Appendix A: GPO Scenario Policy Settings

Applies To: Windows Server 2003 with SP1

The Group Policy settings for each scenario (the GPOs for both computer and user policy settings) are documented in the accompanying spreadsheet, CommonScenarios.xls. Using Excel's column filters, you can browse the settings associated with each scenario.

In addition, HTML-based GPO reports are provided in the <installdir>\GPO-Reports directory. There is one report for each GPO provided with CommonScenarios.msi, and each report documents that GPO's settings in detail.

Scenario Comparison Table

Table 2 lists the feature characteristics of each scenario.

Table 2.    Scenario Features

Feature                       Lightly Managed           Mobile                    Multi-User                 AppStation                 TaskStation                    Kiosk
Number of users               Multiple                  1                         Multiple                   Multiple                   Multiple                       1 (anonymous)
User profile type             Roaming                   Roaming                   Roaming                    Roaming                    Roaming                        Local
Profile persistence at logoff Cached                    Cached                    Removed at logoff          Cached                     Removed at logoff              N/A
Folder redirection            My Documents and AppData  My Documents and AppData  My Documents and AppData   My Documents and AppData   My Documents and AppData       No
User can customize            Almost all settings       Some or most settings     Some settings              Few settings               None                           None
Task bar and Start Menu       Yes                       Yes                       Yes                        Yes                        No                             No
Assigned applications         Multiple                  Multiple                  Multiple                   Few                        1 (usually computer assigned)  1 (computer assigned)
Published applications        Yes                       Yes                       Yes                        No                         No                             No
Security context              User or Power User        User or Power User        User                       User                       User                           User
Based on security template    Secure Workstation        Secure Workstation        Highly Secure Workstation  Highly Secure Workstation  Highly Secure Workstation      Highly Secure Workstation

Notes:

  • The scenarios are based on the security templates listed; however, in each scenario the templates have been modified.

  • The following significant modifications are made for compatibility reasons:

    • Mandatory digital signing of SMB traffic is disabled.

    • Mandatory encryption of secure channel communications is disabled.

    • LAN Manager Authentication Level is not specified.

  • Each of these changes weakens the template's defaults: unsigned SMB traffic can be tampered with or relayed in transit, an unencrypted secure channel exposes domain traffic to eavesdropping, and an unspecified LAN Manager Authentication Level leaves each client's own default in force. Re-enable them wherever all clients and servers in the environment support them.
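To see what a workstation actually ends up with after one of these modified templates applies, the following PowerShell script (added here as an example by the editor; it is not part of the appendix or of the CommonScenarios.msi package) reads the registry values behind the relevant Security Options policies and flags each one that is not enforced. The registry paths and value names are the standard ones for these policies; the Expected column is the editor's hardening recommendation, not a value taken from the page.

```powershell
# Added example (editor's code, not from the appendix or CommonScenarios.msi):
# read the registry values behind the Security Options policies that the
# Notes say the modified templates relax, and flag each one that is not
# enforced on the machine the script runs on.
# Paths and value names are the standard ones for these policies; the
# Expected column is the editor's hardening recommendation, not a value from
# the page.

$lanmanWks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$lanmanSrv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$netlogon  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$lsa       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Returns $null when the value is absent, which is what "not specified" by
# policy looks like in the registry.
function Get-RegistryDword([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$checks = @(
    @{ Policy = 'Microsoft network client: Digitally sign communications (always)'
       Path = $lanmanWks; Name = 'RequireSecuritySignature'
       Hardened = { param($v) $v -eq 1 }; Expected = '1' }
    @{ Policy = 'Microsoft network server: Digitally sign communications (always)'
       Path = $lanmanSrv; Name = 'RequireSecuritySignature'
       Hardened = { param($v) $v -eq 1 }; Expected = '1' }
    @{ Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)'
       Path = $netlogon;  Name = 'RequireSignOrSeal'
       Hardened = { param($v) $v -eq 1 }; Expected = '1' }
    @{ Policy = 'Domain member: Digitally encrypt secure channel data (when possible)'
       Path = $netlogon;  Name = 'SealSecureChannel'
       Hardened = { param($v) $v -eq 1 }; Expected = '1' }
    @{ Policy = 'Network security: LAN Manager authentication level'
       Path = $lsa;       Name = 'LmCompatibilityLevel'
       Hardened = { param($v) ($null -ne $v) -and ($v -ge 3) }; Expected = '3 or higher (NTLMv2 only)' }
)

$results = foreach ($c in $checks) {
    $value = Get-RegistryDword -Path $c.Path -Name $c.Name
    $shown = if ($null -eq $value) { 'not set' } else { $value }
    $state = if (& $c.Hardened $value) { 'enforced' } else { 'RELAXED' }
    [pscustomobject]@{ Policy = $c.Policy; Value = $shown; Expected = $c.Expected; Status = $state }
}
$results | Format-Table Policy, Value, Expected, Status -AutoSize -Wrap

# Exit non-zero when anything is relaxed, so the script can gate a build image.
if (@($results | Where-Object Status -eq 'RELAXED').Count -gt 0) { exit 1 }
```

Run it elevated on a workstation after the scenario GPO has applied (gpupdate /force), or through Invoke-Command against a remote host. A Value of "not set" corresponds to the "not specified" state in the Notes: no policy has written the value, so the operating system default applies.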

Permissions Needed for Folder Redirection

When you set up folder redirection, the recommended approach is to create only the root share on the server and let the system create each user's folder. For the best experience, set the share permissions to Full Control for the security groups whose folders you are redirecting, and set the NTFS permissions on that folder to Full Control for this folder, subfolders, and files.

If you must create the folders for the users yourself, make sure you set the correct permissions. Tables 3, 4, and 5 show the default permissions that folder redirection applies and the minimum permissions it needs. Where least privilege matters, use the minimum column: the defaults grant Everyone Full Control on both the root folder and the share.

Table 3.    NTFS Permissions Needed for Root Folder

User account          Folder redirection defaults                       Minimum permissions needed
Creator/Owner         Full Control, this folder, subfolders, and files  Full Control, this folder, subfolders, and files
Local Administrator   Full Control, this folder, subfolders, and files  Full Control, this folder, subfolders, and files
Everyone              Full Control, this folder, subfolders, and files  List Folder/Read Data, Create Files/Write Data, Create Folders/Append Data, this folder only
Local System          Full Control, this folder, subfolders, and files  Full Control, this folder, subfolders, and files

Table 4.    Share Level (SMB) Permissions Required for Root Folder

User account  Folder redirection defaults  Minimum permissions needed
Everyone      Full Control                 No permissions for Everyone. Instead, grant the share to a security group that contains the users whose folders are redirected to it.

Table 5.    NTFS Permissions Required for Each User's Redirected Folder

User account  Folder redirection defaults                                                       Minimum permissions needed
%User Name%   Full Control, owner of folder                                                     Full Control, owner of folder
Local System  Full Control                                                                      Full Control
Everyone      Traverse Folder, Read Attributes, Read Extended Attributes, and Read Permissions  No permissions for Everyone
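The procedure above, carried out in PowerShell as an added example (the editor's code, not part of the appendix or of CommonScenarios.msi): it creates the root folder with the minimum NTFS permissions from Table 3, shares it with the minimum share permissions from Table 4, and provides a function that pre-creates one user's folder with the minimum permissions from Table 5 for the case where you must create the folders yourself. The root path D:\Redir, the share name Redir$, the group CONTOSO\Redirected-Users and the user CONTOSO\jdoe are placeholders; the script reads Table 3's "Local Administrator" as the local Administrators group; and New-SmbShare and Get-SmbShareAccess require the SmbShare module (Windows Server 2012 or later), so on an older server set the share permissions from the folder's Sharing tab instead. One deliberate departure from Table 3: the create-only rights on the root are granted to the redirected users' group rather than to Everyone, which is tighter than the page's minimum.

```powershell
# Added example (editor's code, not from the appendix or CommonScenarios.msi):
# root folder with the Table 3 minimum NTFS permissions, share with the
# Table 4 minimum share permissions, and an optional pre-created per-user
# folder with the Table 5 minimum permissions. Run elevated on the file server.
#
# Placeholders (assumptions, not from the page):
$Root      = 'D:\Redir'                    # root folder that holds all redirected folders
$ShareName = 'Redir$'                      # share name used in the redirection policy
$UserGroup = 'CONTOSO\Redirected-Users'    # group of the users whose folders are redirected

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$subtree     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'  # this folder, subfolders, and files
$thisOnly    = [System.Security.AccessControl.InheritanceFlags]::None                               # this folder only
$noProp      = [System.Security.AccessControl.PropagationFlags]::None
$allow       = [System.Security.AccessControl.AccessControlType]::Allow

function New-AllowRule([string]$Identity, $Rights, $Inheritance) {
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, $Inheritance, $noProp, $allow
}

# Reset a folder's DACL: stop inheriting from the parent and drop the inherited
# ACEs plus any explicit ones, so only the rules added afterwards remain.
function Reset-Dacl([string]$Path) {
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    return $acl
}

# ---- Root folder: Table 3 minimum NTFS permissions ------------------------
New-Item -Path $Root -ItemType Directory -Force | Out-Null
$acl = Reset-Dacl $Root

# Full Control, this folder, subfolders, and files. "Local Administrator" in
# Table 3 is taken here to mean the local Administrators group.
foreach ($id in 'CREATOR OWNER', 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-AllowRule $id $fullControl $subtree))
}

# List Folder/Read Data, Create Files/Write Data, Create Folders/Append Data,
# this folder only: just enough for a user to create his own subfolder, which
# the CREATOR OWNER entry then turns into Full Control for him. Table 3 gives
# this to Everyone; the example gives it to the redirected group only.
$createOwn = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData'
$acl.AddAccessRule((New-AllowRule $UserGroup $createOwn $thisOnly))
Set-Acl -Path $Root -AclObject $acl

# ---- Share: Table 4 minimum share permissions ------------------------------
# Nothing for Everyone; Full Control for the group that has to write here.
New-SmbShare -Name $ShareName -Path $Root -FullAccess $UserGroup | Out-Null

# ---- Pre-created user folder: Table 5 minimum NTFS permissions ------------
# Only needed if you create the folders yourself instead of letting the system
# create them. Changing the owner needs SeRestorePrivilege, which an elevated
# administrator holds.
function New-RedirectedUserFolder([string]$UserAccount) {
    $userRoot = Join-Path $Root ($UserAccount.Split('\')[-1])
    New-Item -Path $userRoot -ItemType Directory -Force | Out-Null
    $uacl = Reset-Dacl $userRoot
    $uacl.SetOwner([System.Security.Principal.NTAccount]$UserAccount)
    $uacl.AddAccessRule((New-AllowRule $UserAccount $fullControl $subtree))
    $uacl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM' $fullControl $subtree))
    # Deliberately no entry for Everyone.
    Set-Acl -Path $userRoot -AclObject $uacl
}
New-RedirectedUserFolder -UserAccount 'CONTOSO\jdoe'

# ---- Check the result against Tables 3 to 5 -------------------------------
(Get-Acl -Path $Root).Access | Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessRight -AutoSize
Get-Acl -Path (Join-Path $Root 'jdoe') | Format-List Owner, AccessToString
```

The checks at the end are the part to keep around: run them after any change to the share and compare the output with the minimum columns of Tables 3 to 5. If an Everyone entry shows up in the root folder's ACL or in the share access list, inheritance from the parent volume or the default share permissions have crept back in.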