Deployment Assistance Programme


4. Managing the Desktop

Thomas Lee Chief Technologist – QA plc


• • • • Definitions History Local/Group/System Policy Admin Pack

• •


User Profiles – User Data and Settings… – Outlook settings Local/Group/System Policy – Allows administrative control of settings – Local Policy  Windows XP workstations – Group Policy  Windows 2000/.Net Domains – System Policy  NT4 Domains

• • • •

History And Motivation

Default user data – Hard to deploy customized app – Used empirical methods to find reg keys Mandatory user data – Lots of settings with no policies – Confusion about default policies Multiple user scenario – Setup only writes user data for the user who installed the app Registry Tattooing

New Policy

Architecture • • • Office apps always write to their own areas - never to Policies hive Policy templates write to HKCU\Software\Policies hive Differences from System Polices in NT4/WIn9x – Policies can be undone – Policy reapplied at each app boot – Policy reapplied without user logon – Policy reapplied while user is logged on

Extending Policy with ADM files

• • • • ADM files describe polices Template policies result in registry settings Registry settings automatically applied to user environment Applications that understand the policies can look for these settings

ADM files

• • Reside in %systemroot%\inf Simple structure - user Extensible


CATEGORY !!WindowsUpdateCat

POLICY !!ImmediateInstall_Title

KEYNAME "Software\Policies\Microsoft\Windows\WindowsUpdate\AU" #if version >= 4 SUPPORTED !!SUPPORTED_WindowXPSP1

#endif VALUENAME "AutoInstallMinorUpdates" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0 END POLICY [strings] WindowsComponents="Windows Components" WindowsUpdateCat="Windows Update“ ImmediateInstall_Title="Allow Automatic Updates immediate installation"

Active Directory Structure

• • • • • • Domain Tree Forest Objects Attributes OU

Domain Tree Domain Domain Domain GC Domain Domain Objects OU Domain Organizational Unit OU Domain OU Forest

Policy Inside AD

• • • Domain/OU/Site objects – Have GPLINK property which points to… Policy Container – Contains all the policies for the domain which points to… Sysvol on DCs – Contain the actual policy

Policy in Two Parts

• • • Computer – Only affects Computer objects in an OU User – Only affects User objects in an OU Polices can affect one or both

What can Policy do?

• • • Enforce Security Deploy Software Enforce Settings

• • • • •

Disabling Features

Disable menus and tool buttons Disabled items are gray in UI Tool tip is customizable Predefined are easy Any command bar item can be disabled.

Local Group Policy Application

• • Secedit can be used to configure local group policy for: – Account and local policies – Event log – Restricted groups – File system, registry, system services For administrative & application template settings: – configure one machine manually – Copy %systemroot % \system32\GroupPolicy to new machines

• • • • • • •

GPMC Feature Summary

New UI for managing Group Policy Reporting Search Resultant Set of Policy (RSoP) integration Backup/Restore Copy/Paste and Import Scripting of GPO operations (not settings)

Managing GPO Scope and Inheritance

• • GPO Scope is managed by – Linking GPOs to an Active Directory Container (Sites, Domains and OUs) – Adding Security Filters to a GPO – Adding WMI Filters to a GPO Group Policy inheritance can be altered by – Changing GPO link order – Enforce (previously No Override) – Block Inheritance

Admin Pack (adminpak.msi)

• • Windows 2000 Admin Pack will not work with Windows XP  Windows 2003 Admin Pack does  – Requires XP SP1 (or see KB 329357) – Get download from:

Show me…

• • • • Local Policy ADM files Policy architecture inside AD Managing Scope

Group Policy Management Console

• • • • • Manages Active Directory Group Policy Free download Used in Windows 2000 and Windows 2003 domains Runs on Windows XP SP1 and Windows 2003 Server GPMC Rocks 

• • • • • • •

GPMC Feature Summary

New UI for managing Group Policy Reporting Search Resultant Set of Policy (RSoP) integration Backup/Restore Copy/Paste and Export/Import Scripting of GPO operations

Resultant Set Of Policy (RSoP)

• • • Shows conflict resolution of policy settings Example – Both GPO A and GPO B apply to same user • GPO A sets Wallpaper = Red Moon Desert • GPO B sets Wallpaper = Bliss – RSoP data tells you • Which setting ultimately “wins” • Which GPO set that winning setting • Precedence info (the “losing” GPOs) Allows you to more easily plan and troubleshoot Group Policy deployments

Show me…

• • • GPMC User Interface Backup/Restore of Policies RSOP

General GP Guidelines

• • • Limit who can create and modify GPOs Use Enforce/Block Inheritance and Deny sparingly Consider loopback for some scenarios – Applies user settings based on the location of the computer (not just the user) – Example: Exchange admin logging on to an Exchange server – don’t want user assigned applications to be applied – Consider for closely managed environments such as labs, servers (Exchange, IIS, etc) and terminal servers

Performance GP Considerations

• • • Fewer GPOs per user/computer is better - but GPO contents are more important Avoid cross-domain GPO linking Use WMI Filters sparingly

GP Deployment

• • Stage policy deployments prior to production deployment – Staging domain is easy to build using GPMC Roll out major changes to Group Policy incrementally

Best Practices

• • • Plan carefully – Policy design can drive OU design – OU design can drive policy design Test, test, test Use GPMC


• • • • Group Policy Web sites – – GPMC Web site Scripting resources – 32 sample scripts included with the product • %programfiles%\gpmc\scripts – GPMC SDK • %programfiles%\gpmc\scripts\gpmc.chm

• Also in Platform SDK Newsgroup –