Deploy Work Folder in Azure Cloud

Work Folders stores a user's work files in one place and syncs them to the user's devices, so the same files can be reached from BYOD and corporate SOE machines from anywhere, while the corporate data on those devices stays under policy. Work Folders can be deployed on-premises or in Azure. In this article, I will demonstrate how to deploy Work Folders in Azure. Before that, let's start with what Work Folders is used for.

Applications of Work Folder in Corporate Environment

  • Provide a single point of access to work files from a user’s work and personal devices
  • Access work files online and offline; changes made offline are synced back to the sync server when the device reconnects to the internet or intranet
  • Deploy alongside existing Folder Redirection, Offline Files and home folder deployments
  • Use a Windows File Server SMB share or another CIFS share, for example a NetApp CIFS share, as the backing store
  • Use file classification and folder quotas to manage user data
  • Apply device security policies: encrypt the Work Folders on the device and require a lock screen password
  • Use Microsoft Failover Clustering with Work Folders for a high-availability sync server

Enhanced Functionality:

  • Azure AD Application Proxy support
  • Faster change replication
  • Integrated with Windows Information Protection (WIP)
  • Microsoft Office integration

Supported Environment:

  • NetApp CIFS, Windows File Server or Windows SMB storage as the UNC path of the sync share
  • Windows Server 2012 R2 or Windows Server 2016 for hosting sync shares with user files
  • A public certificate, or an internal CA certificate if only domain-joined computers will connect
  • Windows Server 2012 R2 level AD DS schema
  • Windows 10 version 1703
  • Android 4.4 KitKat and later
  • iOS 10.2 and later

Internal DNS records (CNAME records)

  • workfolders.domain.com pointed to syncserver1.domain.com and syncserver2.domain.com
  • sts.domain.com point to ADFS Servers
  • enterpriseregistration.domain.com pointed to ADFS servers

Internal DNS records (Host A Record)

  • syncserver1.domain.com
  • syncserver2.domain.com

Publishing Work Folder for mobile workforce

  • Access from the Internet, authenticated by AD FS
  • Web Application Proxy
  • Active Directory Federation Services (AD FS) with public DNS records sts.domain.com and enterpriseregistration.domain.com
  • A public DNS record, i.e. CNAME workfolders.domain.com
  • A public certificate from a public CA, i.e. CN=workfolders.domain.com, SAN=syncserver1.domain.com, syncserver2.domain.com. The certificate must carry its private key, which means it must be in PFX format before it is imported into the sync servers.

Deploy Work Folder Server

  1. Log on to the Azure Portal and deploy a Windows Server 2016 VM from the Azure Marketplace. Since this VM will host the sync share, I recommend an L-series (storage-optimised) VM size.
  2. Once the VM is provisioned, attach a premium data disk for a high-I/O, low-latency file store. Keep the user data on the data disk, not on the OS disk.
  3. Configure TCP/IP on the server and join it to the domain.
  4. Remote into the server with a domain admin credential. Open the Add Roles and Features Wizard.
  5. On the Select installation type page, choose Role-based or feature-based deployment.
  6. On the Select destination server page, select the server on which you want to install Work Folders.
  7. On the Select server roles page, expand File and Storage Services, expand File and iSCSI Services, and then select Work Folders.
  8. When asked if you want to install IIS Hostable Web Core, click Ok to install the minimal version of Internet Information Services (IIS) required by Work Folders.
  9. Click Next until you have completed the wizard.
  10. Repeat the steps for all Work Folder Servers.

Install Certificate on the Work Folder Server

  1. On the Windows server 2016 where you want to install the SSL certificate, open the Console.
  2. In the Windows start menu, type mmc and open it.
  3. In the Console window, in the top menu, click File > Add/Remove Snap-in.
  4. In the Add or Remove Snap-ins window, in the Available snap-ins pane (left side), select Certificates and then click Add
  5. In the Certificate snap-in window, select Computer account and then click Next
  6. In the Select Computer window, select Local computer: (the computer this console is running on), and then click Finish
  7. In the Add or Remove Snap-ins window, click OK.
  8. In the Console window, in the Console Root pane (left side), expand Certificates (Local Computer), right-click on the Web Hosting folder, and then click All Tasks > Import.
  9. In the Certificate Import Wizard, on the Welcome to the Certificate Import Wizard page, click Next.
  10. On the File to Import page, browse to and select the file that you want import and then, click Next.
  11. Note: in the File Explorer window, in the file type drop-down, make sure to select All Files (*.*). By default it lists X.509 Certificate (*.cer;*.crt) file types only, so a PFX file would not be shown.
  12. On the Private key protection page, provide the password you set when you exported the certificate, and check Include all extended properties. Check Mark this key as exportable only if you will need to move the certificate again later; an exportable private key is easier for an attacker with access to the server to steal.
  13. On the Certificate Store page, do the following and then click Next, Select Place all certificates in the following store and click Browse.
  14. In the Select Certificate Store window, select Web Hosting and click OK.
  15. On the Completing the Certificate Import Wizard page, verify that the settings are correct and then, click Finish.
  16. Repeat the steps for all Work Folder Servers.

Bind the Certificate:

  1. Log on to a jump box where IIS Management Console is installed, Open IIS Management Console, Connect to Work Folder Server. Select the Default Web Site for that server. The Default Web Site will appear disabled, but you can still edit the bindings for the site and select the certificate to bind it to that web site.
  2. Alternatively, use netsh to bind the certificate to the HTTPS listener on port 443. The appid is the one the Work Folders documentation uses, and certstorename must match the store the certificate was imported into: MY for the Personal store, or WebHosting if you imported it into the Web Hosting store as described in the previous section. The command is as follows:

netsh http add sslcert ipport=<IP address of Sync Share Server>:443 certhash=<Cert thumbprint> appid={CE66697B-3AA0-49D1-BDBD-A25C8359FD5D} certstorename=MY

Create Active Directory Security Group

  1. You need at least two AD security groups for Work Folders: one for Work Folders administrators and one per sync share for the users allowed to sync. For this article, let’s assume we have one sync share. We will create two security groups named FS-HRShareUser-SG and FS-HRShareAdmin-SG.
  2. Make sure the group scope is Global, not Universal. Add the users (or nested groups) who should sync to the user group on the Members tab: click Add, and the Select Users, Contacts, Computers, Service Accounts or Groups dialog box appears.

Create a Sync Share

  1. In Server Manager, click File and Storage Services, and then click Work Folders.
  2. A list of any existing sync shares is visible at the top of the details pane. To create a new sync share, from the Tasks menu choose New Sync Share…. The New Sync Share Wizard appears.
  3. On the Select the server and path page, specify where to store the sync share. If you already have a file share created for this user data, you can choose that share. Alternatively you can create a new folder.
  4. On the Specify the structure for user folders page, choose a naming convention for user folders within the sync share. Select either User alias or User alias@domain
  5. On the Enter the sync share name page, specify a name and a description for the sync share. This is not advertised on the network but is visible in Server Manager
  6. On the Grant sync access to groups page, specify the group that you created that lists the users allowed to use this sync share.
  7. On the Specify device policies page, specify whether to request any security restrictions on client PCs and devices. Select either Automatically lock screen, and require a password or Encrypt Work Folders based on your requirements.
  8. Review your selections and complete the wizard to create the sync share.

Setup a Tech Support Email Address

  1. In Server Manager, click File and Storage Services, and then click Servers.
  2. Right-click the sync server, and then click Work Folders Settings. The Work Folders Settings window appears.
  3. In the navigation pane, click Support Email and then type the email address or addresses that users should use when emailing for help with Work Folders. Click Ok when you’re
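
The server-side steps above (role, certificate, HTTPS binding, sync share, support address), as an added PowerShell example that is not part of the original article. The PFX path, data-disk drive letter, group names and support address are placeholders for your environment; the certstorename passed to netsh matches the Personal store the script imports into.

```powershell
# Added example (not from the original article): scripted version of the
# server-side build above. Run in an elevated session on each sync server.
# Assumptions: PFX path/password, F: data disk, group names and the support
# address are placeholders for your environment.
#Requires -RunAsAdministrator
param(
    [string]$PfxPath     = 'C:\Certs\workfolders.domain.com.pfx',
    [string]$SharePath   = 'F:\SyncShares\HRShare',
    [string]$ShareName   = 'HRShare',
    [string]$UserGroup   = 'DOMAIN\FS-HRShareUser-SG',
    [string]$SupportMail = 'servicedesk@domain.com'
)

# 1. Role. FS-SyncShareService pulls in the IIS Hostable Web Core it needs.
Install-WindowsFeature -Name FS-SyncShareService -IncludeManagementTools

# 2. Import the certificate with its private key into the Personal (MY) store.
#    The key is deliberately NOT marked exportable.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; export it as PFX with the key.' }

# 3. Bind it to HTTPS on all addresses. The appid is the GUID the Work Folders
#    documentation uses; certstorename must match the store used in step 2.
$existing = netsh http show sslcert ipport=0.0.0.0:443
if ($existing -match 'Certificate Hash') { netsh http delete sslcert ipport=0.0.0.0:443 | Out-Null }
netsh http add sslcert ipport=0.0.0.0:443 "certhash=$($cert.Thumbprint)" `
    "appid={CE66697B-3AA0-49D1-BDBD-A25C8359FD5D}" certstorename=MY

# 4. Sync share on the data disk: per-user folders named by alias, device
#    encryption and lock-screen password required (the wizard's device policies).
if (-not (Test-Path $SharePath)) { New-Item -ItemType Directory -Path $SharePath | Out-Null }
New-SyncShare -Name $ShareName -Path $SharePath -User $UserGroup `
    -UserFolderName user -RequireEncryption $true -RequirePasswordAutoLock $true `
    -Description 'HR Work Folders'

# 5. Support address shown to users in the Work Folders control panel.
Set-SyncServerSetting -SupportEmail $SupportMail

# 6. Verify: share present with both policies on, 443 bound to our thumbprint, listener up.
Get-SyncShare | Format-Table Name, Path, RequireEncryption, RequirePasswordAutoLock
$bound = (netsh http show sslcert ipport=0.0.0.0:443) -match 'Certificate Hash'
if ($bound -notmatch $cert.Thumbprint) { Write-Warning "443 is bound to a different certificate: $bound" }
Get-NetTCPConnection -LocalPort 443 -State Listen | Select-Object LocalAddress, OwningProcess
```

Run it once per sync server; Get-SyncShare on the second server should show the same share name and policies so that the workfolders.domain.com CNAME can point at either host.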

Publish Work Folder using ADFS Server

You can set up and configure the relying party trust for Work Folders, even though Work Folders hasn’t been set up yet. The relying party trust must be set up to enable Work Folders to use AD FS. Because you’re in the process of setting up AD FS, now is a good time to do this step.

To set up the relying party trust:

  1. Log on to ADFS Server. Open Server Manager, on the Tools menu, select AD FS Management.
  2. In the right-hand pane, under Actions, click Add Relying Party Trust.
  3. On the Welcome page, select Claims aware and click Start.
  4. On the Select Data Source page, select Enter data about the relying party manually, and then click Next.
  5. In the Display name field, enter WorkFolders, and then click Next.
  6. On the Configure Certificate page, click Next.
  7. On the Configure URL page, click Next.
  8. On the Configure Identifiers page, add the following identifier: https://workfolders.domain.com/V1. This identifier is a hard-coded value used by Work Folders, and is sent by the Work Folders service when it is communicating with AD FS. Click Next.
  9. On the Choose Access Control Policy page, select Permit Everyone, and then click Next.
  10. On the Ready to Add Trust page, click Next.
  11. After the configuration is finished, the last page of the wizard indicates that the configuration was successful. Select the checkbox for editing the claims rules, and click Close.
  12. In the AD FS snap-in, select the WorkFolders relying party trust and click Edit Claim Issuance Policy under Actions.
  13. The Edit Claim Issuance Policy for WorkFolders window opens. Click Add rule.
  14. In the Claim rule template drop-down list, select Send LDAP Attributes as Claims, and click Next.
  15. On the Configure Claim Rule page, in the Claim rule name field, enter WorkFolders.
  16. In the Attribute store drop-down list, select Active Directory.
  17. In the mapping table, enter these values:
    • User-Principal-Name: UPN
    • Display Name: Name
    • Surname: Surname
    • Given-Name: Given Name
  18. Click Finish. You’ll see the WorkFolders rule listed on the Issuance Transform Rules tab and click OK.
  19. In the AD FS snap-in, select the WorkFolders relying party trust, On the properties, choose the Encryption tab, Remove the certificate encryption
  20. Choose the Signature tab and make sure the Work Folder Certificate was imported
  21. Click Apply, Click Ok.

Set relying part trust options

These commands set options that are needed for Work Folders to communicate successfully with AD FS, and can’t be set through the UI. These options are:

  • Enable the use of JSON Web Tokens (JWTs)
  • Disable encrypted claims
  • Enable auto-update
  • Set the issuing of OAuth refresh tokens to All Devices
  • Grant clients access to the relying party trust

Run the following from an elevated PowerShell session on the AD FS server:

Set-ADFSRelyingPartyTrust -TargetIdentifier "https://workfolders.domain.com/V1" -EnableJWT $true

Set-ADFSRelyingPartyTrust -TargetIdentifier "https://workfolders.domain.com/V1" -EncryptClaims $false

Set-ADFSRelyingPartyTrust -TargetIdentifier "https://workfolders.domain.com/V1" -AutoUpdateEnabled $true

Set-ADFSRelyingPartyTrust -TargetIdentifier "https://workfolders.domain.com/V1" -IssueOAuthRefreshTokensTo AllDevices

Grant-AdfsApplicationPermission -ServerRoleIdentifier "https://workfolders.domain.com/V1" -AllowAllRegisteredClients
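
The relying party trust procedure above (wizard steps plus the Set-/Grant- options), as an added PowerShell example that is not part of the original article. It assumes AD FS on Windows Server 2016 (for -AccessControlPolicyName, which matches the "Permit Everyone" access control policy step), that the Work Folders certificate is in the AD FS server's Personal store under the CN shown, and that it runs in an elevated session on the AD FS server.

```powershell
# Added example (not from the original article): creates the WorkFolders relying
# party trust with the same identifier, LDAP claim rule and options the wizard
# steps set, then verifies the result. Assumptions: AD FS 2016; the Work Folders
# certificate is in Cert:\LocalMachine\My with the CN below; elevated session.
#Requires -RunAsAdministrator
Import-Module ADFS

$identifier = 'https://workfolders.domain.com/V1'   # hard-coded value the Work Folders service sends to AD FS
$signingCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=workfolders.domain.com*' } | Select-Object -First 1

# Same "Send LDAP Attributes as Claims" rule as the wizard: UPN, display name, surname, given name.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "WorkFolders"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"),
          query = ";userPrincipalName,displayName,sn,givenName;{0}", param = c.Value);
'@

if (-not (Get-AdfsRelyingPartyTrust -Identifier $identifier)) {
    $params = @{
        Name                    = 'WorkFolders'
        Identifier              = $identifier
        IssuanceTransformRules  = $rules
        AccessControlPolicyName = 'Permit everyone'
    }
    # The wizard's Signature tab: the certificate Work Folders signs requests with.
    if ($signingCert) { $params['RequestSigningCertificate'] = $signingCert }
    Add-AdfsRelyingPartyTrust @params
}

# Options the UI cannot set (same as the Set-/Grant- lines in the article), in one call.
Set-AdfsRelyingPartyTrust -TargetIdentifier $identifier -EnableJWT $true -EncryptClaims $false `
    -AutoUpdateEnabled $true -IssueOAuthRefreshTokensTo AllDevices
if (-not (Get-AdfsApplicationPermission -ServerRoleIdentifiers $identifier)) {
    Grant-AdfsApplicationPermission -ServerRoleIdentifier $identifier -AllowAllRegisteredClients
}

# Verify the trust looks the way Work Folders expects before publishing it through WAP.
Get-AdfsRelyingPartyTrust -Identifier $identifier |
    Select-Object Name, Identifier, EnableJWT, EncryptClaims, IssueOAuthRefreshTokensTo, AccessControlPolicyName
```

If the certificate is not found the trust is still created, but without a request signing certificate; add it afterwards on the Signature tab as in step 20, otherwise clients will fail authentication once the Work Folders server is pointed at AD FS.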

Enable Workplace Join

To enable device registration for Workplace Join, you must run the following Windows PowerShell commands, which will configure device registration and set the global authentication policy:

Initialize-ADDeviceRegistration -ServiceAccountName domain\svc-adfsservices$

Set-ADFSGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

Set up AD FS authentication

To configure Work Folders to use AD FS for authentication, follow these steps:

  1. Log on to Sync Share Server. Open Server Manager.
  2. Click Servers, and then select your Work Folders server in the list.
  3. Right-click the server name, and click Work Folders Settings.
  4. In the Work Folder Settings window, select Active Directory Federation Services, and type in the ADFS URL. Click Apply. In the test example, the URL is https://sts.domain.com.

Publish the Work Folders web application

The next step is to publish a web application that will make Work Folders available to clients. To publish the Work Folders web application, follow these steps:

  1. Import Work Folder Certificate into WAP Servers
  2. Open Server Manager, and on the Tools menu, click Remote Access Management to open the Remote Access Management Console.
  3. Under Configuration, click Web Application Proxy.
  4. Under Tasks, click Publish. The Publish New Application Wizard opens.
  5. On the Welcome page, click Next.
  6. On the Preauthentication page, select Active Directory Federation Services (AD FS), and click Next.
  7. On the Support Clients page, select OAuth2, and click Next.
  8. On the Relying Party page, select Work Folders, and then click Next. This list is published to the Web Application Proxy from AD FS.
  9. On the Publishing Settings page, enter the following values, and then click Next:
  10. The confirmation page shows the Windows PowerShell command that will execute to publish the application. Click Publish.
  11. On the Results page, you should see that the application was published successfully.

Configure Work Folders on the client

To configure Work Folders on the non-domain join client machine, follow these steps:

  1. On the client machine, open Control Panel and click Work Folders.
  2. Click Set up Work Folders.
  3. On the Enter your work email address page, enter either the user’s email address (for example, user@domain.com) or the Work Folders URL (in the test example, https://workfolders.domain.com), and then click Next.
  4. If the user is connected to the corporate network, the authentication is performed by Windows Integrated Authentication. If the user is not connected to the corporate network, the authentication is performed by AD FS (OAuth) and the user will be prompted for credentials. Enter your credentials and click OK.
  5. After you have authenticated, click Next.
  6. The Security Policies page lists the security policies that you set up for Work Folders. Click Next.
  7. A message is displayed stating that Work Folders has started syncing with your PC. Click Close.
  8. The Manage Work Folders page shows the amount of space available on the server, sync status, and so on. If necessary, you can re-enter your credentials here. Close the window.
  9. Your Work Folders folder opens automatically. You can add content to this folder to sync between your devices.

To configure Work Folders on the domain joined client machine, follow these steps:

  1. Configure using a GPO: go to User Configuration > Administrative Templates > Windows Components > Work Folders > Specify Work Folders settings.
  2. Specify the Work Folders URL as https://workfolders.domain.com (Work Folders uses HTTPS only).
  3. Link the GPO to the selected OU.
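
The client GPO steps above, as an added PowerShell example that is not part of the original article. It assumes the Group Policy module (RSAT) is installed, that the OU and GPO names are placeholders, and that the "Specify Work Folders settings" policy writes the SyncUrl and AutoProvision values under HKCU\Software\Policies\Microsoft\Windows\WorkFolders (the key the Work Folders client template uses).

```powershell
# Added example (not from the original article): creates the client GPO from the
# steps above and links it. Assumptions: GroupPolicy module present; OU/GPO names
# are placeholders; the registry key below is where the "Specify Work Folders
# settings" policy stores its values.
Import-Module GroupPolicy

$gpoName  = 'Work Folders Client'
$targetOu = 'OU=Workstations,DC=domain,DC=com'        # placeholder OU
$syncUrl  = 'https://workfolders.domain.com'           # HTTPS only; Work Folders does not sync over HTTP
$policyKey = 'HKCU\Software\Policies\Microsoft\Windows\WorkFolders'

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Points users at the Work Folders sync server' }

# "Specify Work Folders settings": the Work Folders URL, and force automatic setup (1 = on)
# so users get the folder without walking through the Control Panel wizard.
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'SyncUrl'       -Type String -Value $syncUrl | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'AutoProvision' -Type DWord  -Value 1        | Out-Null

# Link to the OU once (idempotent on re-runs).
$linked = (Get-GPInheritance -Target $targetOu).GpoLinks.DisplayName -contains $gpoName
if (-not $linked) { New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null }

# Show what the GPO will set; on a client after gpupdate /force the same values
# appear under HKCU:\Software\Policies\Microsoft\Windows\WorkFolders.
Get-GPRegistryValue -Name $gpoName -Key $policyKey | Select-Object ValueName, Type, Value
```

The URL is validated only by the client at sync time, so test with one pilot OU and check the Work Folders control panel on a member of it before linking more widely.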

Relevant Article:

Work Folder FAQ

NetApp CIFS shares not mounting to Windows Server 2012

 

Windows Time Configuration Best Practice—Step by Step

The Windows Time service (W32Time, managed with the w32tm tool) is required by Kerberos authentication in Active Directory: by default Kerberos rejects tickets when the clocks of client and server differ by more than five minutes. The Windows Time service ensures that the entire server and client fleet in an organisation running Microsoft operating systems uses a common and correct time.
To achieve this, the Windows Time service uses a hierarchy of time sources and avoids loops in that hierarchy. At the root of the hierarchy is the domain controller holding the PDC emulator FSMO role in the forest root domain, which becomes the authoritative time source for the organisation. By default, domain-joined Windows computers use the following hierarchy:

  • All client desktop computers and member servers nominate the authenticating domain controller as their in-bound time partner.
  • All other domain controllers and RODCs in a domain nominate the domain’s PDC emulator as their in-bound time partner.
  • The PDC emulator of each domain follows the domain hierarchy in selecting its in-bound time partner, up to the PDC emulator of the forest root domain.

Microsoft recommends the following:

  • Configure the authoritative time server to obtain time from a hardware source. When the authoritative time server syncs with an Internet time source, there is no authentication between the PDC emulator and the external source, so a spoofed NTP reply can move the clock of your whole forest.
  • Reduce the time correction settings (MaxPosPhaseCorrection and MaxNegPhaseCorrection) on your servers and stand-alone clients so that a single bad sample cannot jump the clock by hours. These recommendations provide more accuracy and security for your domain.

Before you configure the NTP server and clients, consider the following for time services on virtualized domain controllers and virtual machines.

  • There must be a single authoritative time provider in your infrastructure: the PDC emulator, which in turn syncs with a hardware time source or an Internet time source. A Hyper-V host or ESXi host must never be the time provider for a domain controller.
  • Never put a virtualized domain controller in a saved state.
  • Never sync a domain controller’s time with the virtualization host.
  • Uncheck Time synchronization in Integration Services if the DC and virtual servers run on Hyper-V.
  • Uncheck time synchronization for the DC and virtual machines in the VMware Tools configuration.
  • Do not restore a snapshot onto a production domain controller, least of all the PDC emulator.

Step1: Remove Time Synchronisation of Guest with Host

Follow the procedure if the host is Hyper-v Host

1. If the virtual machine is on Hyper-V, Right click the VM, Click Settings, choose Integration Services under Management.

2. On the Integration Service, uncheck Time synchronization.

3. Click OK.

Follow the procedure if the host is ESXi Host

1. If the virtual machine is on VMware ESXi, Right click on VM, Click Edit Settings,

2. Click Option, Click VMware Tools, uncheck Synchronise guest time with host, Click Ok.

Step2: Configure Cisco Switch as NTP Source

The commands below use NX-OS syntax (ntp enable, use-vrf); on classic IOS the ntp server and ntp peer commands are the same, ntp enable is not needed, and show commands are run outside configuration mode.

Enter global configuration mode:

switch# config t

Enable NTP:

switch(config)# ntp enable

Show NTP status:

switch(config)# show ntp status

Configure the upstream NTP server (the time source the switch itself follows):

switch(config)# ntp server {ip-address | ipv6-address | dns-name} [prefer] [use-vrf vrf-name]

Configure an NTP peer (another switch at the same stratum; the two keep each other in step):

switch(config)# ntp peer {ip-address | ipv6-address | dns-name} [prefer] [use-vrf vrf-name]

Display the configured servers and peers:

switch(config)# show ntp peers

Save the changes:

switch(config)# copy running-config startup-config

Follow this pattern to configure a high-availability Catalyst 6000 series pair as the NTP source; the Cisco NTP guide is linked under Further Study.

Step3: Configure a Domain Controller as a NTP Server

Follow the procedure below to configure the NTP server from an elevated command line, or use Step 4 to configure it with a GPO. My recommended approach is GPO instead of command line, but if you are a command-line junkie, these are the commands.

  1. Find out whether the server you are configuring as the time provider holds the PDC emulator role. Run:

netdom query fsmo

  2. From an elevated command prompt, stop the time service:

net stop w32time

  3. Completely remove all time settings from the registry. You may have to run this twice; if you get an access denied error, just run it again:

w32tm /unregister

  4. Re-create the registry settings:

w32tm /register

  5. Start the service:

net start w32time

  6. Set the server to sync with the NTP servers on pool.ntp.org. To find the correct pool for your region visit http://www.pool.ntp.org/en/ and click your region in the right-hand panel. The example is an Australian setup:

w32tm /config /syncfromflags:manual /manualpeerlist:"au.pool.ntp.org time.windows.com" /reliable:yes /update

When using a hardware time source, use this command instead:

w32tm /config /syncfromflags:manual /manualpeerlist:"<IP address or DNS name of Cisco core switch>" /reliable:yes /update

Use /reliable:yes only on the PDC emulator: it advertises this server as a reliable time source to the rest of the domain.

  7. Update the configuration:

w32tm /config /update

  8. Restart the service so the new settings take effect:

net stop w32time && net start w32time

  9. Sync the clock with your new NTP servers. This needs to return "The command completed successfully.":

w32tm /resync /rediscover

  10. Query the time configuration to make sure time is configured as desired:

w32tm /query /status

w32tm /query /peers

w32tm /query /configuration
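
The command-line procedure above, as an added PowerShell example that is not part of the original article. It refuses to run on anything other than the PDC emulator (found through the ActiveDirectory RSAT module, which it assumes is installed), runs the same w32tm sequence, and then measures the offset to each peer with w32tm /stripchart against the Kerberos default tolerance of 300 seconds. The peer list is a placeholder for your region or hardware source.

```powershell
# Added example (not from the original article): the manual-source procedure
# guarded so it only runs on the PDC emulator, followed by an offset check.
# Assumptions: ActiveDirectory module present; peer list is a placeholder.
#Requires -RunAsAdministrator
param(
    [string]$PeerList = 'au.pool.ntp.org time.windows.com',   # or the core switch IP/FQDN
    [int]$MaxSkewSeconds = 300                                 # Kerberos MaxClockSkew default
)

Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator
$me  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($me -ne $pdc) {
    throw "This host is $me; the PDC emulator is $pdc. Only the PDC emulator should take a manual time source."
}

# Same sequence as the steps above: stop, re-register (clears stale settings), start, configure, resync.
net stop w32time  | Out-Null
w32tm /unregister | Out-Null
w32tm /register   | Out-Null
net start w32time | Out-Null
w32tm /config /syncfromflags:manual /manualpeerlist:"$PeerList" /reliable:yes /update | Out-Null
w32tm /resync /rediscover

# The source must be one of the peers, never the local clock.
$source = w32tm /query /source
if ($source -match 'Local CMOS Clock|Free-running System Clock') {
    Write-Warning "Time source is '$source': the PDC is not synchronised with any peer."
}

# Offset to a peer, averaged over a few samples. /dataonly prints lines such as
# "12:00:01, +00.0123456s"; lines containing "error" mean the peer did not answer.
function Get-PeerOffset {
    param([string]$Peer, [int]$Samples = 3)
    $lines = w32tm /stripchart /computer:$Peer /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($l in $lines) { if ($l -match '([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] } }
    if (-not $offsets) { return $null }
    ($offsets | Measure-Object -Average).Average
}

foreach ($peer in $PeerList -split '\s+') {
    $offset = Get-PeerOffset -Peer $peer
    if ($null -eq $offset) { Write-Warning "$peer did not answer NTP (UDP/123 blocked?)"; continue }
    $state = if ([math]::Abs($offset) -gt $MaxSkewSeconds) { 'OUTSIDE Kerberos tolerance' } else { 'ok' }
    '{0,-24} offset {1,10:N3}s  {2}' -f $peer, $offset, $state
}
```

An offset near the Kerberos limit on a freshly configured PDC usually means the clock was far off before the resync and w32tm is slewing it gradually; run the offset loop again after a few minutes rather than forcing a step.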

Step4: Configure a NTP Server using Group Policy Object

  1. Open the Group Policy Management Console, right-click the Domain Controllers OU, click Create a GPO in this domain, and Link it here, type the name of the GPO as Time Provider, and click OK. Because only the PDC emulator should take time from an external source while the other DCs follow it, scope this GPO to the PDC emulator, for example with a WMI filter on Win32_ComputerSystem where DomainRole = 5.
  2. Right-click the Time Provider GPO, click Edit, and expand Computer Configuration\Administrative Templates\System\Windows Time Service.
  3. Right-click Configure Global Configuration Settings, click Edit, click Enabled, and click OK. Example values are shown below.

Clock Discipline Parameters

  • FrequencyCorrectRate: 4
  • HoldPeriod: 5
  • LargePhaseOffset: 50000000
  • MaxAllowedPhaseOffset: 300
  • MaxNegPhaseCorrection: 300
  • MaxPosPhaseCorrection: 300
  • PhaseCorrectRate: 1
  • PollAdjustFactor: 5
  • SpikeWatchPeriod: 900
  • UpdateInterval: 30000

General Parameters

  • AnnounceFlags: 5
  • EventLogFlags: 2
  • LocalClockDispersion: 10
  • MaxPollInterval: 10
  • MinPollInterval: 6
  • ChainEntryTimeout, ChainMaxEntries, ChainMaxHostEntries, ChainDisable, ChainLoggingRate: leave at their defaults

4. Expand Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers. Enable both Enable Windows NTP Client and Enable Windows NTP Server. Double-click Configure Windows NTP Client settings, click Enabled and type the NTP server names (example shown below):

  • NtpServer: au.pool.ntp.org time.windows.com (or the IP address of the Cisco core switch if you are using a hardware time provider)
  • Type: NTP
  • CrossSiteSyncFlags: 2
  • ResolvePeerBackoffMinutes: 15
  • ResolvePeerBackoffMaxTimes: 7
  • SpecialPollInterval: 3600
  • EventLogFlags: 1

The standard time configuration for the time provider should look like this:

Location | Configuration | Status | Settings
Computer Configuration\Administrative Templates\System\Windows Time Service | Configure Global Configuration Settings | Enabled | Default
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers | Configure Windows NTP Client settings | Enabled | au.pool.ntp.org time.windows.com
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers | Enable Windows NTP Client | Enabled | (none)
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers | Enable Windows NTP Server | Enabled | (none)

Step5: Create and link a separate GPO for domain joined client or server

  1. Open the Group Policy Management Console, right-click the OU that holds your member servers or workstations (not the Domain Controllers OU), click Create a GPO in this domain, and Link it here, type the name of the GPO as Time Client, and click OK.
  2. Right-click the Time Client GPO, click Edit, and expand Computer Configuration\Administrative Templates\System\Windows Time Service.
  3. Right-click Configure Global Configuration Settings, click Edit, click Enabled, and enter the same Clock Discipline Parameters and General Parameters values as in Step 4. Click OK.

4. Expand Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers. Enable Enable Windows NTP Client and leave Enable Windows NTP Server disabled. Double-click Configure Windows NTP Client settings, click Enabled and use the values below (example shown):

  • NtpServer: dc.superplaneteers.com
  • Type: NT5DS
  • CrossSiteSyncFlags: 2
  • ResolvePeerBackoffMinutes: 15
  • ResolvePeerBackoffMaxTimes: 7
  • SpecialPollInterval: 3600
  • EventLogFlags: 1

With Type set to NT5DS the machine takes time from the domain hierarchy (its authenticating domain controller) and the NtpServer value is ignored; it only takes effect if you switch Type to NTP.

The standard configuration for domain-joined clients and member servers should look like this:

Location | Configuration | Status | Settings
Computer Configuration\Administrative Templates\System\Windows Time Service | Configure Global Configuration Settings | Enabled | Default
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers | Configure Windows NTP Client settings | Enabled | NT5DS
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers | Enable Windows NTP Client | Enabled | (none)
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers | Enable Windows NTP Server | Disabled | (none)
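
An audit of the applied Windows Time policy against the intent of Steps 4 and 5, as an added PowerShell example that is not part of the original article. It assumes the Windows Time Service administrative templates write their values under HKLM\SOFTWARE\Policies\Microsoft\W32Time (Parameters, Config and TimeProviders subkeys), that Step 4 is scoped to the PDC emulator (DomainRole 5 in Win32_ComputerSystem), and that it is run on each machine being checked.

```powershell
# Added example (not from the original article): checks that the machine received
# the right time policy for its role and that w32time is actually synchronised.
# Assumptions: policy values live under HKLM\SOFTWARE\Policies\Microsoft\W32Time;
# Step 4 targets the PDC emulator only; run locally on the machine under test.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'

function Get-PolicyValue([string]$SubKey, [string]$Name) {
    $p = Join-Path $policyRoot $SubKey
    if (Test-Path $p) { (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).$Name }
}

# DomainRole: 0/1 workstation, 2/3 member server, 4 backup DC, 5 primary DC (PDC emulator)
$role  = (Get-CimInstance Win32_ComputerSystem).DomainRole
$isPdc = $role -eq 5
$isDc  = $role -ge 4

$type      = Get-PolicyValue 'Parameters' 'Type'
$ntpServer = Get-PolicyValue 'Parameters' 'NtpServer'
$clientOn  = Get-PolicyValue 'TimeProviders\NtpClient' 'Enabled'
$serverOn  = Get-PolicyValue 'TimeProviders\NtpServer' 'Enabled'
$announce  = Get-PolicyValue 'Config' 'AnnounceFlags'

$findings = New-Object System.Collections.Generic.List[string]
if ($null -eq $type) { $findings.Add('No Windows Time policy applied (check the GPO link and gpresult /r).') }
if ($isPdc) {
    if ($type -ne 'NTP')  { $findings.Add("PDC emulator should use Type=NTP with a manual peer list, found '$type'.") }
    if ($serverOn -ne 1)  { $findings.Add('PDC emulator should have Enable Windows NTP Server = Enabled.') }
    if ($announce -ne 5)  { $findings.Add("AnnounceFlags is '$announce'; 5 advertises a reliable time server.") }
} else {
    if ($type -ne 'NT5DS') { $findings.Add("Non-PDC machine should use Type=NT5DS (domain hierarchy), found '$type'.") }
    if ($type -eq 'NT5DS' -and $ntpServer) {
        $findings.Add("NtpServer '$ntpServer' is ignored with Type=NT5DS; the DC is chosen from the domain hierarchy.")
    }
    if (-not $isDc -and $serverOn -eq 1) { $findings.Add('Members should not serve time (Enable Windows NTP Server = Disabled).') }
}
if ($clientOn -ne 1) { $findings.Add('Enable Windows NTP Client should be Enabled.') }

# Effective state as the service sees it, not only what policy intends.
$source = w32tm /query /source
if ($source -match 'Local CMOS Clock|Free-running System Clock') { $findings.Add("Not synchronised: source is '$source'.") }

$summary = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    DomainRole = $role
    PolicyType = $type
    NtpServer  = $ntpServer
    Source     = $source
    Findings   = $summary
}
```

Run it with Invoke-Command across the Domain Controllers OU and a sample of member servers; any machine reporting "Local CMOS Clock" is the one that will start failing Kerberos first.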

Broadcasting Time Configuration using DHCP Server

Use either a GPO or DHCP option 042 to hand out a time server, not both. My recommendation is to use a GPO for Windows clients: the Windows Time service does not consume DHCP option 042, so the option only helps non-Windows devices (printers, phones, network gear) that ask DHCP for a time server. However, here is how to configure option 042 on a Windows DHCP server.

  1. Log on to the DHCP server, open Server Manager, click Tools, then DHCP.
  2. Expand IPv4, right-click Server Options and click Configure Options. On the General tab, scroll down and tick 042 Time Servers, type the IP address of the time server (or its name and click Resolve), click Add, then OK.

NTP Client Configuration for domain joined Hyper-v Server 2012

  1. Create an OU in Active Directory named Hyper-v Server 2012. Place all Hyper-v Server in that OU.
  2. Right click on Hyper-v Server 2012 OU that you want to apply this policy to and click “Link an Existing GPO”. Highlight your time policy you have created in Step5 then select and click OK.
  3. Repeat for other OUs as necessary. Remember that a nested OU will inherit from its parent unless inheritance is blocked or unless it has its own linked GPO with conflicting settings.

NTP Client Configuration for non domain joined Hyper-v Server 2012

  1. Set the server to sync with the NTP server:

w32tm /config /syncfromflags:manual /manualpeerlist:"dc.superplaneteers.com" /reliable:yes /update

Where dc.superplaneteers.com is the PDC emulator and time provider.

  2. Restart the service so the new settings take effect:

net stop w32time && net start w32time

  3. Sync the clock with your new NTP server. This needs to return "The command completed successfully.":

w32tm /resync /rediscover

  4. Query the time configuration to make sure time is configured as desired:

w32tm /query /status

w32tm /query /peers

w32tm /query /configuration

NTP Client Configuration in ESXi Host

Open Virtual Infrastructure Client, Connect to Virtual Center, Expand Data Center, Expand Cluster, Select ESXi Host, Click Configuration, Click Time Configuration, Click Property

On the General Tab, Select Start and Stop with Host

Click NTP Settings, Click Add, Type FQDN of Domain Controller, Click Ok, Click Ok

If you have a Host Profile in Virtual Center, Click Home, Click Host Profiles, Click Create a Host Profile or Edit an existing Host Profile, Expand date and time configuration, Click Time Settings, Type FQDN of DC, Click Ok.

Time drifting error in Windows Machine

Time can drift for many reasons, for example network latency or misconfiguration of the time service. You may find time-drift events in the Windows Server System event log (W32Time source). A troubleshooting guide is linked as Time Drifting Issue under Further Study.

Further Study

Microsoft Reference

Time Drifting Issue

Timekeeping best practices for Windows on ESXi Host

Detailed explanation of time configuration GPO

Cisco NTP Network Appliance

Windows 8: Configuring AppLocker Step by Step

AppLocker is a set of customizable rules that allow or deny applications, scripts and installers on a per-user or per-group basis. With it an administrator can ensure that security and licensing compliance needs are met, and apply granular control aligned with corporate security policy. You can configure the following rule collections in AppLocker via a Group Policy Object:

  • Executable Rules
  • Windows Installer Rules
  • Script Rules
  • Packaged App Rules

AppLocker can be found at Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker, as shown in the picture.

An administrator creates or edits a Group Policy Object based on business needs. Rules can be created to allow or deny any applications, scripts or installers per user or per group. The following is an example of creating a rule that allows Adobe Acrobat using AppLocker.

Right Click on Executable Rules, Click Create New Rule

On the Permission page, Click Allow, Click Next

Select Publisher, Click Next

Click Browse, go to C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat and select Acrobat.exe. To allow only this specific file and version, leave the slider at File version and click Next; otherwise drag the slider up to Product name. That way the rule covers Adobe Acrobat in any version, and because it is a publisher rule it is tied to Adobe’s code-signing certificate rather than to a path a user could write a renamed binary into.

On the Exceptions page, Click Next

On the Name page, Click Create.

Now you will see the rule in the following screen

AppLocker is a robust tool to manage corporate compliance and security on the desktop and server platform.
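
The same publisher rule built from PowerShell, as an added example that is not part of the original article. It assumes the Acrobat path used above exists and is signed on the machine where it runs, applies the policy locally in audit-only mode first, and uses Test-AppLockerPolicy to show what the rule would decide before anything is enforced. The AppLocker module ships with Windows; the Application Identity service (AppIDSvc) must be running for rules to take effect.

```powershell
# Added example (not from the original article): publisher rule for Acrobat built
# from its signature, applied in AuditOnly mode, then dry-run against two binaries.
# Assumptions: the Acrobat path exists and is signed; run elevated.
#Requires -RunAsAdministrator
Import-Module AppLocker

$acrobat   = 'C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat.exe'
$policyXml = "$env:TEMP\AppLocker-Acrobat.xml"

# Publisher rules key on the signing certificate and product, not the path, so a
# user cannot bypass them by copying a renamed binary into an allowed folder.
$info = Get-AppLockerFileInformation -Path $acrobat
if (-not $info.Publisher) { throw "$acrobat is unsigned; a publisher rule cannot be built for it." }

New-AppLockerPolicy -FileInformation $info -RuleType Publisher -User Everyone `
    -RuleNamePrefix 'Adobe Acrobat' -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding utf8

[xml]$doc = Get-Content -Path $policyXml -Raw
# Widen to the wizard's "Product name" level: any binary, any version of this product.
foreach ($cond in $doc.SelectNodes('//FilePublisherCondition')) {
    $cond.BinaryName = '*'
    $cond.BinaryVersionRange.LowSection = '*'
}
# Audit first: log 8003 events for what WOULD be blocked instead of blocking it.
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$doc.Save($policyXml)

# Apply to the local policy (use -Ldap 'LDAP://...' to write into a GPO instead).
Set-AppLockerPolicy -XmlPolicy $policyXml
# AppLocker does nothing unless the Application Identity service runs.
# On recent Windows 10 builds AppIDSvc is a protected service; if Set-Service is
# refused, set its Start value in the registry to 2 (Automatic) instead.
Set-Service -Name AppIDSvc -StartupType Automatic -ErrorAction SilentlyContinue
Start-Service -Name AppIDSvc

# Dry-run: what does this policy decide for Acrobat and for an unrelated binary?
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $acrobat, "$env:SystemRoot\System32\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Audit results so far: 8003 = would have been blocked had the collection been enforced.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

Notice that notepad.exe comes back as denied: once a collection contains any rule, everything it does not explicitly allow is blocked. Before switching the Exe collection from AuditOnly to Enabled, add the default rules (Create Default Rules in the console) or your own allow rules for the Windows and Program Files folders, and review the 8003 events from the audit period.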

Advanced Group Policy Object Management 4.0

Why do you need Advanced Group Policy Management (AGPM)? If you are a midsize or large organization with several Group Policy administrators across multiple sites, everybody playing their part in Group Policy administration without proper control over who does what, then you are in a real mess in the production environment. In this scenario AGPM provides role-based GPO management: who can review, edit, approve and deploy Group Policy Objects. AGPM also forms an integral part of the change control practice in your organization. It can improve GPO deployment and provide better management in the IT department. You can use AGPM to track each version of each GPO and its history, just as application developers use version control to track source code. AGPM is part of the Microsoft Desktop Optimization Pack (MDOP). A generic GPO deployment process using AGPM is as follows.

  

AGPM consists of a server component (the AGPM Service) and a client component (the AGPM snap-in). You have to install Microsoft Advanced Group Policy Management – Server on a system that has access to the policies you want to manage; it can be installed on a domain controller. An AGPM Client is installed on any system from which Group Policy administrators will review, edit and deploy GPOs. AGPM provides advanced change control features that help you manage the lifecycle of GPOs. The following is the Change Control view of AGPM.

The following steps are necessary to change and deploy a GPO:

  1. Check out the GPO from the archive.
  2. Edit the GPO as necessary.
  3. Check in the GPO to the archive.
  4. Deploy the GPO to production.

A controlled GPO cannot be changed by a GPO administrator at any time without prior approval. AGPM keeps a history of changes for each GPO, as shown in the screenshot.

You can deploy any version of a GPO to production, so you can quickly roll back a GPO to an earlier version if necessary. AGPM can also compare different versions of a GPO, showing added, changed, or deleted settings. Therefore, you can easily review changes before approving and deploying them to the production environment. In addition, a complete history of each GPO enables you to audit not only changes but also all activities related to that GPO.

Role-Based Delegation: Group Policy already provides a rich delegation model that allows you to delegate administration to regional and task-oriented administrators. AGPM adds a role-based delegation model with a review and approval step in the workflow, as shown in the table below (× marks an operation that is not available to that role).

Role       View   Compare   Edit   Create   Approve   Deploy
Reviewer                    ×      ×        ×         ×
Editor                                      ×         ×
Approver

Cross-Forest Management: AGPM 4.0 also introduces cross-forest management. You can use the following process to copy a controlled GPO from a domain in one forest to a domain in a second forest:

  1. Export the GPO from domain A in the first forest to a CAB file, by using AGPM.
  2. Import the GPO into the archive in domain B in the second forest, by using AGPM.

When you import the GPO into the second forest, you can import it as a new controlled GPO. You can also import it to replace the settings of an existing GPO that is checked out of the archive.

Install AGPM Server: Computers on which you want to install AGPM must meet the following requirements, and you must be a Domain Admin to create AGPM roles. If you have AGPM 3.0 installed, you do not have to upgrade the operating system before you upgrade to AGPM 4.0. The AGPM Server requirements are as follows.

  • GPMC Features for Windows Server 2008 R2 or Windows Server 2008
  • Remote Server Administration Tools for Windows 7
  • WCF Activation; Non-HTTP Activation
  • Windows Process Activation Service
  • Process Model
  • .NET 3.5 SP1 Environment
  • Configuration APIs

You can install AGPM Server on the member server or domain controller that will run the AGPM Service, and then configure the archive. All AGPM operations are managed through this Windows service and are executed with the service’s credentials. The archive managed by an AGPM Server can be hosted on that server or on another server in the same forest. Log on with an account that is a member of the Domain Admins group. Start the Microsoft Desktop Optimization Pack CD and follow the instructions on screen to select Advanced Group Policy Management – Server.

In the Welcome dialog box>click Next>accept the terms and then click Next.

In the Application Path dialog box, select a location in which to install AGPM Server. The computer on which AGPM Server is installed will host the AGPM Service and manage the archive. Click Next.

The AGPM Service account must be a member of either the Domain Admins group or, for a least-privilege configuration, the following groups in each domain managed by the AGPM Server: Group Policy Creator Owners and Backup Operators.

In the AGPM Service Account dialog box, select a service account under which the AGPM Service will run and then click Next.

In the Port Configuration dialog box, type a port on which the AGPM Service should listen. Do not clear the Add port exception to firewall check box unless you manually configure port exceptions or use rules to configure port exceptions. Click Next.

Click Install, and then click Finish to exit the Setup Wizard.

Important! Do not change settings for the AGPM Service through Administrative Tools and Services in the operating system. Doing this can prevent the AGPM Service from starting.

Install AGPM Client: AGPM Client 4.0 requires Windows Server 2008 R2, Windows Server 2008, or Windows 7, with the GPMC from RSAT. Both 32-bit and 64-bit versions are supported. AGPM Client can be installed on a computer that is running AGPM Server.

Before you begin this scenario, create four user accounts for AGPM Administrator (Full Control), Approver, Editor, and Reviewer. These accounts must be able to send and receive e-mail messages. Assign Link GPOs permission to the accounts that have the AGPM Administrator, Approver and Editor roles.

Each Group Policy administrator—anyone who creates, edits, deploys, reviews, or deletes GPOs—must have AGPM Client installed on computers that they use to manage GPOs. For this scenario, you install AGPM Client on at least one computer. You do not need to install AGPM Client on the computers of end users who do not perform Group Policy administration. Start the Microsoft Desktop Optimization Pack CD and follow the instructions on screen to select Advanced Group Policy Management – Client.

In the Welcome dialog box, click Next>accept the terms and then click Next>select a location in which to install AGPM Client. Click Next.

In the AGPM Server dialog box, type the DNS name or IP address for the AGPM Server and the port to which you want to connect. The default port for the AGPM Service is 4600. Do not clear the Allow Microsoft Management Console through the firewall check box unless you manually configure port exceptions or use rules to configure port exceptions. Click Next.

In the Languages dialog box, select one or more display languages to install for AGPM Client.

Click Install>click Finish to exit the Setup Wizard.

To configure an AGPM Server connection for all GPO administrators

On a computer on which you have installed AGPM Client, log on with the user account that you selected as the Archive Owner. Click Start>point to Administrative Tools>click Group Policy Management to open the GPMC.

In the details pane, double-click AGPM: Specify default AGPM Server (all domains). In the Properties window, select Enabled and type the DNS name or IP address and port (for example, MicrosoftGURU.com.au:4600) for the server hosting the archive. Click OK, and then close the Group Policy Management Editor window.

Configure e-mail notification: As an AGPM Administrator (Full Control), you can designate the e-mail addresses of Approvers and AGPM Administrators to whom an e-mail message containing a request is sent when an Editor tries to create, deploy, or delete a GPO. In the details pane, click the Domain Delegation tab. In the From e-mail address field, type the e-mail address for the user account to which you intend to assign the Approver role, and then type a valid SMTP mail server. In the User name and Password fields, type the credentials of a user who has access to the SMTP service. Click Apply.

To delegate access to all GPOs throughout a domain: On the Domain Delegation tab>click the Add button>select the user account from the domain>select the GPO Role of Editor>click OK. Repeat the process for the Reviewer and Approver roles.

Create a GPO: In an environment that has multiple Group Policy administrators, those with the Editor role can request that new GPOs be created. However, that request must be approved by someone with the Approver role.

On a computer on which you have installed AGPM Client, log on with a user account that is assigned the Editor role in AGPM. In the Group Policy Management Console tree>click Change Control>Click managed GPOs. Right-click the Change Control node>click New Controlled GPO.

Click Submit. The new GPO is displayed on the Pending tab.

To approve the pending request to create a GPO

On a computer on which you have installed AGPM Client, log on with a user account that has the role of Approver in AGPM. Open the e-mail inbox for the account, and notice that you have received an e-mail message from the AGPM alias with the Editor’s request to create a GPO.

In the Group Policy Management Console tree>click Change Control>Click manage GPOs. On the Contents tab>click the Pending tab to display the pending GPOs. Right-click on Pending GPO>click Approve. Click Yes to confirm approval and move the GPO to the Controlled tab.

Edit a GPO: You can use GPOs to configure computer or user settings and deploy them to many computers or users. In this step, you use an account that has the Editor role to check out a GPO from the archive, edit the GPO offline, check the edited GPO into the archive, and request deployment of the GPO to the production environment. For this scenario, you configure a setting in the GPO to require that the password be at least eight characters long.

On a computer on which you have installed AGPM Client, log on with a user account that has the role of Editor in AGPM. In the Group Policy Management Console>click Change Control to manage GPOs. On the Contents tab in the details pane>click the Controlled tab to display the controlled GPOs. Right-click the managed GPO>click Check Out>type a comment>click OK>click Close.

To request the deployment of the GPO to the production environment: on the Controlled tab, where the state of the GPO is identified as Checked In, right-click the managed GPO>click Deploy.

Because this account is not an Approver or AGPM Administrator, you must submit a request for deployment. To receive a copy of the request, type your e-mail address in the Cc field. Type a comment to be displayed in the history of the GPO, and then click Submit.

When the AGPM Progress window indicates that overall progress is complete, click Close. MyGPO is displayed on the list of GPOs on the Pending tab.

Review and deploy a GPO: In this step, you act as an Approver, creating reports and analyzing the settings and changes to settings in the GPO to determine whether you should approve them. After you evaluate the GPO, you deploy it to the production environment and link the GPO to a domain or an organizational unit (OU). The GPO takes effect when Group Policy is refreshed for computers in that domain or OU.

On a computer on which you have installed AGPM Client, log on with a user account that is assigned the role of Approver in AGPM. Any Group Policy administrator with the Reviewer role, which is included in all of the other roles, can review the settings in a GPO.

Open the e-mail inbox for the account and notice that you have received an e-mail message from the AGPM alias with an Editor’s request to deploy a GPO. In the Group Policy Management Console tree, click Change Control in the forest and domain in which you want to manage GPOs.

On the Contents tab in the details pane>click the Pending tab>Double-click a single managed GPO to display its history. Review the settings in the most recent version of GPO.

To deploy the GPO to the production environment

On the Pending tab, right-click a single managed GPO and then click Approve.

Type a comment to include in the history of the GPO>Click Yes. When the AGPM Progress window indicates that overall progress is complete, click Close.

To link the GPO to a domain or organizational unit

In the GPMC, right-click either the domain or an organizational unit (OU) to which you want to apply the GPO that you configured, and then click Link an Existing GPO. In the Select GPO dialog box>click selected GPO>click OK.

Use a template to create a GPO: In this step, you use an account that has the Editor role to create and use a template. That template is a static version of a GPO for use as a starting point for creating new GPOs. Although you cannot edit a template, you can create a new GPO based on a template. Templates are useful for quickly creating multiple GPOs that include many of the same policy settings.

On a computer on which you have installed AGPM Client, log on with a user account that is assigned the role of Editor in AGPM. In the Group Policy Management Console tree>click Change Control>Click manage GPOs.

On the Contents tab in the details pane>click the Controlled tab>Right-click on a single GPO>click Save as Template to create a template incorporating all settings currently in GPO.

Type a name for the template and a comment, then click OK>click Close. To request that a new GPO be created and managed through AGPM, click the Controlled tab>right-click the Change Control node>click New Controlled GPO.

In the New Controlled GPO dialog box, type your e-mail address in the Cc field. Type a name of GPO as the name for the new GPO. Type a comment for the new GPO.

Click Create live so that the new GPO will be deployed to the production environment immediately upon approval.

For From GPO template>select Template>Click Submit>click Close. The new GPO is displayed on the Pending tab.

To check the GPO out from the archive for editing

On a computer on which you have installed AGPM Client, log on with a user account that is assigned the role of Editor in AGPM. Right-click GPO>click Check Out>Type a comment to be displayed in the history of the GPO while it is checked out>click OK>click Close. On the Controlled tab, the state of the GPO is identified as Checked Out.

To edit the GPO offline and configure the account lockout duration

On the Controlled tab>right-click the GPO>click Edit to open the Group Policy Management Editor window and change an offline copy of the GPO. For this scenario, configure the account lockout duration:

Under Computer Configuration>double-click Policies>Click Windows Settings>Click Security Settings>Click Account Policies>Click Account Lockout Policy.

In the details pane, double-click Account lockout duration. In the properties window, check Define this policy setting, set the duration to 30 minutes, and then click OK.

Close the Group Policy Management Editor window.

To compare a GPO to another GPO and to a template

To compare Test GPO1 and Test GPO2, On the Controlled tab, click Test GPO1>Press CTRL and click Test GPO2. Right-click Test GPO2, point to Differences, and then click HTML Report.

To delete a GPO

On a computer on which you have installed AGPM Client, log on with a user account that is assigned the role of Approver. In the Group Policy Management Console tree, click Change Control in the forest and domain in which you want to manage GPOs.

On the Contents tab>click the Controlled tab to display the controlled GPOs>Right-click GPO, and then click Delete. Click Delete GPO from archive and production to delete both the version in the archive and the deployed version of the GPO in the production environment. Type a comment to be displayed in the audit trail for the GPO>click OK>click Close.

To restore a deleted GPO

On the Contents tab>click the Recycle Bin tab to display deleted GPOs>Right-click GPO>click Restore.

Type a comment to be displayed in the history of the GPO>click OK> click Close.

Important! Restoring a GPO to the archive does not automatically redeploy it to the production environment.

To roll back to an earlier version of a GPO

On the Contents tab>click the Controlled tab>Double-click MyGPO to display its history>Right-click the version to be deployed>click Deploy>click Yes>click Close.

Last but not least, PowerShell commands are very handy for working with GPOs on the fly. Before you can use the PowerShell cmdlets, you have to install Active Directory Web Services on a domain controller in your AD infrastructure. Download PowerShell v2 and install it on a utility server or Windows 7 admin PC. Open a PowerShell window as an Administrator and type the following commands.

import-module grouppolicy

get-command -module grouppolicy

get-command -module grouppolicy | get-help

List of PowerShell cmdlets for GPO and their functionality:

  Backup-GPO                    Backs up a GPO.
  Copy-GPO                      Copies a GPO.
  Get-GPInheritance             Retrieves GPO inheritance.
  Get-GPO                       Gets one GPO or all GPOs.
  Get-GPOReport                 Generates a report in either XML or HTML.
  Get-GPPermissions             Gets the permission level for security principals.
  Get-GPPrefRegistryValue       Retrieves one or more registry preference items.
  Get-GPRegistryValue           Retrieves one or more registry-based policy settings.
  Get-GPResultantSetOfPolicy    Outputs the Resultant Set of Policy (RSoP) information.
  Get-GPStarterGPO              Gets one Starter GPO or all Starter GPOs in a domain.
  Import-GPO                    Imports the Group Policy settings from a backed-up GPO.
  New-GPLink                    Links a GPO to a site, domain, or OU.
  New-GPO                       Creates a new GPO.
  New-GPStarterGPO              Creates a new Starter GPO.
  Remove-GPLink                 Removes a GPO link from a site, domain, or OU.
  Remove-GPO                    Deletes a GPO.
  Remove-GPPrefRegistryValue    Removes one or more registry preference items.
  Remove-GPRegistryValue        Removes one or more registry-based policy settings.
  Rename-GPO                    Assigns a new display name to a GPO.
  Restore-GPO                   Restores one GPO or all GPOs in a domain from a backup.
  Set-GPInheritance             Blocks or unblocks inheritance for a specified domain or OU.
  Set-GPLink                    Sets the properties of the specified GPO link.
  Set-GPPermissions             Grants a level of permissions to a security principal.
  Set-GPPrefRegistryValue       Configures a registry preference item.
  Set-GPRegistryValue           Configures one or more registry-based policy settings.
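As an added example (not code from the article, and not Microsoft’s own tooling), the following PowerShell functions use the cmdlets listed above to reproduce outside AGPM what its archive does: snapshot every GPO to a dated backup folder with an XML report, diff a GPO’s live settings against a snapshot, and roll it back. It assumes the GroupPolicy module (GPMC from RSAT) is installed, that the account can back up and restore GPOs in the domain, and that the archive path is a placeholder.

```powershell
# Added example, not part of the original article or of Microsoft's tooling.
# Assumes the GroupPolicy module (GPMC from RSAT) is present and the caller can
# back up and restore GPOs in the domain. Paths and domain are placeholders.
Import-Module GroupPolicy

# Back up every GPO in the domain into a time-stamped folder and write an XML
# report beside each backup, so the folder is a self-describing version.
function New-GpoSnapshot {
    param(
        [Parameter(Mandatory)][string]$Root,   # e.g. \\fileserver\gpo-archive (placeholder)
        [string]$Domain = $env:USERDNSDOMAIN
    )
    $path = Join-Path $Root (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $backup = Backup-GPO -Guid $gpo.Id -Path $path -Domain $Domain -Comment 'scheduled snapshot'
        Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $Domain -Path (Join-Path $path "$($gpo.Id).xml")
        [pscustomobject]@{
            DisplayName     = $gpo.DisplayName
            GpoId           = $gpo.Id
            ComputerVersion = $gpo.Computer.DSVersion   # AD version counters change on every edit
            UserVersion     = $gpo.User.DSVersion
            BackupId        = $backup.Id                 # needed later by Restore-GPO
            SnapshotPath    = $path
        }
    }
}

# Diff a GPO's current settings against the XML report stored in a snapshot.
# Output lines prefixed "=>" exist only in production, "<=" only in the snapshot.
function Compare-GpoSnapshot {
    param(
        [Parameter(Mandatory)][string]$SnapshotPath,
        [Parameter(Mandatory)][guid]$GpoId,
        [string]$Domain = $env:USERDNSDOMAIN
    )
    $old = Get-Content -Path (Join-Path $SnapshotPath "$GpoId.xml")
    $new = (Get-GPOReport -Guid $GpoId -ReportType Xml -Domain $Domain) -split "`r?`n"
    # Timestamps in the report header differ on every run; ignore them.
    $filter = { $_ -notmatch '<ReadTime>|<ModifiedTime>|<CreatedTime>' }
    Compare-Object ($old | Where-Object $filter) ($new | Where-Object $filter) |
        ForEach-Object { '{0} {1}' -f $_.SideIndicator, $_.InputObject.Trim() }
}

# Roll a GPO back to the version captured in a snapshot (the "deploy an earlier
# version" step of the article, done with the built-in cmdlets). Links are kept.
function Restore-GpoSnapshot {
    param(
        [Parameter(Mandatory)][string]$SnapshotPath,
        [Parameter(Mandatory)][guid]$BackupId,
        [string]$Domain = $env:USERDNSDOMAIN
    )
    Restore-GPO -BackupId $BackupId -Path $SnapshotPath -Domain $Domain
}

# Usage (run as a Group Policy administrator; the share is a placeholder):
# $snap = New-GpoSnapshot -Root '\\fileserver\gpo-archive'
# Compare-GpoSnapshot -SnapshotPath $snap[0].SnapshotPath -GpoId $snap[0].GpoId
# Restore-GpoSnapshot -SnapshotPath $snap[0].SnapshotPath -BackupId $snap[0].BackupId
```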

Relevant References:

Active Directory Best Practice

Download Advanced Group Policy from TechNet

Finally! Copy and merge GPOs! PowerShell saves the day!

Microsoft® Desktop Optimization Pack (MDOP)

Choosing Which Version of AGPM to Install

Active Directory Web Services

Remove initial configuration wizard on Windows Server 2008 using GPO

Open the Group Policy Management Console with administrative privileges. Create a GPO and link it to the Enterprise Server OU: right-click the Enterprise Server OU>click Properties.

Locate the Server Manager section of the GPO: expand Computer Configuration>expand Policies>expand Administrative Templates>expand System>select Server Manager.

Enable both options in that section: Do not display Initial Configuration Tasks window automatically at logon, and Do not display Server Manager automatically at logon.

Close the window. Run gpupdate on servers to apply GPO or wait for GPO to refresh at configured GP refresh time.

How to configure Forefront TMG 2010 as WPAD server (Auto Proxy Discovery)—Step by Step

WPAD stands for Web Proxy Auto-Discovery Protocol. WPAD carries the proxy settings for clients. Windows clients use the WPAD protocol to obtain proxy information from a DHCP or DNS server: the client queries for the WPAD entry and receives the address of the WPAD server on which WPAD.dat or Wspad.dat is stored. The WPAD server can be a Forefront TMG server or a separate IIS server hosting the WPAD.dat or wspad.dat URL. Configuring a WPAD server is pretty simple, as described in the following steps:

  1. Select and configure an automatic discovery mechanism.
  2. Implement a WPAD server and DNS or Implement a WPAD Server and DHCP.
  3. Configure automatic discovery through GPO for Windows client computers

What’s in the WPAD.dat and WSPAD.dat files? The Wpad.dat file is a Microsoft JScript® file used by the Web client browser to set browser settings. Wpad.dat contains the following information:

  • The proxy server that should be used for client requests.
  • Domains and IP addresses that should be accessed directly, bypassing the proxy.
  • An alternate route in case the proxy is not available.
  • For a TMG Enterprise Edition array, Wpad.dat provides a list of all servers in the array.

In TMG Server, the WSPAD implementation uses the WPAD mechanism and constructs the Wspad.dat file to provide the client with proxy settings, plus some additional Firewall client configuration information not required for automatic detection. The relevant automatic detection entries in Wspad.dat are the server name and port name.

Configure WPAD Entry in an authoritative DHCP Server:

Click Start, point to All Programs, point to Administrative Tools, and then click DHCP.

In the console tree, right-click the applicable DHCP server, click Set Predefined Options, and then click Add.

In Name, type WPAD. In Code, type 252. In Data type, select String, and then click OK.

In String, type http://Computer_Name:Port/wpad.dat where Port is the port number on which automatic discovery information is published. You can specify any port number. By default, Forefront TMG publishes automatic discovery information on port 8080. Ensure that you use lowercase letters when typing wpad.dat. Forefront TMG uses wpad.dat and is case sensitive.

Right-click Scope Options, and then click Configure options. Confirm that Option 252 is selected.

Note: Assign the primary domain name to clients using DHCP. A DHCP server can be configured with a DHCP scope option to supply DHCP clients with a primary domain name. You can use port 8080 if you are using DHCP to deliver WPAD, whereas DNS delivery requires port 80, which most corporate networks already use for web applications or the primary web site. My preferred method is to deliver WPAD using DHCP.

Configuring WPAD Entry in Active Directory DNS (AD DS):

Click Start, point to All Programs, point to Administrative Tools, and then click DNS.

In the console tree, right-click the forward lookup zone for your domain, and click New Alias (CNAME).

In Alias name, type WPAD.

In Fully qualified name for target host, type the FQDN of the WPAD server. If the Forefront TMG computer or array already has a host (A) record defined, you can click Browse to search the DNS namespace for the Forefront TMG server name.

Note: If clients belong to multiple domains, you will need a DNS entry for each domain. Firewall clients should be configured to resolve the WPAD entry using an internal DNS server. For WPAD entries obtained from DNS, the WPAD server must listen on port 80. Do NOT configure CNAME entry in AD DS if you are using DHCP to deliver WPAD.

Important! Use only one delivery method, either DNS or DHCP.

Configuring TMG Server as the WPAD Server: You can configure Forefront TMG as the WPAD server as follows:

In the console tree of Forefront TMG Management, click Networking. In the details pane, click the Networks tab, and then select the network on which you want to listen for WPAD requests from clients (usually the default Internal network).

On the Tasks tab, click Edit Selected Network.

On the Auto Discovery tab, select Publish automatic discovery information.

In Use this port for automatic discovery requests, specify the port on which the Forefront TMG WPAD server should listen for WPAD requests from clients.

Click the Forefront TMG Client tab and check Enable Forefront TMG Client support for this network. By default the TMG server name is selected in this option; for TMG Enterprise Edition you can select any array member hosting WPAD. Check Automatically detect settings, check Use automatic configuration script and select Use default URL, and check Use a web proxy server. You may select one of the following:

  • Use default URL. Forefront TMG provides a default configuration script at the location http://FQDN:8080/array.dll?Get.Routing.Script, where the FQDN is that of the Forefront TMG computer. This script contains the settings specified on the Web Browser tab of the network properties.
  • Use custom URL. As an alternative to the default script, you can construct your own Proxy Auto-Configuration (PAC) file and place it on a Web server. When the client Web browser looks for the script at the specified URL, the Web server receives the request and returns the custom script to the client.

Click Apply, and then click OK.

To run the AD Marker tool for automatic detection: use this tool if you use Active Directory as the delivery mechanism.

To store the marker key in Active Directory, at the command prompt, type:

TmgAdConfig.exe add -default -type winsock -url <service-url> [-f]

where the service-url entry should be in the format http://<TMG Server Name>:8080/wspad.dat.

To delete the key from Active Directory, at a command prompt, type:

TmgAdConfig.exe del -default -type winsock

The following parameters can also be used in the commands:

To configure the Active Directory marker for a specific site, use the -site command line parameter.

For a complete list of options, type TmgAdConfig.exe -?

For detailed usage information, type TmgAdConfig.exe <command> -help

The TmgAdConfig tool creates the following registry key in Active Directory: LDAP://Configuration/Services/Internet Gateway(“Container”) /Winsock Proxy(“ServiceConnectionPoint”)

The key’s server binding information will be set to <service-url>. This key will be retrieved by the Forefront TMG Client and will be used to download the wspad configuration file.

Configuring an Alternative WPAD Server: An alternative configuration is to place the Wpad.dat and Wspad.dat files on another computer instead of on the TMG Server computer. For example, you can place the files on a server running IIS. In such a configuration, the DNS and DHCP entries point to the computer running IIS, and this computer acts as a dedicated redirector to provide WPAD and WSPAD information to clients. The simplest way to download the Wpad.dat and Wspad.dat files is to connect to the TMG Server computer through a Web browser and obtain the files from the following URLs:

Configuring Internet Explorer for Automatic Discovery in a single computer: Configure WPAD for automatic detection for DHCP delivery method as follows:

  1. In Internet Explorer, click the Tools menu, and then click Internet Options.
  2. On the Connections tab, click LAN Settings.
  3. On the Local Area Network (LAN) Settings tab, select Automatically detect settings.

Enabling browsers for automatic detection using a static/custom configuration script

  1. In Internet Explorer, click the Tools menu, and then click Internet Options.
  2. On the Connections tab, click LAN Settings.
  3. On the Local Area Network (LAN) Settings tab, select Use automatic configuration script. Enter the script location as http://fqdnserver:port/array.dll?Get.Routing.Script, where fqdnserver is the fully qualified domain name (FQDN) of the Forefront TMG server. The configuration script location can be specified in each browser, or it can be set for all clients through Group Policy.

To export the settings from your computer to an .ins file using IEM

In Group Policy, double-click Local Computer Policy, double-click User Configuration, and then double-click Windows Settings.

Right-click Internet Explorer Maintenance, and then click Export Browser Settings.

Enter the location and name of the .ins file that you want to use.

Copy this WPAD.INS file and host this in a separate IIS server.

Configure Automatic Detection through GPO for entire Windows fleet

Log on to Domain Controller as an administrator.

Open the Group Policy Management Console, select the desired Organisational Unit, right-click it, and click Create a GPO in this domain, and Link it here.

Type the Name of the GPO, Click ok

Right mouse click on newly created GPO, Click on Edit,

Expand GPO editor to User Configuration>Windows Settings>Internet Explorer Maintenance>Connections>Double Click Automatic Browser Configuration

Choose the option that matches your delivery method:

  • If you use DHCP as the WPAD.dat delivery method, check Automatically Detect Configuration Settings.
  • If you use the default routing script from the TMG server, select the corresponding option.
  • If you deliver wpad.dat through the DNS server, select the corresponding option.
  • For WPAD.INS deployment, select the corresponding option.

In Automatically configure every N minutes, you can set the refresh interval; type 0 (zero) to update automatically only after a restart.

Testing Automatic Detection

To test the DHCP delivery method, log on to a client machine. Open IE8 and set the IE proxy settings to Automatically detect settings. Run gpupdate /force and reboot the computer. Browse any web site to confirm that the proxy is detected by the browser.

For a WPAD entry in DNS, you can test the automatic discovery mechanism by typing the following in the Web browser:

For a WPAD entry in DHCP, you specify the FQDN of the WPAD server. For example, if the WPAD DHCP entry is available on a TMG Server computer, type the following:

To test that the automatic configuration script is being retrieved as expected, type the following in the Web browser:
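The same checks scripted from a client, as an added example that is not part of the original article: it verifies that the wpad alias resolves to the server you configured, that the DNS-delivered wpad.dat answers on port 80 with a lowercase path, and that the TMG URLs answer on port 8080. It assumes PowerShell 3.0 or later for Invoke-WebRequest, the DnsClient module for Resolve-DnsName (Windows 8 / Server 2012 or later), and all domain and server names are placeholders.

```powershell
# Added example, not part of the original article. Checks the WPAD delivery
# paths the article describes from a client's point of view: the DNS alias
# wpad.<domain> answering on port 80, and the Forefront TMG URLs on port 8080.
# Requires PowerShell 3.0+ (Invoke-WebRequest) and the DnsClient module
# (Resolve-DnsName, Windows 8 / Server 2012 or later). All names are placeholders.
function Test-WpadDelivery {
    param(
        [Parameter(Mandatory)][string]$Domain,   # e.g. corp.example.com (placeholder)
        [string]$TmgFqdn,                        # e.g. tmg01.corp.example.com (placeholder)
        [int]$TmgPort = 8080,                    # TMG's default auto-discovery port
        [string]$ExpectedTarget                  # host the wpad alias is supposed to point at
    )
    $results = New-Object System.Collections.Generic.List[object]
    # Run one check, recording success with its detail or failure with the error.
    $check = {
        param([string]$Name, [scriptblock]$Body)
        try   { $results.Add([pscustomobject]@{ Check = $Name; Ok = $true;  Detail = (& $Body) }) }
        catch { $results.Add([pscustomobject]@{ Check = $Name; Ok = $false; Detail = $_.Exception.Message }) }
    }
    $wpadHost = "wpad.$Domain"

    # 1. The alias must resolve, and it should be a CNAME to the server you
    #    configured (the article creates it as a CNAME in the forward zone).
    & $check 'wpad CNAME resolves' {
        $rec = Resolve-DnsName -Name $wpadHost -Type CNAME -ErrorAction Stop | Select-Object -First 1
        if (-not $rec.NameHost) { throw "$wpadHost is not a CNAME" }
        if ($ExpectedTarget -and $rec.NameHost -ne $ExpectedTarget) {
            throw "alias points to $($rec.NameHost), expected $ExpectedTarget"
        }
        $rec.NameHost
    }

    # 2. DNS-delivered WPAD is fetched on port 80 with a lowercase wpad.dat path.
    & $check 'http://wpad/wpad.dat on port 80' {
        $r = Invoke-WebRequest -Uri "http://$wpadHost/wpad.dat" -UseBasicParsing -TimeoutSec 10
        if ($r.Content -notmatch 'FindProxyForURL') { throw 'response is not a PAC script' }
        "HTTP $($r.StatusCode), $($r.Content.Length) bytes"
    }

    # 3. TMG itself publishes wpad.dat and the routing script on its own port.
    if ($TmgFqdn) {
        & $check "TMG wpad.dat on port $TmgPort" {
            $r = Invoke-WebRequest -Uri "http://${TmgFqdn}:${TmgPort}/wpad.dat" -UseBasicParsing -TimeoutSec 10
            if ($r.Content -notmatch 'FindProxyForURL') { throw 'response is not a PAC script' }
            "HTTP $($r.StatusCode)"
        }
        & $check 'TMG routing script' {
            $r = Invoke-WebRequest -Uri "http://${TmgFqdn}:${TmgPort}/array.dll?Get.Routing.Script" -UseBasicParsing -TimeoutSec 10
            "HTTP $($r.StatusCode), $($r.Content.Length) bytes"
        }
    }
    return $results
}

# Usage (placeholder names):
# Test-WpadDelivery -Domain 'corp.example.com' -TmgFqdn 'tmg01.corp.example.com' -ExpectedTarget 'tmg01.corp.example.com' | Format-Table -AutoSize
```

A failed first check with an unexpected NameHost means the alias does not point where your DNS change intended and should be investigated before clients are told to auto-detect.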

Relevant Articles:

Forefront TMG 2010 Tools & Software Development Kit

Install and configure Forefront TMG step by step

Forefront Threat Management Gateway (TMG) 2010

Configure 3-leg perimeter using TMG 2010 step by step

Configure back to back perimeter step by step

Configure reverse proxy step by step

Publish Exchange Anywhere

Publish Exchange OWA

Group Policy for Windows 7 and Windows Server 2008 R2

Microsoft Advanced Group Policy Management (AGPM) 4.0 provides advanced control and management features for computers running Windows 7 and Windows Server 2008 R2. Systems administrators can apply change control to each feature deployed through a GPO. AGPM 4.0 introduces the ability to filter and search the list of GPOs that it displays. AGPM is an integral part of the Microsoft Desktop Optimization Pack (MDOP): it is the MDOP application that helps you overcome the challenges of complex Group Policy management in any IT infrastructure. AGPM supports effective change control by providing version tracking, history capture, and quick rollback of deployed GPO changes. Microsoft created a very nice tool to establish a tight command and control relationship between servers and clients.

Computers on which you want to install and run AGPM with complete functionality must meet the following Systems requirement:

Server: Windows Server 2008 R2

In Windows Server 2008 R2, the following Windows features are required by AGPM Server and will automatically be installed if they are not present:

  • WCF Activation; Non-HTTP Activation
  • Windows Process Activation Service
  • Process Model
  • The .NET Environment 3.5 or later
  • Configuration APIs

Client: Windows 7

On Windows 7, .NET Framework 3.5 will also automatically be installed. It is by default compatible with the new GPMC.

Windows Server 2008 and Windows Vista SP1 are supported but cannot report or edit policy settings. 😐

Management Tools: You have to download and install Remote Server Administration Tools on a Windows 7 admin PC to administer and manage roles and features that are installed on computers running Windows Server 2008 R2, Windows Server 2008 and Windows Server 2003. If you are migrating from Windows 2003 Active Directory to Windows Server 2008 R2 Active Directory, the entire set of Group Policy objects will automatically be migrated to the new Active Directory.

Added features:

Computer Configuration | Preferences | Windows Settings & Control Panel settings

User Configuration | Preferences | Windows Settings & Control Panel settings

Further Study:

Microsoft GPO

Group Policy Management Console Sample Scripts

Operation Guide

Keywords: GPO, MDOP, Windows7, Windows Server 2008 R2