4. Managing the Desktop - PowerPoint PPT Presentation

Slides: 28
Provided by: mikej3

Transcript and Presenter's Notes

Title: 4. Managing the Desktop


1
4. Managing the Desktop
  • Thomas Lee
  • Chief Technologist QA plc

2
Agenda
  • Definitions
  • History
  • Local/Group/System Policy
  • Admin Pack

3
Definitions
  • User Profiles
  • User Data and Settings
  • Outlook settings
  • Local/Group/System Policy
  • Allows administrative control of settings
  • Local Policy
  • Windows XP workstations
  • Group Policy
  • Windows 2000/.Net Domains
  • System Policy
  • NT4 Domains

4
History And Motivation
  • Default user data
  • Hard to deploy customized app
  • Used empirical methods to find reg keys
  • Mandatory user data
  • Lots of settings with no policies
  • Confusion about default policies
  • Multiple user scenario
  • Setup only writes user data for the user who
    installed the app
  • Registry Tattooing

5
New Policy Architecture
  • Office apps always write to their own areas -
    never to Policies hive
  • Policy templates write to HKCU\Software\Policies
    hive
  • Differences from System Policies in NT4/Win9x
  • Policies can be undone
  • Policy reapplied at each app boot
  • Policy reapplied without user logon
  • Policy reapplied while user is logged on

6
Extending Policy with ADM files
  • ADM files describe policies
  • Template policies result in registry settings
  • Registry settings automatically applied to user
    environment
  • Applications that understand the policies can
    look for these settings

7
ADM files
  • Reside in %systemroot%\inf
  • Simple structure - user extensible

CLASS MACHINE

CATEGORY !!WindowsComponents
  CATEGORY !!WindowsUpdateCat
    POLICY !!ImmediateInstall_Title
      KEYNAME "Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
      #if version >= 4
        SUPPORTED !!SUPPORTED_WindowXPSP1
      #endif
      VALUENAME "AutoInstallMinorUpdates"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
  END CATEGORY
END CATEGORY

[strings]
WindowsComponents="Windows Components"
WindowsUpdateCat="Windows Update"
ImmediateInstall_Title="Allow Automatic Updates immediate installation"

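
Added example (not from the original slides): a small Python parser that turns an ADM template like the one above into the registry value it sets, and flags any policy whose KEYNAME falls outside the Policies trees, which is where the registry tattooing mentioned on slide 4 comes from. ADM_TEXT is the slide's excerpt laid out as a constructed sample with the #if/SUPPORTED lines left out; parse_adm, POLICY_TREES and the managed field are names chosen for this example.

```python
import re
# Constructed sample: the template excerpt from the slide, one directive per line.
ADM_TEXT = r'''
CLASS MACHINE
CATEGORY !!WindowsComponents
  CATEGORY !!WindowsUpdateCat
    POLICY !!ImmediateInstall_Title
      KEYNAME "Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
      VALUENAME "AutoInstallMinorUpdates"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END POLICY
  END CATEGORY
END CATEGORY
[strings]
WindowsComponents="Windows Components"
WindowsUpdateCat="Windows Update"
ImmediateInstall_Title="Allow Automatic Updates immediate installation"
'''

# Registry trees that Group Policy cleans up; a key anywhere else "tattoos" the registry.
POLICY_TREES = ("software\\policies\\", "software\\microsoft\\windows\\currentversion\\policies\\")

def parse_adm(text):
    """Return one dict per POLICY block: name, category path, hive, key, value data."""
    body, _, tail = text.partition("[strings]")
    strings = dict(re.findall(r'^\s*(\w+)\s*=\s*"(.*)"\s*$', tail, re.M))
    def resolve(tok):             # "!!Name" is looked up in [strings]; else strip quotes
        return strings.get(tok[2:], tok) if tok.startswith("!!") else tok.strip('"')
    hive, cats, cur, out = None, [], None, []
    for line in body.splitlines():
        kw, _, arg = line.strip().replace("\t", " ").partition(" ")
        kw, arg = kw.upper(), arg.strip()
        if kw == "CLASS":
            hive = "HKLM" if arg.upper() == "MACHINE" else "HKCU"
        elif kw == "CATEGORY":
            cats.append(resolve(arg))
        elif kw == "POLICY":
            cur = {"name": resolve(arg), "path": list(cats), "hive": hive}
        elif kw == "END" and arg.upper() == "CATEGORY" and cats:
            cats.pop()
        elif kw == "END" and arg.upper() == "POLICY" and cur:
            out.append(cur)
            cur = None
        elif cur and kw in ("KEYNAME", "VALUENAME"):
            cur[kw.lower()] = resolve(arg)
        elif cur and kw in ("VALUEON", "VALUEOFF"):
            cur[kw.lower()] = int(arg.split()[-1])   # "NUMERIC n" form only
    return [dict(p, managed=p.get("keyname", "").lower().startswith(POLICY_TREES)) for p in out]
```

A policy reported with managed set to False writes outside the Policies trees, so its value stays behind after the GPO stops applying.
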
8
Active Directory Structure
  • Domain
  • Tree
  • Forest
  • Objects
  • Attributes
  • OU

9
Policy Inside AD
  • Domain/OU/Site objects
  • Have GPLINK property which points to
  • Policy Container
  • Contains all the policies for the domain which
    points to
  • Sysvol on DCs
  • Contain the actual policy

10
Policy in Two Parts
  • Computer
  • Only affects Computer objects in an OU
  • User
  • Only affects User objects in an OU
  • Policies can affect one or both

11
What can Policy do?
  • Enforce Security
  • Deploy Software
  • Enforce Settings

12
Disabling Features
  • Disable menus and tool buttons
  • Disabled items are gray in UI
  • Tool tip is customizable
  • Predefined are easy
  • Any command bar item can be disabled.

13
Local Group Policy Application
  • Secedit can be used to configure local group
    policy for
  • Account and local policies
  • Event log
  • Restricted groups
  • File system, registry, system services
  • For administrative application template
    settings
  • Configure one machine manually
  • Copy %systemroot%\system32\GroupPolicy to new
    machines

14
GPMC Feature Summary
  • New UI for managing Group Policy
  • Reporting
  • Search
  • Resultant Set of Policy (RSoP) integration
  • Backup/Restore
  • Copy/Paste and Import
  • Scripting of GPO operations (not settings)

15
Managing GPO Scope and Inheritance
  • GPO Scope is managed by
  • Linking GPOs to an Active Directory Container
    (Sites, Domains and OUs)
  • Adding Security Filters to a GPO
  • Adding WMI Filters to a GPO
  • Group Policy inheritance can be altered by
  • Changing GPO link order
  • Enforce (previously No Override)
  • Block Inheritance

16
Admin Pack (adminpak.msi)
  • Windows 2000 Admin Pack will not work with
    Windows XP?
  • Windows 2003 Admin Pack does
  • Requires XP SP1 (or see KB 329357)
  • Get download from http://tinyurl.com/ab7q

17
Show me
  • Local Policy
  • ADM files
  • Policy architecture inside AD
  • Managing Scope

18
Group Policy Management Console
  • Manages Active Directory Group Policy
  • Free download
  • Used in Windows 2000 and Windows 2003 domains
  • Runs on Windows XP SP1 and Windows 2003 Server
  • GPMC Rocks

19
GPMC Feature Summary
  • New UI for managing Group Policy
  • Reporting
  • Search
  • Resultant Set of Policy (RSoP) integration
  • Backup/Restore
  • Copy/Paste and Export/Import
  • Scripting of GPO operations

20
Resultant Set Of Policy (RSoP)
  • Shows conflict resolution of policy settings
  • Example
  • Both GPO A and GPO B apply to same user
  • GPO A sets Wallpaper = Red Moon Desert
  • GPO B sets Wallpaper = Bliss
  • RSoP data tells you
  • Which setting ultimately wins
  • Which GPO set that winning setting
  • Precedence info (the losing GPOs)
  • Allows you to more easily plan and troubleshoot
    Group Policy deployments
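
Added example (not from the original slides): a simplified Python model of how link order, Enforce and Block Inheritance from slide 15 decide the winner that RSoP reports for the wallpaper conflict. It assumes GPO A is linked at the domain and GPO B at an OU, which the slide does not state, and leaves out local policy, security filtering and WMI filters; all class and function names are made up for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Link:                       # one GPO link on a container
    gpo: str
    settings: dict
    enforced: bool = False        # "Enforce" (previously "No Override")

@dataclass
class Container:                  # a site, domain or OU
    name: str
    links: list = field(default_factory=list)   # index 0 = link order 1
    block_inheritance: bool = False

def rsop(chain, setting):
    """chain lists containers from least to most specific (domain, OU, child OU).
    Returns (winning value, winning GPO, losing GPOs from strongest to weakest)."""
    normal, enforced = [], []
    for c in chain:
        if c.block_inheritance:
            normal = []           # drops non-enforced links inherited from above
        # Link order 1 is applied last within a container, hence reversed().
        hits = [ln for ln in reversed(c.links) if setting in ln.settings]
        normal += [ln for ln in hits if not ln.enforced]
        # Enforced links are applied after all normal ones, and the highest
        # container is written last, so lower containers go in front.
        enforced = [ln for ln in hits if ln.enforced] + enforced
    applied = normal + enforced
    if not applied:
        return None, None, []
    winner = applied[-1]
    return winner.settings[setting], winner.gpo, [ln.gpo for ln in reversed(applied[:-1])]

def demo(enforce_a=False, block_ou=False):
    # Constructed scenario: the slide does not say where GPO A and B are linked.
    a = Link("GPO A", {"Wallpaper": "Red Moon Desert"}, enforced=enforce_a)
    b = Link("GPO B", {"Wallpaper": "Bliss"})
    domain = Container("example.test", [a])
    ou = Container("OU=Staff", [b], block_inheritance=block_ou)
    return rsop([domain, ou], "Wallpaper")

if __name__ == "__main__":
    for kwargs in ({}, {"enforce_a": True}, {"block_ou": True}):
        print(kwargs, demo(**kwargs))
```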

21
Show me
  • GPMC User Interface
  • Backup/Restore of Policies
  • RSOP

22
General GP Guidelines
  • Limit who can create and modify GPOs
  • Use Enforce/Block Inheritance and Deny sparingly
  • Consider loopback for some scenarios
  • Applies user settings based on the location of
    the computer (not just the user)
  • Example: Exchange admin logging on to an Exchange
    server; don't want user-assigned applications to
    be applied
  • Consider for closely managed environments such as
    labs, servers (Exchange, IIS, etc) and terminal
    servers

23
Performance GP Considerations
  • Fewer GPOs per user/computer is better - but GPO
    contents are more important
  • Avoid cross-domain GPO linking
  • Use WMI Filters sparingly

24
GP Deployment
  • Stage policy deployments prior to production
    deployment
  • Staging domain is easy to build using GPMC
  • Roll out major changes to Group Policy
    incrementally

25
Best Practices
  • Plan carefully
  • Policy design can drive OU design
  • OU design can drive policy design
  • Test, test, test
  • Use GPMC

26
Resources
  • Group Policy Web sites
  • www.microsoft.com/grouppolicy
  • www.microsoft.com/technet/grouppolicy
  • GPMC Web site: www.microsoft.com/windowsserver2003/gpmc/
  • Scripting resources
  • 32 sample scripts included with the product
  • %programfiles%\gpmc\scripts
  • GPMC SDK
  • %programfiles%\gpmc\scripts\gpmc.chm
  • Also in Platform SDK
  • Newsgroup
  • microsoft.public.windows.group_policy

27
Questions