Thomas Lee
Chief Technologist – QA plc
• Definitions
• History
• Local/Group/System Policy
• Admin Pack

• User Profiles
  – User Data and Settings…
  – Outlook settings
• Local/Group/System Policy
  – Allows administrative control of settings
  – Local Policy
    • Windows XP workstations
  – Group Policy
    • Windows 2000/.Net Domains
  – System Policy
    • NT4 Domains

• Default user data
  – Hard to deploy customized app
  – Used empirical methods to find reg keys
• Mandatory user data
  – Lots of settings with no policies
  – Confusion about default policies
• Multiple user scenario
  – Setup only writes user data for the user who installed the app
• Registry Tattooing

Architecture
• Office apps always write to their own areas
  – never to the Policies hive
• Policy templates write to the HKCU\Software\Policies hive
• Differences from System Policies in NT4/Win9x
  – Policies can be undone
  – Policy reapplied at each app boot
  – Policy reapplied without user logon
  – Policy reapplied while user is logged on

• ADM files describe policies
• Template policies result in registry settings
• Registry settings automatically applied to user environment
• Applications that understand the policies can look for these settings

• Reside in %systemroot%\inf
• Simple structure - user extensible

CLASS MACHINE
CATEGORY !!WindowsComponents
  CATEGORY !!WindowsUpdateCat
    POLICY !!ImmediateInstall_Title
      KEYNAME "Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
      #if version >= 4
        SUPPORTED !!SUPPORTED_WindowXPSP1
      #endif
      VALUENAME "AutoInstallMinorUpdates"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END POLICY
  END CATEGORY
END CATEGORY
[strings]
WindowsComponents="Windows Components"
WindowsUpdateCat="Windows Update"
ImmediateInstall_Title="Allow Automatic Updates immediate installation"
; string added so the SUPPORTED reference above resolves when the template is loaded
SUPPORTED_WindowXPSP1="At least Windows XP SP1"

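How the template above turns into a registry value, as an added example (not from the deck and not a Microsoft tool): a small parser that resolves the !!string references and reports what an Enabled or Disabled policy writes under the Policies hive. The SAMPLE_ADM text is a constructed copy of the snippet with the END CATEGORY lines that close its two CATEGORY blocks.

```python
"""Parse the ADM template shown on the slide, resolve its !!string references
and work out which registry value an Enabled/Disabled policy writes. Added
example, not a Microsoft tool; SAMPLE_ADM is a constructed copy of the slide."""
import re

SAMPLE_ADM = r"""
CLASS MACHINE
CATEGORY !!WindowsComponents
 CATEGORY !!WindowsUpdateCat
  POLICY !!ImmediateInstall_Title
   KEYNAME "Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
   VALUENAME "AutoInstallMinorUpdates"
   VALUEON NUMERIC 1
   VALUEOFF NUMERIC 0
  END POLICY
 END CATEGORY
END CATEGORY
[strings]
WindowsComponents="Windows Components"
WindowsUpdateCat="Windows Update"
ImmediateInstall_Title="Allow Automatic Updates immediate installation"
"""

def parse_adm(text):
    """One dict per POLICY: resolved title, hive, key, value name and on/off data."""
    body, _, tail = text.partition("[strings]")
    strings = dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', tail, re.M))
    policies, hive, cur = [], None, None
    for line in body.splitlines():
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if not tokens or tokens[0].startswith("#"):   # blank line, or #if/#endif guards in full ADM files
            continue
        kw = tokens[0].upper()
        if kw == "CLASS":                              # MACHINE -> HKLM, USER -> HKCU
            hive = "HKLM" if tokens[1].upper() == "MACHINE" else "HKCU"
        elif kw == "POLICY":                           # !!Name is looked up in [strings]
            cur = {"title": strings.get(tokens[1].lstrip("!"), tokens[1]), "hive": hive}
            policies.append(cur)
        elif kw in ("KEYNAME", "VALUENAME") and cur:
            cur[kw.lower()] = tokens[1]
        elif kw in ("VALUEON", "VALUEOFF") and cur:
            cur[kw.lower()] = int(tokens[2]) if tokens[1].upper() == "NUMERIC" else tokens[1]
    return policies

def registry_writes(policy, state):
    """(key, value name, data) for 'Enabled'/'Disabled'; data None = Not Configured (value removed, not tattooed)."""
    key = policy["hive"] + "\\" + policy["keyname"]
    data = {"Enabled": policy.get("valueon"), "Disabled": policy.get("valueoff")}.get(state)
    return (key, policy["valuename"], data)
```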
• Domain
• Tree
• Forest
• Objects
• Attributes
• OU

[Diagram: a Forest made up of Domain Trees; each Domain holds Objects and Organizational Units (OUs); GC = Global Catalog]

• Domain/OU/Site objects
  – Have a GPLINK property which points to…
• Policy Container
  – Contains all the policies for the domain, which points to…
• Sysvol on DCs
  – Contains the actual policy

• Computer
  – Only affects Computer objects in an OU
• User
  – Only affects User objects in an OU
• Policies can affect one or both

• Enforce Security
• Deploy Software
• Enforce Settings

• Disable menus and tool buttons
• Disabled items are gray in UI
• Tool tip is customizable
• Predefined are easy
• Any command bar item can be disabled.

• Secedit can be used to configure local group policy for:
  – Account and local policies
  – Event log
  – Restricted groups
  – File system, registry, system services
• For administrative & application template settings:
  – Configure one machine manually
  – Copy %systemroot%\system32\GroupPolicy to new machines

• New UI for managing Group Policy
• Reporting
• Search
• Resultant Set of Policy (RSoP) integration
• Backup/Restore
• Copy/Paste and Import
• Scripting of GPO operations (not settings)

• GPO Scope is managed by
  – Linking GPOs to an Active Directory Container (Sites, Domains and OUs)
  – Adding Security Filters to a GPO
  – Adding WMI Filters to a GPO
• Group Policy inheritance can be altered by
  – Changing GPO link order
  – Enforce (previously No Override)
  – Block Inheritance

• Windows 2000 Admin Pack will not work with Windows XP
• Windows 2003 Admin Pack does
  – Requires XP SP1 (or see KB 329357)
  – Get download from: http://tinyurl.com/ab7q

• Local Policy
• ADM files
• Policy architecture inside AD
• Managing Scope

• Manages Active Directory Group Policy
• Free download
• Used in Windows 2000 and Windows 2003 domains
• Runs on Windows XP SP1 and Windows 2003 Server
• GPMC Rocks

• New UI for managing Group Policy
• Reporting
• Search
• Resultant Set of Policy (RSoP) integration
• Backup/Restore
• Copy/Paste and Export/Import
• Scripting of GPO operations

• Shows conflict resolution of policy settings
• Example
  – Both GPO A and GPO B apply to same user
    • GPO A sets Wallpaper = Red Moon Desert
    • GPO B sets Wallpaper = Bliss
  – RSoP data tells you
    • Which setting ultimately “wins”
    • Which GPO set that winning setting
    • Precedence info (the “losing” GPOs)
• Allows you to more easily plan and troubleshoot Group Policy deployments

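The scope rules from the Managing Scope slide (link order, Enforce, Block Inheritance) and the RSoP "who wins" example above, worked through in code. This is an added example, not GPMC's own RSoP engine; the container names contoso.example and OU=Sales are constructed.

```python
"""GPO precedence as on the 'Managing Scope' and RSoP slides: Site -> Domain -> OU,
last applied wins; link order 1 in a container is applied last; Block Inheritance
hides non-enforced links from containers above; Enforced links cannot be blocked and
are applied after everything else, highest container last. Added example, not GPMC code."""
from dataclasses import dataclass, field, replace

@dataclass
class GpoLink:
    gpo: str
    settings: dict            # e.g. {"Wallpaper": "Bliss"}
    order: int = 1            # link order within the container; 1 = highest precedence
    enforced: bool = False    # 'Enforce' (formerly No Override) is a property of the link

@dataclass
class Container:
    name: str                 # site, domain or OU on the path to the user/computer
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def processing_sequence(chain):
    """GPO links in the order they are applied (last wins); chain runs site -> leaf OU."""
    blocked_above = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    def by_precedence(c):     # higher link-order numbers first, so order 1 lands last
        return sorted(c.links, key=lambda l: l.order, reverse=True)
    applied = []
    for i, c in enumerate(chain):   # a block hides non-enforced links linked above it
        applied += [l for l in by_precedence(c) if not l.enforced and i >= blocked_above]
    for c in reversed(chain):       # enforced links: highest container applied last, so it wins
        applied += [l for l in by_precedence(c) if l.enforced]
    return applied

def rsop(chain):
    """Resultant Set of Policy: {setting: (winning value, winning GPO, losing GPOs)}."""
    result = {}
    for link in processing_sequence(chain):
        for setting, value in link.settings.items():
            losers = result[setting][2] + [result[setting][1]] if setting in result else []
            result[setting] = (value, link.gpo, losers)
    return result

def wallpaper_example():
    """The slide's GPO A / GPO B scenario with constructed container names, in three variants."""
    gpo_a = GpoLink("GPO A", {"Wallpaper": "Red Moon Desert"})
    gpo_b = GpoLink("GPO B", {"Wallpaper": "Bliss"})
    domain, sales = Container("contoso.example", [gpo_a]), Container("OU=Sales", [gpo_b])
    return {
        "default": rsop([domain, sales])["Wallpaper"],   # OU link is applied last and wins
        "enforced": rsop([replace(domain, links=[replace(gpo_a, enforced=True)]), sales])["Wallpaper"],
        "blocked": rsop([domain, replace(sales, block_inheritance=True)])["Wallpaper"],
    }
```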
• GPMC User Interface
• Backup/Restore of Policies
• RSOP

• Limit who can create and modify GPOs
• Use Enforce/Block Inheritance and Deny sparingly
• Consider loopback for some scenarios
  – Applies user settings based on the location of the computer (not just the user)
  – Example: Exchange admin logging on to an Exchange server – don’t want user-assigned applications to be applied
  – Consider for closely managed environments such as labs, servers (Exchange, IIS, etc.) and terminal servers

• Fewer GPOs per user/computer is better - but GPO contents are more important
• Avoid cross-domain GPO linking
• Use WMI Filters sparingly

• Stage policy deployments prior to production deployment
  – Staging domain is easy to build using GPMC
• Roll out major changes to Group Policy incrementally

• Plan carefully
  – Policy design can drive OU design
  – OU design can drive policy design
• Test, test, test
• Use GPMC

• Group Policy Web sites
  – www.microsoft.com/grouppolicy
  – www.microsoft.com/technet/grouppolicy
• GPMC Web site: www.microsoft.com/windowsserver2003/gpmc/
• Scripting resources
  – 32 sample scripts included with the product
    • %programfiles%\gpmc\scripts
  – GPMC SDK
    • %programfiles%\gpmc\scripts\gpmc.chm
    • Also in Platform SDK
• Newsgroup
  – microsoft.public.windows.group_policy