Managing Active Directory with Policies
1093
10. On the WMI Filters for Users page, select the All Linked Filters option button, and
click Next to continue.
11. On the WMI Filters for Computers page, select the All Linked Filters option button,
and click Next to continue.
12. On the Summary of Selections page, review the choices and if everything looks
correct, click Next to run the GPO modeling tool.
13. When the process completes, click Finish to return to the GPMC and review the
modeling results.
14. In the Settings pane, the summary of the computer and user policy processing will
be available for view. Review the information on this page and then click on the
Settings tab to review the final GPO settings that would be applied, as shown in
Figure 27.34.
FIGURE 27.34 Reviewing the GPO modeling resultant settings.
15. Close the GPMC and log off.
In situations when Group Policy is not delivering the desired results, GPO Results can be
run to read and display the Group Policy processing history. GPO Results are run against a
specific computer, but can also be used to collect user policy processing. To run GPO
Results to review the GPO processing history, perform the following steps:
1. Log on to a designated Windows Server 2008 R2 administrative server.
2. Open the Group Policy Management Console from the Administrative Tools menu.
3. In the tree pane, select the Group Policy Results node, right-click the node, and
select Group Policy Results Wizard.
1094
CHAPTER 27
Group Policy Management for Network Clients
4. On the Welcome page, click Next to continue.
5. On the Computer Selection page, choose to run the policy against another computer
and locate a Windows 7 system that a user has already logged on to. Also be sure to
uncheck the Do Not Display Policy Settings for the Selected Computer in the Results
check box, and click Next.
6. On the User Selection page, select the Display Policy Settings For option button, and
then select the Select a Specific User option button. Select a user from the list, and
click Next to continue. Only users who have previously logged on to the selected
computer will be listed and they will only be listed if the user running the tool is a
domain admin or has been granted the right to run Resultant Set of Policies
(Logging) for the particular users.
7. On the Summary of Selections page, review the choices and click Next to start the
GPO Results collection process.
8. When the process completes, click Finish to return to the GPMC.
9. The results will be displayed in the Settings pane on the Summary, Settings, and
Policy Events tabs. Review the results and close the GPMC when finished.
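An added PowerShell example (not from the book) that collects the same Group Policy Results report from an administrative workstation with the GroupPolicy module's Get-GPResultantSetOfPolicy cmdlet, after checking two of the prerequisites the chapter lists for remote Group Policy Results: network reachability of the target and membership in the target's local Distributed COM Users group. The computer name, user name and report path are constructed sample values.

```powershell
# Added example (not from the book): collect a Group Policy Results report for
# a user on a remote Windows 7 computer from an administrative workstation.
# Assumes the GroupPolicy module (installed with the Group Policy Management
# tools) is present locally and that the running account holds the Generate
# Resultant Set of Policy (Logging) right on the container of the targets.
param(
    [string]$TargetComputer = 'WIN7-CLIENT01',    # constructed sample name
    [string]$TargetUser     = 'COMPANYABC\jdoe'   # constructed sample user
)
$ReportPath = Join-Path $env:TEMP "gpresults-$TargetComputer.html"

Import-Module GroupPolicy

# Prerequisite: the remote system must be accessible on the network. If this
# fails, also verify that the Remote Administration exception is enabled on
# the target, e.g. netsh advfirewall firewall set rule group="remote administration" new enable=yes
if (-not (Test-Connection -ComputerName $TargetComputer -Count 1 -Quiet)) {
    throw "$TargetComputer is not reachable; check name resolution and the firewall."
}

# Prerequisite: the running account (directly or via one of its groups) must
# be in the target's local Distributed COM Users group. The WinNT ADSI
# provider reads the group without needing WinRM on the Windows 7 client.
$group   = [ADSI]"WinNT://$TargetComputer/Distributed COM Users,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myNames = @($me.Name.Split('\')[-1])
foreach ($sid in $me.Groups) {
    try {
        $acct = $sid.Translate([System.Security.Principal.NTAccount]).Value
        $myNames += $acct.Split('\')[-1]
    } catch { }   # well-known or logon SIDs that do not translate are skipped
}
# Name-only comparison: a heuristic, since WinNT member names omit the domain.
if (-not ($members | Where-Object { $myNames -contains $_ })) {
    Write-Warning "Not a member of Distributed COM Users on $TargetComputer; RSoP collection may be denied."
}

# Collect logging-mode RSoP, the same data the Group Policy Results Wizard
# shows on its Summary, Settings, and Policy Events tabs, as an HTML report.
Get-GPResultantSetOfPolicy -Computer $TargetComputer -User $TargetUser `
    -ReportType Html -Path $ReportPath | Out-Null
Write-Output "Group Policy Results report written to $ReportPath"
```

Run it from the administrative workstation as the delegated account; the HTML report can be opened in a browser and compared with the Settings tab output of the wizard.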
Managing Group Policy from Administrative or Remote Workstations
It is very common for Windows system administrators to manage group policies from
their own administrative workstations. To manage a Windows Server 2008 R2 environment properly, domain group policy administration should be performed using a
Windows Server 2008 R2 or Windows 7 system with the Group Policy Management tools
and the Print Services tools installed. The main reason for this is that by using the latest
possible version of the tools, the administrator ensures that all features are available and that the most stable version of the tools is being used.
Group Policy management, aside from creating and managing policies, provides administrators with the ability to simulate policy processing for users and computers in specific
containers in Active Directory using the Group Policy Modeling node in the GPMC.
Furthermore, the previous application of Group Policy for users and computers can be
collected and reviewed in the Group Policy Management Console using the Group Policy
Results node in the GPMC. For an administrator, even a member of the Domain Admins
group, to perform remote Group Policy Modeling using the GPMC from a machine other
than a domain controller, the following requirements must be met:
 The administrator must be a member of the domain Distributed COM Users security group.
 The administrator must be delegated the Generate Resultant Set of Policy (Planning)
right in Active Directory, as shown in Figure 27.35. This right must be applied to the
domain, OU, container, or site that contains all of the computers and users the
administrator will run simulated GPO processing against.
 The administrator must have the right to read all the necessary group policies, and
this should be allowed by default.
FIGURE 27.35 Delegating the Generate Resultant Set of Policy (Planning) right.
To perform remote Group Policy Results tasks using the GPMC from a machine other than
a domain controller, the following requirements must be met:
 The administrator must be a member of the remote computer’s local Distributed
COM Users security group.
 The administrator must be a member of the remote computer’s local Administrators
security group for legacy desktop platforms and the remote system must be accessible on the network.
 The Windows Firewall must be configured to allow the inbound Remote
Administration exception and the remote workstation must be on a network that is
defined within this exception.
 The administrator must be delegated the Generate Resultant Set of Policy (Logging)
right in Active Directory. This right must be applied to the domain, OU, container,
or site that contains all of the computers and users the administrator will run simulated GPO processing against.
 The administrator must have the right to read all the necessary group policies, and
this should be allowed by default.
Summary
Windows Server 2008 R2 Group Policy provides administrators with many options to standardize configuration and management of users and computer settings. Management policies can be fine-tuned based on the function, location, and security needs of the users or
the security requirements of the organization. This chapter offers many suggestions and
examples of how Group Policy can be leveraged in any organization. Although group policies are very functional and can be a very attractive option for user and computer management, the planning and testing of group policies is essential in delivering the desired
configuration and security settings to users and computers in an Active Directory or
Windows workgroup environment.
Best Practices
The following are best practices from this chapter:
 The only changes that should be made to the default domain policy should be
modifying the password and account policy settings and nothing else.
 When the local or domain Administrator user account is a member of a group that
will be managed with domain group policy restricted groups, do not count on the
GPO to leave it in; instead, define it within the member policy setting of a
restricted group.
 When naming group policies, try to use naming conventions that will more easily
help identify the function of the policies for the organization.
 Assign or publish software to high-level Active Directory objects. Because Group
Policy settings apply by default to child containers, it is simpler to assign or publish
applications by linking a Group Policy Object to a parent organizational unit or
domain as long as each of the objects in the child containers requires the application.
 Assign or publish just once per Group Policy Object. When multiple packages are
included in a single policy, often only one package gets applied and they do not
necessarily get processed in order.
 When using folder redirection for user profile folders, allow the system to create the
folders and ensure that the share and root folder permissions are set up appropriately to allow this.
 Configure policies with application control policies to be processed by machines
running Windows 7 Enterprise and Ultimate operating systems and/or Windows
Server 2008 R2 systems.
 Use fully qualified (UNC) paths, such as \\server.companyabc.com\share or DFS
links such as \\companyabc.com\share.
 Have systems administrators use standard user accounts to do their day-to-day tasks
and use User Account Control to allow for prompting of elevation when administrator privileges are required.
CHAPTER 28
File System Management and Fault Tolerance
IN THIS CHAPTER
 Windows Server 2008 R2 File System Overview/Technologies
 File System Access Services and Technologies
 Windows Server 2008 R2 Disks
 Utilizing External Disk Subsystems
 Managing Windows Server 2008 R2 Disks
 System File Reliability
 Adding the File Services Role
 Managing Data Access Using Windows Server 2008 R2 Shares
 Volume-Based NTFS Quota Management
 File Server Resource Manager (FSRM)
 The Distributed File System
 Planning a DFS Deployment
 Installing DFS
 Managing and Troubleshooting DFS
 Backing Up DFS
 Using the Volume Shadow Copy Service
Computer networks were created to share data. The most primitive form of sharing data on
computer networks, of course, is accessing files and folders stored on networked systems or
central file servers, such as Windows Server 2008 R2 file servers.
As data storage needs and computer services have evolved in the past 20 or so years, many
different methods have become available to present, access, secure, and manage data. As an
example, data can be accessed through a web browser; by accessing data stored on external
storage media, such as USB drives, floppy disks, CDs, and DVDs; and by accessing data stored
on any of the different types of media for the many different operating systems, network
storage devices, and file systems available.
This chapter covers the file system features and services included with Windows Server 2008
R2. The goal of this chapter is to introduce administrators to the Windows Server 2008 R2
file services and give them the tools they require to deploy fault-tolerant and reliable
enterprise file services for their organizations using Windows Server 2008 R2.
Windows Server 2008 R2 File System Overview/Technologies
Windows Server 2008 R2 provides many services that can be leveraged to deploy a highly
reliable, manageable, and fault-tolerant file system infrastructure. This section of the
chapter provides an overview of these services.