Appendix A: GPO Scenario Policy Settings
Applies To: Windows Server 2003 with SP1
The Group Policy settings for each scenario (GPOs for both computer and user policy settings) are documented in the accompanying spreadsheet, CommonScenarios.xls. The spreadsheet is built around Excel's column-filtering capability, so you can filter it to show only the settings associated with a given scenario.
In addition, HTML-based GPO reports are provided in the <installdir>\GPO-Reports directory. One report exists for each GPO provided with CommonScenarios.msi and provides a good deal of information about each GPO.
Table 2 lists the feature characteristics of each scenario.
Table 2. Scenario Features
Feature | Lightly Managed | Mobile | Multi-User | AppStation | TaskStation | Kiosk |
---|---|---|---|---|---|---|
Number of users | Multiple | 1 | Multiple | Multiple | Multiple | 1 (anonymous) |
User profile type | Roaming | Roaming | Roaming | Roaming | Roaming | Local |
Profile persistence at logoff | Cached | Cached | Removed at logoff | Cached | Removed at logoff | N/A |
Folder Redirection | My Documents and AppData | My Documents and AppData | My Documents and AppData | My Documents and AppData | My Documents and AppData | No |
User can customize | Almost all settings | Some or most settings | Some settings | Few settings | None | None |
Task bar and Start Menu | Yes | Yes | Yes | Yes | No | No |
Assigned Applications | Multiple | Multiple | Multiple | Few | 1 (usually computer assigned) | 1 (computer assigned) |
Published applications | Yes | Yes | Yes | No | No | No |
Security context | User or Power User | User or Power User | User | User | User | User |
Based on security template | Secure Workstation | Secure Workstation | Highly Secure Workstation | Highly Secure Workstation | Highly Secure Workstation | Highly Secure Workstation |
Notes:
The scenarios are based on the security templates listed; however, in each scenario, the templates have been modified.
The following significant modifications are made for compatibility reasons:

- Mandatory digital signing of SMB traffic is disabled.
- Mandatory encryption of secure channel communications is disabled.
- LAN Manager Authentication Level is not specified.
When setting up folder redirection, it is recommended that you create the root share only on the server, and let the system create the folders for each user. For the best experience, set the share permissions to Full Control for the security groups you're redirecting, and set the NTFS permissions to Full Control on this folder, subfolders, and files.
If you must create folders for the users, ensure that you set the correct permissions. Tables 3, 4, and 5 below show the default and minimum permissions required for folder redirection.
Table 3. NTFS Permissions Needed for Root Folder
User account | Folder redirection defaults | Minimum permissions needed |
---|---|---|
Creator/owner | Full Control, this folder, subfolders, and files | Full Control, this folder, subfolders, and files |
Local Administrator | Full Control, this folder, subfolders, and files | Full Control, this folder, subfolders, and files |
Everyone | Full Control, this folder, subfolders, and files | List Folder/Read Data, Create Files/Write Data, Create Folders/Append Data - This Folder only |
Local System | Full Control, this folder, subfolders, and files | Full Control, this folder, subfolders, and files |
Table 4. Share level (SMB) Permissions Required for Root Folder
User account | Folder redirection defaults | Minimum permissions needed |
---|---|---|
Everyone | Full Control | Everyone - no permissions. Use a security group that matches the users who will need to put data on the share. |
Table 5. NTFS Permissions Required for each User’s Redirected Folder
User account | Folder redirection defaults | Minimum permissions needed |
---|---|---|
%User Name% | Full Control, owner of folder | Full Control, owner of folder |
Local System | Full Control | Full Control |
Everyone | Traverse Folder, Read Attributes, Read Extended Attributes, and Read Permissions | Everyone - no permissions |
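The root-share setup described above, written out as an added PowerShell example (not part of this guide): it applies the Table 3 minimum NTFS permissions and the Table 4 share permissions to a new redirection root, then checks that Everyone holds no more than that minimum. It assumes a server with the SmbShare module (Windows Server 2012 or later rather than Server 2003) and uses placeholder names for the path, share and security group.

```powershell
# Added example, not part of the original guide: builds a folder redirection root with
# the Table 3 minimum NTFS rights and the Table 4 share rights (group gets Full Control,
# Everyone gets nothing). Assumes the SmbShare module (Windows Server 2012 or later, not
# the Server 2003 host the guide targets); path, share and group names are placeholders.
function New-RedirectionRoot {
    param([string]$Path, [string]$Share, [string]$Group)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and clear existing ACEs so only Table 3 remains.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }
    $all = 'ContainerInherit, ObjectInherit'   # "this folder, subfolders, and files"
    $entries = @(
        @('CREATOR OWNER',          'FullControl', $all),
        @('BUILTIN\Administrators', 'FullControl', $all),
        @('NT AUTHORITY\SYSTEM',    'FullControl', $all),
        # Table 3 minimum for Everyone: List Folder/Read Data, Create Files/Write Data,
        # Create Folders/Append Data on this folder only, so a user can create a folder
        # here but inherits no rights inside other users' redirected folders.
        @('Everyone', 'ReadData, WriteData, AppendData', 'None')
    )
    foreach ($e in $entries) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($e[0], $e[1], $e[2], 'None', 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
    # Table 4: share access for the redirection group only; no entry for Everyone.
    New-SmbShare -Name $Share -Path $Path -FullAccess $Group | Out-Null
}

# Returns $true only when neither the share ACL nor the root NTFS ACL gives Everyone more
# than the Table 3/Table 4 minimum; run it after setup or as a periodic audit.
function Test-RedirectionRoot {
    param([string]$Path, [string]$Share)
    $shareEveryone = Get-SmbShareAccess -Name $Share | Where-Object { $_.AccountName -eq 'Everyone' }
    $full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $ntfsEveryoneFull = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and (([int]$_.FileSystemRights -band $full) -eq $full)
    }
    return ((-not $shareEveryone) -and (-not $ntfsEveryoneFull))
}

# Placeholder values; replace with your own path, hidden share name and security group.
New-RedirectionRoot -Path 'D:\Redirected' -Share 'Redirected$' -Group 'CONTOSO\FolderRedirectionUsers'
Test-RedirectionRoot -Path 'D:\Redirected' -Share 'Redirected$'
```

Run it from an elevated session on the file server; the per-user folders then receive the Table 5 permissions from the folder redirection engine itself when each user first logs on.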