Group Policy, Profiles, and Intellimirror – Jeremy Moskowitz
November 5, 2007
Group Policy, Profiles, and Intellimirror (third edition)
Author: Jeremy Moskowitz, MCSE, MCSA, MVP
Suggested Publisher Price: $49.99 US / $69.95 CDN / £34.99 UK
ISBN: 0-7821-4298-2 Softcover, 536 pages (+TOC / index)
Buy the book direct from the Author (and get it signed!) (Update: this link now goes to a page for the replacement fourth edition of this book)
Everything you need to know about Group Policy in one useful reference…and loads more besides
The Group Policy Management Console (GPMC) is a dramatic step forward in the way Group Policy is administered. This book provides all the instruction and insight you need to take full control of your Active Directory with GPMC and other Group Policy tools. You’ll also learn techniques for implementing Intellimirror, making it possible for users to work securely from any location; and you’ll find intensive troubleshooting advice, insider tips on keeping your network secure, and hundreds of clear examples that will help you accomplish all your administration goals.
- Create and manage all Group Policy functions within Active Directory
- Understand Group Policy differences in Windows 2000, Windows XP, and Windows 2003 systems
- Troubleshoot Group Policy using Support tools, Resource Kit utilities, log files, registry hacks, and third-party tools
- Create and deploy custom settings for managing client systems
- Manage, secure, and audit client and server systems
- Script complex operations, including linking, back-up, restore, permissions changes, and migrating
- Set up Local, Roaming, and Mandatory profiles
- Set up and manage Intellimirror components with Group Policy
- Use Group Policy Software Installation to perform hands-off installations
- Use Remote Installation Services to automate the installation of new Windows systems
- Ensure the safety of your users’ data with Redirected Folders and Shadow Copies
This book contains everything you ever needed to know about Group Policy and related topics, including loads of things you probably didn’t even know you should have been asking!
Jeremy Moskowitz covers in great depth the whole subject of group policy, as well as profiles (including roaming and mandatory), redirected folders, offline files, Shadow Copies, Remote Installation Services (RIS) and even finds time to take a preliminary look at scripting. I thought I already had a good grasp of most of these things, but this book still provided a wealth of little details, tips and tricks, up to date information and proper explanations of how all this really works. It was also an easy way to get up to date on many of the changes made with the introduction of XP and 2003, since these are highlighted.
When I first started reading this book I was not sure it would suit me. It is written in a very conversational, colloquial style more suited to a Tarantino script than a technical manual, and normally I find this irritating when I want precise answers from a reference work. However, I soon changed this first impression. Through this chatty style the author drew me in, got me intrigued by his passion for the subject and seemed to metaphorically drag me in and say “I just want to show you this other really cool thing you can do…”. I found I could read fluidly through huge chunks of the book and actually take in the information presented along the way as well – quite unusual for a book of this depth.
About 70% of the book is concerned solely with group policy – what policies are, how to create, apply and troubleshoot them, and some tips for more complex scenarios such as multiple-forest environments. It is a little difficult to split it in this way since topics like folder redirection depend on a policy for delivery but involve so much more than a mere setting and are dealt with in a section of their own.
I would guess that many people using group policy have probably dived right in without a thorough knowledge of many of the aspects the author deals with, such as exactly when and how policies are applied “under the hood”, what to do about updating templates (.adm files) for newer settings, and consideration of policies being applied across multiple operating systems. There is a great deal to be gained from the author’s experience here, such as sensible shortcuts and best practice, as well as common pitfalls to avoid.
One area which does not get much coverage in older books on Windows network administration is the use of software restriction policies. In many cases this is because they were written before XP and 2003 made software restriction available through group policy (rather than older NT-style policies or using appsec.exe). This is one of those complex areas which are not just about ticking a box and everything works automagically, but require proper attention to planning, design and testing before wholesale rollout. This book devotes a whole chapter to the topic to give it the attention it deserves, and recognises the importance for 2003 Terminal Services / Citrix environments as well as desktop administrators.
The remainder of the book deals with what at first appear to be only a loosely related collection of Windows tools for automating and controlling the user experience. A closer look reveals some deeper insights into things such as user profiles which are often skimmed over and taken for granted. It would be tempting for experienced administrators to skim these chapters on the assumption that they already know what they contain, but to do so would miss much of genuine use. I was pleasantly surprised to find many nuggets of new information as well as proper explanations of when to use these tools as well as how to configure and optimise them. Once more the author’s intimate style and obvious real-world experience came together and it is at times like being shown how to do things by a wiser colleague who can say “I’ve been here before, this is how I would approach it…”
The topics covered in the latter parts of the book include tools for automating installation – Remote Installation Services (RIS) and Group Policy Software Installation (GPSI). Again there is plenty of information here for both first-timers and old hands, and should be read particularly by anyone that has tried and given up on these powerful but troublesome subjects. Coverage is also given to features which were not available in Windows 2000 such as using advanced WMI filters on policies (particularly valuable for GPSI) and this may be enough to justify revisiting this. There is also a brief discussion of how all this fits with more complex tools such as Microsoft Systems Management Server (SMS).
Style, Coverage and Detail
As I said at the start, I was impressed by how well Jeremy Moskowitz has managed to take a potentially dry subject and get across many important details in a relaxed style. This is really important in the many chapters where there is a temptation to skip over things that you “already know”. By keeping the reader engaged it is almost easier to keep reading than to miss sections out.
The author makes good use of screenshots, boxed-off text for extra notes and details and plenty of cross references to other parts of the book and web-based resources. These all help the flow, keeping the important things in the body of the text and leaving you to read the extras which you find particularly relevant. Each chapter has a useful conclusion, bringing together the areas covered, rather like a lesson summary.
The amount of information in the book is a double-edged sword – I expect I will refer back to it frequently as a reference, but I found it occasionally frustrating not being able to get straight to something I knew I had read before, and skim reading large sections was quite hard. The index could have been a little more comprehensive – sometimes you have to know what heading something is under before you can find it. It is easy to get used to being handed things on a plate by search engines these days, so maybe I am being a bit harsh, but at the risk of too much duplication it could be useful if the index were expanded a little. The front and back panels of the book go some way to help using the book as a reference when you first pick it up – one highlights which parts of the book cover different group policy topics and the other lists the areas which are new, which is ideal for people using this as a means to bring old skills up to date.
As an example of the level of detail in this book, it even discusses the subtle differences between the way XP and 2003 handle software restrictions in reality and discusses how XP sp2 may change that (the edition reviewed was published when sp2 was still in Beta; the third edition expected soon will bring this properly up to date). It is this kind of attention to little details which makes this book stand out as a really useful practical reference work for the real-world administrator, especially when it comes to troubleshooting.
When I first saw the book I thought it would be a bit like a “three-in-one” – basically separate topics lumped together with a solid group policy book for padding or publishing convenience. I was not convinced there was enough to be said about profiles, folder redirection and software installation to contribute any real benefit to my bookshelf. This partly highlights how little I thought was involved in some of these topics, but this was largely brought about by many other books giving only a surface-level treatment of such things. Too often I had read other sources which I now realise only described how things appear to work, only with the latest OS in a simple environment, and assuming everything behaves as it should. The real world is a little more complicated than that, a fact which this book easily takes in its stride.
There are a few things which the author acknowledges might be considered missing from this otherwise comprehensive book such as IPSec, PKI and EFS. Clearly there is a limit to fitting in a discussion of every possible policy, and the author does attempt to mitigate these omissions by some useful URLs for relevant MS references. Hopefully some of these might get some space in the third edition as more organisations start to adopt these built-in security features.
Overall, this book covers just about every aspect of delivering, managing and controlling the user environment across your enterprise. It is not intended to cover all aspects of systems security, nor provide a comprehensive manual for writing scripts to automate non-policy events, but it does give both of these a suitable level of attention in the wider context of the whole subject of systems management.
I have read many MS Press, Sybex and other publishers’ titles about Windows servers, active directory design and management and been an administrator and systems architect for several years. I was pleasantly surprised to find so much information that I had not come across before in a single book. Whether you want to consolidate your knowledge for your personal training plan, update your skills from Windows 2000, or have a real issue you are trying to resolve, this is the book for you.
Even if you don’t feel you or your organisation are ready for using group policy extensively (although after reading this you may not be able to resist!), the rest of the book is probably justification for adding a copy of this book to your library.
This is a sound collection of tutorials for anyone who wants to give users a better experience, tighten control of their systems, increase security and do it all without leaving their desk. Rather than being seen solely as a technical reference on a few specific topics, this possibly deserves the broader title of “Managing Windows Systems (using Group Policy and Intellimirror)”.
I would say without hesitation that “Group Policy, Profiles, and Intellimirror” is an essential handbook for any administrator wanting to improve their systems for their users, the business and themselves. This book receives a hard-earned rating of 10/10, and I look forward to the third edition with great anticipation.
This review is © Copyright Adam Vero 2005 and was first published on Security-Forums Dot Com.
It may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.