Windows Server 2008 R2 Unleashed (127 page)

starter GPOs customized for their organization’s needs.

Starter GPOs can be viewed within the GPMC and can be edited using the Group Policy

Starter GPO Editor, but the files are stored within the domain controller sysvol folders. As

an example, starter GPOs for the companyabc.com domain would be located at the

\\companyabc.com\SYSVOL\companyabc.com\StarterGPOs folder. Microsoft provides

some starter GPOs that will be automatically installed when starter GPO functionality is

enabled. These currently include templates for two environments as described in the

Windows client security guides. These are the Enterprise Client (EC) environment scenario

and the Specialized Security Limited Functionality (SSLF) client environment scenario.

GPO Administrative Tasks

623

The Enterprise Client (EC) environment, as described in the Windows client security

guide, is an Active Directory domain infrastructure that runs Windows Server 2003 and

Windows Server 2008 servers and Windows Vista and Windows XP client workstations

where functionality is as important as security. The preconfigured settings in the EC

starter GPOs have been designed to enable the necessary functionality to allow businesses

to function with centrally managed user and computer configuration management as well

as security management and audit settings.

The Specialized Security Limited Functionality (SSLF) environment, as described in the

Windows client security guide, is designed to provide security configurations and guide-

lines for environments that require higher security, which outweighs the importance of

smoother user experiences and manageability. As an example of this, the Windows Vista

SSLF Computer starter GPO would deny logon through Terminal Services functionality,

whereas the Windows Vista EC Computer policy leaves this setting undefined. This policy

setting allows Administrators and/or members of the Remote Desktop Users groups to

connect using Remote Desktop Connection or Terminal Services clients.

CAUTION

Any Group Policy administrator must take the highest precautions to ensure that no

group policies deployed on a network are released without thorough testing in an isolat-

ptg

ed lab environment. This is especially true when considering deploying policies built on

the EC or SSLF starter GPO policies.

The starter GPOs included with Windows Server 2008 R2 GPCM include the following

policies:

. Windows Vista EC Computer

. Windows Vista EC User

. Windows Vista SSLF Computer

. Windows Vista SSLF User

. Windows XP EC Computer

. Windows XP EC User

19

. Windows XP SSLF Computer

. Windows XP SSLF User

For more information about the EC and SSLF starter GPOs, refer to the Windows client

security guides online.

Enabling Starter GPOs

Before starter GPOs can be put to use, the functionality must first be enabled in the

domain. Enabling this function is about as simple as pushing a button. To enable the

starter GPO feature, perform the following steps:

624

CHAPTER 19

Windows Server 2008 R2 Group Policies and Policy Management

1. Log on to a designated Windows 7 or Windows Server 2008 R2 administrative system.

2. Open the Group Policy Management Console.

3. Expand the domain to expose the Starter GPOs container and select it.

4. In the right pane, click the Create Starter GPOs Folder button.

Once the task is completed, the eight out-of-the-box starter GPOs will be available for

review in the GPMC. Also, the Group Policy administrator can now create new starter

GPOs from scratch and can also create new GPOs by using starter GPOs as templates.

NOTE

The starter GPOs included with Windows 7 and Windows Server 2008 R2 are read-only

and cannot be edited directly. Copies of the built-in starter GPOs can be edited.

Creating a Starter GPO

Starter GPOs can be created or added to a domain in a few ways. A starter GPO can be

created from scratch using a blank template, it can be created by restoring from a starter

GPO backup folder, or it can be imported from a provided starter GPO cabinet file. Before

the release of the Windows 7 and Windows Server 2008 R2 Group Policy Management

tools, the Microsoft EC and SSLF starter GPO policies were provided as separate down-

ptg

loads, stored in cabinet backup files. If an organization has not yet adopted Windows

Server 2008 R2 domain controllers, this is the only way to import these starter GPO poli-

cies. To create a starter GPO from a backup, please refer to the “Backing Up and Restoring

Starter GPOs” section. To create a new starter GPO, perform the following steps:

1. Log on to a designated Windows Server 2008 R2 administrative system.

2. Open the Group Policy Management Console.

3. Expand the domain to expose the Starter GPOs container and select it.

4. Verify that the starter GPO functionality is enabled by viewing the right pane.

5. Right-click the Starter GPOs container in the tree pane, and select New.

6. In the New Starter GPO dialog box, type in a name for the new starter GPO, and

enter a comment to describe what will be included in this starter GPO and when

and where it should be applied as a template.

7. Click OK to create the new starter GPO.

8. To configure settings in the new starter GPO, right-click the GPO and select Edit to

open the GPO in the Group Policy Starter GPO Editor.

9. When the GPO is configured as desired, close the Group Policy Starter GPO Editor.

10. In the GPMC, right-click the newly configured starter GPO, and select Backup to

back up this individual starter GPO.

11. Specify a destination folder to back up the GPO, enter a description for this backup,

and click Back Up to back up the starter GPO.

12. When the backup completes, review the backup results and click OK to close the

window.

13. Close the GPMC tool.

GPO Administrative Tasks

625

Creating Starter GPOs from Cabinet Files

To create a new starter GPO from a cabinet file (*.cab), perform the following steps:

1. Log on to a designated Windows Server 2008 R2 administrative system.

2. Open the Group Policy Management Console.

3. Expand the domain to expose the Starter GPOs container and select it.

4. Verify that the starter GPO functionality is enabled by viewing the right pane.

5. In the right pane, near the bottom, select the Load Cabinet button.

6. In the Load Starter GPO dialog box, click the Browse for CAB button to specify the

folder location of the starter GPO cabinet file.

7. Locate the cab file, select it, and click Open to return to the Load Starter GPO

dialog box.

8. Back in the Load Starter GPO dialog box, the dialog box will display the version

information of the cab file in comparison with any existing starter GPOs. Also, the

comment will be displayed and the administrator can view the settings. Click OK to

load or import the cab file to the domain starter GPO repository.

9. If an existing starter GPO has the same name, it will be overwritten and a confirma-

tion dialog box will require the administrator to click OK to accept this change.

ptg

10. Once the cab file is imported, close the GPMC.

Backing Up and Restoring Starter GPOs

Backing up and restoring starter GPOs is a simple operation that can be performed using

the Windows 7 or the Windows Server 2008 R2 GPMC. Starter GPOs can be backed up

individually or all of the starter GPOs can be backed up together.

Starting with Windows Vista and Windows Server 2008, the backup functionality of the

GPMC allows for the backup of multiple versions of the same GPOs. In previous versions,

if an organization wanted historical backups of GPOs, or revisions, the GPOs would need

to be backed up to separate folder locations. Now, the backups can all be stored in a

single folder.

19

Backing Up All Starter GPOs

To back up all of the starter GPOs in a domain, perform the following steps:

1. Log on to a designated Windows Server 2008 R2 administrative system.

2. Open the Group Policy Management Console.

3. Expand the domain to expose the Starter GPOs container and select it.

4. Right-click the starter GPOs and select the Back Up All button.

5. Specify the folder location to store the backup, enter a description of the backup,

and click the Back Up button to back up the starter GPOs.

626

CHAPTER 19

Windows Server 2008 R2 Group Policies and Policy Management

NOTE

We recommend that the designated backup folder and the description of the backup

specify or make it very easy to differentiate between starter GPO backups and domain

GPO backups.

6. In the Backup window, review the status of the backup, and click OK when the back-

up completes.

Backing Up a Single Starter GPO

Backing up a starter GPO can only be performed from the Windows 7 or the Windows

Server 2008 R2 GPMC. Starter GPOs can be backed up using the original GPMC backup

method, which includes version or revision history, but a single starter GPO can also be

backed up as a cabinet file. To back up a single starter GPO, perform the following steps:

1. Log on to a designated Windows Server 2008 R2 administrative system.

2. Open the Group Policy Management Console.

3. Expand the domain to expose the Starter GPOs container and expand it.

4. Select the desired starter GPO, right-click it, and then select the Back Up button.

ptg

5. Specify the folder location to store the backup, enter a description of the backup,

and click the Back Up button to back up the starter GPO.

6. In the Backup window, review the status of the backup, and click OK when the back-

up completes.

Saving a Starter GPO as a Cabinet File

Starter GPOs can be exported or saved as individual cabinet (*.cab) files. Starter GPO

cabinet files can be used to create new starter GPOs or can be used to move starter GPOs

between isolated test and production Active Directory environments. To save an individ-

ual starter GPO as a cabinet file, perform the following steps:

1. Log on to a designated Windows Server 2008 R2 administrative system.

2. Open the Group Policy Management Console.

3. Expand the domain to expose the Starter GPOs container and select it.

4. In the right pane, select a single starter GPO, and at the bottom of the pane, click

the Save as Cabinet button. This option will only be available if the Starter GPOs

container is selected in the tree pane and a single starter GPO is selected in the right

pane when the contents page is selected.

5. Browse or type in the location in which to save the cabinet file, specify a name for

the cabinet file, and click the Save button to save the starter GPO.

GPO Administrative Tasks

627

Restoring a Starter GPO from Backup

Restoring a starter GPO can be performed to revert a GPO to a previously backed-up state

or to recover from a starter GPO deletion.

To restore a deleted starter GPO, perform the following steps:

1. Log on to a designated Windows Server 2008 R2 administrative system.

2. Open the Group Policy Management Console.

3. Expand the domain to expose the Starter GPOs container and select it.

4. Right-click the Starter GPO container and select Manage Backups.

5. Browse to or specify the starter GPO backup location to load the starter GPO

backup set.

6. In the window, select the desired GPO object.

7. If a filtered view is desired, check the Show Only the Latest Version of Each Starter

GPO check box.

8. To view the settings of a particular backed-up GPO, select the desired GPO, and click

the View Settings button. Close the browser window after the settings are reviewed.

9. After the desired starter GPO is determined, select the GPO and click the Restore

button.

ptg

10. Click OK in the Restore confirmation dialog box to restore the starter GPO.

11. Review the GPO restore progress, and click OK when it completes.

12. After all the necessary GPOs are restored, close the Manage Backups window.

To change an existing starter GPO to a previously backed-up version, perform the

following steps:

1. Log on to a designated Windows Server 2008 R2 administrative system.

2. Open the Group Policy Management Console.

3. Expand the domain to expose the Starter GPOs container, select and expand it.

4. Locate and right-click the desired starter GPO, and select Restore from Backup.

5. In the Restore Starter GPO Wizard window, click next on the Welcome page.

6. On the next page, browse to or specify the starter GPO backup location, and click

Next.

19

7. If a filtered view is desired, select the Show Only the Latest Version of Each Starter

GPO check box.

8. To view the settings of a particular backed-up GPO, select the desired GPO, and click

the View Settings button. Close the browser window after the settings are reviewed.

9. After the desired starter GPO is determined, select the GPO, and click Next.

10. Review the settings summary on the Completing the Restore Starter GPO Wizard

page, and click Finish to start the restore process.

Other books

We Dine With Cannibals by C. Alexander London
Roxanne's Redemption by Keegan, Aisling
Indignation by Philip Roth
Silver Guilt by Judith Cutler
The Dells by Michael Blair
Tambourines to Glory by Langston Hughes
Gifts of War by Mackenzie Ford