- Wiley
Creating the Secure Managed Desktop: Using Group Policy, SoftGrid, Microsoft Deployment Toolkit, and Other Management Tools
Jeremy Moskowitz, Group Policy MVP, is the Chief Propeller-Head for Moskowitz, inc., and GPanswers.com. He is a nationally recognized authority on Windows Server, Active Directory, Group Policy, and other Windows management topics. He is one of fewer than a dozen Microsoft MVPs in Group Policy. He runs GPanswers.com, ranked by Computerworld as a "Top 20 Resource for Microsoft IT Professionals." Jeremy frequently contributes to Microsoft TechNet Magazine, Windows IT Pro magazine, and Redmond magazine. Jeremy is a sought-after speaker at many industry conferences and, in his training workshops, helps thousands of administrators every year do more with Group Policy. Contact Jeremy by visiting GPanswers.com.
Introduction
Chapter 1 Deploying Windows with Style: Windows Deployment Services (WDS), and Microsoft Deployment Toolkit 2008
It’s All About Imaging
High-Level Imaging Process
Imaging Software Isn’t about Speed
Windows Deployment Services (WDS)
Inside WDS
Setting Up the WDS Server
Managing the WDS Server
WDS Specifics for Windows Server 2008
Installing and Managing Clients via WDS
Utilizing Multicast Deployment with WDS and Windows Server 2008
Beyond the Basics: Care and Feeding of WDS and Your Images
Troubleshooting WDS
Microsoft Deployment Toolkit 2008 (MDT), Formerly Known as BDD
Understanding Microsoft Deployment Toolkit 2008
WDS vs. Microsoft Deployment Toolkit 2008 (Better Together?)
Setting Up Microsoft Deployment Toolkit 2008
Beyond the Microsoft Deployment Toolkit 2008 Basics
Troubleshooting Microsoft Deployment Toolkit 2008
Final Thoughts
Chapter 2 Profiles: Local, Roaming, and Mandatory
What Is a User Profile?
The NTUSER.DAT File
Profile Folders for Type 1 Computers (Windows 2000, Windows 2003, and Windows XP)
Profile Folders for Type 2 Computers (Windows Vista and Windows 2008)
The Default Local User Profile
The Default Domain User Profile
Roaming Profiles
Setting Up Roaming Profiles
Testing Roaming Profiles
Migrating Local Profiles to Roaming Profiles
Roaming and Nonroaming Folders
Managing Roaming Profiles
Manipulating Roaming Profiles with Computer Group Policy Settings
Manipulating Roaming Profiles with User Group Policy Settings
Mandatory Profiles
Establishing Mandatory Profiles from a Local Profile
Mandatory Profiles from an Established Roaming Profile
Forced Mandatory Profiles (Super-Mandatory)
Final Thoughts
Chapter 3 Implementing a Managed Desktop, Part 1: Redirected Folders, Offline Files, and the Synchronization Manager
Overview of Change and Configuration Management
Redirected Folders
Available Folders to Redirect
Redirected Documents/My Documents
Redirecting the Start Menu and the Desktop
Redirecting the Application Data
Group Policy Setting for Folder Redirection
Troubleshooting Redirected Folders
Offline Files and Synchronization
Making Offline Files Available
Inside Windows XP Synchronization
Inside Windows Vista File Synchronization
Handling Conflicts
Client Configuration of Offline Files
Using Folder Redirection and Offline Files over Slow Links
Synchronizing over Slow Links with Redirected My Documents
Synchronizing over Slow Links with Public Shares
Using Group Policy to Configure Offline Files (User and Computer Node)
Using Group Policy to Configure Offline Files (Exclusive to the Computer Node)
Troubleshooting Sync Center
Turning off Folder Redirection for Desktops
Final Thoughts
Chapter 4 The Managed Desktop, Part 2: Software Deployment via Group Policy
Group Policy Software Installation (GPSI) Overview
The Windows Installer Service
Understanding .MSI Packages
Utilizing an Existing .MSI Package
Assigning and Publishing Applications
Assigning Applications
Publishing Applications
Rules of Deployment
Package-Targeting Strategy
Understanding .ZAP Files
Testing Publishing Applications to Users
Application Isolation
Advanced Published or Assigned
The General Tab
The Deployment Tab
The Upgrades Tab
The Categories Tab
The Modifications Tab
The Security Tab
Default Group Policy Software Installation Properties
The General Tab
The Advanced Tab
The File Extensions Tab
The Categories Tab
Removing Applications
Users Can Manually Change or Remove Applications
Automatically Removing Assigned or Published .MSI Applications
Forcefully Removing Assigned or Published .MSI Applications
Removing Published .ZAP Applications
Troubleshooting the Removal of Applications
Using Group Policy Software Installation over Slow Links
Assigning Applications to Users over Slow Links Using Windows 2000
Assigning Applications to Users over Slow Links Using Windows XP, Windows Vista, and Windows 2003
Managing .MSI Packages and the Windows Installer
Inside the MSIEXEC Tool
Affecting Windows Installer with Group Policy
Do You Need a “Big Management Tool” for Your Environment?
SMS vs. GPOs: A Comparison Rundown
GPSI and SMS Coexistence
Final Thoughts
Chapter 5 Application Virtualization and SoftGrid Essentials
About Application Virtualization
Why Would We Need Application Virtualization?
How Does Application Virtualization Solve the Aforementioned Problems?
How Does Application Virtualization Work?
Good and Bad Applications to Virtualize
Who Makes Application Virtualization Solutions?
SoftGrid Architecture and Server-Side Installation
SoftGrid Components and Requirements
SoftGrid Files and Theory FAQ
SoftGrid Accounts and Shares
Installing SoftGrid Server
Launching the SoftGrid Console for the First Time
Configuring the Sample SoftGrid Application
Installing and Using the SoftGrid Client
Installing the SoftGrid Client by Hand
Testing the Default Application
SoftGrid Sequencing
Creating the Ideal SoftGrid Sequencing Station
Sequencing Your First Application
Delivering SoftGrid Applications
Changing the Default Content Path
Adding a Sequenced Package to SoftGrid
Testing out Your Application
SoftGrid Troubleshooting 101
No Icons at All
Application Fails to Launch
Deploying Your Applications to the Masses
Using Group Membership to Deliver a SoftGrid Application
Using the SoftGrid SMS Connector to Deliver a SoftGrid Application
Using an .MSI Package to Deliver SoftGrid Applications (via Group Policy and Other Methods)
Final Thoughts
Chapter 6 SoftGrid—Beyond the Basics
SoftGrid Management Console
SoftGrid Administrators Node
Applications Node
File Type Associations Node
Packages Node
Application Licenses Node
Server Groups Node
Provider Policies
Account Authorities Node
Reports Node
SoftGrid Client Management Console
General Properties of the SoftGrid Client Management Tool
Client Applications Node
Client File Type Associations Node
Desktop Configuration Servers Node
Remotely Managing Another Client
SoftGrid Client Applet
Refresh Applications
Load Applications
Message History
Work Offline
Final Thoughts
Chapter 7 SoftGrid Sequencing Secrets
Inside the SoftGrid Sequencer
Before Sequencing an Application
After Sequencing an Application
Advanced Sequencing
Web-based Applications
Upgrading an Application Using an Active Upgrade
Creating an Application Suite
Package Branching
Sequence Troubleshooting
Accessing the Q: Drive from Internet Explorer
Using Process Monitor to Troubleshoot a Sequence
Troubleshooting Sequences by Modifying the .OSD File
Final Thoughts
Chapter 8 Client Security with WSUS 3.0 and MBSA
Patch Management’s Cast of Characters: WU, MU, MBSA, WSUS, SCE, and SCCM
Understanding the Components of WSUS
Installation Requirements and Prerequisites
WSUS Architectures
Simple
Simple with Groups
Centralized
Distributed
Disconnected
Roaming
High Availability
Installing the WSUS Server
Installing WSUS Prerequisites
Installing WSUS 3.0 SP1
Windows Server Update Services Configuration Wizard
Distributing the Windows Update Agent
WSUS and Group Policy
Computer Configuration Settings
User Configuration Settings
Client Targeting (aka Group Assignment)
Setting Up Our Example Environment
The WSUS Console
Computers
Updates
Downstream Servers
Synchronizations
Reports
Options
Troubleshooting WSUS
Event Logs and Log Files
Patch Distribution and Network Usage Issues
WSUS from the Command Line
Shell Commands
WSUS Scripts
Tips and Tricks for a Smooth WSUS Experience
Implementing WSUS Reporters
Implementing Network Load Balancing
Implementing Intranetwork Roaming
Hacking WSUS’s Database
Best Practices in Patch Management
Considerations for Desktops
Considerations for Servers
The Microsoft Baseline Security Analyzer
Performing Scans
MBSA at the Command Line
Interpreting Scan Results
Troubleshooting MBSA
Final Thoughts
Chapter 9 Network Access Protection with Group Policy
Network Policy Services and Network Access Protection
How You Can Use NAP
Setting up a Quick NAP Test Lab with Specific Goals in Mind
Configuring NAP via the NAP Wizard
Inspecting Our Wizard Work
Setting Up the Windows System Health Validators
Configuring DHCP to Use NAP
Testing NAP with Non-NAP-Enabled Clients
Preparing for Domain-Joined NAP-Capable Machines
NAP Clients in a Domain-Joined Environment
Testing out Auto-Remediation of a NAP Client
Turning Off Auto-Remediation and Forcing the Users to Get Help (Just for Fun)
Troubleshooting NAP
Domain-Joining Issues When NAP Is Engaged
Group Policy RSoP
Client Logs
Server Logs
Tracing
NPS Configuration
Final Thoughts
Chapter 10 Finishing Touches with Group Policy: Controlling Hardware, Deploying Printers, and Implementing Shadow Copies
Restricting Access to Hardware via Group Policy
Devices Extension
Restricting Driver Access with Policy Settings for Windows Vista (and Windows Server 2008)
Getting a Handle on Classes and IDs
Restricting or Allowing Your Hardware via Group Policy
Understanding the Remaining Policy Settings for Hardware Restrictions
Assigning Printers via Group Policy
Using the Printers Group Policy Preference Extensions
Using the Printers Snap-in and pushprinterconnections.exe
Final Thoughts on Zapping Printers Using the Printers Snap-in
Shadow Copies (aka Previous Versions)
Setting up and Using Shadow Copies for Local Windows Vista Machines
Setting up Shadow Copies on the Server
Delivering Shadow Copies to the Client
Restoring Files with the Shadow Copies Client
Final Thoughts
Chapter 11 Full Lockdown with Windows SteadyState
Windows SteadyState Concepts and Installation
SteadyState Concepts
Preparing for Windows SteadyState
Installing Windows SteadyState
Configuring Windows SteadyState (for Nondomain-Joined Computers)
User Settings
Global Computer Settings
Application Installation Strategy (for Nondomain-Joined Windows SteadyState Machines)
Multi-Tier Access Environments
Configuring Windows SteadyState (for Domain-Joined Computers)
Joining the Computer to the Domain and Moving It into Its OU
Create GPOs That Will Affect All Users Who Use the Computer
Testing Your Group Policy
Turning on Windows Disk Protection
Deciding When to Clean Up
Deploying Software When Using Windows SteadyState
Remotely Updating the Custom Updates Script
Final Thoughts for This Chapter and for the Book
Index