
4. Managing the Desktop



Presentation Transcript


  1. 4. Managing the Desktop Thomas Lee Chief Technologist – QA plc

  2. Agenda • Definitions • History • Local/Group/System Policy • Admin Pack

  3. Definitions • User Profiles • User Data and Settings… • Outlook settings • Local/Group/System Policy • Allows administrative control of settings • Local Policy • Windows XP workstations • Group Policy • Windows 2000/.Net Domains • System Policy • NT4 Domains

  4. History And Motivation • Default user data • Hard to deploy customized app • Used empirical methods to find reg keys • Mandatory user data • Lots of settings with no policies • Confusion about default policies • Multiple user scenario • Setup only writes user data for the user who installed the app • Registry Tattooing

  5. New Policy Architecture • Office apps always write to their own areas - never to Policies hive • Policy templates write to HKCU\Software\Policies hive • Differences from System Policies in NT4/Win9x • Policies can be undone • Policy reapplied at each app boot • Policy reapplied without user logon • Policy reapplied while user is logged on

  6. Extending Policy with ADM files • ADM files describe policies • Template policies result in registry settings • Registry settings automatically applied to user environment • Applications that understand the policies can look for these settings

  7. ADM files • Reside in %systemroot%\inf • Simple structure - user extensible

        CLASS MACHINE

        CATEGORY !!WindowsComponents
          CATEGORY !!WindowsUpdateCat
            POLICY !!ImmediateInstall_Title
              KEYNAME "Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
              #if version >= 4
                SUPPORTED !!SUPPORTED_WindowXPSP1
              #endif
              VALUENAME "AutoInstallMinorUpdates"
              VALUEON NUMERIC 1
              VALUEOFF NUMERIC 0
            END POLICY
          END CATEGORY  ; closes WindowsUpdateCat (not shown on the slide)
        END CATEGORY    ; closes WindowsComponents (not shown on the slide)

        [strings]
        WindowsComponents="Windows Components"
        WindowsUpdateCat="Windows Update"
        ImmediateInstall_Title="Allow Automatic Updates immediate installation"
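To audit a template for the registry tattooing problem listed on slide 4, the following added example (not part of the original presentation or of any Microsoft tool) parses simple on/off policies like the one on slide 7 and flags any that write outside the Software\Policies hive. The second policy in the sample, its `Software\ExampleApp\Settings` key and the `DemoCat`/`DemoPref` names are constructed for contrast; PART blocks and the `#if`/`SUPPORTED` lines are not handled.

```python
import re

# Values under this prefix are removed when a policy stops applying; others tattoo.
POLICY_PREFIX = "software\\policies\\"

def parse_adm(text):
    """One dict per POLICY block; assumes KEYNAME is given inside each POLICY."""
    body, _, tail = text.partition("[strings]")
    strings = dict(re.findall(r'^\s*(\w+)\s*=\s*"(.*)"\s*$', tail, re.M))
    out, hive, cur = [], None, None
    for raw in body.splitlines():
        kw, arg = (raw.strip().replace('"', "").split(None, 1) + ["", ""])[:2]
        if kw == "CLASS":
            hive = "HKLM" if arg == "MACHINE" else "HKCU"
        elif kw == "POLICY":
            cur = {"name": strings.get(arg[2:], arg), "hive": hive}  # "!!x" -> [strings]
        elif kw in ("KEYNAME", "VALUENAME", "VALUEON", "VALUEOFF") and cur:
            cur[kw.lower()] = arg
        elif (kw, arg) == ("END", "POLICY"):
            cur["tattoos"] = not (cur.get("keyname", "").lower() + "\\").startswith(POLICY_PREFIX)
            out.append(cur)
            cur = None
    return out

# First policy is the one from slide 7; the CLASS USER policy is constructed sample data.
SAMPLE = r'''CLASS MACHINE
CATEGORY !!WindowsComponents
  CATEGORY !!WindowsUpdateCat
    POLICY !!ImmediateInstall_Title
      KEYNAME "Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
      VALUENAME "AutoInstallMinorUpdates"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END POLICY
  END CATEGORY
END CATEGORY
CLASS USER
CATEGORY !!DemoCat
  POLICY !!DemoPref
    KEYNAME "Software\ExampleApp\Settings"
    VALUENAME "HideToolbar"
  END POLICY
END CATEGORY
[strings]
WindowsComponents="Windows Components"
WindowsUpdateCat="Windows Update"
ImmediateInstall_Title="Allow Automatic Updates immediate installation"
DemoCat="Example App"
DemoPref="Hide toolbar"'''
```

Calling `parse_adm(SAMPLE)` returns two records; only the constructed `HKCU\Software\ExampleApp\Settings` policy has `tattoos` set to `True`.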

  8. Active Directory Structure • Domain • Tree • Forest • Objects • Attributes • OU (Diagram labels: Domain, Tree, Forest, Objects, GC, OU = Organizational Unit)

  9. Policy Inside AD • Domain/OU/Site objects • Have GPLINK property which points to… • Policy Container • Contains all the policies for the domain which points to… • Sysvol on DCs • Contain the actual policy

  10. Policy in Two Parts • Computer • Only affects Computer objects in an OU • User • Only affects User objects in an OU • Policies can affect one or both

  11. What can Policy do? • Enforce Security • Deploy Software • Enforce Settings

  12. Disabling Features • Disable menus and tool buttons • Disabled items are gray in UI • Tool tip is customizable • Predefined are easy • Any command bar item can be disabled.

  13. Local Group Policy Application • Secedit can be used to configure local group policy for: • Account and local policies • Event log • Restricted groups • File system, registry, system services • For administrative & application template settings: • Configure one machine manually • Copy %systemroot%\system32\GroupPolicy to new machines

  14. GPMC Feature Summary • New UI for managing Group Policy • Reporting • Search • Resultant Set of Policy (RSoP) integration • Backup/Restore • Copy/Paste and Import • Scripting of GPO operations (not settings)

  15. Managing GPO Scope and Inheritance • GPO Scope is managed by • Linking GPOs to an Active Directory Container (Sites, Domains and OUs) • Adding Security Filters to a GPO • Adding WMI Filters to a GPO • Group Policy inheritance can be altered by • Changing GPO link order • Enforce (previously No Override) • Block Inheritance

  16. Admin Pack (adminpak.msi) • Windows 2000 Admin Pack will not work with Windows XP • Windows 2003 Admin Pack does • Requires XP SP1 (or see KB 329357) • Get download from: http://tinyurl.com/ab7q

  17. Show me… • Local Policy • ADM files • Policy architecture inside AD • Managing Scope

  18. Group Policy Management Console • Manages Active Directory Group Policy • Free download • Used in Windows 2000 and Windows 2003 domains • Runs on Windows XP SP1 and Windows 2003 Server • GPMC Rocks

  19. GPMC Feature Summary • New UI for managing Group Policy • Reporting • Search • Resultant Set of Policy (RSoP) integration • Backup/Restore • Copy/Paste and Export/Import • Scripting of GPO operations

  20. Resultant Set Of Policy (RSoP) • Shows conflict resolution of policy settings • Example • Both GPO A and GPO B apply to same user • GPO A sets Wallpaper = Red Moon Desert • GPO B sets Wallpaper = Bliss • RSoP data tells you • Which setting ultimately “wins” • Which GPO set that winning setting • Precedence info (the “losing” GPOs) • Allows you to more easily plan and troubleshoot Group Policy deployments
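How link order, Enforce and Block Inheritance (slide 15) decide the winner that RSoP reports (slide 20) is shown in this added example, which is not from the original presentation and is not GPMC's own RSoP engine. It is a simplified model that ignores security and WMI filters, loopback and local policy; the container names `example.test` and `OU=Staff` are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    settings: dict
    enforced: bool = False

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # index 0 = link order 1 (highest precedence)
    block_inheritance: bool = False

def rsop(path):
    """path: containers from the top (site/domain) down to the object's OU.
    Returns {setting: (value, winning GPO, [losing GPOs, strongest first])}."""
    # Block Inheritance drops non-enforced links from every container above it.
    barrier = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    applied = []  # application order, weakest first; the last writer wins
    for depth, c in enumerate(path):
        if depth >= barrier:
            applied += [l for l in reversed(c.links) if not l.enforced]
    # Enforced links apply after everything else; the highest container goes last.
    for c in reversed(path):
        applied += [l for l in reversed(c.links) if l.enforced]
    history = {}
    for link in applied:
        for name, value in link.settings.items():
            history.setdefault(name, []).append((value, link.gpo))
    return {n: (h[-1][0], h[-1][1], [g for _, g in reversed(h[:-1])])
            for n, h in history.items()}

def sample(enforce_a=False, block_ou=False):
    # Constructed layout using the wallpaper conflict from the RSoP slide
    gpo_a = Link("GPO A", {"Wallpaper": "Red Moon Desert"}, enforced=enforce_a)
    gpo_b = Link("GPO B", {"Wallpaper": "Bliss"})
    domain = Container("example.test", [gpo_a])
    ou = Container("OU=Staff", [gpo_b], block_inheritance=block_ou)
    return rsop([domain, ou])["Wallpaper"]

if __name__ == "__main__":
    for kw in ({}, {"enforce_a": True}, {"block_ou": True}):
        print(kw, sample(**kw))
```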

  21. Show me… • GPMC User Interface • Backup/Restore of Policies • RSOP

  22. General GP Guidelines • Limit who can create and modify GPOs • Use Enforce/Block Inheritance and Deny sparingly • Consider loopback for some scenarios • Applies user settings based on the location of the computer (not just the user) • Example: Exchange admin logging on to an Exchange server – don’t want user assigned applications to be applied • Consider for closely managed environments such as labs, servers (Exchange, IIS, etc) and terminal servers

  23. Performance GP Considerations • Fewer GPOs per user/computer is better - but GPO contents are more important • Avoid cross-domain GPO linking • Use WMI Filters sparingly

  24. GP Deployment • Stage policy deployments prior to production deployment • Staging domain is easy to build using GPMC • Roll out major changes to Group Policy incrementally

  25. Best Practices • Plan carefully • Policy design can drive OU design • OU design can drive policy design • Test, test, test • Use GPMC

  26. Resources • Group Policy Web sites • www.microsoft.com/grouppolicy • www.microsoft.com/technet/grouppolicy • GPMC Web site www.microsoft.com/windowsserver2003/gpmc/ • Scripting resources • 32 sample scripts included with the product • %programfiles%\gpmc\scripts • GPMC SDK • %programfiles%\gpmc\scripts\gpmc.chm • Also in Platform SDK • Newsgroup • microsoft.public.windows.group_policy

  27. Questions
