Module 7
Configure User and
Computer Environments
By Using Group Policy
Module Overview
• Configuring Group Policy Settings
• Configuring Scripts and Folder Redirection with
Group Policy
• Configuring Administrative Templates
• Deploying Software Using Group Policy
• Configuring Group Policy Preferences
• Introduction to Group Policy Troubleshooting
• Troubleshooting Group Policy Application
• Troubleshooting Group Policy Settings
What Are Group Policy Scripts?
You can use scripts to perform many tasks, such as clearing page
files or mapping drives, and clearing temp folders for users, etc.
Group Policy script settings can be used to assign:
• For computers
• For users

Startup scripts

Logon scripts

Shutdown scripts

Logoff scripts
What Is Folder Redirection?
Folder redirection allows folders
to be located on a network
server, but appear as if they are
located on the local drive
The folders that can be redirected are:
• My Documents (Documents in Windows® Vista)
• Application Data (AppData in Windows Vista)
• Desktop
• Start Menu
Extra folders that can be redirected
in Windows Vista are:
• Contacts
• Searches
• Downloads
• Links
• Favorites
Folder Redirection Configuration Options
• Use basic Folder Redirection when
all users save their files to the
same location
• With advanced Folder Redirection,
the server hosting the folder location
is based on group membership
• Target folder location options:
• Redirect to the users’
home directory
• Create a folder for each user
under the root path
• Redirect to the
following location
• Redirect to the local
userprofile location
Accounting
Users
Accounts
A-M
Accounts
N-Z
Accounting
Managers
Misty
Anne
What Are Administrative Templates?
Administrative Templates allow you to control both the
environment of the operating system and user experience
Administrative Templates
sections for computers are:
• Windows components
• System
• Network
• Printers
Administrative Templates
sections for users are:
• Windows components
• Start menu and taskbar
• Desktop
• Control panel
• Shared folders
• Network
• System
• Applications
Options for Deploying and Managing Software
Using Group Policy
1
2
1.0
Preparation
Deployment
4
3
2.0
Removal
Maintenance
How Software Distribution Works
Windows Installer
Windows Installer service
Fully automates the
software installation and
configuration process
Modifies or repairs an
existing application
installation
Benefits of
Using
Windows
Installer
Windows Installer package contains
Information about installing or
uninstalling an application
An .msi file and any external source
files
Summary information about the
application
A reference to an installation point
Custom
installations
Resilient
applications
Clean removal
Options for Installing Software
Assign software
during Computer
Configuration
Software
Distribution
Point
Assign software
during User
Configuration
?
Publish software
using document
activation
Publish software
using Add or
Remove
Programs
Options for Modifying the Software Distribution
Options:

Software can be categorized in the Add Programs applet

File extensions can be associated with particular applications

Software deployment can be customized using MST files
Published packages:

Advertised in Active Directory and available for users to
install with Add or Remove Programs in Control Panel
Assigned packages:

Application is installed automatically and will be
automatically reinstalled if removed
Maintaining Software Using Group Policy
Users can
use only the
upgraded version
2.0
Deploy next
version of the
application
Mandatory upgrade
2.0
1.0
Users can decide
when to upgrade
2.0
Optional upgrade
2.0
1.0
Selective upgrade
You can select
specific users for
an upgrade
What Are Group Policy Preferences?
Group Policy preferences expand the range of configurable
settings within a GPO

Are not enforced

Enable IT professionals to configure, deploy, and manage
operating system and application settings that were not
manageable using Group Policy
Group Policy Preferences Features
Common Tab
Used to configure additional
options that control the
behavior of a Group Policy
preference item
Targeting Features
Determines to which users
and computers a preference
item applies
Deploying Group Policy Preferences

Windows Server 2008 includes Group Policy preferences by
default as part of the GPMC

Group Policy preferences Client side extension (CSE) must
be deployed to any client computer to which you want to
deploy preferences
Scenarios for Group Policy Troubleshooting
Common scenarios that require troubleshooting:

Polices not applied

Policies are applied but settings are inconsistent
Preparing to Troubleshoot Group Policy
Basic troubleshooting steps:

Perform basic checks to test network connectivity: use
diagnostic tools such as netdiag or ping

Ensure that DNS is functioning by using NSlookup

Use Group Policy Results to see which polices are being
applied

Check Event Viewer entries

Check that the domain controller is functioning and
reachable: use diagnostic tools such as dcdiag, the set
command, or Kerbtray
Tools for Troubleshooting Group Policy
Group Policy troubleshooting tools:
 Group Policy reporting – RSoP
 GPResult
 Gpotool
• Gpupdate
• Dcgpofix
• GPOLogView
• Group Policy log files
• Group Policy Management Scripts
How Client Side Extension Processing Works
• Client side extensions are DLLs that process group
policy settings
• Some CSEs do not process if a slow link is detected
• Some CSEs are always applied and cannot be turned off
List of client side extensions:
• Security settings
• Administrative Templates
• Software installation
• Scripts
• Folder redirection
• Internet Explorer maintenance
Troubleshooting Group Policy Inheritance
Domain
Production
GPOs
Blocked inheritance prevents
high-level policies from applying
to entire OU subtrees
No GPO
settings
apply
Sales
Troubleshooting Group Policy Filtering
Domain
GPO
Production
WMI
filter
Group Policy filtering
may affect only
certain users or
computers in OUs
Sales
Mengph
Kimyo
Group
Read and
Apply
Allow
Group
Policy
Apply
Deny
Group
Policy
Troubleshooting Group Policy Replication
• Group Policy objects consist of Group Policy templates
and Group Policy containers
• Group Policy Templates (GPT) and GPOs replicate using
different mechanisms
• Replication issues can cause domain controllers to
have inconsistent versions of Group Policy
• The GPOTool can check for policy consistency
across all domain controllers
GPT
GPC
DC1
File Replication Service
AD DS Replication
GPT
GPC
GPO1
GPO1
Version 3
Version 2
DC2
Troubleshooting Group Policy Refresh
If the Group Policy is not refreshing as expected:
• Check refresh intervals for users and computers
• Verify that the user has logged off and on, or that the
computer has been restarted
• Check if there are cached credentials, because they may
delay the effect of Group Policy
• Check to see if the Loopback policy is enabled
Use GPUpdate to:
• Manually refresh updated Group Policy settings
• Force the refresh of all Group Policy settings
• Force a reboot or logoff, if required, to refresh
the settings
Troubleshooting Administrative Template
Policy Settings
When troubleshooting Administrative Templates,
consider that:

Administrative Templates are either true polices or preferences

Settings that are true policies are reversed when the
policy no longer applies

Settings that are preferences will tattoo the registry
and remain in effect until they are specifically reversed

The operating system and service pack level determine
if the computer can accept a policy setting
Troubleshooting Script Policy Settings
When troubleshooting script policy settings, consider
the following:

Validate the script

Ensure that users and computer have access to the script

Ensure that Group Policy is configured correctly

Ensure that the script is replicating properly

Use the Group Policy tools to ensure that Group Policy
is applied correctly