">AppLocker guide</a> shows you how.]]></description>
			<content:encoded><![CDATA[<p><strong><i>At this point, you should have a list of AppLocker rules that you’re ready to test. Part 3 of this <a href="http://4sysops.com/archives/applocker-tutorial-part-1-planning/">AppLocker guide</a> shows you how.</i></strong></p>
<p>Go back into your GPO and go to Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Application Control Policies &gt; AppLocker. Right-click on AppLocker and choose Properties. Check the box next to Configured for each area of AppLocker that you’ll be testing and change the pull-down to Audit only. This will log all of the rule results to the Event Log without actually blocking any applications.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Properties-Audit.png"><img style="margin: 0px auto; display: block; float: none;" title="AppLocker - Properties Audit" src="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Properties-Audit_thumb.png" alt="AppLocker - Properties Audit" width="300" height="445" /></a></p>
<p align="center"><em>AppLocker &#8211; Properties Audit</em></p>
<p>I like to keep my AppLocker rules in a dedicated GPO. If you’re setting up AppLocker the same way, you can now link your GPO to an OU for testing. At this point, I haven’t configured what to do with the Application Identity Service (AppIDSvc). When I tested initially, I applied the GPO to a few volunteers’ computers (with the rules in Audit mode), started AppIDSvc remotely by hand, and left its Startup type as Manual. I asked the users to let me know if they rebooted their computers so I could restart AppIDSvc. With the rules in Audit mode, nothing should be blocked, but why take chances? Should a user have problems with AppLocker, a reboot stops the service and with it AppLocker.</p>
<p>Now, you wait. After a few days, you can check the Event Log to see what would have been blocked. Microsoft has a dedicated area of the Event Log just for AppLocker that makes this easy. In the Event Viewer, go to Applications and Services Logs &gt; Microsoft &gt; Windows &gt; AppLocker and you should see “EXE and DLL” and “MSI and Script.” Skim through these logs and look for Warnings (event ID 8003 in EXE and DLL, 8006 in MSI and Script): these are the files AppLocker would have blocked if the rules were not in Audit mode. On my test system, you’ll see that the user ATL\testuser ran Google Chrome, which is installed in the user’s profile under AppData. Since I’m looking to block applications from users’ profiles, this is the expected behavior I’m looking for.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-AppLocker-Event-Log-Blocked-App.png"><img style="margin: 0px auto; display: block; float: none;" title="AppLocker - AppLocker Event Log Blocked App" src="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-AppLocker-Event-Log-Blocked-App_thumb.png" alt="AppLocker - AppLocker Event Log Blocked App" width="600" height="438" /></a></p>
<p align="center"><em>AppLocker &#8211; AppLocker Event Log blocked app</em></p>
<p>After you’ve gotten comfortable with your rules, you can move on to enforcing them. First off, I still haven’t set the Application Identity Service (AppIDSvc) settings anywhere in Group Policy. AppIDSvc is set to Manual and not running by default, and AppLocker rules are only evaluated while it runs. By starting the service manually on the client computer, the end user keeps the fallback of rebooting to disable AppLocker should the rules break something. Go back into the GPO and go to Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Application Control Policies, right-click on AppLocker, and choose Properties. Make sure Configured is still checked and change the pull-down to Enforce rules. Since we’re testing the policy, you can run a quick gpupdate on the client to refresh Group Policy.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-AppLocker-Enforce-Rules.png"><img style="margin: 0px auto; display: block; float: none;" title="AppLocker - AppLocker Enforce Rules" src="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-AppLocker-Enforce-Rules_thumb.png" alt="AppLocker - AppLocker Enforce Rules" width="300" height="445" /></a></p>
<p align="center"><em>AppLocker &#8211; AppLocker Enforce Rules</em></p>
<p>Once you’ve made sure that AppIDSvc is running and still set to Manual, you’re back to waiting. The good news is that now your customer is going to see the block messages in addition to the entry you’ll see in the Event Log. The end user will be told that, “This program is blocked by group policy. For more information, contact your system administrator.”</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-End-User-Message-for-Blocked-App.png"><img style="margin: 0px auto; display: block; float: none;" title="AppLocker - End User Message for Blocked App" src="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-End-User-Message-for-Blocked-App_thumb.png" alt="AppLocker - End User Message for Blocked App" width="572" height="139" /></a></p>
<p align="center"><em>AppLocker &#8211; End user message for blocked app</em></p>
<p>Back in the Event Viewer, you’ll see that the Warnings are now Errors (event IDs 8004 and 8007) because AppLocker is enforcing the rules.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Event-Viewer-Application-Blocked.png"><img style="margin: 0px auto; display: block; float: none;" title="AppLocker - Event Viewer Application Blocked" src="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Event-Viewer-Application-Blocked_thumb.png" alt="AppLocker - Event Viewer Application Blocked" width="600" height="363" /></a></p>
<p align="center"><em>AppLocker &#8211; Event Viewer application blocked</em></p>
<p>You should now be at the point where you have a pretty good idea of what works and what doesn’t work for your AppLocker rules. In the next, and final, part of this series, I’ll discuss the best way to <a title="enable the Application Identity Service" href="http://4sysops.com/archives/applocker-tutorial-part-4-deployment/">enable the Application Identity Service</a> for your computers and some of the common issues I’ve seen during an AppLocker implementation.</p>

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/applocker-tutorial-part-3-testing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<series:name><![CDATA[Applocker tutorial]]></series:name>
	</item>
		<item>
		<title>AppLocker tutorial &#8211; Part 2: Best practices</title>
		<link>http://4sysops.com/archives/applocker-tutorial-part-2-best-practices/</link>
		<comments>http://4sysops.com/archives/applocker-tutorial-part-2-best-practices/#comments</comments>
		<pubDate>Sat, 18 Feb 2012 12:15:40 +0000</pubDate>
		<dc:creator>Kyle Beckman</dc:creator>
				<category><![CDATA[Tips]]></category>
		<category><![CDATA[group policy]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=8024</guid>
		<description><![CDATA[In part 2 of this <a href="http://4sysops.com/archives/applocker-tutorial-part-1-planning/">tutorial</a> I discuss a few best practices that you should take into account when you prepare the final set of your AppLocker rules.]]></description>
			<content:encoded><![CDATA[<p><strong><i>In part 2 of this <a href="http://4sysops.com/archives/applocker-tutorial-part-1-planning/">tutorial</a> I discuss a few best practices that you should take into account when you prepare the final set of your AppLocker rules.</i></strong></p>
<p>By now, you should have a pretty long list of rules that have been generated by the GPMC. I would consider these rules as a starting point and not something you should use in production. If you’ve looked through the list, you’ll notice that there is a lot of redundancy. If you scanned the entire C:\ drive, you may also notice some things that you actually want to block with AppLocker. Here are some things I did to clean up my rules:</p>
<h2>Use the default rules</h2>
<p>If you’re going to use the default rules, you should be able to pare down some of the rules that were automatically generated. You don’t need 100+ rules for executables in the Windows or Program Files folder if you’re already allowing everything in those folders to execute.</p>
<h2>Use publisher digital signatures</h2>
<p>Most of the reputable software companies like Microsoft, Adobe, Citrix, Cisco, VMware, etc. do a relatively good job of digitally signing their executables. Several of them also tend to have their installers or updaters end up in temporary folders inside AppData, which will be blocked unless you include a Publisher rule. Instead of allowing Adobe Reader, Acrobat, Illustrator, Photoshop, InDesign, etc. individually, you can use a single Publisher rule that allows anything digitally signed by Adobe. Keep in mind what that scope means: such a rule also allows every other binary that carries the same signer, including old, unpatched versions. The Publisher rule dialog lets you narrow the rule to a product name, file name, and minimum file version (“and above”) when you need to be tighter.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Adobe-Publisher-Rule.png"><img style="margin: 0px auto; display: block; float: none;" title="AppLocker - Adobe Publisher Rule" src="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Adobe-Publisher-Rule_thumb.png" alt="AppLocker - Adobe Publisher Rule" width="446" height="437" /></a></p>
<p align="center"><em>AppLocker &#8211; Adobe Publisher Rule</em></p>
<h2>Specify file paths IT controls</h2>
<p>If you have file shares that are read-only to users and computers, controlled by IT, and used for network applications or software distribution, consider creating Path rules to allow those paths when the applications residing there aren’t digitally signed. A path rule is only as safe as the share’s write permissions, so check those first. This includes Sysvol! If you’re controlling scripts with AppLocker, Group Policy logon and startup scripts could be blocked if you haven’t created a rule allowing them to run.</p>
<h2>Keep hash rules to a minimum</h2>
<p>Hash rules can become a maintenance burden very quickly. They are the most precise rule type (the file has to match byte for byte), but that is also their biggest downside: you have to update them constantly. Every time an application update comes out, you’ll have to add the new hash and keep the previous one until you’ve patched all your machines. That gets time consuming fast.</p>
<h2>Use descriptive names for rules or use descriptions</h2>
<p>The default names that are created aren’t necessarily helpful at letting you know why the rule was created. If you have a Publisher rule named “Signed by O=Acme Software, Inc. , L=ATLANTA, S=GEORGIA, C=US,” you can’t really tell that the rule was created for software signed by Acme Software that is used by your Accounting department. There’s also a Description field if you need to include more detailed information like a reference back to a support ticket.</p>
<h2>Does ‘Everyone’ need to be able to run that app?</h2>
<p>I, like many other people, support several applications that don’t behave well in Program Files on Windows 7, but will run without major issues if you put them in a folder on the C:\ drive. Another pitfall of these applications for me is that they aren’t digitally signed, which forces me to use a Path or Hash rule. If you have applications like this, consider giving a Group the ability to run the application instead of ‘Everyone.’ If you use a Path rule, also make sure the folder isn’t writable by those users: a path rule trusts whatever is in the folder, so a user-writable allowed path is a hole in your whitelist. The same is true for software distribution shares and other resources used by IT; you don’t necessarily need to let ‘Everyone’ execute files from those locations.</p>
<h2>UAC matters</h2>
<p>Users with Admin rights are probably going to see deny messages. Microsoft has a <a href="http://technet.microsoft.com/en-us/library/ee460941%28WS.10%29.aspx">TechNet article</a> that explains the default rules that can be created for AppLocker. Unfortunately, it fails to explain that if you have UAC enabled, users with local Admin rights are going to see AppLocker deny messages. Why? The default AppLocker rule that allows all executables for BUILTIN\Administrators only matches when the user is actually running elevated. With UAC enabled, the token an admin gets at logon is a filtered token in which the Administrators group is marked “deny only,” so the allow rule never applies to it. This means that any Admin will need to right-click and choose “Run as Administrator” whenever they depend on that rule.</p>
<p>The way around this is to create a Path rule that uses * as the path and a Group that you specify. You can essentially duplicate the ‘All files’ rule for BUILTIN\Administrators and just change the group. Just be aware that this removes the AppLocker protections for that group entirely, so do it very sparingly and keep the group small.</p>
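<p>The UAC behavior described here and the same point in Part 4 come down to what is in the process token, and the scoped “All files” rule is a small piece of policy XML. The PowerShell below is an added example (not code from the original articles) that serves both passages: a check that shows whether the current session is elevated, and a function that builds the group-scoped allow-all rule and merges it into the local policy or a GPO. The group name ATL\AppLocker-Exempt and the LDAP path in the usage lines are placeholders. It assumes the AppLocker module and PowerShell 3.0 or later.</p>

```powershell
# Added example, not code from the original articles: (1) show why the default
# BUILTIN\Administrators rule does not fire for a non-elevated admin, and
# (2) build and merge the group-scoped replacement rule the text describes.
# Requires the AppLocker module and PowerShell 3.0 or later.
Import-Module AppLocker

function Test-AdminElevation {
    # Under UAC an admin's logon session runs with a filtered token: the
    # Administrators group is still listed, but with the "Group used for deny
    # only" attribute (visible in `whoami /groups`), so it can only make access
    # checks fail and never satisfies an AppLocker allow rule for S-1-5-32-544.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    [pscustomobject]@{
        User       = $identity.Name
        # True only inside an elevated process (Run as administrator).
        Elevated   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        # Elevated tokens are owned by Administrators, filtered ones by the user.
        TokenOwner = $identity.Owner.Translate([Security.Principal.NTAccount]).Value
    }
}

function New-GroupAllowAllPolicyXml {
    param(
        [Parameter(Mandatory)][string]$GroupName,   # 'DOMAIN\Group'
        [string]$CollectionType = 'Exe'             # Exe, Dll, Msi or Script
    )
    $account = New-Object Security.Principal.NTAccount $GroupName
    $sid     = $account.Translate([Security.Principal.SecurityIdentifier]).Value
    $id      = [guid]::NewGuid().ToString()
    # EnforcementMode="NotConfigured" so this fragment carries no enforcement
    # setting of its own; the existing mode is checked after the merge below.
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="$CollectionType" EnforcementMode="NotConfigured">
    <FilePathRule Id="$id" Name="All files for $GroupName" Description="Scoped copy of the default BUILTIN\Administrators rule. Members bypass AppLocker for this collection." UserOrGroupSid="$sid" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

function Add-GroupAllowAllRule {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string]$CollectionType = 'Exe',
        [string]$GpoLdapPath    # placeholder form: 'LDAP://CN={GUID},CN=Policies,CN=System,DC=atl,DC=example'
    )
    $tmp = Join-Path $env:TEMP ("applocker-{0}.xml" -f [guid]::NewGuid())
    New-GroupAllowAllPolicyXml -GroupName $GroupName -CollectionType $CollectionType |
        Set-Content -Path $tmp -Encoding UTF8
    try {
        # -Merge adds the rule to whatever is already there instead of replacing the policy.
        if ($GpoLdapPath) {
            Set-AppLockerPolicy -XmlPolicy $tmp -Ldap $GpoLdapPath -Merge
            $policyXml = Get-AppLockerPolicy -Domain -Ldap $GpoLdapPath -Xml
        } else {
            Set-AppLockerPolicy -XmlPolicy $tmp -Merge
            $policyXml = Get-AppLockerPolicy -Local -Xml
        }
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
    # Review step: every "*" allow now present in that collection, plus its enforcement mode.
    ([xml]$policyXml).AppLockerPolicy.RuleCollection |
        Where-Object { $_.GetAttribute('Type') -eq $CollectionType } |
        ForEach-Object {
            $mode = $_.GetAttribute('EnforcementMode')
            $_.SelectNodes('FilePathRule[Conditions/FilePathCondition/@Path="*"]') |
                Select-Object @{n='Collection';e={$CollectionType}}, @{n='Mode';e={$mode}},
                              @{n='Rule';e={$_.GetAttribute('Name')}}, @{n='Sid';e={$_.GetAttribute('UserOrGroupSid')}}
        }
}

# Usage:
# Test-AdminElevation                                    # Elevated = False in a plain admin session
# Add-GroupAllowAllRule -GroupName 'ATL\AppLocker-Exempt'
```

<p>Keep the exempt group separate from your administrators group: membership in it means AppLocker no longer applies to that account at all, and it should be reviewed on the same schedule as any other privileged group.</p>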
<p>You should now have what you need to generate a list of AppLocker rules that you can start testing. In my next article, we’ll cover <a title=" auditing your rules on a test computer" href="http://4sysops.com/archives/applocker-tutorial-part-3-testing/">auditing your rules on a test computer</a> to determine if your AppLocker rules are working the way you want them to and pushing the rules out to everyone.</p>

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/applocker-tutorial-part-2-best-practices/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<series:name><![CDATA[Applocker tutorial]]></series:name>
	</item>
		<item>
		<title>AppLocker tutorial &#8211; Part 1: Planning</title>
		<link>http://4sysops.com/archives/applocker-tutorial-part-1-planning/</link>
		<comments>http://4sysops.com/archives/applocker-tutorial-part-1-planning/#comments</comments>
		<pubDate>Fri, 17 Feb 2012 18:20:07 +0000</pubDate>
		<dc:creator>Kyle Beckman</dc:creator>
				<category><![CDATA[Tips]]></category>
		<category><![CDATA[group policy]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=8021</guid>
		<description><![CDATA[In this guide I will share the lessons I have learned during an AppLocker implementation. The tutorial covers the following topics: planning, best practices, testing and deployment.]]></description>
			<content:encoded><![CDATA[<p><strong><i>In this guide I will share the lessons I have learned during an AppLocker implementation. The tutorial covers the following topics: planning, best practices, testing and deployment.</i></strong></p>
<p>Like any good systems administrator, I always try to do my research before implementing a new technology. While researching AppLocker, I came across quite a bit of documentation from Microsoft, questions various people posted to message boards, but nothing that really gave me an idea of what I could actually expect during my implementation. Here are the things I’ve learned after a couple of AppLocker deployments that I hope will help you.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Group-Policy-Management-Editor.png"><img style="margin: 0px auto; display: block; float: none;" title="AppLocker - Group Policy Management Editor" src="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Group-Policy-Management-Editor_thumb.png" alt="AppLocker - Group Policy Management Editor" width="600" height="429" /></a></p>
<p align="center"><em>AppLocker &#8211; Group Policy Management Editor</em></p>
<h2>What is AppLocker?</h2>
<p>AppLocker is an application whitelisting and blacklisting feature built into Windows 7 (Enterprise and Ultimate editions) and Windows Server 2008 R2. It lets you write rules in Group Policy that determine which applications, scripts, and Windows Installer packages are allowed to run (and which ones aren’t); the rules are enforced on the client PC by the Application Identity Service (AppIDSvc). Michael’s done a great job of giving an <a href="http://4sysops.com/archives/review-windows-7-applocker-part-1-overview/">overview of AppLocker</a>.</p>
<h2>Prerequisites</h2>
<p>To implement AppLocker, you’re going to need a management station running Windows 7 or Windows Server 2008 R2 with the latest GPMC; AppLocker policies cannot be edited on earlier versions of Windows. You’ll also need Windows 7 Enterprise or Ultimate, or Windows Server 2008 R2, on any client system where you want AppLocker enforced (Windows 7 Professional can author rules but will not enforce them). If you’re using older versions of Windows, you’ll have to work with Software Restriction Policies, since the older OS ignores the AppLocker settings in a GPO.</p>
<h2>Planning</h2>
<p>First, you’re going to have to decide on what you would like to accomplish by implementing AppLocker. This is important because it will determine how you’re going to write your AppLocker rules. In my situation, I wanted to block malware from running in user profiles as well as preventing unauthorized software from being installed or run from USB media. There are two ways you can deploy your rules: Blacklisting and Whitelisting.</p>
<h2>Blacklisting</h2>
<p>Blacklisting in AppLocker lets you allow everything, but block specific applications, scripts, and Windows installers that you do not want to allow on your computers. (Microsoft recently published a <a href="http://www.microsoft.com/download/en/details.aspx?id=28372">whitepaper</a> on how Microsoft IT did this internally.) This method will most likely cause the fewest headaches if you know exactly what you want to block. The downside is that you’ll have to generate a list of what you want to block and keep the list up to date. This method is also easier to circumvent: a path-based deny is defeated by copying the file somewhere else, and a hash-based deny only matches the exact versions you listed.</p>
<h2>Whitelisting</h2>
<p>Whitelisting in AppLocker lets you deny everything except for specific applications, scripts, and Windows installers you want to allow. Anything that is not included in your list will be blocked. This method will require a lot more upfront work to make sure that you don’t accidentally block something, but in the long run will stop more unauthorized applications from running.</p>
<h2>Detective work</h2>
<p>Now that you’ve decided how you want to implement AppLocker, you need to identify the executables that you’ll need to allow or deny. (I’m probably going to use the term executable most often since my goal was to control applications. In most of what I’ll discuss, script or Windows Installer can be interchanged with the term executable.) Create a new GPO in the Group Policy Management Console and go to Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Application Control Policies &gt; AppLocker (see screenshot above).</p>
<p>Here, you can right-click on Executable Rules and choose Create Default Rules. This creates rules that allow Everyone to run files in the Program Files and Windows folders, plus a rule that allows members of the local Administrators group to run anything. Once a rule collection contains rules and is enforced, anything not matched by an allow rule is denied, and an explicit deny rule always wins over an allow rule. So if you’re planning on Blacklisting only, you’ll need an explicit rule that allows everything and then add your deny rules on top of it.</p>
<p>Next, you’ll need a computer that is running a typical software load for your organization and has the Remote Server Administration Tools installed. Run the GPMC and go back to the AppLocker settings in your new GPO. Right-click on Executable Rules and choose Automatically Generate Rules. By default, you’ll be prompted to scan Program Files. You may want to consider changing the path to C:\ to catch things that end up outside Program Files. Just be aware that if you do change it, you may end up with things in your initial set of rules that you actually want blocked.</p>
<p>The wizard will ask whether you want Hash or Path rules for executables that don’t have digital signatures. The answer really depends on your environment and how often those files will be updated. Just be aware that if you choose file hash, you’ll need to keep your rules updated after each application update, and if you choose path, the rule is only as strong as the write permissions on that folder.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Automatically-Generate-Executable-Rules.png"><img style="background-image: none; margin: 0px 6px; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border: 0px;" title="AppLocker - Automatically Generate Executable Rules" src="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Automatically-Generate-Executable-Rules_thumb.png" alt="AppLocker - Automatically Generate Executable Rules" width="294" height="228" border="0" /></a><a href="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Rule-Preference.png"><img style="background-image: none; margin: 0px 6px; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border: 0px;" title="AppLocker - Rule Preference" src="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Rule-Preference_thumb.png" alt="AppLocker - Rule Preference" width="294" height="227" border="0" /></a></p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Review-Rules.png"><img style="margin: 0px 6px; display: inline;" title="AppLocker - Review Rules" src="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Review-Rules_thumb.png" alt="AppLocker - Review Rules" width="290" height="223" /></a><a href="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Created-Rules.png"><img style="margin: 0px 6px; display: inline;" title="AppLocker - Created Rules" src="http://4sysops.com/wp-content/uploads/2012/02/AppLocker-Created-Rules_thumb.png" alt="AppLocker - Created Rules" width="290" height="174" /></a></p>
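<p>The wizard has a scripted equivalent, which is handy when you want to repeat the scan on several reference machines or keep the generated XML under version control. The PowerShell below is an added example (not code from the original article): it inventories the files under a directory, creates publisher rules for signed files and falls back to hash rules for the rest (the same Publisher-then-Hash preference the wizard asks about), saves the XML, and reports how many rules of each kind came out and which unsigned files forced hash rules. The output path and LDAP path in the usage lines are placeholders. It assumes the AppLocker module and PowerShell 3.0 or later.</p>

```powershell
# Added example, not code from the original article: scripted equivalent of
# the "Automatically Generate Rules" wizard, with a rule-count summary so you
# can see how much clean-up the generated starting point needs.
# Requires the AppLocker module and PowerShell 3.0 or later.
Import-Module AppLocker

function New-AppLockerStarterPolicy {
    param(
        [string]$Directory = $env:ProgramFiles,   # the wizard's default; use 'C:\' to catch strays
        [string]$User = 'Everyone',
        # Order is the preference order: publisher rule if signed, otherwise hash.
        [ValidateSet('Publisher', 'Hash', 'Path')][string[]]$RuleType = @('Publisher', 'Hash'),
        [Parameter(Mandatory)][string]$OutFile
    )
    # One pass over the files collects publisher, hash and path information.
    $info = Get-AppLockerFileInformation -Directory $Directory -Recurse -FileType Exe, Script, WindowsInstaller

    # -Optimize folds rules for the same publisher/product together;
    # -IgnoreMissingFileInformation skips files that yield neither a signature nor a hash.
    $xmlText = New-AppLockerPolicy -FileInformation $info -RuleType $RuleType -User $User `
                                   -RuleNamePrefix 'Auto' -Optimize -IgnoreMissingFileInformation -Xml
    $xmlText | Set-Content -Path $OutFile -Encoding UTF8

    [xml]$xml = $xmlText
    $ruleCounts = foreach ($c in $xml.AppLockerPolicy.RuleCollection) {
        [pscustomobject]@{
            Collection = $c.GetAttribute('Type')
            Publisher  = $c.SelectNodes('FilePublisherRule').Count
            Hash       = $c.SelectNodes('FileHashRule').Count
            Path       = $c.SelectNodes('FilePathRule').Count
        }
    }
    [pscustomobject]@{
        Policy        = $OutFile
        FilesScanned  = @($info).Count
        RuleCounts    = $ruleCounts
        # Unsigned files are the ones that will cost you hash-rule maintenance later.
        UnsignedFiles = @($info | Where-Object { -not $_.Publisher } | ForEach-Object { $_.Path })
    }
}

# Usage (paths are placeholders):
# $result = New-AppLockerStarterPolicy -Directory 'C:\' -OutFile 'C:\Temp\applocker-starter.xml'
# $result.RuleCounts | Format-Table -AutoSize
# $result.UnsignedFiles
# Import into a GPO for review once you have pared the rules down:
# Set-AppLockerPolicy -XmlPolicy 'C:\Temp\applocker-starter.xml' -Ldap 'LDAP://CN={GUID},CN=Policies,CN=System,DC=atl,DC=example'
```

<p>The UnsignedFiles list is worth reading before you go any further: every entry is either a hash rule you will have to maintain, a path you must make non-writable to users, or an application you should ask the vendor to sign.</p>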
<p>Between the default rules and the rules created automatically by the GPMC, you should have a good starting point for your AppLocker rules.<a href="http://4sysops.com/archives/applocker-tutorial-part-2-best-practices/"> In my next article</a>, I’ll discuss the rules that were created by the GPMC and strategies for paring them down into something more manageable.</p>

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/applocker-tutorial-part-1-planning/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<series:name><![CDATA[Applocker tutorial]]></series:name>
	</item>
		<item>
		<title>Troubleshooting Group Policy &#8211; Part 6: Common problems</title>
		<link>http://4sysops.com/archives/troubleshooting-group-policy-part-6-common-problems/</link>
		<comments>http://4sysops.com/archives/troubleshooting-group-policy-part-6-common-problems/#comments</comments>
		<pubDate>Mon, 06 Feb 2012 20:20:00 +0000</pubDate>
		<dc:creator>Kyle Beckman</dc:creator>
				<category><![CDATA[Tips]]></category>
		<category><![CDATA[group policy]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7950</guid>
		<description><![CDATA[In troubleshooting Group Policy issues over the years, I tend to see the same problems over and over. In the last part of this <a href="http://4sysops.com/archives/troubleshooting-group-policy-part-1-user-communication/">series</a> I will share some of those experiences.]]></description>
			<content:encoded><![CDATA[<p><strong><i>In troubleshooting Group Policy issues over the years, I tend to see the same problems over and over. In the last part of this <a href="http://4sysops.com/archives/troubleshooting-group-policy-part-1-user-communication/">series</a> I will share some of those experiences.</i></strong></p>
<h2>DNS</h2>
<p>Your DCs should point to each other (and to themselves) for DNS, and your clients should point to the DCs. If your clients are using other DNS servers, you’re going to have problems at some point. If you are, for some reason, required to use third-party DNS for external lookups, configure those servers as Forwarders on your DCs’ DNS servers instead of pointing clients or DCs at them directly.</p>
<h2>Just Say NO to top level policies</h2>
<p>The Default Domain Policy should be your only top level GPO unless you have a really good reason to add more. In addition, the Default Domain Policy should be edited very sparingly. Why? Anything you link at the top level applies to EVERYTHING in your Domain. Do you really want all of your servers and Admin accounts locked down with the same policies you give to everyday workstations and standard user accounts? Decide on an organizational structure for your OUs where you can link your GPOs instead of linking them at the top level.</p>
<h2>Group Policy doesn’t apply to Groups</h2>
<p>Despite the name, you can’t apply Group Policy to a Group directly. GPOs can only apply to users and computers. If you need a GPO to apply to a group of users or computers, change the Security Filtering for the GPO: give your group Read and Apply Group Policy, and take Apply Group Policy away from Authenticated Users. Leave Authenticated Users with Read, though. Removing the entry outright also removes the Read ACE, and since the MS16-072 update (June 2016) the computer account reads user GPOs, so a GPO that Authenticated Users can’t read quietly stops applying.</p>
<h2>Getting a multi-minute hang at logon?</h2>
<p>You’ve most likely got a logon script problem: a script waiting on an unreachable share, a mapped drive, or a prompt holds up the logon until it finishes or is killed at the Group Policy script timeout. That timeout is 600 seconds (10 minutes) by default and is set under Computer Configuration, Policies, Administrative Templates, System, Scripts, Specify maximum wait time for Group Policy scripts.</p>
<h2>Group Policy Preferences not applying in XP (or other older OS’es)?</h2>
<p>Is the CSE installed? Pre-Windows 7 OS’es will ignore Group Policy Preferences unless the <a href="http://www.microsoft.com/download/en/details.aspx?id=3628">Client Side Extensions</a> are installed.</p>
<h2>Enforced policies &amp; block inheritance</h2>
<p>If there are GPOs linked at a higher level that you don’t want to apply to an OU, you can use the Block Inheritance option on that OU to stop them. To counter this, a GPO link can be set as Enforced; an enforced link ignores Block Inheritance and is processed last, so its settings can’t be overridden by GPOs linked lower in the tree. If you can avoid both of these options, do so. They can cause major headaches when you try to work out why a setting is or isn’t applying.</p>
<h2>Is something disabled?</h2>
<p>This is something you’ll see in gpresult.exe output. When you right-click on a GPO link, the Link Enabled option should be checked. If it isn’t, the icon next to the GPO will be lighter than the other GPOs’. Also, make sure that the GPO Status in the Details tab of the GPO is set to Enabled rather than having user or computer settings disabled.</p>
<h2>Are you applying settings to the right OS version?</h2>
<p>If you’re running a mixed environment of XP, Vista, and 7 like just about everyone, make sure that the setting you’re trying to apply wasn’t intended for a different OS. When you’re editing a GPO, each setting has a “Supported on” area that tells you which operating systems honor it.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/02/Group-Policy-Supported-Windows-version.png"><img style="background-image: none; margin: 0px auto; padding-left: 0px; padding-right: 0px; display: block; float: none; padding-top: 0px; border: 0px;" title="Group Policy - Supported Windows version" src="http://4sysops.com/wp-content/uploads/2012/02/Group-Policy-Supported-Windows-version_thumb.png" alt="Group Policy - Supported Windows version" width="604" height="552" border="0" /></a></p>
<p align="center"><em>Group Policy &#8211; Supported Windows version</em></p>
<h2>Permissions</h2>
<p>This is also something that will show up in gpresult.exe output (seeing a trend here?). By default, the Security Filtering for a new GPO is set to Authenticated Users; that’s everybody, including Domain Users and Domain Computers. There’s no reason to change it unless you only want that GPO to apply to a subset of objects. You can add Deny ACEs in the Delegation tab, but I don’t usually recommend it: a Deny doesn’t show up in the Security Filtering list, so it is easy to forget it is there when you troubleshoot later.</p>
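<p>The scoping procedure from the “Group Policy doesn’t apply to Groups” section and the Deny-ACE check from this section, done from PowerShell. This is an added example, not code from the article; it needs the GroupPolicy RSAT module, and the GPO and group names in the usage lines are placeholders.</p>

```powershell
# Added example (not from the article): scope a GPO to one security group and audit the result.
# Requires the GroupPolicy RSAT module. GPO and group names used below are placeholders.
Import-Module GroupPolicy

function Set-GpoScopeToGroup {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )

    # Downgrade Authenticated Users from Read+Apply to Read only. -Replace swaps the existing
    # level instead of stacking a second one. Do NOT remove the Read ACE: the computer account
    # reads the GPO on the user's behalf (required since MS16-072), so a GPO that Authenticated
    # Users cannot read silently stops applying.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # Give the intended group Read + Apply Group Policy.
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Show the resulting ACL, the same view as the GPMC Delegation tab (Advanced).
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied, Inherited
}

function Test-GpoSecurityFiltering {
    # Audit every GPO for the two things that make security filtering hard to troubleshoot:
    # explicit Deny ACEs (invisible in the Security Filtering list) and a GPO nobody may apply.
    foreach ($gpo in Get-GPO -All) {
        $perms    = Get-GPPermission -Guid $gpo.Id -All
        $appliers = @($perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied })
        $denies   = @($perms | Where-Object { $_.Denied })

        $problem = ''
        if ($appliers.Count -eq 0)   { $problem = 'nobody has Apply' }
        elseif ($denies.Count -gt 0) { $problem = 'explicit Deny present' }

        [pscustomobject]@{
            GPO       = $gpo.DisplayName
            AppliesTo = ($appliers | ForEach-Object { $_.Trustee.Name }) -join ', '
            DenyACEs  = ($denies | ForEach-Object { "$($_.Trustee.Name):$($_.Permission)" }) -join ', '
            Problem   = $problem
        }
    }
}

# Usage (placeholder names):
# Set-GpoScopeToGroup -GpoName 'Sales Drive Maps' -GroupName 'GPO-Sales-DriveMaps'
# Test-GpoSecurityFiltering | Where-Object Problem | Format-Table -AutoSize
```

<p>Run the audit after any delegation change; a GPO with an empty AppliesTo column is one that gpresult will list as denied for everyone.</p>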
<h2>File/share permissions</h2>
<p>If you’re storing scripts outside of Sysvol, deploying software, mapping drives/printers, or using Folder Redirection, file and share permissions are your biggest enemies. Double, triple, and quadruple check them and they could still be wrong. If you’re having problems accessing a network resource, try connecting to it manually to see if you still can’t connect. The Event Log will also tell you if your user/computer can’t access the resource.</p>
<h2>Precedence</h2>
<p>The GPO linked closest to the object wins. If there is a top-level policy set by a Domain Admin and, 16 sub-OUs down, a conflicting policy set by a departmental Admin, the lower-linked policy wins unless the Enforced option has been checked on the higher link. When in doubt, go to the OU in the GPMC and check the Group Policy Inheritance tab; it lists the GPOs in the order they are processed, with precedence 1 applied last and winning any conflict.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/02/Group-Policy-Precedence.png"><img style="background-image: none; margin: 0px 6px; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border: 0px;" title="Group Policy - Precedence" src="http://4sysops.com/wp-content/uploads/2012/02/Group-Policy-Precedence_thumb.png" alt="Group Policy - Precedence" width="604" height="338" border="0" /></a></p>
<p align="center"><em>Group Policy Precedence </em></p>
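<p>The Group Policy Inheritance tab, the Enforced/Block Inheritance checks, and the “Is something disabled?” checks, gathered for one OU from PowerShell. This is an added example, not code from the article; it needs the GroupPolicy RSAT module, and the OU distinguished name in the usage lines is a placeholder.</p>

```powershell
# Added example (not from the article): precedence, enforced links, blocked inheritance and
# disabled links/GPOs for one OU. Requires the GroupPolicy RSAT module. The OU DN is a placeholder.
Import-Module GroupPolicy

function Get-GpoPrecedenceReport {
    param([Parameter(Mandatory)][string]$TargetDn)

    # InheritedGpoLinks is the whole chain (domain, parent OUs, this OU) in precedence order:
    # Order 1 is processed last and wins conflicts. Enforced links sort to the top regardless of
    # how high up they are linked. Site-linked GPOs are not part of this view.
    $links = (Get-GPInheritance -Target $TargetDn).InheritedGpoLinks

    foreach ($link in $links) {
        $gpo = Get-GPO -Guid $link.GpoId
        [pscustomobject]@{
            Precedence  = $link.Order
            GPO         = $link.DisplayName
            LinkedAt    = $link.Target
            LinkEnabled = $link.Enabled
            Enforced    = $link.Enforced
            # AllSettingsEnabled / UserSettingsDisabled / ComputerSettingsDisabled / AllSettingsDisabled
            GpoStatus   = $gpo.GpoStatus
        }
    }
}

function Find-GpoInheritanceBlocks {
    param([Parameter(Mandatory)][string]$TargetDn)

    # Walk from the OU up to the domain and report every container that blocks inheritance or
    # carries a disabled link. Both are easy to miss in the GPMC tree and both show up in gpresult.
    $dn = $TargetDn
    do {
        $level = Get-GPInheritance -Target $dn
        if ($level.GpoInheritanceBlocked) {
            Write-Warning "Block Inheritance is set on $dn"
        }
        foreach ($link in $level.GpoLinks) {
            if (-not $link.Enabled) {
                Write-Warning "Link to '$($link.DisplayName)' on $dn is disabled"
            }
        }
        $atDomain = $dn -match '^DC='
        $dn = $dn -replace '^[^,]+,', ''   # drop the leftmost RDN and move one level up
    } until ($atDomain)
}

# Usage (placeholder DN):
# $ou = 'OU=Workstations,OU=Sales,DC=corp,DC=example,DC=com'
# Get-GpoPrecedenceReport -TargetDn $ou | Format-Table -AutoSize
# Find-GpoInheritanceBlocks -TargetDn $ou
```

<p>Read the report bottom-up to see what a departmental link overrides, and top-down to see which enforced domain-level links nothing below can override.</p>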
<h2>Slow links</h2>
<p>I’ve seen a few networks where the clients would detect that they were on slow links even when they weren’t. Your gpresult.exe output shows whether the client thinks it is on a slow link. The default threshold is 500 kbps; if this is a continuing problem, you can disable slow link detection in Computer Configuration, Policies, Administrative Templates, System, Group Policy, Group Policy slow link detection, and set the connection speed to 0, which makes every connection count as fast.</p>
<h2>Loopback processing</h2>
<p>No user policies? Check to see if <a href="http://4sysops.com/archives/group-policy-loopback-processing-part-1-usage-scenarios/">Loopback processing</a> is set to Replace on a GPO that applies to the computer.</p>
<h2>Misplaced Objects</h2>
<p>Is the user or computer where they&#8217;re supposed to be? I helped someone troubleshoot a problem for three days only to discover that the user account was in the wrong OU. Moved the user, refreshed the policy, problem resolved.</p>
<h2>Apply policy to the correct object type</h2>
<p>Make sure that you’re applying user policies to users and computer policies to computers. Separating your users and computers into separate OUs makes this easier to keep track of.</p>
<h2>Folder Redirection oddities</h2>
<p>Folder Redirection can do some weird things if you don’t watch your settings. If you’re migrating to a new server name and moving all of the files yourself, make sure that you disable the option to move the users’ files to the new location. If not, you’re going to wind up with some angry users with missing files.</p>
<p>If the move option is disabled in Windows 7, the old folders will still be left behind even if a user logs in to the computer for the first time. You’ll either need to delete those folders or change the option to move the contents of the folder.</p>
<p>If you’re redirecting the My Documents folder, make sure that you mind the naming convention that the GPMC uses. If your file server is still using the old “My Documents,” the GPMC may try to change that to just “Documents.”</p>
Author: Kyle Beckman

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/troubleshooting-group-policy-part-6-common-problems/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Troubleshooting Group Policy &#8211; Part 5: Active Directory problems</title>
		<link>http://4sysops.com/archives/troubleshooting-group-policy-part-5-active-directory-problems/</link>
		<comments>http://4sysops.com/archives/troubleshooting-group-policy-part-5-active-directory-problems/#comments</comments>
		<pubDate>Fri, 03 Feb 2012 18:25:11 +0000</pubDate>
		<dc:creator>Kyle Beckman</dc:creator>
				<category><![CDATA[Tips]]></category>
		<category><![CDATA[group policy]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7943</guid>
		<description><![CDATA[Of course, Group Policy relies on Active Directory. Part 5 in our <a href="https://4sysops.com/archives/troubleshooting-group-policy-part-1-user-communication/">Group Policy troubleshooting series</a> covers typical Active Directory problems that prevent Group Policy from working properly.]]></description>
			<content:encoded><![CDATA[<p><strong><i>Of course, Group Policy relies on Active Directory. Part 5 in our <a href="https://4sysops.com/archives/troubleshooting-group-policy-part-1-user-communication/">Group Policy troubleshooting series</a> covers typical Active Directory problems that prevent Group Policy from working properly.</i></strong></p>
<h2>DNS</h2>
<p>If you’ve gotten to the point where it looks like Active Directory (AD) is the problem, you’re most likely looking at some kind of replication issue. By far, the most common cause of AD replication problems (short of failed DCs) is DNS. Are you using AD integrated DNS? Are your DCs pointing to each other for DNS? Are the firewalls between each DC open on the correct ports?</p>
<h2>Event Log</h2>
<p>So the obvious place to look first is the Event Log. If you’re having replication problems, you’ll have errors in the Event Log, most likely a lot of them. Take a look here first for anything actionable.</p>
<h2>GPOTool</h2>
<p>GPOTool.exe is a handy utility that Microsoft ships inside the <a href="http://www.microsoft.com/download/en/details.aspx?id=24745">Microsoft Product Support Reports suite</a> of utilities. It is buried a bit: after the package extracts itself but before the tools install, <a href="http://www.verboon.info/index.php/2011/07/get-the-latest-version-of-the-gpotool-exe/">GPOTool.exe</a> can be found in your computer’s %TEMP% folder.</p>
<p>Running GPOTool.exe from one of your DCs without any switches will run through all of your GPOs and verify that your Group Policy Templates and Containers are synced and consistent across all of the DCs. You can also use the /gpo option if you just want to check one specific GPO.</p>
<p align="center"><em><a href="http://4sysops.com/wp-content/uploads/2012/02/GPOTool.png"><img style="background-image: none; margin: 0px auto; padding-left: 0px; padding-right: 0px; display: block; float: none; padding-top: 0px; border: 0px;" title="GPOTool" src="http://4sysops.com/wp-content/uploads/2012/02/GPOTool_thumb.png" alt="GPOTool" width="604" height="388" border="0" /></a></em></p>
<p align="center"><em>GPOTool</em></p>
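<p>What GPOTool checks, as an added PowerShell example (not the article’s code and not GPOTool itself): for every GPO on every DC, compare the version stamped in AD (the GPC) with the version in SYSVOL (the GPT), then compare each DC’s view with the PDC emulator’s. It assumes the GroupPolicy and ActiveDirectory RSAT modules and read access to every DC.</p>

```powershell
# Added example (not from the article, not GPOTool): a GPOTool-style GPC/GPT consistency check.
# Requires the GroupPolicy and ActiveDirectory RSAT modules and read access to every DC.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-GpoConsistency {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
    $dcs = Get-ADDomainController -Filter * -Server $Domain | Select-Object -ExpandProperty HostName

    # Reference copy: the GPMC edits on the PDC emulator by default, so it holds the newest changes.
    $reference = @{}
    Get-GPO -All -Domain $Domain -Server $pdc | ForEach-Object { $reference[$_.Id] = $_ }

    function New-Finding($Dc, $Gpo, $Problem, $Detail) {
        [pscustomobject]@{ DC = $Dc; GPO = $Gpo; Problem = $Problem; Detail = $Detail }
    }

    foreach ($dc in $dcs) {
        $seen = @{}
        foreach ($gpo in Get-GPO -All -Domain $Domain -Server $dc) {
            $seen[$gpo.Id] = $true

            # 1. On this DC, does the AD version match GPT.INI in SYSVOL? A mismatch here is what
            #    GPOTool reports as a version error: AD replicated but FRS/DFSR did not, or vice versa.
            if ($gpo.Computer.DSVersion -ne $gpo.Computer.SysvolVersion -or
                $gpo.User.DSVersion     -ne $gpo.User.SysvolVersion) {
                New-Finding $dc $gpo.DisplayName 'AD/SYSVOL version mismatch' `
                    ('computer AD={0} SYSVOL={1}; user AD={2} SYSVOL={3}' -f
                        $gpo.Computer.DSVersion, $gpo.Computer.SysvolVersion,
                        $gpo.User.DSVersion, $gpo.User.SysvolVersion)
            }

            # 2. Does this DC agree with the PDC emulator? (AD replication lag or failure.)
            $ref = $reference[$gpo.Id]
            if (-not $ref) {
                New-Finding $dc $gpo.DisplayName 'GPO exists here but not on PDC emulator' $gpo.Id
            } elseif ($ref.Computer.DSVersion -ne $gpo.Computer.DSVersion -or
                      $ref.User.DSVersion     -ne $gpo.User.DSVersion) {
                New-Finding $dc $gpo.DisplayName 'AD version differs from PDC emulator' `
                    ('here computer={0}/user={1}; PDC computer={2}/user={3}' -f
                        $gpo.Computer.DSVersion, $gpo.User.DSVersion,
                        $ref.Computer.DSVersion, $ref.User.DSVersion)
            }
        }

        # 3. Anything the PDC emulator has that this DC has not received at all?
        foreach ($id in $reference.Keys) {
            if (-not $seen.ContainsKey($id)) {
                New-Finding $dc $reference[$id].DisplayName 'GPO missing on this DC' $id
            }
        }
    }
}

# Usage: no output means every DC agrees with itself and with the PDC emulator.
# Test-GpoConsistency | Format-Table -AutoSize
```

<p>A mismatch that appears on one DC only points at that DC’s SYSVOL replication; the same mismatch on every DC points at a half-finished edit or a GPT.INI somebody touched by hand.</p>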
<h2>Sysvol Replication</h2>
<p>Are you still using FRS for Sysvol replication? Move to <a href="http://blogs.technet.com/b/askds/archive/2009/05/01/sysvol-migration-from-frs-to-dfsr-whitepaper-released.aspx">DFSR</a>.</p>
<p>If you’re stuck on FRS, Microsoft has a great tool for troubleshooting FRS replication issues called <a href="http://www.microsoft.com/download/en/details.aspx?DisplayLang=en&amp;id=3660">Ultrasound</a>.</p>
<p>If you’ve moved on to DFSR, you can run diagnostics by running the DFS Management snap-in, go to Replication, Domain System Volume, right-click and choose Create Diagnostic Report. Choose Health Report and you can stick mostly to the defaults. On the Options tab, make sure to change your Reference Member to the PDC Emulator (or the machine you typically connect to for editing Group Policy).</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/02/DFS-Diag.png"><img style="background-image: none; margin: 0px 6px; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border-width: 0px;" title="DFS Diag" src="http://4sysops.com/wp-content/uploads/2012/02/DFS-Diag_thumb.png" alt="DFS Diag" width="604" height="410" border="0" /></a></p>
<p align="center"><em>DFS Diag</em></p>
<p>As you can see, my one DC isn’t having replication problems (thank goodness!). If it were, you would get errors or warnings in the report that you could use to track down the root cause of the problem.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/02/DFS-Diag-Report.png"><img style="background-image: none; margin: 0px 6px; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border-width: 0px;" title="DFS Diag Report" src="http://4sysops.com/wp-content/uploads/2012/02/DFS-Diag-Report_thumb.png" alt="DFS Diag Report" width="604" height="434" border="0" /></a></p>
<p align="center"><em>DFS Diag Report</em></p>
<p>In the last post of this series I will cover a few common problems.</p>
Author: Kyle Beckman

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/troubleshooting-group-policy-part-5-active-directory-problems/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<series:name><![CDATA[Troubleshooting Group Policy]]></series:name>
	</item>
		<item>
		<title>Troubleshooting Group Policy &#8211; Part 4: Client problems</title>
		<link>http://4sysops.com/archives/troubleshooting-group-policy-part-4-client-problems/</link>
		<comments>http://4sysops.com/archives/troubleshooting-group-policy-part-4-client-problems/#comments</comments>
		<pubDate>Thu, 02 Feb 2012 18:55:52 +0000</pubDate>
		<dc:creator>Kyle Beckman</dc:creator>
				<category><![CDATA[Tips]]></category>
		<category><![CDATA[group policy]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7935</guid>
		<description><![CDATA[Client issues are often the cause of Group Policy problems. In part 4 of this <a href="http://4sysops.com/archives/troubleshooting-group-policy-part-1-user-communication/">series</a>, I will discuss tools such as gpupdate and gpresult which help you tackle these problems.]]></description>
			<content:encoded><![CDATA[<p><strong><i>Client issues are often the cause of Group Policy problems. In part 4 of this <a href="http://4sysops.com/archives/troubleshooting-group-policy-part-1-user-communication/">series</a>, I will discuss tools such as gpupdate and gpresult which help you tackle these problems.</i></strong></p>
<h2>When all else fails, reboot!</h2>
<p>There are a few changes in Group Policy that require a reboot for the computer or a logoff/logon for the user. If you have clients that go long periods without rebooting or users that just lock their computers at the end of the day, this could be why some policies aren’t updating. If you’re deploying software to computers, using Folder Redirection, or have startup/shutdown scripts, you’ll need your computers to restart occasionally. The same goes for logon/logoff scripts, if you’re relying on scripts in your policy for changes, users will need to actually log out on occasion to get changes. If you can, time your policy changes that require a reboot with Patch Tuesday since the computers will, most likely, reboot to apply patches.</p>
<h2>Wait… or run gpupdate</h2>
<p>Group Policy refreshes every 90 minutes with a randomized offset of up to 30 minutes (domain controllers refresh every 5 minutes). If you change a policy right now, it could be as much as 2 hours before all of your clients get the policy, and longer still if Sysvol replication to a DC on the other side of a slow connection takes a while. If you made the change an hour ago and clients aren’t getting the setting, that’s completely normal. On the client, you can run gpupdate.exe to pull changes that have been made to Group Policy. Running gpupdate.exe /force ignores the version-number optimization and reapplies all of the Group Policy settings whether or not a GPO changed. Or, you can just keep on waiting until all of your computers complete their regular refresh.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/02/gpupdate.png"><img style="background-image: none; margin: 0px 6px; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border-width: 0px;" title="gpupdate" src="http://4sysops.com/wp-content/uploads/2012/02/gpupdate_thumb.png" alt="gpupdate" width="604" height="301" border="0" /></a></p>
<p align="center"><em>gpupdate</em></p>
<p>Group Policy should refresh on its own without you having to manually run gpupdate.exe on every computer. Running the command manually is a great way for testing or to make sure a user/computer gets the change immediately, but shouldn’t be a necessity on every system. If gpupdate.exe hangs or generates an error, you may need to move on to the Event Log.</p>
<h2>Gpresult</h2>
<p>Gpresult.exe is a <s>great</s> invaluable tool for troubleshooting Group Policy that has been improved in Windows 7 and Windows Server 2008 R2. The output of gpresult.exe contains a wealth of information like what GPOs are applying to the computer/user, if the GPO was filtered, if the GPO is empty, whether or not the computer is on a slow link, security group memberships, OS version, site name, roaming and local profile locations, which DC the policy was retrieved from, and much more. Basically, gpresult.exe takes the RSoP data and turns it into something that a human being can actually read.</p>
<p>If you’re running the latest and greatest, you can run <strong>gpresult.exe /h nameofyourreport.html </strong>and get a pretty HTML report about what GPO’s are applying to the current user that looks just like the Setting tab in the GPMC. You may notice that the Computer area will be blank. Run the same command with an Elevated Command Prompt to see the Computer Area.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/02/gpresult.exe-HTML-output.png"><img style="background-image: none; margin: 0px auto; padding-left: 0px; padding-right: 0px; display: block; float: none; padding-top: 0px; border-width: 0px;" title="gpresult.exe HTML output" src="http://4sysops.com/wp-content/uploads/2012/02/gpresult.exe-HTML-output_thumb.png" alt="gpresult.exe HTML output" width="604" height="504" border="0" /></a></p>
<p align="center"><em>gpresult HTML output</em></p>
<p>If you don’t want pretty reports or want the output as text, you can run gpresult.exe with different options to get the output in text. The /r option will give you a pretty limited report that includes everything except the actual settings that are being applied. Personally, I like the verbose output with the /v option. By default, the output will be shown in the Command Prompt window. You can run <strong>gpresult.exe /v &gt;&gt; verbose_output.txt</strong> to save the output into a text file. If you want total information overload, /z provides “super-verbose” information.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/02/gpresult.exe-text-output.png"><img style="background-image: none; margin: 0px auto; padding-left: 0px; padding-right: 0px; display: block; float: none; padding-top: 0px; border-width: 0px;" title="gpresult.exe text output" src="http://4sysops.com/wp-content/uploads/2012/02/gpresult.exe-text-output_thumb.png" alt="gpresult.exe text output" width="604" height="410" border="0" /></a></p>
<p align="center"><em>gpresult verbose text output</em></p>
<h2>Resultant Set of Policy (Logging)</h2>
<p>Resultant Set of Policy (Logging) is available in the GPMC by right-clicking on a user or computer object, click All Tasks, and click Resultant Set of Policy (Logging). I personally prefer running gpresult.exe on the client side. RSoP Logging requires that the management station that you’re using have the ability to communicate with the remote computer which isn’t always available in every environment. Even if I don’t have physical access to or the ability to remote control the computer, I can have the end user email me the output of gpresult.exe for troubleshooting. I’ve even known people to stick a script on the computer that the user just has to click on to get the output without any pesky command line typing. RSoP Logging also gives the same output as RSoP planning, so it can be a little hard to look at. The output of gpresult.exe is much easier to look at and search.</p>
<h2>Next steps</h2>
<p>So now you know you have a problem and you have enough information to hopefully track it down. First, did the GPO apply? And if it didn’t, was it denied? You can get some of this from the Event Log, but it is usually easier to check your gpresult.exe output since both pieces of information should be there. If it didn’t apply or got denied, check the Event Log for more information about why. The number of possible causes you’ll see there is too great to discuss here, but you should get something good enough to search for online to resolve the problem. The typical causes are things like Security Filtering, a link that isn’t enabled, a GPO Status with user or computer settings disabled, and issues with <a href="http://4sysops.com/archives/how-to-scope-group-policy-with-wmi-filters/">WMI filtering</a>.</p>
<p>If the GPO did apply, but you’re missing settings, try a gpupdate.exe just to see if the client hasn’t refreshed. You’ll also want to refer to the gpresult.exe output here too. You may have a system on a slow link, a setting that isn’t applicable to the current OS, another setting taking precedence, loopback processing that is disabling the setting, or client side extension (usually Group Policy Preferences or third-party products) problems. If the output from gpresult.exe doesn’t tell you where the problem is, the Event Log should.</p>
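<p>The “did it apply, and if not, why not” pass from the gpresult and Next steps sections, scripted. This is an added example, not code from the article: it runs gpresult.exe /x, reads the XML it writes, and pulls the matching Error/Warning events from the Group Policy Operational log. The element names it reads (Name, Enabled, IsValid, FilterAllowed, AccessDenied, SlowLink, Site) are the ones gpresult /x emits in its report; check them against your own file if a field comes back empty. Run it from an elevated prompt so the computer scope is included; the output path is a placeholder.</p>

```powershell
# Added example (not from the article): triage gpresult's XML output and the Group Policy
# Operational log. Element names follow the XML that gpresult.exe /x writes; the path is a placeholder.
function Get-GpoTriage {
    param([string]$XmlPath = (Join-Path $env:TEMP 'rsop.xml'))

    # /x writes the RSoP data as XML (same data as the /h HTML report); /f overwrites an existing file.
    & gpresult.exe /x $XmlPath /f | Out-Null
    [xml]$rsop = Get-Content -Path $XmlPath -Raw

    foreach ($scope in 'ComputerResults', 'UserResults') {
        $r = $rsop.Rsop.$scope
        # ComputerResults is absent when not elevated; UserResults is absent when run as SYSTEM.
        if (-not $r) { Write-Warning "$scope missing from report (not elevated?)"; continue }

        foreach ($gpo in @($r.GPO)) {
            $why = @()
            if ($gpo.AccessDenied  -eq 'true')  { $why += 'security filtering denied it' }
            if ($gpo.FilterAllowed -eq 'false') { $why += 'WMI filter rejected it' }
            if ($gpo.Enabled       -eq 'false') { $why += 'GPO or link disabled' }
            if ($gpo.IsValid       -eq 'false') { $why += 'GPC/GPT inconsistent (check replication)' }

            [pscustomobject]@{
                Scope    = $scope
                Site     = $r.Site
                SlowLink = ($r.SlowLink -eq 'true')
                GPO      = $gpo.Name
                Applied  = ($why.Count -eq 0)
                Reason   = ($why -join '; ')
            }
        }
    }
}

function Get-GpoRecentEvents {
    # The Group Policy Operational log carries the detail behind a denied or failed GPO.
    param([int]$Hours = 24)
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        Level     = 2, 3        # 2 = Error, 3 = Warning
        StartTime = (Get-Date).AddHours(-$Hours)
    } | Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Usage:
# Get-GpoTriage | Where-Object { -not $_.Applied } | Format-Table -AutoSize
# Get-GpoRecentEvents | Format-Table -Wrap
```

<p>Wrap the two calls in a script a user can double-click and e-mail you the output of, as the RSoP section suggests; a SlowLink of True in the first table is worth checking before anything else, since it changes which client-side extensions run at all.</p>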
<p>In the next post I will discuss <a href="http://4sysops.com/archives/troubleshooting-group-policy-part-5-active-directory-problems/">Group Policy Active Directory problems</a>.</p>
Author: Kyle Beckman

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/troubleshooting-group-policy-part-4-client-problems/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<series:name><![CDATA[Troubleshooting Group Policy]]></series:name>
	</item>
		<item>
		<title>Troubleshooting Group Policy &#8211; Part 3: Group Policy not applied?</title>
		<link>http://4sysops.com/archives/troubleshooting-group-policy-part-3-group-policy-not-applied/</link>
		<comments>http://4sysops.com/archives/troubleshooting-group-policy-part-3-group-policy-not-applied/#comments</comments>
		<pubDate>Wed, 01 Feb 2012 19:20:42 +0000</pubDate>
		<dc:creator>Kyle Beckman</dc:creator>
				<category><![CDATA[Tips]]></category>
		<category><![CDATA[group policy]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7927</guid>
		<description><![CDATA[Group Policy settings are not applied? In this third part of our <a href="https://4sysops.com/archives/troubleshooting-group-policy-part-1-user-communication/">Group Policy troubleshooting series</a> you will learn how to identify the source of the problem.]]></description>
			<content:encoded><![CDATA[<p><strong><i>Group Policy settings are not applied? In this third part of our <a href="https://4sysops.com/archives/troubleshooting-group-policy-part-1-user-communication/">Group Policy troubleshooting series</a> you will learn how to identify the source of the problem.</i></strong></p>
<p>So you’ve got computers or users with Group Policy problems. Where do you start? Troubleshooting any problem is usually a process of elimination. A lot of people want to run directly to the Event Log of the computer having the problem. Before jumping on the first computer where Group Policy is not applied, I suggest asking a few questions first so you can eliminate possible causes. A little detective work up front can make tracking down the actual problem much easier and may save you some time digging through logs.</p>
<h2>Is this a local system or a remote (probably VPN-connected) system?</h2>
<p>Some policies behave differently depending on whether a user/computer is connected directly to the LAN or remotely over a slower connection. For a remote user, the computer may have identified the connection as a slow link and may be skipping some client-side extensions. Additionally, settings like Folder Redirection, software installation, and startup/logon scripts are only processed in the foreground (at startup or logon), not during the background refresh, so they need access to the DCs and file servers at that moment. If the user connects to the VPN only after logging on, those settings never get a chance to process; you may need to recommend that they connect to the VPN prior to logging into AD so their policy can process.</p>
<h2>Were any changes made to Group Policy recently?</h2>
<p>So this is probably the biggest no-brainer of all of the questions. If someone made a change, does the reported problem match the change that was made? Was the change tested before it was rolled out to everyone?</p>
<h2>Are there other cases where Group Policy is not applied?</h2>
<p>If the issue is isolated to one person or one computer, you may be looking at an individual client issue. Do you have some users/computers getting the policy and others that aren’t? You may be looking at clients that haven’t refreshed yet, or possibly even an AD issue.</p>
<h2>If it is a subset, is there something unique about them?</h2>
<p>Do any of the users/computers have anything in common that may relate to the problem they are having? Are all of the users/computers located at a specific AD Site? Are all of the computers running the same OS? Are all of the computers on the same subnet? Are they in the same building? Are all the users assigned to the same file server?</p>
<h2>Does the user have Admin rights?</h2>
<p>I haven’t seen it a lot, but a user with Admin rights can cause problems for Group Policy processing. Did the user change the assigned DNS servers? If you can’t get to the DCs, you can’t process Group Policy. Did the user go into the Registry Editor and make changes to any of the Registry keys related to Group Policy? Did the user make changes to the local firewall? Has the user installed any other kind of application that could be interfering with Group Policy?</p>
<h2>Is the computer having hardware problems?</h2>
<p>A bad stick of memory or a failing hard drive can play all sorts of tricks on a computer. I can’t say I’ve personally seen Group Policy processing issues because of hardware problems, but I have had someone try to blame a problem on Group Policy that ended up being a bad stick of memory.</p>
<h2>Can you replicate the problem?</h2>
<p>If someone else logs into the computer, do they have the same issue? If the user logs into another computer, does that person still have the same problem? If you drop a test user or test computer into the same OU and refresh the policy, are the Group Policy settings applied correctly?</p>
<h2>Are there any outages known to IT?</h2>
<p>This is another no-brainer. If you’re having replication issues between your DCs that you or someone else is trying to resolve, it makes no sense to spend time troubleshooting Group Policy problems until the replication issues are resolved. If there are network issues that are disabling clients&#8217; access to DCs, those network issues need to be resolved first.</p>
<h2>Have IT infrastructure changes been made recently?</h2>
<p>Was a file or print server replaced? Were any DCs upgraded or replaced recently? Has any network hardware like switches or firewalls been replaced/upgraded recently? All of these can potentially cause issues with Group Policy processing.</p>
<p>At this point, you are hopefully armed with enough information to help you track down the source of the problem if Group Policy settings were not applied. In my upcoming articles, I’ll discuss what you can do on the client and server side to track down and resolve your problem.</p>
<p>In my next post I will cover <a href="http://4sysops.com/archives/troubleshooting-group-policy-part-4-client-problems/">Group Policy problems that are related to client issues</a>.</p>
Author: Kyle Beckman
<br />
<small>Copyright &#169; 2006-2012, 4sysops, Digital fingerprint: 3db371642e7c3f4fe3ee9d5cf7666eb0</small><br />
	<br /><strong>Related</strong>
	<ul class="st-related-posts">
	<li><a href="http://4sysops.com/archives/folder-redirection-part-5-best-practices/" title="Folder Redirection &#8211; Part 5: Best practices (May 14, 2012)">Folder Redirection &#8211; Part 5: Best practices</a> (1)</li>
	<li><a href="http://4sysops.com/archives/folder-redirection-part-4-group-policy-configuration/" title="Folder Redirection &#8211; Part 4: Group Policy configuration (May 9, 2012)">Folder Redirection &#8211; Part 4: Group Policy configuration</a> (0)</li>
	<li><a href="http://4sysops.com/archives/folder-redirection-part-3-explanation-of-folder-permissions/" title="Folder Redirection &#8211; Part 3: Explanation of folder permissions (May 7, 2012)">Folder Redirection &#8211; Part 3: Explanation of folder permissions</a> (4)</li>
	<li><a href="http://4sysops.com/archives/folder-redirection-part-2-setting-up-your-file-server/" title="Folder Redirection &#8211; Part 2: Setting up your file server (May 2, 2012)">Folder Redirection &#8211; Part 2: Setting up your file server</a> (0)</li>
	<li><a href="http://4sysops.com/archives/folder-redirection-part-1-introduction/" title="Folder Redirection &#8211; Part 1: Introduction (April 30, 2012)">Folder Redirection &#8211; Part 1: Introduction</a> (0)</li>
</ul>

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/troubleshooting-group-policy-part-3-group-policy-not-applied/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<series:name><![CDATA[Troubleshooting Group Policy]]></series:name>
	</item>
		<item>
		<title>Troubleshooting Group Policy &#8211; Part 2: Test and deploy</title>
		<link>http://4sysops.com/archives/troubleshooting-group-policy-part-2-test-and-deploy/</link>
		<comments>http://4sysops.com/archives/troubleshooting-group-policy-part-2-test-and-deploy/#comments</comments>
		<pubDate>Tue, 31 Jan 2012 20:05:34 +0000</pubDate>
		<dc:creator>Kyle Beckman</dc:creator>
				<category><![CDATA[Tips]]></category>
		<category><![CDATA[group policy]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7923</guid>
		<description><![CDATA[You test your Group Policy changes before you push them out, right? This second part of <a href="http://4sysops.com/archives/troubleshooting-group-policy-part-1-user-communication/">six</a> shows you how you can test Group Policy settings before you deploy them.]]></description>
			<content:encoded><![CDATA[<p><strong><i>You test your Group Policy changes before you push them out, right? This second part of <a href="http://4sysops.com/archives/troubleshooting-group-policy-part-1-user-communication/">six</a> shows you how you can test Group Policy settings before you deploy them.</i></strong></p>
<p>I can’t stress enough how important it is to test out your new Group Policy settings before you start pushing them out to end users. How do you know they will work correctly in the real world if you haven’t tested them in a controlled lab setting first?</p>
<h2>Creating a Group Policy test environment</h2>
<p>In larger environments, IT departments may have a Test Active Directory Forest just for testing things like Group Policy. Unless you’re applying Group Policy to thousands or tens of thousands of computers, that may be overkill for your organization. Here’s what I typically do to test:</p>
<p>In my Active Directory (AD) organization, I like to keep a “Test” Organizational Unit (OU) that mimics a typical OU for a department. In that OU, I keep the same sub-OU layout, a few test user accounts, and test computers (usually virtual machines) where I can put any of my test Group Policy before I make it available to end users.</p>
<p>Within the Group Policy Management Console (GPMC), it is very easy to make copies of Group Policy Objects (GPOs): go to the Group Policy Objects container, right-click the GPO, choose Copy, then right-click again and choose Paste. I usually make a copy of the original GPO, include “TEST” in the name, and link it inside of my Test OU. This gives me an OU where I can make changes to my policy without causing problems for existing users or computers.</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/01/Test-Group-Policy-GPMC-with-Test-GPOs1.png"><img title="Test Group Policy - GPMC with Test GPOs" src="http://4sysops.com/wp-content/uploads/2012/01/Test-Group-Policy-GPMC-with-Test-GPOs_thumb1.png" alt="Test Group Policy - GPMC with Test GPOs" width="604" height="448" /></a></p>
<p align="center"><em>GPMC with Test GPOs</em></p>
<p>Should I use physical computers for testing Group Policy or virtual machines? Personally, I prefer to test with VMs. Why? If you mess up and lock down a computer to the point that it becomes unusable, you may have to re-image the computer. With a VM, you can rely on snapshots to go back in time without having to spend time or effort fixing the problem. Just be aware that if you decide to use Microsoft Virtual PC, the Undo Disks functionality is limited to rolling back to the last state of the VM. If you’re running Hyper-V, that is typically my choice for VM testing. If not, you can either spend the money for <a href="http://www.vmware.com/products/workstation/">VMware Workstation</a> or get <a href="http://www.virtualbox.org/">VirtualBox</a> for free.</p>
<h2>Test real world scenarios</h2>
<p>When you test your new policies, ensure that you’re also testing against computers and/or users that had the old policies applied and that have been in use by real people. In a lab setup, operating systems tend to be cleanly applied images that have never been used. User accounts, and the files and settings those accounts have access to, are pristine and haven’t been customized or changed. Some user policies can be affected by previous settings in the user’s profile. The biggest place where this happens is Folder Redirection. You’ll want to make sure that the settings that you’re changing take both new logons and existing logons into consideration. A good way to do this is to have some users that can test your changes when you’re almost ready to roll them out to everyone.</p>
<h2>Stage changes</h2>
<p>Depending on the change you’re making, you may not want to roll it out to every user or computer at the same time. For major changes, I usually like to drop a few user and/or computer objects into the Test OU and allow those objects to run for a few days. In addition to being a good way to test how the change works in the real world, it gives me the chance to see if anything is going to break or cause problems for end users before the change is rolled out to everyone. It is much easier to deal with a few unhappy customers that are having problems than a lot!</p>
<h2>“Dog food” your Group Policy</h2>
<p>As an IT department, I highly recommend “eating your own dog food.” From a Group Policy perspective, that means that you should have the same GPOs applied to your day-to-day user account and computer that all of the other users in the organization are getting. It should also mean that new policies get applied to you first. The quickest way to see how a Group Policy change will impact end users is to use it yourself every day. How do you know that a particular script makes logons slow if it doesn’t apply to you every day? How do you know that the screensaver timeout is too low unless you’re constantly having to log back in because you have the setting, too? How do you know that disabling certain settings hampers a user’s ability to work unless you have to deal with the same issue?</p>
<h2>Resultant Set of Policy (Planning)</h2>
<p>I’m mentioning the RSoP in Planning mode last because I personally have never gotten much usage out of it. In Active Directory Users and Computers, you can right-click on a User or Computer object, click All Tasks, and click Resultant Set of Policy (Planning) to see how policies will apply to users and computers. RSoP Planning will let you pick a user and computer and then select options like Site, slow network, Loopback mode, group memberships, and WMI filters to see what policies will be applied to a user and computer.</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/01/Test-Group-Policy-RSoP-Wizard1.png"><img title="Test Group Policy - RSoP Wizard" src="http://4sysops.com/wp-content/uploads/2012/01/Test-Group-Policy-RSoP-Wizard_thumb1.png" alt="Test Group Policy - RSoP Wizard" width="528" height="457" /></a></p>
<p align="center"><em>RSoP Planning Wizard</em></p>
<p>The problem? The output that you’re given makes it very hard to see the results of your policies. You’ll have to manually dig through everything. It is probably quicker to have a VM, drop it into your Test OU, and just test out the policies yourself to see if you’re getting the results you want. The gpresult.exe tool (which we’ll get to in a later article) gives results that are much easier to read.</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/01/Test-Group-Policy-RSoP-Planning-Results1.png"><img title="Test Group Policy - RSoP Planning Results" src="http://4sysops.com/wp-content/uploads/2012/01/Test-Group-Policy-RSoP-Planning-Results_thumb1.png" alt="Test Group Policy - RSoP Planning Results" width="604" height="417" /></a></p>
<p align="center"><em>RSoP Planning Results</em></p>
<p>In the next part of this series I will outline how you can identify a Group Policy problem.</p>
Author: Kyle Beckman

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/troubleshooting-group-policy-part-2-test-and-deploy/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<series:name><![CDATA[Troubleshooting Group Policy]]></series:name>
	</item>
		<item>
		<title>Troubleshooting Group Policy &#8211; Part 1: User communication</title>
		<link>http://4sysops.com/archives/troubleshooting-group-policy-part-1-user-communication/</link>
		<comments>http://4sysops.com/archives/troubleshooting-group-policy-part-1-user-communication/#comments</comments>
		<pubDate>Mon, 30 Jan 2012 18:25:45 +0000</pubDate>
		<dc:creator>Kyle Beckman</dc:creator>
				<category><![CDATA[Tips]]></category>
		<category><![CDATA[group policy]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7905</guid>
		<description><![CDATA[In this series of six parts, I will show you how to prevent and solve Group Policy problems. In this first part, I will outline why communication with your users is important.]]></description>
			<content:encoded><![CDATA[<p><strong><i>In this series of six parts, I will show you how to prevent and solve Group Policy problems. In this first part, I will outline why communication with your users is important.</i></strong></p>
<p>Group Policy is a great tool that can make your life a lot easier as a systems administrator. But, what do you do when computers or users aren’t getting the correct policies? In this series, we’ll take a look at things you can do to prevent problems, common problems people have with Group Policy, and steps you can take to troubleshoot misbehaving Group Policy.</p>
<p>“An ounce of prevention is worth a pound of cure.” &#8212; Benjamin Franklin. Those words definitely ring true for deploying new Group Policy settings. There are a number of things you can do before deploying changes that may cost you some time up front, but will definitely save you time and grief down the road.</p>
<h2>Know your customer</h2>
<p>How well do you know the business processes of the group that will be getting your Group Policy changes? If you’re planning on implementing Group Policy for the first time or making significant changes, these changes can potentially have ramifications on the business operations of the group that will be receiving the policy.</p>
<p>Take <a href="http://4sysops.com/archives/set-the-default-forced-screen-saver-in-group-policy-logon-scr-in-windows-7/">screensaver settings</a> for example. Turning on the screensaver and locking the computer after 15 minutes may be perfectly reasonable in an office setting, but could cause major problems on a warehouse or factory floor where employees need to constantly see something on a screen, but don’t necessarily interact with the keyboard or mouse. On the other hand, 15 minutes could be way too high for a computer in a public location like a reception or customer service desk where someone could potentially walk in off the street and start using a computer that has been idle for a few minutes.</p>
<p>Engage your customer and find out how their department operates. Do they have software they use that no other department uses that could be affected by what you do? Are there things their employees are doing on their computers that they want stopped like setting personal wallpapers? Are the settings that you’re planning to implement going to cause problems for their business operations? Asking a few questions up front can potentially prevent things from breaking because of the unforeseen consequences of changes.</p>
<h2>Communicating changes</h2>
<p>If you’re making a change that is going to be noticed by your customers, you may need to prepare them for that. I helped someone roll out a company logo wallpaper and screensaver to around a hundred computers over a weekend. The change had been requested by the owner of the company to standardize their computers. Unfortunately, the change wasn’t communicated to the employees. On Monday morning, things were crazy for the lone IT person. Numerous employees logged support requests and several even complained to the company owner about the change. Ultimately, the policy change was left in place; but, a quick email from the owner about the change before it was made would have eliminated a lot of confusion from the employees and support requests to IT.</p>
<p>Even if the change isn’t necessarily going to be noticed by the typical user, you still need to let someone know that a change is taking place. Most Group Policy changes are fairly silent when they occur; the average user probably won’t know that something has been changed even if they are having problems. Having a few insiders in the office that are aware of the change can be very helpful once end users start encountering problems and may give you the opportunity to tweak the policy before the problem spreads to other users.</p>
<p>In my next post I will give some tips on how to <a href="http://4sysops.com/archives/troubleshooting-group-policy-part-2-test-and-deploy/">test Group Policy deployments</a>.</p>
Author: Kyle Beckman

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/troubleshooting-group-policy-part-1-user-communication/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<series:name><![CDATA[Troubleshooting Group Policy]]></series:name>
	</item>
		<item>
		<title>How to scope Group Policy with WMI filters</title>
		<link>http://4sysops.com/archives/how-to-scope-group-policy-with-wmi-filters/</link>
		<comments>http://4sysops.com/archives/how-to-scope-group-policy-with-wmi-filters/#comments</comments>
		<pubDate>Fri, 27 Jan 2012 18:40:08 +0000</pubDate>
		<dc:creator>Timothy Warner</dc:creator>
				<category><![CDATA[Tips]]></category>
		<category><![CDATA[group policy]]></category>
		<category><![CDATA[wmi]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7903</guid>
		<description><![CDATA[In this article you will learn how to create Group Policy Objects (GPOs) by leveraging the power of Windows Management Instrumentation (WMI).]]></description>
			<content:encoded><![CDATA[<p><strong><i>In this article you will learn how to create Group Policy Objects (GPOs) by leveraging the power of Windows Management Instrumentation (WMI).</i></strong></p>
<p>The traditional method for scoping Group Policy Objects (GPOs) in Windows Server 2008 Active Directory is to perform the following actions:</p>
<ul>
<li>Ensure that the GPO is <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/aa374339(v=vs.85).aspx">linked</a> to the appropriate Active Directory object (for instance, site, domain, OU)</li>
<li>Use <a href="http://www.windowsnetworking.com/articles_tutorials/group-policy-security-filtering.html">security filtering</a> to ensure that the GPO affects only specified user and/or computer accounts</li>
</ul>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/01/Security-filtering-a-GPO.png"><img title="Security filtering a GPO" src="http://4sysops.com/wp-content/uploads/2012/01/Security-filtering-a-GPO_thumb.png" alt="Security filtering a GPO" width="492" height="336" /></a></p>
<p align="center"><em>Security filtering a GPO</em></p>
<p>What many Windows systems administrators do not know (or may not want to know due to the learning curve involved) is that we can also use <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/aa394582(v=vs.85).aspx">Windows Management Instrumentation (WMI)</a> filtering to dynamically scope <a href="http://technet.microsoft.com/en-us/windowsserver/bb310732">Group Policy</a>.</p>
<p>WMI is extremely powerful in GPO application because we can target systems based upon hardware and software attributes such as CPU architecture, operating system, free disk space, BIOS version, and so forth.</p>
<p>It should be noted that because your WMI filters are parsed during every Group Policy refresh, WMI filters in GPOs are best reserved for time-limited scenarios to avoid undue performance impact on your domain controllers.</p>
<p>For instance, you may want to deploy a GPO with a WMI filter that scopes the policy for Windows 7 clients that have a particular hotfix applied in order to undo the installation. After your machines have ingested and processed the GPO, you can simply unlink the WMI filter or disable the GPO entirely.</p>
<h2>Creating a WMI filter</h2>
<p>To build your first WMI filter, fire up the Group Policy Management Console and expand your domain to expose the <strong>WMI Filters</strong> container. Next, right-click <strong>WMI Filters</strong> and select <strong>New</strong> from the shortcut menu.</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/01/Group-Policy-Creating-a-New-WMI-Filter.png"><img title="Group Policy - Creating a New WMI Filter" src="http://4sysops.com/wp-content/uploads/2012/01/Group-Policy-Creating-a-New-WMI-Filter_thumb.png" alt="Group Policy - Creating a New WMI Filter" width="362" height="350" /></a></p>
<p align="center"><em>Creating a New WMI Filter</em></p>
<p>In the <strong>New WMI Filter</strong> dialog box, add a name and (optionally) a description for your new WMI filter. Next, we can build the actual <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/aa394606(v=vs.85).aspx">WMI Query Language (WQL)</a> query by clicking <strong>Add</strong>.</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/01/New-WMI-Filter.png"><img title="New WMI Filter" src="http://4sysops.com/wp-content/uploads/2012/01/New-WMI-Filter_thumb.png" alt="New WMI Filter" width="491" height="356" /></a></p>
<p align="center"><em>New WMI filter</em></p>
<p>WMI filters consist of two components: (a) the WMI namespace; and (b) the WQL query. The vast majority of Windows systems administration-related WMI classes are contained within the <strong>root\CIMv2</strong> namespace.</p>
<p>If you have used the <a href="http://www.w3schools.com/sql/default.asp">Structured Query Language (SQL)</a> before, then you will be instantly comfortable with the basic syntax of the WQL language. If not, then you have a bit of a learning curve in front of you.</p>
<p>Please check out the following links for some useful assistance in writing WQL:</p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc779036%28WS.10%29.aspx">WMI Filtering using GPMC</a></li>
<li><a href="http://www.microsoft.com/download/en/details.aspx?DisplayLang=en&amp;id=12028">Scriptomatic 2.0 Utility</a></li>
<li><a href="http://www.microsoft.com/download/en/details.aspx?DisplayLang=en&amp;id=24045">WMI Administrative Tools</a></li>
</ul>
<p>In the following example screenshot, my WQL query targets domain systems that run Windows XP Professional.</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/01/A-WQL-query.png"><img title="A WQL query" src="http://4sysops.com/wp-content/uploads/2012/01/A-WQL-query_thumb.png" alt="A WQL query" width="406" height="289" /></a></p>
<p align="center"><em>A WQL query</em></p>
<p>Note that a single WMI filter can consist of more than one WQL query statement. Once you’ve saved your work, your new filter(s) will appear in the <strong>WMI Filters</strong> node in Group Policy Management Console.</p>
<p><strong>NOTE</strong>: Active Directory replication ensures that both your WMI filters as well as your GPOs are available on all domain controllers.</p>
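<p>A way to try candidate filters on a test client before linking them, as an added example that is not code from the article or from the GPO Guy utility: this PowerShell snippet runs each WQL query of a filter through Get-WmiObject and reports whether the filter would evaluate to True. The filter names and queries are constructed for the example; where a filter carries several queries, every query must return at least one instance for the filter to pass.</p>

```powershell
# Added example, not code from the 4sysops article: evaluate candidate WMI
# filters on a test client the way the Group Policy client does. A query counts
# as True when it returns at least one instance; a filter with several queries
# is True only when every query is True. Names and queries are constructed here.
$Filters = @(
    @{
        Name      = 'Windows XP Professional'
        Namespace = 'root\CIMv2'
        Queries   = @("SELECT * FROM Win32_OperatingSystem WHERE Caption LIKE '%Windows XP Professional%'")
    },
    @{
        Name      = '64-bit Windows with at least 10 GB free on C:'
        Namespace = 'root\CIMv2'
        Queries   = @(
            "SELECT * FROM Win32_OperatingSystem WHERE OSArchitecture = '64-bit'",
            "SELECT * FROM Win32_LogicalDisk WHERE DeviceID = 'C:' AND FreeSpace > 10737418240"
        )
    }
)

function Test-WmiFilter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string]   $Namespace,
        [Parameter(Mandatory)] [string[]] $Queries,
        [string] $ComputerName = $env:COMPUTERNAME
    )

    $applies = $true
    $details = foreach ($q in $Queries) {
        try {
            # -ErrorAction Stop turns a bad class name or WQL syntax error into a catchable error
            $rows = @(Get-WmiObject -Namespace $Namespace -Query $q `
                                    -ComputerName $ComputerName -ErrorAction Stop)
            $ok = $rows.Count -gt 0
            if (-not $ok) { $applies = $false }
            [pscustomobject]@{ Query = $q; Rows = $rows.Count; Passed = $ok; Error = $null }
        }
        catch {
            # Report a failing query on its own so a typo is not mistaken for "does not match"
            $applies = $false
            [pscustomobject]@{ Query = $q; Rows = 0; Passed = $false; Error = $_.Exception.Message }
        }
    }

    [pscustomobject]@{
        Filter   = $Name
        Computer = $ComputerName
        Applies  = $applies
        Details  = $details
    }
}

# Evaluate every candidate filter against this test client and print a summary
foreach ($f in $Filters) {
    $result = Test-WmiFilter -Name $f.Name -Namespace $f.Namespace -Queries $f.Queries
    Write-Host ("{0,-50} applies: {1}" -f $result.Filter, $result.Applies)
    foreach ($d in $result.Details) {
        if ($d.Error) {
            Write-Host ("    ERROR  {0}`n           {1}" -f $d.Query, $d.Error)
        }
        else {
            $state = if ($d.Passed) { 'PASS' } else { 'FAIL' }
            Write-Host ("    {0,-6} {1} rows  {2}" -f $state, $d.Rows, $d.Query)
        }
    }
}
```

Pass -ComputerName to Test-WmiFilter to evaluate the same filters against a remote test client, which needs WMI access over the network to that machine.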
<h2>Linking a WMI filter to a GPO</h2>
<p>To link a WMI filter to a GPO using the GPMC, view the properties of the target GPO. Next, open the WMI Filtering drop-down list, which is now populated with any previously created WMI filters. Select the appropriate filter from the list—once you propagate the GPO to your domain, you are finished!</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/01/Linking-a-WMI-filter-to-a-GPO.png"><img title="Linking a WMI filter to a GPO" src="http://4sysops.com/wp-content/uploads/2012/01/Linking-a-WMI-filter-to-a-GPO_thumb.png" alt="Linking a WMI filter to a GPO" width="571" height="125" /></a></p>
<p align="center"><em>Linking a WMI filter to a GPO</em></p>
<p>You are probably familiar with the old carpenter’s aphorism “Measure twice, cut once.” This truism is especially relevant for us Windows systems administrators with respect to Group Policy application.</p>
<p>We are faced with the frightening question: How can we know in advance if our WMI filter works? Well, to that end I would like to point you to a nifty free utility by the GPO Guy called the <a href="http://www.gpoguy.com/FreeTools/FreeToolsLibrary/tabid/67/agentType/View/PropertyID/93/Default.aspx">WMI Filter Validation Utility</a>.</p>
<p>The way this tool works is simple: we first have it analyze our GPO infrastructure and report metadata concerning any linked and unlinked WMI filters. This interface is shown in the next screen capture.</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/01/The-WMI-Filter-Validator.png"><img title="The WMI Filter Validator" src="http://4sysops.com/wp-content/uploads/2012/01/The-WMI-Filter-Validator_thumb.png" alt="The WMI Filter Validator" width="600" height="454" /></a></p>
<p align="center"><em>The WMI Filter Validator</em></p>
<p>We can then test a WMI filter by right-clicking its entry in the tool’s interface and selecting Validate from the shortcut menu. This launches a wizard whereby we can target a specific domain member computer.</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2012/01/Validating-a-WMI-filter.png"><img title="Validating a WMI filter" src="http://4sysops.com/wp-content/uploads/2012/01/Validating-a-WMI-filter_thumb.png" alt="Validating a WMI filter" width="496" height="388" /></a></p>
<p align="center"><em>Validating a WMI filter</em></p>
<p>We must remember that a WMI filter is essentially a Boolean True/False test that Active Directory uses to determine whether to apply a given GPO to a given computer. The WMI Filter Validation Utility works wonderfully to test this equation in advance.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/01/WMI-validation-results.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2012/01/WMI-validation-results.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="WMI validation results" src="http://4sysops.com/wp-content/uploads/2012/01/WMI-validation-results_thumb.png" alt="WMI validation results" width="306" height="154" /></a></p>
<p align="center"><em>WMI validation results</em></p>
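<p>The validator's True/False verdict can be reproduced from PowerShell, which is handy when the tool is not to hand. The script below is an added example, not part of the article or of the GPO Guy's utility: it runs each WQL query of a filter against a target computer and reports the GPO as applicable only when every query returns at least one object, which is how a multi-query WMI filter is evaluated. The filter definition and the computer name <code>WKS01</code> are constructed placeholders.</p>

```powershell
# Added example: evaluate a WMI filter's queries against a computer the way
# the Group Policy engine does. A filter holds one or more WQL queries, each
# with its own namespace, and is TRUE only when EVERY query returns a result.
function Test-WmiFilter {
    [CmdletBinding()]
    param(
        # One entry per query in the filter: @{ Namespace = 'root\CIMv2'; Query = 'SELECT ...' }
        [Parameter(Mandatory = $true)] [hashtable[]] $Queries,
        [string] $ComputerName = $env:COMPUTERNAME
    )

    $applies = $true
    $details = foreach ($q in $Queries) {
        try {
            $objects = @(Get-WmiObject -ComputerName $ComputerName -Namespace $q.Namespace -Query $q.Query -ErrorAction Stop)
            $matched = $objects.Count -gt 0
            $note    = "$($objects.Count) object(s) returned"
        } catch {
            # Unreachable namespace, RPC failure or malformed WQL: treated here as
            # "not matched" so the check fails closed and the error is visible.
            $matched = $false
            $note    = "error: $($_.Exception.Message)"
        }
        if (-not $matched) { $applies = $false }
        [pscustomobject]@{ Namespace = $q.Namespace; Query = $q.Query; Matched = $matched; Note = $note }
    }

    [pscustomobject]@{ ComputerName = $ComputerName; Applies = $applies; Details = @($details) }
}

# Constructed filter for illustration: "Windows 7 / Server 2008 R2 (6.1),
# 64-bit, with at least 2 GB of RAM". Both queries must match.
$filter = @(
    @{ Namespace = 'root\CIMv2'; Query = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%"' },
    @{ Namespace = 'root\CIMv2'; Query = 'SELECT * FROM Win32_ComputerSystem WHERE SystemType = "x64-based PC" AND TotalPhysicalMemory >= 2147483648' }
)

$outcome = Test-WmiFilter -Queries $filter -ComputerName 'WKS01'   # placeholder computer name
$outcome.Details | Format-Table -AutoSize
if ($outcome.Applies) { "GPO applies to $($outcome.ComputerName)" } else { "GPO does NOT apply to $($outcome.ComputerName)" }
```

<p>Running it against a few representative machines before linking the filter catches the common mistake of a query that is syntactically valid but never matches anything.</p>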
<h2>Conclusion</h2>
<p>At this point you should have a solid idea as to what WMI filters are and how we can use them to dynamically scope our GPOs. You also know how to test WMI filter application prior to GPO deployment.</p>
Author: Timothy Warner
<br />
<small>Copyright &#169; 2006-2012, 4sysops, Digital fingerprint: 3db371642e7c3f4fe3ee9d5cf7666eb0</small><br />
	<br /><strong>Related</strong>
	<ul class="st-related-posts">
	<li><a href="http://4sysops.com/archives/folder-redirection-part-5-best-practices/" title="Folder Redirection &#8211; Part 5: Best practices (May 14, 2012)">Folder Redirection &#8211; Part 5: Best practices</a> (1)</li>
	<li><a href="http://4sysops.com/archives/folder-redirection-part-4-group-policy-configuration/" title="Folder Redirection &#8211; Part 4: Group Policy configuration (May 9, 2012)">Folder Redirection &#8211; Part 4: Group Policy configuration</a> (0)</li>
	<li><a href="http://4sysops.com/archives/folder-redirection-part-3-explanation-of-folder-permissions/" title="Folder Redirection &#8211; Part 3: Explanation of folder permissions (May 7, 2012)">Folder Redirection &#8211; Part 3: Explanation of folder permissions</a> (4)</li>
	<li><a href="http://4sysops.com/archives/folder-redirection-part-2-setting-up-your-file-server/" title="Folder Redirection &#8211; Part 2: Setting up your file server (May 2, 2012)">Folder Redirection &#8211; Part 2: Setting up your file server</a> (0)</li>
	<li><a href="http://4sysops.com/archives/folder-redirection-part-1-introduction/" title="Folder Redirection &#8211; Part 1: Introduction (April 30, 2012)">Folder Redirection &#8211; Part 1: Introduction</a> (0)</li>
</ul>

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/how-to-scope-group-policy-with-wmi-filters/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Group Policy Preferences best practices</title>
		<link>http://4sysops.com/archives/group-policy-preferences-best-practices/</link>
		<comments>http://4sysops.com/archives/group-policy-preferences-best-practices/#comments</comments>
		<pubDate>Thu, 26 Jan 2012 19:10:40 +0000</pubDate>
		<dc:creator>Kyle Beckman</dc:creator>
				<category><![CDATA[Tips]]></category>
		<category><![CDATA[group policy]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7885</guid>
		<description><![CDATA[This article introduces Group Policy Preferences, explains how they differ from Group Policy settings, compares Preferences to logon scripts, and covers a few Group Policy Preferences gotchas.]]></description>
			<content:encoded><![CDATA[<p><strong><i>This article introduces Group Policy Preferences, explains how they differ from Group Policy settings, compares Preferences to logon scripts, and covers a few Group Policy Preferences gotchas.</i></strong></p>
<p>The introduction of Group Policy Preferences into Group Policy seems to have quite a few people confused. I think that confusion has been compounded by all of the people who skipped Windows Vista, stayed with Windows XP, and are just now starting to implement Windows 7 on the desktop.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/01/Group-Policy-Preferences.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2012/01/Group-Policy-Preferences.png','',event,300,75)"><img style="background-image: none; margin: 0px 6px; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border: 0px;" title="Group Policy Preferences" src="http://4sysops.com/wp-content/uploads/2012/01/Group-Policy-Preferences_thumb.png" alt="Group Policy Preferences" width="604" height="472" border="0" /></a></p>
<p align="center"><em>Group Policy Preferences</em></p>
<p>So what’s all the excitement about anyway? Assuming you’re one of those organizations that skipped Windows Vista, you’ve probably been living in the Windows XP Group Policy Management Console (GPMC) for a while. The first time you fire up the GPMC in Windows 7 and edit a Group Policy Object (GPO), you probably notice a new section under both Computer Configuration and User Configuration. In addition to Policies, you now have Preferences. What are these new “Preferences” and what do they have to do with Policies? First, let’s start by talking about Group Policy.</p>
<h2>Group Policy introduction</h2>
<p>Group Policy is a way for you to control most of the settings and configurations that exist for a computer or for any user that can log into the computer. Screensaver settings? There’s a <a href="http://4sysops.com/archives/set-the-default-forced-screen-saver-in-group-policy-logon-scr-in-windows-7/">Policy</a> for that. Logon/logoff scripts? There’s a Policy for that too! Just about any setting or change you can make by hand can be made in a Group Policy. If you’re using Active Directory and are hand-configuring options for every computer and/or user that you support, or hand-mapping drive letters or printers, or even doing something simple like changing the wallpaper, you should seriously consider putting some of that effort toward learning how to use Group Policy so that your computers and users can be configured automatically.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2012/01/Group-Policy.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2012/01/Group-Policy.png','',event,300,75)"><img style="background-image: none; margin: 0px 6px; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border: 0px;" title="Group Policy" src="http://4sysops.com/wp-content/uploads/2012/01/Group-Policy_thumb.png" alt="Group Policy" width="604" height="395" border="0" /></a></p>
<p align="center"><em>Group Policy</em></p>
<p>Adding the computer to Active Directory gives you the ability to edit these Policies at the Domain level and assign them to computer and user objects in AD. So what do you need to do to start managing Group Policy for your Windows 7 and Windows 2008 R2 systems? Install the <a href="http://www.microsoft.com/download/en/details.aspx?id=7887">latest GPMC</a> and start editing.</p>
<h3>Group Policy Preferences</h3>
<p>Group Policy Preferences was originally a product called PolicyMaker from Desktop Standard. Microsoft acquired Desktop Standard back in 2006 and, starting with Windows Server 2008, began integrating PolicyMaker into Windows. Windows Server 2008, Windows 7, and Windows Server 2008 R2 already have what they need to use Preferences out of the box. If you still have Windows XP, Vista, or Server 2003, the Client Side Extension (CSE) that will allow you to use Preferences is available as a <a href="http://technet.microsoft.com/en-us/library/cc731892(WS.10).aspx">download</a>. Still running Windows 2000? Sorry, there’s no CSE download for Windows 2000.</p>
<p>Assuming you’re using AD, have the latest GPMC, and are running the latest Windows OS or have installed the CSE for the older version of Windows, here are some of the things you can do with Group Policy Preferences:</p>
<ul>
<li>Create and make changes to environment variables</li>
<li>Copy files to the local file system</li>
<li>Create/delete folders on the file system</li>
<li>Make changes to .ini files</li>
<li>Modify the Registry</li>
<li>Create/modify/delete network shares</li>
<li>Map network drives</li>
<li>Create/modify/delete shortcuts</li>
<li>Create ODBC entries</li>
<li>Make changes to devices in the Device Manager</li>
<li>Make changes to file associations</li>
<li>Create and make changes to local user accounts</li>
<li>Create and make changes to local groups</li>
<li>Create VPN and dial-up connections</li>
<li>Manage user application settings (requires plug-in written for the application)</li>
<li>Modify power options</li>
<li>Manage local printers</li>
<li>Map network printers</li>
<li>Manage scheduled tasks</li>
<li>Manage services</li>
<li>Manage Regional Options</li>
<li>Make changes to Start Menu settings</li>
<li>Make changes to some IE settings</li>
</ul>
<p><a href="http://4sysops.com/wp-content/uploads/2012/01/Group-Policy-Preferences-Settings.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2012/01/Group-Policy-Preferences-Settings.png','',event,300,75)"><img style="background-image: none; margin: 0px 6px; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border: 0px;" title="Group Policy Preferences - Settings" src="http://4sysops.com/wp-content/uploads/2012/01/Group-Policy-Preferences-Settings_thumb.png" alt="Group Policy Preferences - Settings" width="604" height="432" border="0" /></a></p>
<p align="center"><em>Group Policy Preferences &#8211; Settings</em></p>
<h3>Group Policy Preferences vs. logon scripts</h3>
<p>If you’re experienced with Group Policy, you’re probably noticing that a lot of the options mentioned above are also available in the Policy area of a GPO or can be managed by logon scripts. One of the great things about Windows is there’s always more than one way to do something. If you or your IT shop’s expertise is in scripting, you don’t need to reinvent the wheel and start from scratch if you already have infrastructure that is working for you. But what if you don’t have all of those scripts already written? Preferences are a great way to accomplish the same goal without having to spend a lot of time or money learning something completely new.</p>
<p>Scripting isn’t something you can usually learn overnight. It’s a big hurdle for a lot of people. It’s also something that doesn’t usually have a standard. Ask three people to write a script to map a few drives based on group membership, fix permissions on a folder, and make a registry edit, and you’re probably going to end up with three wildly different scripts. Is that bad? Not necessarily, but if your scripts have a thousand lines of code (or more), you probably sweat every time someone makes an edit. One misplaced character or typo and the whole thing can stop working. And you do have every line of those scripts documented in the event that the person who wrote them is unavailable, right?</p>
<p>Preferences also follow the same refresh rules as Group Policy (every 90 minutes with a random offset of up to 30 minutes). Scripts, by contrast, run only at system startup/shutdown and user logon/logoff. Group Policy Preferences also have built-in logging to the Windows Event Log, another area where scripts lag behind unless they are written to be very robust.</p>
<h3>Group Policy Preferences vs. Group Policy settings</h3>
<p>How do Group Policy Preferences compare to the equivalent Group Policy settings? The biggest difference between the two is enforcement. With a Policy, settings are enforced; in most cases the user interface is grayed out or removed entirely so that the user can’t change the setting. With a Preference, the setting is applied once and can be changed later by the user. One caveat: if you use Replace a lot in your Preferences, your users will probably figure out that changes they make to certain settings are reverted an hour or so later, when Policy refreshes on the computer.</p>
<p>Preferences also aren’t limited by the need for <a href="http://4sysops.com/archives/group-policy-templates-in-windows-vista-admx-files-replace-adm-files/">ADM or ADMX files</a>. If you have an application that requires a license file to be copied to the computer, all you need to do is configure a Preference to copy the file. If you need to set an option that is stored in the Registry, such as the network name for a database server, you can browse the local Registry and create a Preference with the setting. Preferences don’t require your applications to have any awareness of Group Policy. As long as the configuration can be made by editing the Registry or by copying a file over, you can use Preferences.</p>
<h3>Group Policy Preferences gotchas</h3>
<p>Policies are stored in a separate Policy area of the Registry. If you remove a setting in Policy, it will revert back to the original setting on the computer (or in the user’s account). With Preferences, the setting will stay unless you explicitly create a Preference that deletes it.</p>
<p>Mapping printers? Make sure you set the options for the Point and Print Restrictions for either the Computer (at Computer Configuration &gt; Policies &gt; Administrative Templates &gt; Printers) or the User (at User Configuration &gt; Policies &gt; Administrative Templates &gt; Control Panel &gt; Printers). If you don’t, your printer mappings will fail if the computer is unable to copy print drivers to the local system.</p>
<p>Make sure the <a href="http://technet.microsoft.com/en-us/library/cc731892(WS.10).aspx">Client Side Extension for Group Policy Preferences</a> is installed for XP, Vista, and 2003. If the CSE isn’t installed, those versions of Windows will completely ignore the settings in your Preferences when processing Group Policy.</p>
<p>Replace mode isn’t necessarily your friend. I’ve been burned by Replace mode several times. <span style="text-decoration: underline;">I can’t underscore enough that you should use Replace sparingly</span>. Replace usually has the effect of running a Delete and then a Create. For example, if you map printers with the Replace option, Group Policy will delete the connection and reconnect to the printer. That may not sound like a big deal, but if your user wants that printer to be his/her default, you’ll have problems. Every time the Replace command runs, the user will lose that printer as the default if they have other printers on the system. I’ve also found that using Replace when you’re creating a local user account causes that user account’s SID to be regenerated.</p>
<p>If user options aren’t working correctly, you might need to check the “Run in logged-on user’s security context (user policy option).” Preferences run as the System account. Preferences that use network resources, such as mapping printers or network drives, need the user’s privileges to run properly. Checking this box ensures that the proper credentials are used.</p>
<p>Copying files? Check your network share permissions. If the local computer is fetching the file, you’ll need to make sure that the computer account (the Domain Computers group) has at least read access to the network share. The same is true if the file will be copied in the user’s security context: make sure the user has at least read access.</p>
<p>Last, but not least, Microsoft maintains a list of currently available <a href="http://support.microsoft.com/kb/2590914/">hotfixes for Group Policy</a>. There is a section specifically for Preferences that may be of help if you’re having issues with a specific feature.</p>
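<p>Two of the gotchas above, Replace mode and Preferences that touch network resources while running as SYSTEM, can be audited straight from the XML that a GPO stores in SYSVOL. The script below is an added example, not part of the article or of Microsoft's tooling: it walks the items of a Drives.xml or Printers.xml document and flags <code>action="R"</code> items and drive or shared-printer mappings that lack <code>userContext="1"</code> (the “Run in logged-on user’s security context” checkbox). The two XML documents are constructed samples, and the SYSVOL path in the comment is the assumed layout.</p>

```powershell
# Added example: audit Group Policy Preferences XML for Replace mode and for
# network mappings that will run as SYSTEM. Real files live under
# \\<domain>\SYSVOL\<domain>\Policies\{GPO-GUID}\User\Preferences\Drives\Drives.xml
# (assumed layout) and can be loaded with: [xml](Get-Content -Raw $path)
function Get-GppAuditFinding {
    param(
        [Parameter(Mandatory = $true)] [xml]    $Document,
        [Parameter(Mandatory = $true)] [string] $FileName
    )
    # Item types that authenticate to a remote resource and therefore need the
    # user's credentials rather than the computer's SYSTEM context.
    $networkItems = @('Drive', 'SharedPrinter')

    # Preference items are the children of the root element; each keeps its
    # settings in a <Properties> child whose "action" attribute is C, R, U or D.
    foreach ($item in $Document.DocumentElement.ChildNodes) {
        $props = $item.SelectSingleNode('Properties')
        if ($props -eq $null) { continue }
        $label = "{0}: {1} '{2}'" -f $FileName, $item.LocalName, $item.GetAttribute('name')

        if ($props.GetAttribute('action') -eq 'R') {
            [pscustomobject]@{ Item = $label; Issue = 'Replace mode'
                Detail = 'Delete-then-Create on every refresh; per-item state such as the default printer is lost.' }
        }
        if ($networkItems -contains $item.LocalName -and $item.GetAttribute('userContext') -ne '1') {
            [pscustomobject]@{ Item = $label; Issue = 'Runs as SYSTEM'
                Detail = 'Network resource mapped without "Run in logged-on user''s security context".' }
        }
    }
}

# Constructed sample in the shape of User\Preferences\Drives\Drives.xml:
# H: is configured sensibly, S: uses Replace and runs as SYSTEM.
$drivesXml = [xml]@'
<Drives>
  <Drive name="H:" status="H:" image="2" userContext="1">
    <Properties action="U" thisDrivePath="\\fs01\home$\%LogonUser%" letter="H" persistent="1" label="Home" />
  </Drive>
  <Drive name="S:" status="S:" image="2">
    <Properties action="R" thisDrivePath="\\fs01\shared" letter="S" persistent="1" label="Shared" />
  </Drive>
</Drives>
'@

# Constructed sample in the shape of Printers.xml: a shared printer deployed
# with Replace, which re-creates the connection (and drops it as default).
$printersXml = [xml]@'
<Printers>
  <SharedPrinter name="\\print01\HP-Floor2" status="\\print01\HP-Floor2" image="2">
    <Properties action="R" path="\\print01\HP-Floor2" default="1" location="Floor 2" />
  </SharedPrinter>
</Printers>
'@

$findings = @(Get-GppAuditFinding -Document $drivesXml   -FileName 'Drives.xml') +
            @(Get-GppAuditFinding -Document $printersXml -FileName 'Printers.xml')
$findings | Format-Table -AutoSize
```

<p>On the samples this reports four findings: Replace mode and Runs as SYSTEM for the S: drive, and the same pair for the shared printer; the H: drive, which uses Update and the user context, is clean.</p>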
Author: Kyle Beckman
<br />

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/group-policy-preferences-best-practices/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft Security Compliance Manager (SCM v2) &#8211; Part 4</title>
		<link>http://4sysops.com/archives/microsoft-security-compliance-manager-beta-scm-v2-part-4/</link>
		<comments>http://4sysops.com/archives/microsoft-security-compliance-manager-beta-scm-v2-part-4/#comments</comments>
		<pubDate>Fri, 14 Oct 2011 19:05:22 +0000</pubDate>
		<dc:creator>Paul Schnackenburg</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[group policy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7173</guid>
		<description><![CDATA[In this final part of this <a href="http://4sysops.com/archives/microsoft-security-compliance-manager-scm-v2-part-1/">four part series</a> we’ll look at Local GPO which is a bit of a hidden gem in SCM and round off the look at SCM with a summary.]]></description>
			<content:encoded><![CDATA[<p><strong><i>In this final part of this <a href="http://4sysops.com/archives/microsoft-security-compliance-manager-scm-v2-part-1/">four part series</a> we’ll look at Local GPO which is a bit of a hidden gem in SCM and round off the look at SCM with a summary.</i></strong></p>
<h2>LocalGPO in SCM v2</h2>
<p>LocalGPO is included with SCM, but there’s no dependency between the two programs. Once you’ve installed SCM, there’s an option on the Start Menu to also install LocalGPO. The traditional role of LocalGPO is to control workgroup computers where centralized AD deployment of GPOs isn’t an option, but SCM v2 also adds a new <b>GPOPack</b> feature that works with Microsoft Deployment Toolkit (MDT) 2010. </p>
<p>LocalGPO lets you export the current configuration of a reference computer as a GPO backup, provided you’re a local administrator and the export folder already exists:</p>
<pre><code>LocalGPO.wsf /Path:c:\GPOBackup /Export</code></pre>
<p>LocalGPO also allows you to apply settings from a GPO backup file type to the local PC:</p>
<pre><code>LocalGPO.wsf /Path:c:\GPOBackup\{<i>12345678-9ABC-DEFG-1234-56789ABCDEFG</i>}</code></pre>
<p>The GUID in italics identifies the GPO backup you want to apply. </p>
<p>The only drawback with LocalGPO in SCM v1 was that you had to install LocalGPO on each machine where you’d like to use it, and whilst it’s a quick installation, this wasn’t very flexible. </p>
<p>Thus was born the new GPOPack option for LocalGPO, which packs the executable and the baseline into a single self-extracting file that can be applied without any prior installation. Whilst you can use this in many situations, it works very well as part of a task sequence in Microsoft Deployment Toolkit (MDT) 2010 to apply your security settings to a machine directly after installation with just a single line of code in a script. </p>
<p>If you don’t want to type out (and potentially misspell) long GUID folder names, you can give the GPOPack a friendly name; be aware that this means you won’t be able to import the GPO object in the GPMC. When applying a GPOPack in a script, point to the GPOPack.wsf file that’s created by the GPOPack option, like this:</p>
<pre><code>C:\GPObackup\{<i>12345678-9ABC-DEFG-1234-56789ABCDEFG</i>}\GPOPack.wsf /path:C:\GPOBackups\{<i>12345678-9ABC-DEFG-1234-56789ABCDEFG</i>} /silent</code></pre>
<p>You can also use LocalGPO to monitor workgroup computers in your environment for configuration drift: simply export their current settings and then compare them in SCM v2 against your company-sanctioned baseline. </p>
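<p>For the drift-monitoring use just described, the export step is worth wrapping so that it fails early when the two preconditions (local administrator, existing export folder) are not met. The function below is an added example, not part of the article or of the LocalGPO tool; it assumes <code>LocalGPO.wsf</code> is launched through <code>cscript.exe</code>, that the install path passed in is correct (the default is a placeholder), and that a non-zero exit code from cscript means the export failed.</p>

```powershell
# Added example: snapshot a workgroup computer's local policy with LocalGPO
# into a dated folder, ready to be imported into SCM v2 for comparison.
function Export-LocalGpoSnapshot {
    param(
        [string] $BasePath       = 'C:\GPOBackup',
        [string] $LocalGpoScript = 'C:\Program Files\LocalGPO\LocalGPO.wsf'   # placeholder path
    )

    # LocalGPO needs a local administrator; fail early rather than produce an empty export.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (local administrator) prompt.'
    }
    if (-not (Test-Path -LiteralPath $LocalGpoScript)) {
        throw "LocalGPO.wsf not found at $LocalGpoScript"
    }

    # The export folder must already exist, so create a per-host, per-run one.
    $exportPath = Join-Path $BasePath ('{0}-{1:yyyyMMdd-HHmm}' -f $env:COMPUTERNAME, (Get-Date))
    New-Item -ItemType Directory -Path $exportPath -Force | Out-Null

    & cscript.exe //nologo $LocalGpoScript "/Path:$exportPath" /Export
    if ($LASTEXITCODE -ne 0) {
        throw "LocalGPO export failed with exit code $LASTEXITCODE"
    }

    # The export is a GPO backup folder named by GUID (the form the /Path:
    # apply syntax expects); return it so it can be fed to SCM's GPO Import.
    Get-ChildItem -LiteralPath $exportPath | Where-Object { $_.PSIsContainer } |
        Select-Object -ExpandProperty FullName
}

Export-LocalGpoSnapshot
```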
<p><a href="http://4sysops.com/wp-content/uploads/2011/10/SCM-v2-LocalGPO-GPOPack1.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/10/SCM-v2-LocalGPO-GPOPack1.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none" title="SCM v2 -LocalGPO GPOPack" alt="SCM v2 -LocalGPO GPOPack" src="http://4sysops.com/wp-content/uploads/2011/10/SCM-v2-LocalGPO-GPOPack_thumb1.png" width="600" height="309" /></a></p>
<p><em>LocalGPO is a very versatile tool and the new GPOPack option opens up additional possibilities.</em></p>
<h2>SCM v2 beta in summary</h2>
<p>Everyone knows that both servers and client computers need to be locked down in a business environment, and each successive version of Windows has added more versatile GPO options to achieve just that. But with the proliferation of GPO settings comes the difficulty of selecting the right settings and the appropriate level of lockdown. Too locked down and users are hindered in their work and productivity suffers; too open and you have an insecure environment. </p>
<p>SCM v2 is an awesome tool that helps any administrator with these challenges, which should bode well for its popularity. The new GPO Import functionality is great and the GPOPack in LocalGPO is really cool, but most importantly the interface is much easier to work with. </p>
<p>SCM v2 is an excellent product that belongs in every sysadmin’s toolbox, especially considering it’s free. </p>
<h2>Resources</h2>
<p><a href="http://blogs.technet.com/b/secguide/">Microsoft Solution Accelerators Security &amp; Compliance blog</a></p>
Author: Paul Schnackenburg
<br />

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/microsoft-security-compliance-manager-beta-scm-v2-part-4/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<series:name><![CDATA[SCM v2]]></series:name>
	</item>
		<item>
		<title>Microsoft Security Compliance Manager (SCM v2) &#8211; Part 3</title>
		<link>http://4sysops.com/archives/microsoft-security-compliance-manager-scm-v2-part-3/</link>
		<comments>http://4sysops.com/archives/microsoft-security-compliance-manager-scm-v2-part-3/#comments</comments>
		<pubDate>Mon, 10 Oct 2011 19:05:29 +0000</pubDate>
		<dc:creator>Paul Schnackenburg</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[group policy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7124</guid>
		<description><![CDATA[In this third part of <a href="http://4sysops.com/archives/microsoft-security-compliance-manager-scm-v2-part-1/">four</a> we’ll learn how to add settings to a baseline, we’ll examine the new User Interface innovations in SCMv2 and how to Compare and Merge baselines.]]></description>
			<content:encoded><![CDATA[<p><strong><i>In this third part of <a href="http://4sysops.com/archives/microsoft-security-compliance-manager-scm-v2-part-1/">four</a> we’ll learn how to add settings to a baseline, we’ll examine the new User Interface innovations in SCMv2 and how to Compare and Merge baselines.</i></strong></p>
<h2>Adding settings to a baseline in SCM v2</h2>
<p>There will be times when a particular baseline is missing a setting you’d like to include; remember that the baselines only include security settings for which Microsoft has best-practice guidance. In SCM v1 you had to import a Setting Pack, which gave you ALL the GPO settings for a product, and then delete the settings you didn’t want.</p>
<p>SCM v2 has a much better new feature: the <strong>Add a Setting</strong> command lets you pick the relevant product and the group within the baseline to which you’d like to add the setting(s), and then choose from a comprehensive list of all the settings. You can also search and filter the list of available settings.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/10/SCM-v2-Add-Setting.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/10/SCM-v2-Add-Setting.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="SCM v2 - Add Setting" src="http://4sysops.com/wp-content/uploads/2011/10/SCM-v2-Add-Setting_thumb.png" alt="SCM v2 - Add Setting" width="600" height="380" /></a></p>
<p><em>Adding settings to your custom baseline has never been easier.</em></p>
<p>This feature is fueled by a new Settings Library that stores every configuration option SCM knows about, in every product SCM v2 covers. Today that includes Windows XP SP3 to Windows 7, Office 2007/2010, and IE 7 to 9 on the client side, as well as Windows Server 2003 SP2 to Windows Server 2008 R2 SP1 on the server side. New settings will be included in the Library as Service Packs are released, and you can check your library version in the About dialog.</p>
<h2>The settings grid in SCM v2</h2>
<p>A characteristic of using SCM v1 was a lot of scrolling up and down through lists of settings; two innovations in SCM v2 make this a bit easier.</p>
<p>If you select the Advanced view in SCM v2 (I hope this will become the default or the only option in the released version), a breadcrumb bar lets you filter down through a baseline’s settings hierarchy. Clicking each button shows only the settings available at that level. To jump back up to the top, simply click the red cross at the end of the button row.</p>
<p>Once you’ve drilled down to a particular list of settings they’re grouped by horizontal bars that you can expand or collapse which makes it a lot easier to work with long lists of items. If you’re browsing a signed baseline there’s a link offering to create a modifiable copy on each page. This new way of working with settings soon becomes second nature; the UI was inspired by Windows Intune according to Jeff Sigman, Senior Software Design Engineer with the SCM team.</p>
<p>The thing I love about SCM though is how great a teaching tool it is. Every best practice setting is described in detail, not only what the setting does but what threat it’s designed for and how different settings mitigate the risk. If you prefer to read documents the old Word documents are still included in each baseline.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/10/SCM-v2-Security-Setting.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/10/SCM-v2-Security-Setting.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="SCM v2 -Security Setting" src="http://4sysops.com/wp-content/uploads/2011/10/SCM-v2-Security-Setting_thumb.png" alt="SCM v2 -Security Setting" width="600" height="458" /></a></p>
<p><em>Use SCM to teach any junior admin about the power of GPO, IT security in general and why we use certain settings.</em></p>
<h2>Merging and comparing baselines in SCM v2</h2>
<p>When you’ve imported a GPO from your own environment (see part 1) and you’d like to see how it compares to the official guidance click Compare and select the two baselines. The results are presented in two views; a summary shows the number of settings that are different and lists unique settings in each baseline. The values tab on the other hand displays each individual setting and their configuration in each baseline.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/10/SCM-v2-Compare-Baselines.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/10/SCM-v2-Compare-Baselines.png','',event,300,75)"><img style="margin: 0px auto; display: block; float: none;" title="SCM v2 - Compare Baselines" src="http://4sysops.com/wp-content/uploads/2011/10/SCM-v2-Compare-Baselines_thumb.png" alt="SCM v2 - Compare Baselines" width="600" height="494" /></a></p>
<p><em>Comparing two baselines is dead easy in SCM v2.</em></p>
<p>Sometimes you want to combine two baselines. The Merge feature lets you pick the source and then point to a target baseline. The wizard then shows you the items that will change, with an option to deselect items you don’t want to merge, as well as which settings exist only in one baseline or the other and which settings are identical in both. If you want to delete settings from a baseline, you can now select multiple items in one go; SCM v1 forced you to delete each setting one at a time.</p>
<p>If you’re in the US you might be familiar with the <a href="http://usgcb.nist.gov/">United States Government Configuration Baselines</a> (USGCB) format, used mostly in government departments; SCM v2 is more reliable in its import of these files.</p>
<p>SCM v2 can also export baselines in the National Institute of Standards and Technology (NIST) <a href="http://scap.nist.gov/">Security Content Automation Protocol</a> (SCAP) format.</p>
<p>In the final part of this series we’ll look at <a href="http://4sysops.com/archives/microsoft-security-compliance-manager-beta-scm-v2-part-4/">LocalGPO</a>, a command line companion tool to SCM and a new feature it offers for desktop deployment.</p>
Author: Paul Schnackenburg
<br />

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/microsoft-security-compliance-manager-scm-v2-part-3/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<series:name><![CDATA[SCM v2]]></series:name>
	</item>
	</channel>
</rss>

