Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
starter GPOs customized for their organization’s needs.
Starter GPOs can be viewed within the GPMC and can be edited using the Group Policy
Starter GPO Editor, but the files are stored within the domain controller sysvol folders. As
an example, starter GPOs for the companyabc.com domain would be located at the
\\companyabc.com\SYSVOL\companyabc.com\StarterGPOs folder. Microsoft provides
some starter GPOs that will be automatically installed when starter GPO functionality is
enabled. These currently include templates for two environments as described in the
Windows client security guides. These are the Enterprise Client (EC) environment scenario
and the Specialized Security Limited Functionality (SSLF) client environment scenario.
GPO Administrative Tasks
The Enterprise Client (EC) environment, as described in the Windows client security
guide, is an Active Directory domain infrastructure that runs Windows Server 2003 and
Windows Server 2008 servers and Windows Vista and Windows XP client workstations
where functionality is as important as security. The preconfigured settings in the EC
starter GPOs have been designed to enable the necessary functionality to allow businesses
to function with centrally managed user and computer configuration management as well
as security management and audit settings.
The Specialized Security Limited Functionality (SSLF) environment, as described in the
Windows client security guide, is designed to provide security configurations and guidelines
for environments that require higher security, which outweighs the importance of
smoother user experiences and manageability. As an example of this, the Windows Vista
SSLF Computer starter GPO would deny logon through Terminal Services functionality,
whereas the Windows Vista EC Computer policy leaves this setting undefined. This policy
setting allows Administrators and/or members of the Remote Desktop Users groups to
connect using Remote Desktop Connection or Terminal Services clients.
CAUTION
Any Group Policy administrator must take the highest precautions to ensure that no
group policies deployed on a network are released without thorough testing in an isolated
lab environment. This is especially true when considering deploying policies built on
the EC or SSLF starter GPO policies.
The starter GPOs included with Windows Server 2008 R2 GPMC include the following
policies:
• Windows Vista EC Computer
• Windows Vista EC User
• Windows Vista SSLF Computer
• Windows Vista SSLF User
• Windows XP EC Computer
• Windows XP EC User
• Windows XP SSLF Computer
• Windows XP SSLF User
For more information about the EC and SSLF starter GPOs, refer to the Windows client
security guides online.
Enabling Starter GPOs
Before starter GPOs can be put to use, the functionality must first be enabled in the
domain. Enabling this function is about as simple as pushing a button. To enable the
starter GPO feature, perform the following steps:
CHAPTER 19
Windows Server 2008 R2 Group Policies and Policy Management
1. Log on to a designated Windows 7 or Windows Server 2008 R2 administrative system.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Starter GPOs container and select it.
4. In the right pane, click the Create Starter GPOs Folder button.
Once the task is completed, the eight out-of-the-box starter GPOs will be available for
review in the GPMC. Also, the Group Policy administrator can now create new starter
GPOs from scratch and can also create new GPOs by using starter GPOs as templates.
NOTE
The starter GPOs included with Windows 7 and Windows Server 2008 R2 are read-only
and cannot be edited directly. Copies of the built-in starter GPOs can be edited.
Creating a Starter GPO
Starter GPOs can be created or added to a domain in a few ways. A starter GPO can be
created from scratch using a blank template, it can be created by restoring from a starter
GPO backup folder, or it can be imported from a provided starter GPO cabinet file. Before
the release of the Windows 7 and Windows Server 2008 R2 Group Policy Management
tools, the Microsoft EC and SSLF starter GPO policies were provided as separate downloads,
stored in cabinet backup files. If an organization has not yet adopted Windows
Server 2008 R2 domain controllers, this is the only way to import these starter GPO policies.
To create a starter GPO from a backup, please refer to the “Backing Up and Restoring
Starter GPOs” section. To create a new starter GPO, perform the following steps:
1. Log on to a designated Windows Server 2008 R2 administrative system.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Starter GPOs container and select it.
4. Verify that the starter GPO functionality is enabled by viewing the right pane.
5. Right-click the Starter GPOs container in the tree pane, and select New.
6. In the New Starter GPO dialog box, type in a name for the new starter GPO, and
enter a comment to describe what will be included in this starter GPO and when
and where it should be applied as a template.
7. Click OK to create the new starter GPO.
8. To configure settings in the new starter GPO, right-click the GPO and select Edit to
open the GPO in the Group Policy Starter GPO Editor.
9. When the GPO is configured as desired, close the Group Policy Starter GPO Editor.
10. In the GPMC, right-click the newly configured starter GPO, and select Backup to
back up this individual starter GPO.
11. Specify a destination folder to back up the GPO, enter a description for this backup,
and click Back Up to back up the starter GPO.
12. When the backup completes, review the backup results and click OK to close the
window.
13. Close the GPMC tool.
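The check in step 4 and the creation in steps 5 through 7 can also be scripted with the GroupPolicy PowerShell module that ships with the Windows 7 and Windows Server 2008 R2 management tools. This is an added example, not text from the book; the starter GPO name, the comments, and the test GPO name are hypothetical, and the domain is the companyabc.com example used above. Editing the settings and backing up the starter GPO (steps 8 through 12) are still done in the GPMC as described.

```powershell
# Added example (not from the book). Run on a Windows 7 or Windows Server 2008 R2
# administrative system with the Group Policy Management tools installed.
Import-Module GroupPolicy

$Domain      = 'companyabc.com'              # example domain used on this page
$StarterName = 'Lab Workstation Baseline'    # hypothetical starter GPO name
$StarterPath = "\\$Domain\SYSVOL\$Domain\StarterGPOs"

# Step 4: starter GPO functionality is enabled once the StarterGPOs folder
# exists in SYSVOL. Stop here if it does not, instead of failing later.
if (-not (Test-Path -Path $StarterPath)) {
    throw "Starter GPOs are not enabled in $Domain ($StarterPath not found). " +
          "Use the Create Starter GPOs Folder button in the GPMC first."
}

# Inventory what is already present. Built-in (System) starter GPOs are
# read-only; only Custom ones can be edited directly.
$all = Get-GPStarterGPO -All -Domain $Domain
$all | Sort-Object StarterGpoType, DisplayName |
    Format-Table DisplayName, StarterGpoType, Author, ModificationTime -AutoSize

# Steps 5-7: create the starter GPO with a descriptive comment, unless a
# starter GPO with this name already exists.
$starter = $all | Where-Object { $_.DisplayName -eq $StarterName }
if ($starter) {
    Write-Warning "Starter GPO '$StarterName' already exists; it was not recreated."
} else {
    $starter = New-GPStarterGPO -Name $StarterName -Domain $Domain `
        -Comment 'Template for lab workstations; test in an isolated lab before use.'
}

# Use the starter GPO as a template. New-GPO does not link the GPO anywhere,
# so nothing applies to users or computers until it is linked after testing.
$testGpo = New-GPO -Name "$StarterName - Test" -StarterGpoName $StarterName `
    -Domain $Domain -Comment "Created from starter GPO '$StarterName' for lab testing."

$testGpo | Format-List DisplayName, Id, GpoStatus, CreationTime
```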
Creating Starter GPOs from Cabinet Files
To create a new starter GPO from a cabinet file (*.cab), perform the following steps:
1. Log on to a designated Windows Server 2008 R2 administrative system.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Starter GPOs container and select it.
4. Verify that the starter GPO functionality is enabled by viewing the right pane.
5. In the right pane, near the bottom, select the Load Cabinet button.
6. In the Load Starter GPO dialog box, click the Browse for CAB button to specify the
folder location of the starter GPO cabinet file.
7. Locate the cab file, select it, and click Open to return to the Load Starter GPO
dialog box.
8. Back in the Load Starter GPO dialog box, the dialog box will display the version
information of the cab file in comparison with any existing starter GPOs. Also, the
comment will be displayed and the administrator can view the settings. Click OK to
load or import the cab file to the domain starter GPO repository.
9. If an existing starter GPO has the same name, it will be overwritten and a confirmation
dialog box will require the administrator to click OK to accept this change.
10. Once the cab file is imported, close the GPMC.
Backing Up and Restoring Starter GPOs
Backing up and restoring starter GPOs is a simple operation that can be performed using
the Windows 7 or the Windows Server 2008 R2 GPMC. Starter GPOs can be backed up
individually or all of the starter GPOs can be backed up together.
Starting with Windows Vista and Windows Server 2008, the backup functionality of the
GPMC allows for the backup of multiple versions of the same GPOs. In previous versions,
if an organization wanted historical backups of GPOs, or revisions, the GPOs would need
to be backed up to separate folder locations. Now, the backups can all be stored in a
single folder.
Backing Up All Starter GPOs
To back up all of the starter GPOs in a domain, perform the following steps:
1. Log on to a designated Windows Server 2008 R2 administrative system.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Starter GPOs container and select it.
4. Right-click the starter GPOs and select the Back Up All button.
5. Specify the folder location to store the backup, enter a description of the backup,
and click the Back Up button to back up the starter GPOs.
NOTE
We recommend that the designated backup folder and the description of the backup
specify or make it very easy to differentiate between starter GPO backups and domain
GPO backups.
6. In the Backup window, review the status of the backup, and click OK when the backup
completes.
Backing Up a Single Starter GPO
Backing up a starter GPO can only be performed from the Windows 7 or the Windows
Server 2008 R2 GPMC. Starter GPOs can be backed up using the original GPMC backup
method, which includes version or revision history, but a single starter GPO can also be
backed up as a cabinet file. To back up a single starter GPO, perform the following steps:
1. Log on to a designated Windows Server 2008 R2 administrative system.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Starter GPOs container and expand it.
4. Select the desired starter GPO, right-click it, and then select the Back Up button.
5. Specify the folder location to store the backup, enter a description of the backup,
and click the Back Up button to back up the starter GPO.
6. In the Backup window, review the status of the backup, and click OK when the backup
completes.
Saving a Starter GPO as a Cabinet File
Starter GPOs can be exported or saved as individual cabinet (*.cab) files. Starter GPO
cabinet files can be used to create new starter GPOs or can be used to move starter GPOs
between isolated test and production Active Directory environments. To save an individual
starter GPO as a cabinet file, perform the following steps:
1. Log on to a designated Windows Server 2008 R2 administrative system.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Starter GPOs container and select it.
4. In the right pane, select a single starter GPO, and at the bottom of the pane, click
the Save as Cabinet button. This option will only be available if the Starter GPOs
container is selected in the tree pane and a single starter GPO is selected in the right
pane when the contents page is selected.
5. Browse or type in the location in which to save the cabinet file, specify a name for
the cabinet file, and click the Save button to save the starter GPO.
Restoring a Starter GPO from Backup
Restoring a starter GPO can be performed to revert a GPO to a previously backed-up state
or to recover from a starter GPO deletion.
To restore a deleted starter GPO, perform the following steps:
1. Log on to a designated Windows Server 2008 R2 administrative system.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Starter GPOs container and select it.
4. Right-click the Starter GPO container and select Manage Backups.
5. Browse to or specify the starter GPO backup location to load the starter GPO
backup set.
6. In the window, select the desired GPO object.
7. If a filtered view is desired, check the Show Only the Latest Version of Each Starter
GPO check box.
8. To view the settings of a particular backed-up GPO, select the desired GPO, and click
the View Settings button. Close the browser window after the settings are reviewed.
9. After the desired starter GPO is determined, select the GPO and click the Restore
button.
10. Click OK in the Restore confirmation dialog box to restore the starter GPO.
11. Review the GPO restore progress, and click OK when it completes.
12. After all the necessary GPOs are restored, close the Manage Backups window.
To change an existing starter GPO to a previously backed-up version, perform the
following steps:
1. Log on to a designated Windows Server 2008 R2 administrative system.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Starter GPOs container, select and expand it.
4. Locate and right-click the desired starter GPO, and select Restore from Backup.
5. In the Restore Starter GPO Wizard window, click Next on the Welcome page.
6. On the next page, browse to or specify the starter GPO backup location, and click
Next.
7. If a filtered view is desired, select the Show Only the Latest Version of Each Starter
GPO check box.
8. To view the settings of a particular backed-up GPO, select the desired GPO, and click
the View Settings button. Close the browser window after the settings are reviewed.
9. After the desired starter GPO is determined, select the GPO, and click Next.
10. Review the settings summary on the Completing the Restore Starter GPO Wizard
page, and click Finish to start the restore process.