Administering%20Group%20Policy

1
Administering Group Policy

• Group Policy Concepts
• Group Policy Implementation Planning
• Implementing Group Policy
• Managing Software Using Group Policy
• Managing Special Folders Using Group Policy
• Troubleshooting Group Policy

2
Group Policy Concepts

• What Is Group Policy?
• Group Policy Objects
• Delegating Control of Group Policy
• The Group Policy Snap-In
• Group Policy Settings
• Computer and User Configuration Settings
• The MMC Snap-In Model
• Group Policy Snap-In Namespace
• How Group Policy Affects Startup and Logon
• How Group Policy Is Processed
• Group Policy Inheritance
• Using Security Groups to Filter Group Policy

3
What Is Group Policy?

• A group policy is a collection of user and
  computer configuration settings that can be
  linked to computers, sites, domains, and OUs to
  specify the behavior of users desktops.
• Group policies can determine the programs that
  are available to users, the programs that appear
  on the users desktops, and Start menu options.

4
Group Policy Objects

• GPOs are used to create a specific desktop
  configuration for a particular group of users.
• GPOs are collections of group policy settings.
• Each Windows 2000 computer has one local GPO and
  is subject to any number of nonlocal Active
  Directorybased GPOs.
• Local GPO settings can be overridden by nonlocal
  GPOs, so the local GPO is the least influential
  if the computer is in an Active Directory
  environment.

5
Group Policy Objects (cont)

• In a nonnetworked environment, the local GPOs
  settings are more important because they are not
  overwritten by nonlocal GPOs.
• Nonlocal GPOs are linked to Active Directory
  objects and can be applied to either users or
  computers.
• To use nonlocal GPOs, a Microsoft Windows 2000
  domain controller must be installed.
• Nonlocal GPOs are applied hierarchically from the
  least restrictive group (site) to the most
  restrictive group (OU) and are cumulative.

6
Delegating Control of Group Policy

• Determine which administrative groups can
  administer GPOs by defining access permissions
  for each GPO.
• Assign Read and Write permissions to a GPO for an
  administrative group the group delegates control
  of the GPO.

7
Group Policy Snap-In
8
Group Policy Snap-In Overview

• The MMC snap-in is used to organize and manage
  the many group policy settings in each GPO.
• Depending on the action to perform, the Group
  Policy snap-in can be opened in several ways.

9
Group Policy Settings

• Contained in a GPO
• Determine the users desktop environment
• Two types Computer configuration settings and
  user configuration settings

10
Computer Configuration Settings

• Used to set group policies applied to computers,
  regardless of who logs on
• Applied when the OS initializes
• Include Software Settings, Windows Settings, and
  Administrative Templates

11
Users Configuration Settings

• Used to set group policies applied to users,
  regardless of which computer the user logs on to
• Applied when users log on to the computer
• Include Software Settings, Windows Settings, and
  Administrative Templates

12
Software Settings
13
Windows Settings
14
Scripts

• Two types of scripts startup/shutdown and
  logon/logoff.
• Startup/shutdown scripts run at computer startup
  or shutdown.
• Logon/logoff scripts run when a user logs on or
  off the computer.
• When multiple scripts are assigned to a user or
  computer, Windows 2000 executes the scripts from
  top to bottom.
• The order of execution for multiple scripts can
  be specified in the Properties dialog box.

15
Scripts (cont)

• When a computer is shut down, Windows 2000 first
  processes logoff scripts, followed by shutdown
  scripts.
• The default timeout value for processing scripts
  is 10 minutes.
• A software policy can be used to adjust the
  timeout value if the logoff and shutdown scripts
  require more than 10 minutes to process.
• Administrators can use any ActiveX scripting
  language they choose.
• Scripting languages include VBScript, JScript,
  Perl, and MS-DOS style batch files.

16
Security Settings

• Security Settings allows a security administrator
  to manually configure security levels assigned to
  a local or nonlocal GPO.
• The configuration can be done after, or instead
  of, using a security template to set system
  security.

17
Additional User Configuration Group Policy
Settings

• Internet Explorer Maintenance Allows the
  administration and customization of IE on Windows
  2000 computers
• Remote Installation Services Used to control the
  behavior of remote OS installation optionally,
  RIS can be used to provide customized packages
  for non-Windows 2000 clients of Active Directory
• Folder Redirection Allows for the redirection of
  Windows 2000 special folders from their default
  user profile location to an alternate location on
  the network, where they can be centrally managed

18
Administrative Templates
19
Administrative Templates Overview

• More than 450 settings are available for
  configuring the user environment.
• Computer configurations are saved in the registry
  in HKEY_LOCAL_MACHINE (HKLM).
• User configurations are saved in the registry in
  HKEY_CURRENT_USER (HKCU).

20
Computer and User Configurations

• Administrative Templates contains all
  registry-based group policy settings, including
  settings for Windows Components, System, and
  Network.
• Windows Components Allows the administration of
  the Windows 2000 components, including
  NetMeeting, Internet Explorer, Windows Explorer,
  MMC, Task Scheduler, and Windows Installer.
• System Used to control logon and logoff
  functions and group policy itself.
• Network Allows the control of settings for
  Offline Files and Network and Dial-Up Connections.

21
Computer Configuration Only

• Administrative Templates contain additional group
  policy settings for Printers.
• System Settings contain Disk Quotas, and DNS
  Client and Windows File Protection.

22
User Configuration Only

• Administrative Templates contains additional
  registry-based group policy settings.
• Start Menu Taskbar settings Control a users
  Start menu and taskbar
• Desktop settings Control the appearance of a
  users desktop
• Control Panel settings Determine the Control
  Panel options available to a user

23
The MMC Snap-In Model

• Nodes of the Group Policy snap-in are MMC snap-in
  extensions.
• By default, all the available Group Policy
  snap-in extensions are loaded when the Group
  Policy snap-in is started.
• The default behavior can be modified by using the
  MMC method of creating custom consoles and by
  using policy settings to control the behavior of
  MMC itself.
• The Administrative Templates node is used to
  configure the policy settings.
• Developers can create an MMC extension to the
  Group Policy snap-in to provide additional
  policies.
• Snap-in extensions may be extended.

24
Group Policy Snap-In Namespace

• The root node of the Group Policy snap-in is
  displayed as the name of the GPO and the domain
  to which it belongs.
• Format GPO Name DomainName Policy.
• Example Default Domain Controllers Policy
  server1. microsoft. com Policy.

25
How Group Policy Affects Startup on Logon

• The network starts, and RPCSS and MUP are
  started.
• An ordered list of GPOs is obtained for the
  computer.
• Computer configurations settings are processed.
• Startup scripts run.
• The user presses CtrlAltDelete to log on.
• After the user is validated, the user profile is
  loaded, governed by the group policy settings in
  effect.
• An ordered list of GPOs is obtained for the user.
• User configuration settings are processed.
• Logon scripts run.
• The OS user interface prescribed by group policy
  appears.

26
How Group Policy Is Processed

• Local GPO
• Each Windows 2000 computer has exactly one GPO
  stored locally.
• Site GPOs
• Any GPOs that have been linked to the site are
  processed next, synchronously the administrator
  specifies the order of GPOs linked to a site.
• Domain GPOs
• Multiple domain-linked GPOs are processed
  synchronously the administrator specifies the
  order of GPOs linked to a domain.
• OU GPOs
• GPOs linked to the OU highest in the Active
  Directory hierarchy are processed first, followed
  by GPOs linked to its child OU, and finally, the
  GPOs linked to the OU that contains the user or
  computer are processed.

27
Group Policy and Active Directory
28
Exceptions to the Processing Order

• A computer that is a member of a workgroup
  processes only the local GPO.
• No Override.
• Block Policy Inheritance.
• Loopback setting.

29
Group Policy Inheritance

• Group policy is passed down from parent to child
  containers.
• If a separate group policy is assigned to a
  parent container, that group policy applies to
  all containers beneath the parent container,
  including the user and computer objects in the
  container.
• If a group policy setting is specified for a
  child container, the child containers group
  policy setting overrides the setting inherited
  from the parent container.
• If a parent OU has policy settings that are not
  configured, the child OU does not inherit them.

30
Group Policy Inheritance (cont)

• Policy settings that are disabled are inherited
  as disabled.
• If a policy is configured for a parent OU, but
  not for a child OU, the child inherits that
  parents policy setting.
• If a parent policy and a child policy are
  compatible, the child inherits the parent policy,
  and the childs setting is also applied.
• Policies are inherited as long as they are
  compatible.
• If a policy configured for a parent OU is
  incompatible with the same policy configured for
  a child OU, the child does not inherit the policy
  setting from the parent the setting in the child
  is applied.

31
Using Security Groups to Filter Group Policy

• Because more than one GPO can be linked to a
  site, domain, or OU, GPOs associated with other
  directory objects may need to be linked.
• By setting the appropriate permissions for
  security groups, group policy can be filtered to
  influence only the computers and users specified.

32
Group PolicyImplementation Planning

• Designing GPOs by Setting Type
• GPO Implementation Strategies
• Layered vs. Monolithic GPO Design
• Functional Roles vs. Team Design
• OU Delegation with Central or Distributed Control

33
GPO Setting Types
34
Single Policy Type

• Includes GPOs that deliver a single type of group
  policy setting.
• The goal is to separate each type of group policy
  setting into a separate GPO.
• Create a GPO for software management settings,
  user documents and settings, software policies,
  and so on.
• Give Read/Write access only to the user or users
  who need to administer a GPO.
• Best suited for organizations in which
  administrative responsibilities are delegated
  among several individuals.

35
Multiple Policy Type

• Includes GPOs that deliver multiple types of
  group policy settings.
• The goal is to include multiple types of group
  policy settings in a single GPO.
• Best suited for organizations in which
  administrative responsibilities are centralized
  and an administrator may need to perform many or
  all types of group policy administration.

36
Dedicated Policy Type

• Includes GPOs dedicated to either Computer
  Configuration or User Configuration group
  policies.
• The goal is to include all User Configuration
  group policy settings in one GPO and all Computer
  Configuration group policy settings in a separate
  GPO.
• Increases the number of GPOs that must be
  processed at logon lengthens logon time.
• Aids in troubleshooting.

37
GPO Implementation Strategies

• Planning an AD structure requires consideration
  of how group policy will be implemented for the
  organization.
• Delegation of authority, separation of
  administrative duties, central versus
  decentralized administration, and design
  flexibility are important factors.
• Most organizations will combine several
  strategies to create custom solutions.

38
Layered vs. Monolithic Design
39
Layered

• The goal is to include a specific policy setting
  in as few GPOs as possible.
• Create a base GPO to be applied to the domain
  that contains policy settings for as many users
  and computers in the domain as possible.
• Create additional GPOs tailored to the common
  requirements of each corporate group and apply
  them to the appropriate OUs.
• When a change is required, GPOs have to be
  modified to enforce the change.
• Administration is simplified at the expense of a
  longer logon time.
• Best suited for environments in which different
  groups in the organization have common security
  concerns and changes to group policy are frequent.

40
Monolithic

• The goal is to use very few GPOs for any given
  user or computer.
• All the policy settings required for a given
  site, domain, or OU should be implemented within
  a single GPO.
• If the site, domain, or OU has groups of users or
  computers with different policy requirements,
  consider subdividing the container into OUs and
  applying separate GPOs to each OU rather than to
  the parent.
• Changes involve more administration than with the
  layered approach because the settings may need to
  be changed in multiple GPOs.
• The logon time is shorter than it is with the
  layered approach.
• Best suited for environments in which users and
  computers can be classified into a small number
  of groups for policy assignment.

41
Functional Roles vs. Team Design
42
Functional Roles vs. Team Design Overview

• Active Directorys OU structure was designed to
  facilitate ease of administration and delegation
  of authority.
• The OU structure may or may not represent the
  functional roles within the organization.
• When designing group policy for an organization
  with a functional role OU structure, the group
  policy should be designed by delegating control
  to the OU levels.
• If the OU architecture does not represent group
  organization, then OU delegation of control
  should be used, but groups should be used as a
  filtering mechanism for applying group policy.

43
Functional Roles Design

• The goal is to use an OU structure that reflects
  the functional roles within the organization for
  applying group policy.
• A minimum number of GPOs is used, with each
  tailored to a groups specific needs.
• A GPO is created for each OU.
• Network administrators can set ACL permissions
  for GPO administration either at the domain or OU
  administrator level.
• Best suited for organizations designed according
  to functional roles groups of users organized
  according to users occupations.
• Each functional role requires specific group
  policies.

44
Team Design

• The goal is to use groups as a filtering
  mechanism in applying group policy in an
  organization that uses the virtual team concept.
• Individuals within the organization form teams to
  perform a task or project and each individual is
  a member of multiple teams.
• Each team has specific group policy requirements.
• Eliminates complexity by strategically applying
  the GPOs at only one location.
• Allows administrators to centrally administer the
  GPOs and minimizes the GPO-to-OU assignments.
• Best suited for organizations that need an
  efficient and flexible method of managing group
  policy in a dynamic environment with an OU
  architecture that does not reflect the team
  structure.

45
Central vs. Distributed Control
46
OU Delegation Overview

• Administration of OUs can be delegated.
• OU administrators may need to block group
  policies that have been assigned to their OU at
  higher organizational levels.
• Certain policies may need to be enforced, and OU
  administrators will not be allowed to block them.
• Accomplished by using a central or distributed
  control design

47
Central Control Design

• Offers delegated administration as well as
  centralized control.
• Use the No Override option on OUs.
• Create a GPO to include only security settings
  for a domain, and then set the No Override option
  so that all child OUs are affected by the
  security options specified at the domain level.
• For all other types of policy, control of those
  GPOs could be delegated to the specific OU
  administrators.
• Best suited for organizations that choose to
  delegate administration of OUs, but would like to
  enforce certain group policies throughout the
  domain.

48
Distributed Control Design

• Administrators of OUs are allowed to block group
  policies from being applied to their OU, but
  cant block group policies marked as No Override.
• Create GPOs for each OU.
• Set ACL permissions allowing OU administrators
  full control over GPOs.
• Set the Block Policy Inheritance option for each
  OU.
• Best suited for organizations that choose to
  minimize the number of domains, but do not want
  to sacrifice autonomous administration of OUs.
• Allows administrators to enforce certain group
  policies throughout the domain.

49
Implementing Group Policy

• Implementing Group Policy
• Creating a GPO
• Creating a GPO Console
• Delegating Administrative Control of a GPO
• Specifying Group Policy Settings
• Disabling Unused Group Policy Settings
• Indicating GPO Processing Exceptions
• Filtering GPO Scope
• Linking a GPO
• Modifying Group Policy
• Removing a GPO Link
• Deleting a GPO
• Editing a GPO and GPO Settings
• Practice Implementing a Group Policy

50
Delegating Administrative Control of a GPO

• After a GPO is created, which groups of
  administrators have access permissions to the GPO
  must be determined.
• The Default Domain Policy GPO cannot be deleted
  by any administrator, by default.
• Prevents the accidental deletion of this GPO,
  which contains important required settings for
  the domain
• If working with a GPO from a pre-built console,
  such as Active Directory Users and Computers, the
  Delegation Of Control Wizard is not available for
  use in delegating administrative control of a
  GPO it only controls security of an object.

51
Default GPO Permissions

• Authenticated Users Read, Apply Group Policy,
  Special Permissions
• CREATOR OWNER Special Permissions
• Domain Administrators Read, Write, Create All
  Child Objects, Delete All Child Objects, Special
  Permissions
• Enterprise Administrators Read, Write, Create
  All Child Objects, Delete All Child Objects,
  Special Permissions
• SYSTEM Read, Write, Create All Child Objects,
  Delete All Child Objects, Special Permissions

52
Disabling Unused Group Policy Settings

• If a GPO has only settings that are Not
  Configured, then it is possible to avoid
  processing those settings by disabling the node.
• Disabling the node expedites startup and logon
  for those users and computers subject to the GPO.

53
Indicating GPO Processing Exceptions

• GPOs are processed according to the Active
  Directory hierarchy.
• The default order of processing group policy
  settings may be changed by several actions.

54
Modifying the Order of GPOs
55
Filtering GPO Scope

• Policies in a GPO apply only to users who have
  Read permission for that GPO.
• The scope of a GPO is filtered by creating
  security groups and then assigning Read
  permission to the selected groups.
• A policy is prevented from applying to a specific
  group by denying that group Read permissions to
  the GPO.

56
Permissions for GPO Scopes
57
Linking a GPO

• By default, a new GPO is linked to the site,
  domain, or OU that was selected in the MMC when
  it was created.
• Settings apply to that site, domain, or OU.
• The Group Policy tab for the site, domain, or OU
  properties is used to link a GPO to additional
  sites, domains, or OUs.

58
Add A Group Policy Object Link Dialog Box
59
Removing, Deleting, and Editing GPOs

• Removing a GPO Link
• Removing a GPO link unlinks the GPO from the
  specified site, domain, or OU.
• The GPO remains in Active Directory until it is
  deleted.
• Deleting a GPO
• Deleting a GPO removes it from Active Directory.
• Any sites, domains, or OUs to which a GPO is
  linked when it is deleted will no longer be
  affected by it.
• Editing a GPO
• The same procedures that are used for creating a
  GPO and for specifying group policy settings are
  used to edit a GPO or its settings.

60
Managing Software Using Group Policy

• Software Management Tools
• Assigning Applications
• Publishing Applications
• How Software Installation Works
• Implementing Software Installation
• Planning and Preparing a Software Installation
• Setting Up an SDP
• Specifying Software Installation Defaults
• Deploying Software Applications
• Setting Automatic Installation Options
• Setting Up Application Categories
• Setting Software Application Properties
• Maintaining Software Applications

61
Managing Software Using Group Policy Overview

• The Software Installation extension is a software
  management feature of Windows 2000 that is an
  administrators primary tool for managing
  software within an organization.
• Managing software using Software Installation
  provides users with immediate access to the
  software they need to perform their jobs, and
  ensures that users have an easy and consistent
  experience when working with software throughout
  its life cycle.
• Users no longer need to look for a network share,
  use a CD-ROM, or install, fix, and upgrade
  software themselves.

62
Software Management Tools Overview

• The Software Installation extension of the Group
  Policy snap-in Used by administrators to manage
  software
• Windows Installer Installs software packaged in
  Windows Installer files
• Add/Remove Programs in Control Panel Used by
  users to manage software on their own computers

63
The Software Installation Extension

• Primary tool for managing software within an
  organization
• Works in conjunction with group policy and Active
  Directory
• Centrally manages the installation of software on
  a client computer by assigning applications to
  users or computers or by publishing applications
  for users
• Assigns required or mandatory software to users
  or to computers
• Publishes software that users might find useful
  to perform their jobs

64
Application Assigned to User

• The application is advertised to the user the
  next time he or she logs on to a workstation.
• The application advertisement follows the user
  regardless of which physical computer he or she
  actually uses.
• The application is installed the first time the
  user activates the application on the computer,
  either by selecting the application on the Start
  menu or by activating a document associated with
  the application.

65
Application Assigned to the Computer

• The application is advertised and the
  installation is performed when it is safe to do
  so.
• A safe time typically is when the computer
  starts up, so that no competing processes are on
  the computer.

66
Publishing Applications

• When the application is published to users, the
  application does not appear installed on the
  users computers.
• No shortcuts are visible on the desktop or Start
  menu.
• No changes are made to the local registry on the
  users computers.
• Advertisement attributes are stored in Active
  Directory.
• Information, such as the applications name and
  file associations, is exposed to the users in the
  Active Directory container.
• After publication, the application is available
  for user installation by using Add/Remove
  Programs in Control Panel or by clicking a file
  associated with the application.

67
How Software Installation Works

• The Software Installation extension uses Windows
  Installer technology to systematically maintain
  software.
• Windows Installer is a service that allows the OS
  to manage the installation process.

68
Windows Installers Three Key Parts

• An OS service that performs the installation,
  modification, and removal of the software in
  accordance with the information in the Windows
  Installer
• A database containing information that describes
  the installed state of the application
• An API that allows applications to interact with
  Windows Installer to install or remove additional
  features of the application after the initial
  installation is complete

69
Windows Installer Advantages

• Enables users to take advantage of self-repairing
  applications.
• Notes when a program file is missing and
  immediately reinstalls the damaged or missing
  files, thereby fixing the application.
• Makes modifications to customize the installation
  of a Windows Installer package at the time of
  assignment or publication modifications are
  saved with the .mst file extension.

70
Windows Installer Package

• The Windows Installer package is a file that
  contains explicit instructions on the
  installation and removal of specific
  applications.
• The developer provides the Windows Installer
  package .msi file and ships it with the
  application.
• If a Windows Installer package is not provided
  with an application, it may need to be created or
  the application may need to be repackaged, using
  a third-party tool.

71
Deploying Software with Software Installation Is
Limited to Only If

• Native Windows Installer package .msi files
  Developed as a part of the application and take
  full advantage of the Windows Installer
• Repackaged application .msi files Allow
  applications that do not have a native Windows
  Installer package to be repackaged
• An existing setup program (application .zap
  file) Installs an application by using its
  original SETUP.EXE program

72
Other Files Encountered During Software
Installation

• Patch .msp files Used for bug fixes, service
  packs, and similar files
• Application assignment scripts .aas files
  Contain instructions associated with the
  assignment or publication of a package

73
Customizing Windows Installer Packages

• Transforms can be used to customize Windows
  Installer applications.
• Customization is provided by allowing the
  original package to be transformed using
  authoring and repackaging tools.
• Some applications provide wizards or templates
  that permit a user to create modifications.

74
Tasks for Implementing Software Installation

• Planning and preparing the software installation
• Setting up a software distribution point
• Specifying software installation defaults
• Deploying software applications
• Setting automatic installation options
• Setting up application categories
• Setting software application properties
• Maintaining software applications

75
Planning and Preparing a Software Installation
Considerations

• Review the organizations software requirements
  on the basis of the overall organizational
  structure within Active Directory and available
  GPOs.
• Determine how to deploy the applications.
• Create a pilot to test how software will be
  assigned or published to users or computers.
• Prepare software using a format that allows the
  administrator to manage it based on what the
  organization requires.
• Test all of the Windows Installer packages or
  repackaged software.

76
Planning and Preparing a Software Installation
Strategies and Considerations

• Create OUs based on software management needs.
• Deploy software close to the root in the Active
  Directory tree.
• Deploy multiple applications with a single GPO.
• Publish or assign one application only once in
  the same GPO or in a series of GPOs that might
  apply to a single user or computer.

77
Planning and Preparing a Software
InstallationSoftware Licenses

• Licenses are required for software written by
  independent software vendors and distributed
  using SDPs.
• The administrator is responsible for matching the
  number of users who can access software to the
  number of licenses on hand.
• The administrator is responsible for verifying
  that guidelines provided by each ISV are being
  followed.
• The Administrator should gather the package
  formats for the software and perform any
  necessary modifications to the packages.

78
Setting Up an SDP

• Create the folders for the software on the file
  server that will be the SDP and make the folders
  network shares.
• Replicate the software to the SDPs by placing or
  copying the software, packages, modifications,
  all necessary files, and components to a
  distribution share(s) place all software in a
  separate folder on the SDP.
• Set the appropriate permissions on the folders so
  that only administrators can change the files,
  and users can only read the files from the SDP
  folders and shares use group policy to manage
  the software within the appropriate GPO.

79
Specifying Software Installation Defaults

• A GPO can contain several settings that affect
  how an application is installed, managed, and
  removed.
• The default settings for the new packages are
  globally defined within the GPO in the General
  tab of the Software Installation Properties
  dialog box.
• Some of the default settings can be changed later
  by editing the package properties in the Software
  Installation extension.

80
General Tab of the Software Installation
Properties
81
Deploying Software Installation Defaults

• Because software can be either assigned or
  published, and targeted to either users or
  computers, a workable combination can be
  established to meet the software management
  goals.
• Modifications (.mst files) are customizations
  applied to Windows Installer packages.
• Modifications must be applied at the time of
  assignment or publication, not at the time of
  installation.

82
Software Deployment Approaches
83
Publishing Applications

• An application is published to make it available
  to people managed by the GPO, should they want
  the application.
• Each person decides whether or not to install the
  published application.
• Applications can only be published to users.

84
Deploying Applications with Modifications

• Modifications are associated with the Windows
  Installer package at deployment time rather than
  when the Windows Installer is actually using the
  package to install or modify the application.
• Modifications are applied to Windows Installer
  packages by the administrator.
• This order in which modifications are applied
  must be determined before the application is
  assigned or published.

85
Setting Automatic Installation Options

• The application that is installed when users
  select a file can be specified by the
  administrator by selecting a file extension and
  configuring a priority for installing
  applications associated with the file extension,
  using the File Extensions tab in the Software
  Installation Properties dialog box.
• The first application listed is the application
  installed in association with the file extension.
• File extension associations are managed on a
  per-GPO basis.
• Changing the priority order in a GPO affects only
  those users who have that GPO applied to them.

86
File Extensions Tab
87
Setting Up Application Categories

• Organizing, assigning, and publishing
  applications, from within Add/Remove Programs in
  Control Panel, into logical categories makes it
  easier for users to locate the appropriate
  application.
• Windows 2000 does not ship with any predefined
  categories.
• Categories are established per domain, not per
  GPO.
• Categories need to be defined only once for the
  whole domain.

88
Setting Software Application Properties

• Each application can be fine-tuned in several
  ways
• By editing installation options
• By specifying application categories to be used
• By setting permissions for the software
  installation

89
Editing Installation Options for Applications

• Default settings can be changed, even if they
  have been globally defined within the GPO, by
  editing the package properties.
• Installation options affect how an application is
  installed, managed, and removed.

90
Deployment Tab
91
Specifying Application Categories

• Applications must be associates with existing
  categories.
• Categories generally pertain to published
  applications only, because assigned applications
  do not appear in Add/Remove Programs.

92
Categories Tab of the Properties Dialog Box
93
Maintaining Software Applications Upgrading
Applications

• Several events trigger an upgrade.
• Upgrades typically incorporate major changes into
  the software and normally have new version
  numbers.
• A substantial number of files change for an
  upgrade.
• The Software Installation extension is used to
  establish the procedure to upgrade an existing
  application to the current release.

94
Add Upgrade Package Dialog Box
95
Maintaining Software Applications Removing
Applications

• A version of a software application is no longer
  supported.
• Administrators can remove the software version
  from Software Installation without forcing the
  removal of the software from the computers of
  users who are still using the software.
• Users can continue to use the software
  themselves.
• No user is able to install the software version.
• A software application is no longer used.
• Administrators can force the removal of the
  software.
• The software is automatically deleted from a
  computer, either the next time the computer is
  turned on or the next time the user logs on.
• Users cannot install or run the software.

96
Managing Special Folders Using Group Policy

• Folder Redirection
• Default Special Folder Locations
• Setting Up Folder Redirection
• Policy Removal Considerations

97
Windows 2000 Redirected Special Folders

• Application Data
• Desktop
• My Documents
• My Pictures
• Start Menu

98
Redirecting the My Documents Folder Advantages

• The users documents are always available, even
  if the user logs on to various network computers.
• When roaming user profiles are used, only the
  network path to the My Documents folder is part
  of the roaming user profile, not the My Documents
  folder itself.
• Data stored on a shared network server can be
  backed up as part of routine system
  administration requires no action on the part of
  the user.
• The system administrator can use group policy to
  set disk quotas, limiting the amount of space
  used by users special folders.
• Data specific to a user can be redirected to a
  different hard disk on the users local computer
  from the hard disk holding the OS files.

99
Default Locations for Special Folders
100
Setting Up Folder Redirection

• Redirect to a location according to security
  group membership.
• Redirect to one location for everyone in the
  site, domain, or OU.
• Redirect the My Pictures folder to follow the My
  Documents folder redirection.

101
Target Tab in the Properties Dialog Box
102
Specify Group And Location Dialog Box
103
Settings Tab of the Properties Dialog Box
104
Policy Removal Considerations
105
Troubleshooting Group Policy

• Troubleshooting Group Policy
• Group Policy Best Practices

106
Troubleshooting Group Policy Overview

• Considering dependencies between components is an
  important part of troubleshooting group policy
  problems.
• When trying to fix problems that appear in one
  component, it is generally helpful to check
  whether components, services, and resources on
  which it relies are working correctly.
• Event logs are useful for tracking down problems
  caused by this type of hierarchical dependency.

107
Symptom The user has Read access to a GPO but
cannot open it

• Cause An administrator must have both Read and
  Write permissions for the GPO to open it in the
  Group Policy snap-in
• Solution Become a member of a security group
  with Read and Write permission for the GPO

108
Symptom User receives Failed To Open The Group
Policy Object message when trying to edit a GPO

• Cause A networking problem, specifically a
  problem with the DNS configuration
• Solution Make sure DNS is working properly

109
Symptom Group policy is not being applied to
users and computers in a security group that
contains them, even though a GPO is linked to an
OU containing that security group

• Cause This is correct behavior group policy
  affects only users and computers contained in
  sites, domains, and OUs GPOs are not applied to
  security groups
• Solution Link GPOs to sites, domains, and OUs
  only keep in mind that the location of a
  security group in Active Directory is unrelated
  to whether group policy applies to the users and
  computers in that security group

110
Symptom Group policy is not affecting users and
computers in a site, domain, or OU

• Cause
• Group policy settings can be prevented,
  intentionally or inadvertently, from taking
  effect on users and computers in several ways.
• A GPO can be disabled from affecting users,
  computers, or both.
• A GPO also needs to be linked either directly to
  an OU containing the users and computers, or to a
  parent domain or OU so that the group policy
  settings apply through inheritance.
• Solution
• Make sure that the intended policy is not being
  blocked.
• Make sure no policy set at a higher level of
  Active Directory has been set to No Override.

111
Symptom Group policy is not affecting users and
computers in a site, domain, or OU (cont)

• Cause
• When multiple GPOs apply, they are processed in
  this order local, site, domain, OU.
• By default, settings applied later have
  precedence.
• Solution
• If block Policy Inheritance and No Override are
  both used, No Override takes precedence.
• Verify that the user or computer is not a member
  of any security group for which the AGP
  permission is set to Deny.

112
Symptom Group policy is not affecting users and
computers in a site, domain, or OU (cont)

• Cause
• Group policy can be blocked at the level of any
  OU, or enforced through a setting of No Override
  applied to a particular GPO link.
• The user or computer must belong to one or more
  security groups with appropriate permissions set.
• Solution
• Verify that the user or computer is a member of
  at least one security group for which the AGP
  permission is set to Allow.
• Verify that the user or computer is a member of
  at least one security group for which the Read
  permission is set to Allow.

113
Symptom Group policy is not affecting users and
computers in an Active Directory container

• Cause GPOs cannot be linked to Active Directory
  containers other than sites, domains, and OUs
• Solution Link a GPO to an OU that is a parent to
  the Active Directory container then, by default,
  those settings are applied to the users and
  computers in the container through inheritance

114
Symptom Group policy is not taking effect on the
local computer

• Cause Local policies are the weakest any
  nonlocal GPO can overwrite them
• Solution Check to see what GPOs are being
  applied through Active Directory and whether
  those GPOs have settings that are in conflict
  with the local settings

115
Symptom Published applications do not appear in
Add/Remove Programs in Control Panel

• Cause
• Group policy was not applied.
• Active Directory cannot be accessed.
• User does not have any published applications in
  the GPOs that apply to him or her.
• Client is running Terminal Server.
• Solution
• Investigate each possibility.
• Software Installation is not supported for
  Terminal Server clients.

116
Symptom Document activation of a published
application does not cause the application to
install

• Cause The administrator did not set auto-install
• Solution Ensure that Auto-Install This
  Application By File Extension Activation is
  checked in the Deployment tab in the
  applications Properties sheet

117
Symptom The user receives an error message such
as The Feature You Are Trying To Install Cannot
Be Found In The Source Directory

• Cause Network or permissions problems
• Solution
• Ensure that the network is working correctly.
• Ensure that the user has Read and AGP permissions
  for the GPO.
• Ensure that the user has Read permission for the
  SDP.
• Ensure that the user has Read permission for the
  application.

118
Symptom After removal of an application, the
shortcuts for the application still appear on
the users desktop

• Cause The user has created shortcuts, and
  Windows Installer has no knowledge of them
• Solution The user must remove the shortcuts
  manually

119
Symptom The user receives an error message such
as Another Installation Is Already In Progress

• Cause An uninstallation might be taking place in
  the background with no user interface presented
  to the user, or perhaps the user has
  inadvertently triggered two installations
  simultaneously
• Solution The user can try again later

120
Symptom The user opens an already installed
application, and the Windows Installer starts

• Cause An application might be undergoing
  automatic repair, or a user-required feature is
  being added
• Solution No action is required

121
Symptom The user receives error messages such
as Active Directory Will Not Allow The Package
To Be Deployed or Cannot Prepare Package For
Deployment

• Cause The package might be corrupted or there
  might be a networking problem
• Solution Investigate and take appropriate action

122
General Group Policy Practices

• Disable unused parts of a GPO.
• Use the Block Policy Inheritance and No Override
  features sparingly.
• Minimize the number of GPOs associated with users
  or computers in domains or OUs.
• Filter policy based on security group membership.
• Use loopback only when necessary.
• Avoid cross-domain GPO assignments.

123
Software Installation Practices

• Specify application categories for the
  organization.
• Make sure Windows Installer packages include
  modifications before they are published or
  assigned.
• Assign or publish just once per GPO.
• Take advantage of authoring tools.
• Repackage existing software.
• Use SMS and Dfs.
• Assign or publish close to the root in the Active
  Directory hierarchy.
• Use Software Installation properties for widely
  scoped control.
• Use Windows Installer package properties for fine
  control.

124
Folder Redirection Practices

• Incorporate username into fully qualified UNC
  paths.
• Have My Pictures follow My Documents.
• Consider the effects of policy removal.
• Accept defaults.