Even better there is a deny execute access policy setting prevents your users the running on BYO applications such as Firefox Portable and even some malicious software via USB sticks.

While most of the device types seem obvious, the WPD Device allows you to control access “to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices.”.

You can even configure the “Time (in seconds) to force reboot” which will enforce the change once it is applied to the computer.

These policy setting can be found under Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access.

Its the best thing to control access to USB storage device since the invention of the hot glue gun….

About this time I then noticed a new blog post http://jorgequestforknowledge.wordpress.com/2011/12/12/the-active-directory-web-service-adws/ about the new Active Directory Web Services (ADWS) feature with 2008 R2 which explained why I was getting this message. The environment I was dealing with was a Windows 2008 only domain environment meaning that there was no ADWS for PowerShell in Windows 7 to utilise. This article explained that both PowerShell and the the Active Directory Administrative Center (ADAC) in Windows 7/2008 R2 used the WS-* protocols and therefore needed a ADWS server somewhere in the domain to work. Not having an ADWS DC in the environment meant that these tools would not work…

So to get around this issues you will need to either need to spin up a Windows Server 2008 computer to run the commands or apply the necessary KB’s to some of the domain controllers your environment to enable ADWS.

Update: I just learnt that the AD PowerShell commands are only supported on Windows 7/2008 R2.

The moral of this story is that its always good practice to make sure that your server and client infrastructure are upgraded together due to the advantages of the tight integration the two product have with one another.

Related KB’s:

Windows 7 clients cannot locate the Active Directory Management Gateway service that is installed on Windows Server 2003-based domain controllers

Windows 7 clients cannot locate the Active Directory Management Gateway service that is installed on Windows Server 2008-based domain controllers

Note: ADWS was included with Windows Server 2008 Service Pack 2.

Tip: Make sure that the issue is related to the users roaming profile by testing another account with the same or similar privileges on the same computer. If the other computer account also has the same issues or if the issues seems to does not follow them to other computers then it is highly unlikely it is a roaming profile issue.

So lets assume you have troubleshoot this issue for many hours and you are at your wits end about to rip out your hair (if you have any) and have decided to reset the users profile… how do you do it?

In Windows XP days you could just delete the users local and roaming profile files and the next time the user logged on they would generate a new profile. However if you do this in Windows 7 you will find that this no longer works…

So what is the correct way to reset a roaming profile in Windows 7?

Step 1. Open Active Directory Users and Computers and to the profile tab of the user account you want to reset. Now take note of the roaming profile path….

Step 2. Reboot the users computer that is having issues and logon with an account that has local admin and is NOT the account you are tyring to fix.

Step 3. Open control panel and type “Advanced” in the search field then click on “View advanced system settings”

Step 4. Click on the “Advanced” tab and under User Profiles click the “Settings” button

Step 5. Now select the user you want to reset the profile and press the “Delete” button.

Step 6. Press “Yes”

And now the local copy of the roaming profile is deleted you also need to remove the network copy…

Note: If you have implemented folder redirection as per my Best Practice: Roaming Profiles and Folder Redirection (a.k.a. User State Virtualization) then the vast majority of the users information will not be part of the users roaming profile. This means other than a few program setting the users is unlikely to lose any work. The exception to this is the AppData folder however if you are trying to preserve this folder as well note you may be copying over the issues that are trying to fix.

WARNING: Always be careful you have everything backed up before deleting any users profile.

Step 7. Before you log off that computer go to the path you noted in step 1 and delete (or rename) the roaming profile for that users on the network.

Note: You many need to take ownership of the folder before it can be deleted.

Tip: To avoid having to take owner ship of the roaming profile be sure you have enabled the  Add the Administrator security group to roaming users profiles setting.

How to fix the “You have been logged on with a temporary profile” issue in Windows 7

So… that was the easy way… But what do you do if just deleted the users profile files and now the users is “logged on with temporary profile” like you did back in the Windows XP days….

Step 1. Reboot the computer again and logon as the local admin.

Step 2. Open Regedit and go following registry key path:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Step 3. Find the Profile that has the ProfileImagePath of the users you are fixing and delete that entire key.

Step 4. Log off and logon as the user you are trying to fix.

TIP: If this is successful make sure you get the use to log off straight away so the new profile is save to the network which will then propagate to any other computer when then log on.

Hopefully this will have fixed your roaming profile issues and the users is now back up and running with a minimum of fuss… Of course some of the users personal settings may have been lost but hopefully a well managed SOE should allow them to run all the essential programs with little to no additional set up.

Source: I found the registry key trick from this TechNet Forum article http://social.technet.microsoft.com/Forums/en-US/w7itprogeneral/thread/5ec0b949-effa-4e30-ba09-dc948a4c7a8b

Get it here http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d

Related Article: How to download and install the Group Policy Management Console (GPMC)

Update: Now that I have installed the final version of IE9 on 6 computers 2 of them needed to rebook so it would seem that it may or may not require a reboot. This seems to be dependent on what application you are running at the time. Therefore it would still be prudent to plan for a reboot but not always expect it to happen.

I have just install IE9 on a Windows 7 and a Windows Server 2008 R2 computer running Service Pack 1 and I was very pleased to see that in both cases it does not required a reboot to install. Previously I have installed IE9 on 3 Windows 7 computers that were not running service pack 1 however they all required a reboot to install IE9. Therefore it seems that with Windows 7 / 2008 R2 Service Pack 1 installed it is now possible to install IE9 without a reboot. (see images below).

Disclaimer: I have only seem this behaviour on one computer so far but I am testing it one more really soon. I have now repeated this process on a Windows Server 2008 R2 SP1 and Windows 7 SP1. It looks more likely that this option to install IE9 without a reboot is a new feature of Service Pack 1.

One of the dialogue boxes (see below) on Windows Server 2008 R2 Service Pack 1 during the IE9 install asks if you want to the installer to close your running programs to install it without a reboot. So if you select the “Close programs for me (I already save my work)” opting the browser will be installed without a reboot.\

( FYI: The screenshots below are from a computer running Windows Server 2008 R2 Service Pack 1 with the Domain Controller role installed and running. )

The next screen is the dialogue box during install of IE9. As you can see IE8 and the Explorer shell has been closed during the install but the OS has NOT rebooted.

After IE9 is installed the Explorer Shell is launched again still without interruption to the OS.

This is a huge deal as it means that it is likely that updates to the browser will be able to be installed without having to require a reboot of the OS. Now this may be a nice have for end users however this is a much bigger deal for Windows Servers as IT administrators as they can now patch what is the most vulnerable part of the server OS (the browser) without any down time. This should hopefully mean that IT administrators will not need to revert to installed “Server Core” versions of the server OS’s just to ensure that they don’t have to reboot them every patch Tuesday to keep them secure.

I know this is not specifically a Group Policy topic however this is a really super cool find that I just had to share with everyone…

Update: Service Pack 1 is now available for download for TechNet and MSDN subscribers.

Previously I had listed the hotfixes in the beta version of the service pack, so I have again combed through the hotfix list for you convenience and I have updated the list to include the release candidate hotfixes. While this is not the final list of hotfixes Ned Pyle [MSFT] says “it’s very doubtful that the lists below will be altered much” so you can pretty much take the following list as final. In any case I will review the list when the final list of fixes is out but for now here is the list of issues.

Updated: The final list of hotfixes is now out ( Here ) and after a quick look they appear to be the same as expected.

If you have anything to do with supporting group policy in your organisation then I recommend that you at least take a look at the articles to see if you have encountered any of the problem described.

You can also see the complete list of Active Directory Hotfix’s at Ask the Directory Services Team blog posting SP1 and Directory Services: What’s New .

I do note that KB981704 has been out for a while and seems to have been just updated to reflect that it is still required for Service Pack 1.

KB981704 – The file name of an ADM file is displayed incorrectly in the GPMC report in Windows Vista, in Windows Server 2008, in Windows 7 or in Windows Server 2008 R2.

KB2460922 – Group Policy preference item-level targeting does not work for 64-bit versions of Windows 7

Previous to Windows 7 you had to specify the .cpl (e.g. timedate.cpl) file name of the control panel item you wanted to show or hide however this has changed in Windows 7 and you now need to use the Canonical Name when hiding or showing specific items.

Below I will explain the new way of configuring control panel items for Windows 7 and show you the affect that this has on the control panel.

Before you begin I recommend that you take a look at http://msdn.microsoft.com/en-us/library/ee330741(VS.85).aspx which lists all the Canonical names for the control panel items for Windows 7. You will need to know what CN of the item you want to restrict or allow.

Note: In this example we are only going to show the control panel items we want to see (white list) however if you use the Hide specified Control Panel items policy setting you can black list only the items you don’t want listed.

Step 1. Edit the Group Policy object that is applied to the users that you want to apply the Control Panel configuration.

Step 2. Navigate to User Configuration > Policies > Administrative Templates > Control Panel

Step 3. Double click on the Show only specified Control Panel items setting then check Enabled and then click then Show button.

Step 4. Now you have the Show Contents dialog box open  you need to visit the web site that list the names at Canonical Names of Control Panel Items and copy the Canonical name for the control panel item you want to display.

Paste the name into the value field enter the canonical name of the control panel item you want to show in the Value field and click OK.

You will now see that the only available control panel item is the Region and Language options (see below).

However this view is somewhat confusing for users as they can still click on the category but there are not items to display (see below).

To get around this problem also enable the Always open All Control Panel Items (a.k.a Force classic Control Panel) when opening Control Panel setting in the same GPO.

Note: This option is probably not needed if you used the Show only specified Control Panel setting instead.

Now when the users open control panel they will only see the specific control panel items you have allowed without the empty categories.

To log on to Windows by using the disabled local Administrator account, start Windows in Safe mode.

However this behaviour has change since Windows Vista (and 7) and now you are no longer able to logon to a computers local administrator account if it is disabled (see Built-in Administrator Account Disabled ).

On domain joined computers, the disabled built-in administrator account cannot logon in safe mode

This presents some challenges as IT administrator as sometime you still need to ability to logon to a computer using the local administrator. The most common scenario you need to do this is when you need to troubleshoot domain account issues (e.g. re-join the computer to the domain) when the AD computer account has been reset or deleted or the password has become out of sync and you get a workstation trust relationship issue (see below).

The problem is that the local administrator account is now disabled and due to the new behaviour of the account you can no longer log with it using safe mode.

The built-in administrator account is disabled by default in Windows Vista on new installations.

This of course makes it almost impossible to configure the computer into a workgroup so that it can then be re-added to the domain to fix the problem. Its even more difficult if you have BitLocker encryption enabled on your local hard drive.

It is possible that you could logon with a user with local administrator access using cached credentials however this is limited to the last 10 people that logged on (increasable to 50 if you change the CachedLogonsCount below registry key).

But even so, this would also mean you have to know the username and password of the account at the time they last logged onto the computer. This may be a bit hard to do as they may have changed their password a number of times since they logged on to that computer.

Unfortunately, it is also much more unlikely now that the normal local user of the computer has not been given local admin due to all the improvement with Windows 7 (e.g. UAC) that allows users to work with standard user permissions.

Now you might think the really obvious solution is to just enable the local administrator account and set a password in advanced using Group Policy Preferences (see below) so that you can use it when you need to however doing this has a few security issues.

However enabling the local administrator account means it can be used by anyone who knows the credentials and they could then use the account to remotely access any workstation on the network (not good). It also mean a normal user that knows the local admin credentials ( we would like to think they don’t but somehow they find out) could us them whenever they are presented with a specify credentials UAC prompt. So it’s pretty much a back door that anyone can use to get around the fact you spent all this time setting up their computers for them to not require local administrator access…

So to get around this issues you could just set the password on a regular basis using Group Policy Preference (see above image) however this also has a few problems as well… While setting the local administrator password is easy to do however it is stored in the SYSVOL as an encrypted string that is fairly easy to crack (see Passwords in Group Policy Preferences ).

A password in a preference item is stored in SYSVOL ….. it is not stored as clear text in the XML source code of the preference item. However, the password is not secured.

To help mitigate this I have also written an article that explain a way to more securely apply the new password to all the computers (see How to use Group Policy Preferences to change account Passwords ) but even if you did this on a regular basis you would still need to tell all the IT support staff what the new password is when you change the password and thus people quickly learn the local admin account credentials all over again…

Note: That all being said it is still a really good idea to set a password for the local administrator account as the default password is configured as blank.

The other solution you might think of is to boot the computer using a third-party tool that can reset and enable the local admin account (see http://www.bing.com/search?q=sethc.exe+%22windows+7%22+administrator+password&form=QBRE&qs=n&sk= ) however these tools don’t work if your local drive is encrypted with BitLocker nor are they supported from Microsoft (see Microsoft policy about lost or forgotten passwords ).

If you want help to break or to reset a password, you can locate and contact a third-party company for this help. You use such third-party products and services at your own risk.

So lets assume you have a computer that is no longer properly connected to the domain with a disabled local administrator account. The computers local system drive is BitLocker encrypted and and you don’t know the credentials of any other accounts that have previously logged on with local administrator permissions… What do you do?

So below I will show you how to enable the local administrator account so that you can at least still logon with the local administrator even if the account has been disabled…

How to enable a disabled local administrator account on a Windows 7 computer with BitLocker enabled

Before you begin you are going to at a minimum know the following information:

• The account name and password of the local administrator account.
• The BitLocker recovery key for the local system drive. (see instruction on how to get the key from here How to use Group Policy to save “BitLocker to Go” recovery keys in Active Directory – Part 1 )

Step 1. Boot the computer using the Windows 7 Installation media

Step 2. When prompted to “Install now” click the “Repair your computer” option at the bottom left.

Step 3 (optional). If your local computer hard drive is BitLocker is encrypted you will now be prompted to type in the recovery key (see below) and just follow the next couple of step that is appropriate for your situation.

Note: You may need to use the Recovery Key Identifier (e.g. A5103515) to find the correct encryption recovery key from Active Directory.

Note2: This step is only required if your local hard drive is encrypted using BitLocker drive encryption.

Step 4. After you have entered the correct recovery and unlocked the drive select the appropriate installation of Windows 7 that you wish to gain access to (You will probably only have one option to select).

Note: Remember the drive letter in the location column as you will need to use this later (Almost definitely going to be “(D:) Local Disk” ).

Step 5. From the System Recovery Options click on “Command Prompt”

Step 6. Now run “regedit” from the command prompt.

Step 7. Click on HKEY_USERS and then click on File > Load Hive

Step 8. Navigate to D:\Windows\System32\Config folder and select the SAM file then click Open

Note: The drive letter you use in the path above is the same as the the drive letter in the Location column in Step 4.

Step 9. Now type “SAM_TEMP” (or any value) in the Key Name text field and click OK

Step 10. Expand SAM_TEMP\SAM\Domains\Account\Users\000001F4 and double click on the “F” key.

Step 11. Change the value “11” in the first column, row 0038 to “10” and click OK

Before	After

Step 12. Click back on “SAM_TEMP” and then from the File > Unload Hive and Yes to confirm.

Step 13. Exit Regedit and close the Command Prompt and click Restart from the System Recovery Option menu

Done…

Summary

You will now be able to logon as the local administrator account by using the account name “.\administrator” and the password of the account (which you should already know). This will enable you to configure the computer into a workgroup and then re-join the computer account back into the domain but without having to resort to enabling a back door administrator account on the all the computers in your environment…

Now you might now be wondering what is the point of security is on Windows 7 (i.e. BitLocker and disabled local admin) if it is so easy to circumvent however you need to remember that for this process to work you still need to know the local administrator password and more importantly you will need to know the unique BitLocker recovery key… Obviously this makes it very important to have BitLocker drive encryption deployed otherwise it will make it very easy to break into pretty much any computer if you have physical access.

the best network software security measures can be rendered useless if you fail to physically protect your systems

I know this is not strictly a Group Policy topic however it is very closely related topic and one I feel that this is still well worth knowing for any IT administrator so you can configured a more secure environment…

Other References

How to configure Group Policy to use Data Recovery Agents with “Bitlocker to Go” drives – Part 2
How to use Group Policy to save “BitLocker to Go” recovery keys in Active Directory – Part 1

Windows Seven Forums: How to Enable the Built-in Administrator Account from WinRE

The idea is simple… a user can logon to any computer in an organisations and have all their personal files and setting apply to that computer as it was the last time they used a computer. This is really a Win/Win for Users and IT Pros as for a user this is a big time saver as they no longer need to waste time setting up their drives, printers and other personal settings when they have to use another computers. IT Pro’s also benefit when there is an un-expected failure or loss of a computer then they don’t have to go through what could be a lengthily, costly and if not impossible, process of recovering the users data.

The video below is part 1 in a 3 part series that give an overview about how Roaming Profiles and Folder Redirection give you User State Virtualisation.

Now theoretically User State Virtualization can be totally done with just a Roaming Profile, however this quickly becomes impractical as users often store a LOT of data which can make users profile impossibly large. To get around this Microsoft users folder redirection to essentially redirect parts of a users profile to a file share on a server where it is centrally access whenever they logon to a computer.

Reference: Managing Roaming User Data Deployment Guide

Folder Redirection provides a way for administrators to divide user data from profile data. This division of user data decreases user logon times, and Windows downloads less data. Windows redirects the local folder to a central location, giving the user immediate access to their data when they save it, regardless of the computer they are using. This immediate access removes the need to update the user profile.

By redirecting these folders to a server they are only access when needed and therefore very large files do not slow down the profile update process. The obvious disadvantage of doing this is that when a user cannot access the redirected folders (e.g. disconnected laptop users) they lose access to these files. However this restriction is also mitigated by ensuring that the user has a cached copy of these redirected folders.

Below I am going to go through a number of tips and tricks to make sure you get the most out of a User State Virtualization setup in your environment and to ensure that you don’t fall into some configuration traps.

Before you begin I would also recommend that you read the following articles from Microsoft about User State Virtualization.

• Choosing an Appropriate User State Virtualization Solution
• Understanding User State Virtualization Improvements In Windows 7

Note: I am going to mainly focus on Windows Vista/7 setups however most of the setting/principals I do mention below will still apply to Windows XP.

Update: Here is a really good video from Darren Mar-Elia (Fellow Group Policy MVP) from TechEd North America 2011. This session is entitled Optimizing Group Policy in Virtual Desktop (VDI) Environments however much of it covers User State Virtualization.

Setting up Folder Redirections using Group Policy

Below I will show you how to setup folder redirection for you users profiles. It is very important that you realise the impact that redirection some of these folder can have as if users have many GB’s of music of videos on their local computers you could quickly find yourself running out of disk space on the server.

Setting up file server share for User State Virtualization

When setting up the file server you need to be sure that the permission on the folder are setup so that a user can create a new folder however you also need to ensure that they can only see their own files if they start to snoop about.

Below I will go though the setup of a folder to be used for folder redirection and the roaming profiles. Combining a users redirected folders and roaming profile path to the one spot on the network is far easier to manage as it consolidates all the users information in one locations.

Note: This consolidated storage of users information can only applies to Windows Vista/7 systems. Otherwise you will need to create a separate share for roaming profiles with offline caching disabled for Windows XP systems.

Step 1. Create a folder to be used as a root folder for all the users information (e.g. Users)

Step 2. Open the properties of the folder and then go to the Security tab and then click on the Advanced button.

Step 3. Now click on the “Change Permissions” button

Step 4. Un tick “Include inheritable permission form this object’s parent.

Step 5. Click the “Add” button

Explanation: We have now setup a folder with no inheritable file permissions from the parent. We do this so we can remove the Read permission from Users for all subfolders and files in a later step.

You should now see something like this below.

Step 6. Select the Users “Special” ACL and then click the Edit Button.

Step 7. Change the Apply to: permission to “This folder only” and press “OK”

Step 8. Select the Users “Read & execute” ACL and then click the “Edit” button.

Step 9. Again select the “This folder only” option from the Apply to: section and then press “OK”

Notice how the two “This folder only” permissions for Users have now combined into one ACL.

Step 10. Then press “OK” and “OK” to get you back to the Users Properties screen.

Now we need to share the folder…

Step 11. Click on the “Sharing Tab” on the Users Properties screen and then click on the “Advanced Sharing” button.

Step 12. Tick “Share this folder” and give the type in a share name ending with a $ (e.g. Users$) then click on the “Permissions” Button.

Note: The $ symbol at the end of the share name makes it hidden to a users so they cannot browser to the folder. This is not necessary but it is good practice to help stop nosey users.

Reference: http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

you should always hide the profile share using a dollar sign ($).

Step 13. Tick “Allow” for the Full Control permissions (change should then get automatically ticked) and then press OK then OK then Close.

(Optional) Setting up Roaming Profile Folder

If you are still using Windows XP then I would recommend configuring the roaming profile folder is the same as the Users folder for the redirected folders except that you need to disable file caching. Simple repeat the steps above for “Setting up file server share for User State Virtualization” instead use the folder name called “Profiles” and a share name called “Profiles$”.

After you configure the share permissions (see step 13 above) also click on the “Caching” button and select the “No Files or programs from the share folder are available offline” options then press OK then OK then Close.

Reference: http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

You should disable Offline Files

Enabling Access Based Enumeration

Now we are going to enable Access Based Enumeration for the Users$ share so that any users that manually goes to \\server04.contoso.local\users$ will only see their own folder. This is optional however as it simple stops your snooping users from seeing who else is in the organisation.

Reference: http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

This last part is for the former Novell Admins out there. Yes, you could use Access Based Enumeration (ABE) on these new shares; however if there is going to a lot of user folders on any one of these shares you could experience degradation of performance. Enabling ABE on a share does come at a price of performance.

Step 1. Open Server Manager and expand Roles > File Services > Share and Storage Management and then highlight the Users$ share

Step 2. From the menu click on Action and then Properties and then click the “Advanced” button

Step 3: Tick “Enable access-based enumeration” and then click “OK”

Step 4. Click OK

The folder on your server is now ready for your users roaming profiles (Windows Vista/7) and folder redirections.

Tip: You can also also enable a File Screen using the File Server Resource Manager to prevent your users from saving files type of a certain extension (e.g. MP3, AVI or MP4) to their redirected folders. Another option this gives you is the ability to apply an Auto Apply Quota to the users folders and have then get warning email messages whenever they consumer a lot of disk space.

How to configured Roaming Profiles for a user using Group Policy

Before we begin, take the time to watch part 2 video that shows an example of how Roaming Profiles can be used to give your users a better experience. This video also demonstrates some of the pit falls with just implementing a roaming profile for a user without Folder Redirection enabled.

Per User Roaming Profile

You have always been able to configured a users roaming profile patch by configuring the Profile Path on the users account (see image below). This method allows you to granularly configure a users roaming profile path location however it is a lot more laborious process to ensure that they are consistent with the folder redirection policy that is also applied to the users.

Below is the view of a users roaming profile configured to \\server04.contoso.local\users$\%username%\profile . If you are a Windows XP user this will translate to \\server04.contoso.local\users$\sam\profile and if you are a Windows Vista/7 users this will translate to \\server04.contoso.local\users$\sam\profile.v2 .

Explanation: I have added “\profile” onto the end of what would normally be the profile path so that when the profile is created it is placed at the same level as all the other redirected folders. You will see how this works later on in this post.

Reference: http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

You configure the profile location on the Profile or Terminal Services Profile tab within Active Directory Users and Computers.

If you setup the optional Profiles$ share for Windows XP then you will need to make sure the share you use is profiles$ (not users$) and there is no need for the additional \Profiles folder to be specified.

Once feature that was introduced in new version of Active Directory Users and Computer in Windows Server 2003 was the ability to update user attributes with multiple users in one action (see image below). This made the whole process of configuring the users profile patch much easier especially when dealing with many users accounts.

Per Computer Roaming Profile

Before Windows Vista the only way you could configure the roaming profiles path for a users was by configuring it on the users account via Active Directory Users and Computers. While configuring the roaming profile path on the users account is now far easier with the multiple user attribute update feature this still left the setting configured for each individual users and unless you do an audit of all the user account it is possible that some path’s could be setup incorrectly.

However in ever since Windows Vista there is now a group policy setting you can apply to computers that configured the roaming profile path for anyone who logs onto that computer called “Set roaming profile path for all users logging onto this computer”.

Warning: The biggest problem with the Per Computer roaming profile configuration is that there is no way to exclude you administrator accounts from also getting this policy as it is a per computer policy. This means if any administrator logs on to a workstation with this policy applied they will be configured to use a roaming profile.

Step 1. Edit a Group Policy object that is targeted to your workstations

Step 2. Navigate to Computer Configuration > Policies > Administrative Templates > System > User Profiles and enable the “Set roaming profile path for all users logging onto this computer” and configure the path to \\PROFILESERVERNAME\Users$\%username%\profile .

Explanation: I have added “\profile” onto the end of what would normally be the profile path so that when the profile is created it is placed at the same level as all the other redirected folders. You will see how this works later on in this post.

If you are still running Windows XP this policy works very well if you have used a geographical OU structure (see Best Practice: Active Directory Structure Guidelines – Part 1 ) for your workstations as you will be able to send the users  roaming profile path for each user  to a local file server. This would allow you to point users in the local site to the closest/quickest roaming profile server to reduce the time it takes to logon and logoff. However as Windows Vista and Windows 7 now uploads the profile asynchronously loading the profile via a higher latency lower bandwidth link is not so noticeable unless the users has never logged on to that computer before.

Which do I recommend?

Amazingly I am not going to recommend the per computer Group Policy method as there is no way you can get around not having a roaming profile if you logon as an administrator. This is a real show stoper as I think it is really bad for administrator accounts should not be encumbered with “crud” in their profile when logging onto a computer.

Therefore I recommend the per user roaming profile configuration method, which is made much easier to do with the multiple user attribute update option you get with the newer version of Active Directory Users and Computers.

Other Roaming Profile Group Policy settings

In this section I will go through (in no particular order) the Group Policy settings I recommend you configure for setting up roaming profiles.

Computer Configuration > Policies > Administrative Templates > System

• Verbose vs normal status messages

Reference: Managing Roaming User Data Deployment Guide

Windows Vista provides little information about the status of loading or unloading roaming profiles during user logon and logoff. This lack of information is misleading and may give a user the impression Windows Vista is unresponsive.

Computer Configuration > Policies > Administrative Templates > Systems > User Profiles

• Add the Administrator security group to roaming users profiles (HIGHLY RECOMMEND)
• Background upload of a roaming user profile’s registry file while user is logged on
• Delete use profiles older than a specified number of days on system restart

Users Configuration > Policies > Administrative Templates > Systems > User Profiles

• Do not check for users ownership of Roaming Profile Folders

Usefully if you are doing a cross domain/forest migration of user accounts. Also reduces logon issues caused by incorrectly set permissions on the folders.

• Limit profile size (NOT RECOMMENDED)

Reference: Managing Roaming User Data Deployment Guide

Vista still respects this policy setting; however, no longer prevents the user from logging off the computer. Windows does not synchronize the user’s profile to the profile server when it exceeds the policy enabled limit.

• Exclude directories in roaming profile

Handy to exclude applications that incorrectly write very large caches from the users Application Data folder if you do not have folder redirection enabled.

Trusted Sites

• As you are redirecting the Desktop and Start Menu to a network location you will need to add the file server into the trusted sites list otherwise Windows will warn you are trying to run a program form an un-trusted location (see below).

Tip: To avoid having to enter in the name of every file server in your organisation simple added the Domain name portion of the server name so that all servers will be Intranet Zone (e.g. file://*.contoso.local ). See my other blog post How to use Group Policy to configure Internet Explorer security zone sites on how to do this…

Error Message you will get if you do not add you file servers into the Intranet Zone.

Updates: Roaming Profile Improvement in Windows 7

Background Synchronisation

The most significant improvement to Roaming Profiles with Windows 7 is the introduction of a new feature called Background upload of a roaming user profile’s registry file while user is logged on this enables the IT administrator to schedule a background upload of the users NTUSER.dat file if they don’t log off their computer. Even if your users are in the habit of logging off at the end of the day this is a setting you should consider turning on to ensure that the users settings are always being backed up as failures can happen at any time.

How to configure Folder Redirection via Group Policy

Now lets take a look at how to setup folder redirection for a user so that the files stored in their personal folders (e.g. Documents, Music & Videos) are stored on the file server an not on the local computer. By default all folders that are redirected are automatically made available offline which is done so that users can still access their personal files if they are disconnected from the file server. On a Windows XP system this can add substantial time to the logon/logoff process as the user has to wait for the files to be synced however in Windows Vista/7 this is done in the background therefore it is a much more seamless process.

Part 3 of this video series also goes though an example that explains how Folder Redirection can help your roaming user access their files from various desktops and laptops.

Step 1. Edit a Group Policy Object that is targeted to your users and navigate to User Configuration > Policies > Windows Settings > Folder Redirection > Documents

Now we are going to setup folder redirections for the Documents (a.k.a. My Documents) folder as this is the most commonly redirected folder however you will need to repeat the same instructions for each of the other folders (if required).

Step 2. From the menu click on Action and then Properties

Step 3. Select the “Basic – Redirect everyone’s folder to the same location” option

For the purpose of this demo I am only going to show you how to setup a “Basic” redirection. However if you want to spread out the users amongst multiple locations you can use the advanced options and apply a different folder redirection based on the users security group membership (see image below). This option is useful if you want to distribute the load across multiple server but it can start to get complicated as the users roaming profile may then be stored in a different locations to their redirected folders. Also be careful with the order you apply these advanced settings as if the users is a member of multiple groups it will pick up the top entry in the list and there is no way to reorder the list after the entries are created. For these reasons unless you REALLY want to you should try and avoid using the Advanced option.

Advanced redirection (just for your FYI)

Step 4. Select the “Create a folder for each user under the root path” option under the “Target folder location” and then type the full UNC path in the root path that we created before (e.g. \\server04.contoso.local\users$ ) then click on the “Settings” Tab.

Step 5. Un tick “Grant the user exclusive rights to Documents”

Explanation: If leave “Grant the user exclusive rights to Documents” ticked then when the folder is initially setup Windows will block inheritance on the folder and grant exclusive access to the users on these files. This will lockout even administrators to the files which makes administration of these folders very difficult. If an administrator did need to access these files they will need to take ownership which in turn removes access from the users to their files. The admin will then need to ensure that they need to re-setup the permission on the folder to ensure that they users can still access the files….. very messy…  The only scenario I see you wanting to keep this ticked is if you have a VERY strict privacy policy in your organisation but as I said before its not as if a determined administrator cannot get access to these files if they really wanted to.

Reference: http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

By default, Administrators do not have permissions to users’ redirected folders. If you require the ability to go into the users folders you will want to go to the “Settings” Tab, and uncheck: “Grant the user exclusive rights to” on each folder that is redirected. This allows Administrators to enter the users redirected folder locations without taking ownership of the folder and files.

Note: If this is also one of the support folder redirection types in Windows XP you will have the option to also apply this policy to Windows XP computers. I would strongly recommend that you think hard before ticking this option however as I am a strong believer in not crossing the streams when it comes to running dual SOE’s.

“Also apply…” option greyed out as its not a down level (a.k.a. Windows XP) supported setting.

Note2: The other option you may want to consider it the “Redirect the folder back to the local userprofile location when policy is removed”. What this means is that if a users is not longer subject to that Group Policy setting the the contents of the redirected folder are moved back to the local computer. This sounds good until this actually happens to a users and then it takes them about 2 hours to copy all their file down to the local computers. I recommend that you leave this at the default setting.

Step 6. As we did not tick the “Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP and Windows Server 2003 operating systems” setting… phew… then you will need to press the “Yes” button.

Now repeat the setups above to configured all the other redirected folders (as shown below).

Note: You will see on the Pictures, Music or Video options you will have the option to select the “Follow the Documents folder” option. However I have found that selecting this option can cause the Video and Music libraries in Windows 7 to disappear so i recommend that you do n so that they will automatically inherit the Documents settings.

Warning (Pre Windows 7): When enabling folder redirection for existing users for the first time expect the logon to be very slow. Not only are you copying the contents of all the user’s personal folders across the network to the server you are doing this for multiple users at the same time when the login. This means that it is highly likely that your file server will be the bottle neck. To mitigate this you might want to security filter the policy and only enable it for a few users at a time working you way up to all your users.

Folder Redirection Improvements in Windows 7

Fast First Logon

One of the new feature with Windows 7 is called Fast First Logon which allows users to logon to their computer without having to wait for the folder to be moved first. This means if your are enabling folder redirection for users already running Windows 7 the performance impact will be greatly reduced.

Reference: What’s New in Offline Files

the user must wait only for Windows to move the files into the local Offline Files cache. After the files are moved, the user logs on and is free to perform other tasks while Windows synchronizes the locally cached data over the network as a background task

Background Synchronisation

As all redirected folder are also made available offline it allows users to work on their files when in offline mode but still have them periodically sync in the background when connected via a low link. This is very useful for roaming users connected via a VPN or even when the file server might be experiencing heavy load.

Reference: What’s New in Folder Redirection and User Profiles

When the network connection is slow or unavailable, Offline Files routes requests for the user folders that are stored on the server to the local computer cache. Users read and write from their local cache. Offline Files synchronizes new and changed files and folders from the local computer cache to the server when the network becomes available or in the background when the connection is slow.

The difference between Local, LocalLow and Roaming Applications Data

One of the most confusing aspect of folder redirection is all the type of Application Data folders there are and what they do. Below is my attempt at trying to explain the difference between the Applications Data folders and how they will affect your computers.

Reference: Managing Roaming User Data Deployment Guide

Local and LocalLow folders for application data that does not roam with the user.

Local AppData & AppData

The “LocalAppData” and “AppData” folder’s for a user that does not have folder redirection enabled is one and the same and will be located at “C:\Users\USERNAME\AppData\Local”. The most commonly saved files in this path would be very large cache files that would be impractical to constantly send and receive across the network. As the files are only cache’s then there would be no issues if they were lost as they information would simple need to be re-cached. A good example of this is the TEMP and TMP path variable that is configured where most applications are configured to save temporary files.

That being said when folder redirection is enabled the “AppData” environment variable will point to the network path that it is configured in the Group Policy (see image below). This then splits you AppData folder into two locations with any application configured to use the “AppData” variable will be pointed the path on the network and any application that is configured to use the “LocalAppData” variable will still be pointed to the local hard drive.

Enabling folder redirection for AppData is far more practical to do with Windows Vista/7 than Windows XP as the offline file cache can seamless transition form offline to online mode if the network latency goes above a threshold.

Warning: If you are running Windows XP and the users is connected via a slow link then the affect of having this folder redirected could be devastating to the users performance. In my experience even the simple act of scrolling a word document requires constant writing to this “Local” application data folder.

To identify if a user has application data folder redirection enabled by simple running “set” from the command prompt and the look at the value of the  “APPDATA” variable (see image below). The below image also illustrates that the “LOCALAPPDATA” variable will always point to the local hard drive even when folder redirection is enabled.

LocalLow AppData

The “LocalLow” folder for all users is “C:\Users\USERNAME\AppData\LocalLow”.  This BIG difference of “Local” to “LocalLow” is that it is specifically intended as a place for “Low Integrity” applications to write files such as Internet Explorer add-on like Google Gears, Google Earth, Adobe Acrobat, Apple QuickTime and Microsoft Silverlight. It also appears that this folder is neither redirected nor part of the roaming profile therefore all information stored into this folder is local to the computer and will not roaming with the user.

Reference: The difference between Local and LocalLow Folders

Updated: Should you enabled Local AppData Folder Redirection?

Should AppData Local be redirected? No… Because you Can’t… Hence the name “LOCAL”. In Windows XP days a users would either have their AppData folder online or offline and not matter how slow your connection was to the server so long as your still got a response you would stay online thus bringing your entire computer to a grinding halt. But if the Administrator did not enable folder redirection for the users this normally resulted in them having a MASSIVE roaming profile that would take forever to sync during the logon and logoff process. The work around to this was to exclude the entire AppData folder from the roaming profile but this meant you risked losing some of the users personal data.

As Aaron mentioned in the comments the decision to enable Application Data folder redirection is one that should not be taken lightly and can have real negative consequences for the performance of your users. As I mentioned above having AppData folder redirection enabled to a location that is performing slow will have very noticeable performance impact for your users especially if you are running Windows XP. However not having AppData redirection could mean that you are likely to lose some of the users settings and data if their computer’s hard drive fails. A good article to read on the the matter is Should AppData be Redirected or Left in the User Profile? which discuses the Pro’s and Con’s of enabling AppData Redirection.

However now with Windows 7 (and to a lesser extent Vista) the decision to enable folder redirection for Local AppData is tricky at best. Not made any easier by Microsoft on one hand by providing a specific Roaming\AppData folder for persistent information but on the other making improvements to the OS that makes it a far more practical option to enable.

The new Windows 7 features called Transparent Caching and Background Sync for offline files the issues with redirecting the Local AppData folder are now largely mitigated as the users will automatically work on the local copy of the file whenever network performance is poor. Thus making it far more practical to enable Local AppData folder redirection while still not something that you really should do…

Updated: Roaming AppData

The “Roaming” AppData folder is located on the user local hard drive at “C:\Users\USERNAME\AppData\Roaming” this is the folder where applications should store all the users persistent information.

AppData\Roaming is part of the users roaming profile so when a user log’s off their computer the files are location are copied up to “\\PROFILESERVER\Users$\USERNAME\Profile.v2\AppData\Roaming”. Any well written application for Windows Vista or later should be aware of the Roaming Application Data folder and should use this folder to save persistent information. A good example of something that should be saved to this location is a users custom dictionary or a browsers internet cookies.

Reference Managing Roaming User Data Deployment Guide

Roaming folder for application specific data, such as custom dictionaries, which are machine independent and should roam with the user profile.

Below is a screen shot of a users AppData\Roaming folder as stored on the local computer and the same location stored on the server.

Note: Unlike the users Registry information in the ntuser.dat file on Windows 7 the AppData\Roaming folder cannot be synchronised using the Background upload of a roaming user profile’s registry file while user is logged on setting.

AppData\Roaming on the local computer	AppData\Roaming store on the Server

So Should you enable this “AppData(Roaming)” folder redirection option? Probably not…. Why? You should ensure that your computers it is always using the local HDD which should give MAXIMUM performance (unless you driver is REALLY slow). This with all the improvements in Roaming Profiles Syncing such as Background Synchronisation (See What’s New in Folder Redirection and User Profiles) then the user AppData(Roaming) will still be saved to the network to reduce chance of any data loss for the user.

Updates: Excluding AppData Folders

Some applications may not be well written (SHOCKER) and as such save a numerous or large files to this location to the AppData\Roaming folder. This significantly adds to the logon and logoff with all the extra it takes to transfer all the excess files. Therefore you should fully understand where applications save the applications specific configuration and look at excluding these folders from the users roaming profile so they are not copied up to the network thus saving a lot of time during logoff and logon.

For a good starting point of a list of common applications that save large amount of information into the AppData\Roaming folder check out Stealthpuppy: Reduce logon times by excluding the bloat .

User State Virtualization Folder Structure Explained

Now that we have configured the user roaming profile and folder redirections the next time a users logon they will automatically create the required folders on the network for them to enable User State Virtualization.

As you can see below in the image below a user personal folders are part of their roaming profile. The files in these folders (e.g. documents and music) are saved locally and are synchronised asynchronously in the background with the server. Having no folder redirection also means that a users will take some time to logon to a computer for the first time as you will need to download a copy of the entire profile.

User State Virtualization Folder Structure before Folder Redirection is Applied

After folder redirection is applied to the user you can see that all the user folders (excluding AppData) have been moved up a folder out of the profile and into the root folder for the users data.

User State Virtualization Folder Structure after Folder Redirection is Applied

Summary

Hopefully you now have a good idea as to how to setup User State Virtualization in your environment. Just remember that this is not a product but more a combination of roaming profiles and folder redirection to enable a users to use any computer in your organisation while maintaining a consistent experience.

The other part of User State Virtualization that I did not go into on this post was the ability to have all your users applications also follow them no matter which computer they are log into however to do this you need to use Microsoft App-V and for that i would refer you to Aaron Parker’s Stealthpuppy web site.

Other Resources

This is just a list of other related articles that I have found since writing this post.

• Best Practices for User Profiles (Windows XP)

• KB2250489 You cannot turn off the screen saver in the Windows Mobility Center when the "Prevent changing wallpaper" Group Policy setting is enabled on a computer that is running Windows Vista SP2
• KB2261826 You cannot find a network drive in the "Browse For Folder" dialog box in the GPMC MMC snap-in on a computer that is running Windows Server 2008 or Windows Vista
• KB2096902 Virtual machines in a VDI environment are not rolled back as expected if the disconnected Remote Desktop connections on the virtual machines are stopped by Group Policy
• KB2254754 You experience a GPO report-generation issue in the GPMC window when you try to generate the report in a localized version of Windows 7 or of Windows Server 2008 R2
• KB2258620 You cannot find the "Find Now," "Stop," and "Clear All" buttons in the GPMC snap-in on a computer that is running Windows 7 or Windows Server 2008 R2
• KB2275315 You cannot read the GPO in the SYSVOL directory in Windows 7 or in Windows Server 2008 R2 if you enable the "Deny write" permission of the GPO
• KB2284538 Apply once and do not reapply Group Policy setting is never applied after the first GPO deployment fails on a client computer that is running Windows 7 or Windows Server 2008 R2

Source: Jul. 29 – Aug. 12 Hot-Fix KB articles Weekly Release – Windows 6/7 – The Hot Blog – Site Home – TechNet Blogs

Note: If you do apply this setting to your existing users all the existing pinned taskbar programs will be removed on the next logon.

Below are some screenshots of the UI with the setting enabled.

“Pin to Taskbar” is removed

“Pin this program to taskbar” is removed

All existing pinned programs will be removed.

If you have setup your computer to support Hybrid-Sleep then you should consider configuring this option to help ensure that your users select the “sleep” option.

Before

After

Note: If you select the “Sleep” or “Hibernate” options and the computers does not support that power mode then the option of shutdown will be used instead.

Its good to see that this book is quite comprehensive in the number of areas of technology as I firmly believe that you really need to take a multi-prong approach when it comes to security. Here is a list of the just some of technologies that this book talks about to achieve a Least Privilege Security:

• Program Compatibility Wizard
• Applications Compatibility Wizard
• User Account Control
• Group Policy Software Deployment
• Internet Explorer Add-on Management
• Troubleshooting Remote Users
• Configuring Windows Firewall
• Software Restrictions Policies and AppLocker
• Microsoft Deployment Toolkit
• CD Burning
• ActiveX Controls
• Changing system time and time zones
• Power Management
• Managing networks
• Standard Users Analyzer
• Applications Compatibility Toolkit
• Logon Scripts
• Remote Desktop Services
• App-V
• Med-V

In quite a lot of chapters Russell goes into detail step by step instructions explain how to use the above technologies.  But what I really like is that he also takes the time to talk about how to approach the Cultural and Political challenges in implementing this security model as this is normally the hardest part achieving a secure environment.

Configuring security is something that organisation rarely spend much time thinking about and even more rarely do anything about. Having this book in your library will at least give you the knowledge that is required to start to configure your Windows system to be more secure. I would definitely recommend this book as a reference to anyone in an organisation who is responsible for designing and/or making changes to their Windows environment.

As a special offer Packt Publishing are also letting people download preview chapter of this book by download here Chapter No. 3 – Solving Least privilege Problems with the Application Compatibility Toolkit 

Packt Publishing have also announced discount for purchases of two or more so you could use this offer to get a discount when you buy another book from their catalogue (See new-discounts-launched-purchases-multiple-books for details).

You can either purchase the paper and/or PDF (for convenient iPad reading) version of this book right now from: Least Privilege Security for Windows 7,Vista and XP by Russell Smith

The beta of Windows 7/Server 2008 R2 Service Pack 1 beta has now been released to the public for testing. For your benefit I have parsed through the complete list of hotfixes and I have listed out all the group policy specific setting.

I have highlighted the two hotfixes that stand out it my mind as the issues that have been most annoying bugs with group policy with Windows 7 RTM.

I have also posted an installation screenshot walk though on my other blog here http://www.smartergeek.info/2010/07/install-screenshots-windows-7-service-pack-1-beta/

Below you can see how the “pointers” tab is removed when the policy is enabled.

Not Configured/Disabled	Enabled

 Be careful however when you apply this setting however as it will locks the use into whatever mouse pointer scheme they had active at the time the policy is applied.

P.S. I jumped #30 and #31 because I recently discovered that I had two other setting of the week post’s with the same number. So as to not rename all the other setting of the weeks I have decided to just correct the numbering from this article going forward.

As you can see from the “Numerical Sorting” example below the folder list will sort based on the numerical value of the folder name. This means that a single digit number will be ordered higher than a two or more digit number when sorting alphabetically.

Numerical Sorting (Setting Disabled or Not Configured)

If you take a look at the Literal Sorting example you can see that the number “10” is in position 2 because the sorting is treating the number as a literal text. You can get around this sorting problem by padding with zero’s however you need to add enough zero’s to match the same number of digits as the largest number.

Literal Sorting (Setting Enabled)	Literal Sorting with padded Zero’s (Setting Enable)

While it is unlikely that you will need to turn this on for all users in your organisation it is possible that you have some folder on your file server that have been created in such a ways that the new view method would cause a problem. Obviously in this case you would need to consider carefully if you just need to turn this on for selected users.

You might want to enable this setting if you are in a corporate environment and you centrally managed Backups, Firewall and Updates using other programs. However disabling this means that your users will not receive any alerts if the is some critically wrong with thier computer so please use this option after careful consideration.

If you decided that you don’t want to completely disable the Action Center and only disable certain alerts then check out my other post How to use Group Policy to turn off the Backup Notification in the Windows 7 Actions Center

This is a user setting and can be found under User Configuration > Policies > Administrative Templates > Start Menu and Taskbar and is of course only for Windows 7 and Windows Server 2008 R2.

KB979621 A removable storage device is disabled when you enable a Group Policy to deny write access or to deny read access to the device on a computer that is running Windows Vista or Windows Server 2008

Fixes an issues with removable storage devices being totally disabled when you configure the “Deny write” option for removable devices. This will happen when configure the option and shutdown the computer. You will also get the following error message “The device is disabled. (Code 22)” when you go to the properties of the device.  This applies to the following types of devices:

• CD and DVD
• Floppy Drives
• Removable Disks
• Tape Drives
• WPD Devices

For more info see http://support.microsoft.com/?kbid=979621

KB980628 The “Load a specific theme” Group Policy setting is not applied correctly on a computer that is running Windows 7 or Windows Server 2008 R2

Fixes a problem with specifying a them to load when you also enable the Prevent changing desktop background option. For more info see http://support.microsoft.com/?kbid=980628

KB979731 Some Group Policy preferences are not applied successfully on computers that are running Windows 7 or Windows Server 2008 R2

For more info see http://support.microsoft.com/?kbid=980628

KB981877 You cannot open an HTML GPO report that is created by the German version of Windows Server 2008 R2 or of Windows 7

This hot fixe resolves a problem creating a HTML report with a German version of GPMC. For more info see http://support.microsoft.com/kb/981877 

Thanks to Aaron Parker for the heads up on the KB981877

KB981054 The Group Policy preference settings for the “Terminal Session” item-level targeting item are not applied in Windows 7 or in Windows Server 2008 R2.”

This is a fix for a really cool feature of Group Policy Preferences which allow IT administrator to target settings based on the IP address of the RDP client. For more info see http://support.microsoft.com/kb/981054 

KB981177 You can still unpin a program from the taskbar unexpectedly when you enable the “Do not allow pinning programs to the Taskbar” Group Policy on a computer that is running Windows 7 or Windows Server 2008 R2.

This hot fix is just a minor UI bug. For more info see http://support.microsoft.com/kb/981177 

KB981265 You cannot create a software installation Group Policy setting on a read-only domain controller in Windows Server 2008 R2.

This fixes a problem with GPMC trying to make a policy change against a read-only domain controller when someone tries to create and “assigned” software deployment. For more info see http://support.microsoft.com/kb/981265 

KB981750 Error message occurs when you use GPMC to view a software restriction Group Policy setting in Windows 7 and in Windows Server 2008 R2: “An error has occurred while collecting data for Software Restriction Policies”.

This fixes the following error message when you error message when you access Computer Configuration > Windows Setting > Security Settings > Software Restriction Policies due to a bug in GPMC calling an incorrect function when reading multiple string type registry key. For more info see http://support.microsoft.com/kb/981750 

Hope you find these users but as always make sure you thoroughly test any hotfix before you deploy them into production.

AppLocker is a new feature in Windows 7 that allows system administrators to block a particular executable from running on a computer. This is a enhanced version of Software Restriction Policy which did a similar thing in Windows XP/Vista, but it can only block programs based on either a file name, path or file hash. The AppLocker feature takes it a step further and allows administrators block executables based on its digital signature. The benefit of basing this on a digital signature is that you can block programs based on a combination of the version, program name or even vendor name. This means that even if the vendor updates the program with a new version (which happens often with browsers) the AppLocker rules will still apply greatly saving administrative overhead. You can also set the rule based on the program version which means you can set a minimum supported versions that is allowed to run. Another advantage is that AppLocker applies to any program that runs on a computer meaning that no matter where the program is being run from (e.g. USB Memory stick) it will prevent it from running.

Note: You can also use this tutorial to block the running of any other program weather it be from a third-party or even from Microsoft. In this example I show you how to block running Google Chrome on any of your computers in your network however you can just as easily apply the same process to any other browser (e.g. Firefox, Safari).

Step 1. Edit the Group Policy Object that is targeted to the computer you want to apply this policy. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies and then click on “Configure rule enforcement”

Step 2. Under Executable rules tick “Configured” and select the “Enforce rules” option from the pop-down menu then click “OK”.

Step 3. Right click on “Executable Rules” and click on “Create New Rule..”

Step 4. Click “Next”

Step 5. Select “Deny” and then click “Next”

Step 6. Select “Publisher” condition and click “Next”

Note: The “Path” and “File hash” option are the same condition as was available in a software restriction policy that was in Windows XP and Vista.

Step 7. Click on “Browse”

Step 8. Select the “chrome.exe” executable file and click “Open”

Note: Again I have used Chrome as an example you can easily select the executable of any other browsers (including Internet Explorer) here as well if you want to block multiple browsers.

Step 9. In this example we are just going to accept the defaults and click “Next”.

Optional: If you wanted to just block a particular version of browser (or program) or just any version below a certain number tick “Use custom values” and then enter the version number in the “File version” field and select “And Below” from the pop-down menu.

 Step 10: Click “Next”

Step 11: Click “Create”

Step 12: You will now be prompted to create some default rules that ensure that you don’t accidently stop Windows from working. Click “Yes” to this if you don’t already have these rules created.

Step 13 (Optional): If you also want this AppLocker rule to apply computer administrators then right-click on the “BUILTIN\Administrators” rule and click “Delete”

Step 14 (Optional): Click “Yes”

You AppLocker Rules are now setup and should now look like this…

Now there is one more thing you need to do to enable AppLocker on the computer…

Step 15. In the same Group Policy Object you were just editing navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services and double click on the “Application Identity” service.

Note: This is the process that scan’s all the file before they are executed to check the name, hash or signature of the executable before it is run. If this is not turned on then AppLocker will simple now work.

Step 16: Tick “Define this policy setting” and tick “Automatic” then click “OK”

The services section should now look like this…

Your all done… Now when the user tries to run an un-approved browser (or program) they will be presented to this dialogue box…

Now if you want to make sure you have covered all the bases below is a an image of the AppLocker rules configured with a few more denied browsers…

This setting is used to “Enabled Transparent Caching” and can be found under Computer Configuration > Policies > Administrative Templates > Networks > Offline Files. Unfortunately I have not had a chance to try this option for my self but reading the description it seems to be nothing short of hidden killer feature for Windows 7. The transparent cache feature kicks in on any offline files whenever latency to the file server goes above a certain limit. Now everyone’s environment is going to be different based on file server performance and network latency so be sure you do some testing first to get the right balance. When this setting is combined with last weeks “Configure Background Sync” option then you could drastically reduce latency to the file server and decrease bandwidth consumption. This options sound ideal for Direct Access and VPN users as their latency to the file server could vary drastically depending on the networking conditions or it could be configured to mask any performance issues that are noticed when a file server is being backed up.

If you are working in an environment that has Windows 7 deployed then this is definitely one setting you need to look at enabling. That being said deploy a Brach Cache to a remote site would still deliver more benefits as files that are cached as one computers cache can be users for other computers on the same LAN segment. This is as opposed to this option which only gives a bandwidth saving benefit for any files that have already been made available offline on that particular computer.

• 90% of Critical Windows 7 vulnerabilities reported to date
• 100% of Microsoft Office vulnerabilities reported in 2009
• 94% of Internet Explorer and 100% of IE 8 vulnerabilities reported in 2009
• 64% of all Microsoft vulnerabilities reported in 2009

Obviously Microsoft has pushed very hard to not have users run with administrator access with the introduction of User Account Control (UAC) in Windows Vista. This forced any users even if they were administrator to run in normal privilege mode unless required and only then grant them administrator access via a prompt.

So if your environment is ready for you users to have admin access removed and you want an easily way to lock down the local administrator groups on all your computers you can achieve this using Group Polices in one of two ways.

Method 1. Restricted Groups

The first and most common method is called "restricted groups" which can be found under Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups. This policy has a mode called "Members" can be used to tightly control who is a member of any local group on a computer (e.g. "administrators" and "power users") however this is also not very granular. The "Member of" option of the "restricted groups" will add an additional member to the local group but it will not remove any un-authorised members. So while both modes are very powerful they certainly have their limitations. One advantage of this option however is that it is a native setting and therefore will work out of the box with Windows 2000, XP and Vista.

Method 2. Group Policy Preferences

You can use Group Policy Preferences to secure local administrator groups in a ways that still removes any au-authorised users but still have the flexibility to granularly grant permission for a single user to a single local group on a particular computer. While this does not get around the problem of having to grant a users administrator access to their own workstation it does prevent them from being administrator of other workstation on the LAN. This greatly mitigates the possibility of one users  infecting the entire network quickly as they will NOT have admin access to all the other computers around them. For more instructions on how to use Group Policy Preference to secure the local admin group you can read my previous blog here http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

Of course removing administrator access is certainly a big step in one direction but whenever considering security make sure you take a “Defence In-depth” approach. To do this you should start by making sure you also regularly install security updates; have current Anti-Virus software installed and consider enabling host based firewalls even when connected to the corporate LAN.

You can download the BeyondTrust whitepaper from http://www.beyondtrust.com/downloads/whitepapers/Microsoft_Vulnerability_Analysis_2009.asp

Configured this setting would be very useful if you have a large number of computers at a single site that sync their files over a WAN link. In this case the background sync of a large number of users could cause a large amount of traffic. You could then use this setting to back off the sync interval. You may also want to do the opposite and crank up the sync interval to ensure that users files are being saved to the server as soon as possible.

The other scenario where this could be used if for users that are running Direct Access mode or a VPN and you just want to control the amount of traffic they push via their connection.

There is also and option called “Enabled Background Sync for shares in users selected “Work Offline” mode” which forces offline files to sync even when the users has manually chosen offline mode. I would be careful of this setting however as this behaviour might confuse as they might create the document thinking that it was not going to be saved to the server straight away for other people to view.

This setting can be really useful when you have user policies in your environment that block certain types of files on your file servers such as *.jpg or *.mp3. When combined with Windows Server File System Filters you can use it to make some very tight controls on your corporate file servers.