4. Managing the Desktop

1
4. Managing the Desktop

• Thomas Lee
• Chief Technologist QA plc

2
Agenda

• Definitions
• History
• Local/Group/System Policy
• Admin Pack

3
Definitions

• User Profiles
• User Data and Settings
• Outlook settings
• Local/Group/System Policy
• Allows administrative control of settings
• Local Policy
• Windows XP workstations
• Group Policy
• Windows 2000/.Net Domains
• System Policy
• NT4 Domains

4
History And Motivation

• Default user data
• Hard to deploy customized app
• Used empirical methods to find reg keys
• Mandatory user data
• Lots of settings with no policies
• Confusion about default policies
• Multiple user scenario
• Setup only writes user data for the user who
  installed the app
• Registry Tattooing

5
New Policy Architecture

• Office apps always write to their own areas -
  never to Policies hive
• Policy templates write to HKCU\Software\Policies
  hive
• Differences from System Polices in NT4/WIn9x
• Policies can be undone
• Policy reapplied at each app boot
• Policy reapplied without user logon
• Policy reapplied while user is logged on

6
Extending Policy with ADM files

• ADM files describe polices
• Template policies result in registry settings
• Registry settings automatically applied to user
  environment
• Applications that understand the policies can
  look for these settings

7
ADM files

• Reside in systemroot\inf
• Simple structure - user Extensible

CLASS MACHINE CATEGORY !!WindowsComponents
CATEGORY !!WindowsUpdateCat POLICY
!!ImmediateInstall_Title KEYNAME
"Software\Policies\Microsoft\Windows\WindowsUpdate
\AU" if version 4 SUPPORTED
!!SUPPORTED_WindowXPSP1 endif VALUENAME
"AutoInstallMinorUpdates" VALUEON NUMERIC
1 VALUEOFF NUMERIC 0 END
POLICY strings WindowsComponents"Windows
Components" WindowsUpdateCat"Windows
Update ImmediateInstall_Title"Allow Automatic
Updates immediate installation"
8
Active Directory Structure

• Domain
• Tree
• Forest
• Objects
• Attributes
• OU

9
Policy Inside AD

• Domain/OU/Site objects
• Have GPLINK property which points to
• Policy Container
• Contains all the policies for the domain which
  points to
• Sysvol on DCs
• Contain the actual policy

10
Policy in Two Parts

• Computer
• Only affects Computer objects in an OU
• User
• Only affects User objects in an OU
• Polices can affect one or both

11
What can Policy do?

• Enforce Security
• Deploy Software
• Enforce Settings

12
Disabling Features

• Disable menus and tool buttons
• Disabled items are gray in UI
• Tool tip is customizable
• Predefined are easy
• Any command bar item can be disabled.

13
Local Group Policy Application

• Secedit can be used to configure local group
  policy for
• Account and local policies
• Event log
• Restricted groups
• File system, registry, system services
• For administrative application template
  settings
• configure one machine manually
• Copy systemroot\system32\GroupPolicy to new
  machines

14
GPMC Feature Summary

• New UI for managing Group Policy
• Reporting
• Search
• Resultant Set of Policy (RSoP) integration
• Backup/Restore
• Copy/Paste and Import
• Scripting of GPO operations (not settings)

15
Managing GPO Scope and Inheritance

• GPO Scope is managed by
• Linking GPOs to an Active Directory Container
  (Sites, Domains and OUs)
• Adding Security Filters to a GPO
• Adding WMI Filters to a GPO
• Group Policy inheritance can be altered by
• Changing GPO link order
• Enforce (previously No Override)
• Block Inheritance

16
Admin Pack (adminpak.msi)

• Windows 2000 Admin Pack will not work with
  Windows XP?
• Windows 2003 Admin Pack does ?
• Requires XP SP1 (or see KB 329357)
• Get download from http//tinyurl.com/ab7q

17
Show me

• Local Policy
• ADM files
• Policy architecture inside AD
• Managing Scope

18
Group Policy Management Console

• Manages Active Directory Group Policy
• Free download
• Used in Windows 2000 and Windows 2003 domains
• Runs on Windows XP SP1 and Windows 2003 Server
• GPMC Rocks ?

19
GPMC Feature Summary

• New UI for managing Group Policy
• Reporting
• Search
• Resultant Set of Policy (RSoP) integration
• Backup/Restore
• Copy/Paste and Export/Import
• Scripting of GPO operations

20
Resultant Set Of Policy (RSoP)

• Shows conflict resolution of policy settings
• Example
• Both GPO A and GPO B apply to same user
• GPO A sets Wallpaper Red Moon Desert
• GPO B sets Wallpaper Bliss
• RSoP data tells you
• Which setting ultimately wins
• Which GPO set that winning setting
• Precedence info (the losing GPOs)
• Allows you to more easily plan and troubleshoot
  Group Policy deployments

21
Show me

• GPMC User Interface
• Backup/Restore of Policies
• RSOP

22
General GP Guidelines

• Limit who can create and modify GPOs
• Use Enforce/Block Inheritance and Deny sparingly
• Consider loopback for some scenarios
• Applies user settings based on the location of
  the computer (not just the user)
• Example Exchange admin logging on to an Exchange
  server dont want user assigned applications to
  be applied
• Consider for closely managed environments such as
  labs, servers (Exchange, IIS, etc) and terminal
  servers

23
Performance GP Considerations

• Fewer GPOs per user/computer is better - but GPO
  contents are more important
• Avoid cross-domain GPO linking
• Use WMI Filters sparingly

24
GP Deployment

• Stage policy deployments prior to production
  deployment
• Staging domain is easy to build using GPMC
• Roll out major changes to Group Policy
  incrementally

25
Best Practices

• Plan carefully
• Policy design can drive OU design
• OU design can drive policy design
• Test, test, test
• Use GPMC

26
Resources

• Group Policy Web sites
• www.microsoft.com/grouppolicy
• www.microsoft.com/technet/grouppolicy
• GPMC Web site www.microsoft.com/windowsserver2003/
  gpmc/
• Scripting resources
• 32 sample scripts included with the product
• programfiles\gpmc\scripts
• GPMC SDK
• programfiles\gpmc\scripts\gpmc.chm
• Also in Platform SDK
• Newsgroup
• microsoft.public.windows.group_policy

27
Questions