Chapter 12, Administering Group Policy
Chapter 12, Lesson 1
Group Policy Concepts
1. What Is Group Policy?
A. A group policy is a collection of user and computer configuration settings that can be linked to computers, sites, domains, and organizational units (OUs) to specify the behavior of users’ desktops.
B. Group policies can be used to determine the programs that are available to users, the programs that appear on the users’ desktops, and Start menu options.
2. Group Policy Objects (GPOs)
A. Used to create a specific desktop configuration for a particular group of users
B. Collections of group policy settings
C. Each Windows 2000 computer has one local GPO and is subject to any number of nonlocal Active Directory–based GPOs.
D. Local GPO settings can be overridden by nonlocal GPOs, so the local GPO is the least influential if the computer is in an Active Directory environment.
E. In a nonnetworked environment, the local GPO’s settings are more important because they are not overwritten by nonlocal GPOs.
F. Nonlocal GPOs are linked to Active Directory objects and can be applied to either users or computers.
G. To use nonlocal GPOs, a Microsoft Windows 2000 domain controller must be installed.
H. Nonlocal GPOs are applied hierarchically from the least restrictive group (site) to the most restrictive group (OU) and are cumulative.
3. Delegating Control of Group Policy
A. Determine which administrative groups can administer GPOs by defining access permissions for each GPO.
B. Assigning Read and Write permissions on a GPO to an administrative group delegates control of that GPO to the group.
4. Group Policy Snap-In
A. Overview
1. The Microsoft Management Console (MMC) Group Policy snap-in is used to organize and manage the many group policy settings in each GPO.
2. Depending on the action to perform, the Group Policy snap-in can be opened in several ways.
B. Ways to open the Group Policy snap-in
1. To open the local Group Policy snap-in
a. Open Microsoft Management Console
b. On the MMC’s menu bar, click Console and then click Add/Remove Snap-In
c. In the Add/Remove Snap-In dialog box, on the Standalone tab, click Add
d. In the Add Standalone Snap-In dialog box, click Group Policy and then click Add
e. In the Select Group Policy Object dialog box, ensure that Local Computer appears in the Group Policy Object box
f. Click Finish and then click Close in the Add Standalone Snap-In dialog box
g. In the Add/Remove Snap-In dialog box, click OK
h. The Group Policy snap-in for the local computer is now available.
2. To open the Group Policy snap-in from Active Directory Sites and Services
a. Open Active Directory Sites and Services
b. In the console tree, right-click the site to set group policy for, and then click Properties
c. Click the Group Policy tab, click an entry in the Group Policy Object Links list to select an existing GPO, and then click Edit
d. The Group Policy snap-in for the site is now available.
3. To open the Group Policy snap-in from Active Directory Users and Computers
a. Open Active Directory Users and Computers
b. In the console tree, right-click the domain or OU to set group policy for, and then click Properties
c. Click the Group Policy tab, click an entry in the Group Policy Object Links list to select an existing GPO, and then click Edit
d. The Group Policy snap-in for the domain or OU is now available.
C. Applying Group Policy
1. To a local computer (local GPO)
a. Open the local GPO stored on the local computer
b. Set the group policy setting in the Group Policy snap-in
Note Local security settings are available only by selecting Local Security Policy from the Administrative Tools menu.
2. To another computer (local GPO)
a. Open the local GPO stored on the Windows 2000 network computer
b. You must be an administrator of the network computer
3. To a site
a. Open a GPO
b. Link the GPO to the intended site
4. To a domain
a. Open a GPO
b. Link the GPO to the intended domain
5. To an organizational unit
a. Open a GPO
b. Link the GPO to the intended OU
Note A GPO also can be linked to an OU higher in the Active Directory hierarchy so that the OU can inherit group policy settings.
6. To any existing GPO or set of GPOs
a. Create and save custom MMCs
5. Group Policy Settings
A. Contained in a GPO
B. Determine the user’s desktop environment.
C. Two types: Computer Configuration settings and User Configuration settings
6. Computer and User Configuration Settings
A. Overview
1. Computer Configuration settings
a. Used to set group policies applied to computers, regardless of who logs on
b. Applied when the OS initializes
c. Include Software Settings, Windows Settings, and Administrative Templates
2. User Configuration settings
a. Used to set group policies applied to users, regardless of which computer the user logs on to
b. Applied when users log on to the computer
c. Include Software Settings, Windows Settings, and Administrative Templates
Note Although some settings are user interface settings, they can be applied to computers using Computer Configuration settings.
B. Software Settings
1. Contain only Software Installation settings by default for both computer and user configurations
2. Help specify how applications are installed and maintained within the organization, and provide a place for independent software vendors to add settings
3. An application is managed within a GPO that, in turn, is associated with a particular Active Directory container.
4. Applications can be managed in either assigned or published mode.
a. An application is assigned to a computer to ensure that the computers or people managed by the GPO have the application.
b. An application is published to make it available to people managed by the GPO.
c. An application can’t be published to computers.
C. Windows Settings
1. Scripts
a. Two types of scripts:
(1) Startup/shutdown scripts run at computer startup or shutdown.
(2) Logon/logoff scripts run when a user logs on or off the computer.
b. When multiple scripts are assigned to a user or computer, Windows 2000 executes the scripts from top to bottom.
c. The order of execution for multiple scripts can be specified in the Properties dialog box.
d. When a computer is shut down, Windows 2000 first processes logoff scripts, followed by shutdown scripts.
e. The default timeout value for processing scripts is 10 minutes.
(1) A software policy can be used to adjust the timeout value if the logoff and shutdown scripts require more than 10 minutes to process.
f. Administrators can use any ActiveX scripting language they choose.
g. Scripting languages include VBScript, JScript, Perl, and MS-DOS–style batch files.
2. Security Settings
a. Allow a security administrator to manually configure the security levels assigned to a local or nonlocal GPO
b. The configuration can be done after, or instead of, using a security template to set system security.
3. Additional User Configuration group policy settings
a. Internet Explorer (IE) Maintenance: Allows the administration and customization of IE on Windows 2000 computers
b. Remote Installation Services (RIS): Used to control the behavior of remote OS installation; optionally, can be used to provide customized packages for non–Windows 2000 clients of Active Directory
Note Group policy requires a genuine Windows 2000 client, not merely a pre–Windows 2000 client of Active Directory.
c. Folder Redirection: Allows for the redirection of Windows 2000 special folders from their default user profile location to an alternate location on the network, where they can be centrally managed
D. Administrative Templates
1. Overview
a. More than 450 settings are available for configuring the user environment.
b. Computer configurations are saved in the registry in HKEY_LOCAL_MACHINE (HKLM).
c. User configurations are saved in the registry in HKEY_CURRENT_USER (HKCU).
2. Computer Configuration and User Configuration
a. Administrative Templates contains all registry-based group policy settings.
(1) Windows Components: Allows administration of the Windows 2000 components, including NetMeeting, Internet Explorer, Windows Explorer, MMC, Task Scheduler, and Windows Installer
(2) System: Used to control logon and logoff functions and group policy itself
(3) Network: Allows the control of settings for Offline Files and Network and Dial-Up Connections
3. Computer Configuration only
a. Administrative Templates contains additional group policy settings for Printers.
b. The System node contains Disk Quotas, DNS Client, and Windows File Protection settings.
4. User Configuration only
a. Administrative Templates contains additional registry-based group policy settings.
(1) Start Menu & Taskbar settings: Control a user’s Start menu and taskbar
(2) Desktop settings: Control the appearance of a user’s desktop
(3) Control Panel settings: Determine the Control Panel options available to a user
Note To display Administrative Templates settings, click the Administrative Templates node, click View, and then click either Show Policies Only to show all settings, or Show Configured Policies Only to show only those settings that have been configured.
7. The MMC Snap-In Model
A. Nodes of the Group Policy snap-in are MMC snap-in extensions.
B. By default, all the available Group Policy snap-in extensions are loaded when the Group Policy snap-in is started.
C. The default behavior can be modified by using the MMC method of creating custom consoles and by using policy settings to control the behavior of MMC itself.
D. The Administrative Templates node is used to configure the policy settings.
E. Developers can create an MMC extension to the Group Policy snap-in to provide additional policies.
F. Snap-in extensions may themselves be extended.
8. Group Policy Snap-In Namespace
A. The root node of the Group Policy snap-in is displayed as the name of the GPO and the domain to which it belongs.
B. Format: GPO Name [DomainName] Policy
C. Example: Default Domain Controllers Policy [server1.microsoft.com] Policy
9. How Group Policy Affects Startup and Logon
A. The network starts, and Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) are started.
B. An ordered list of GPOs is obtained for the computer, the contents of which may depend on the following factors:
1. Whether the computer is part of a Windows 2000 domain and therefore subject to group policy through Active Directory
2. The location of the computer in Active Directory
3. If the list of GPOs has not changed, then no processing is done; a group policy setting can be used to change this behavior.
C. Computer configuration settings are processed.
1. Occurs synchronously by default
2. Occurs in the following order: local GPO, site GPOs, domain GPOs, OU GPOs, and so on
3. No user interface is displayed during processing.
D. Startup scripts run.
1. Hidden and synchronous by default
2. Each script must complete or time out before the next one starts.
3. Default timeout is 10 minutes; several group policy settings can be used to modify this behavior.
E. The user presses Ctrl+Alt+Delete to log on.
F. After the user is validated, the user profile is loaded, governed by the group policy settings in effect.
G. An ordered list of GPOs is obtained for the user, the contents of which may depend on the following factors:
1. Whether the user is part of a Windows 2000 domain and therefore subject to group policy through Active Directory
2. Whether loopback is enabled and the state of the loopback policy setting
3. The location of the user in Active Directory
4. If the list of GPOs to be applied has not changed, then no processing is done; a policy setting can be used to change this behavior.
H. User configuration settings are processed.
1. Occurs synchronously by default
2. Occurs in the following order: local GPO, site GPOs, domain GPOs, OU GPOs, and so on
3. No user interface is displayed while user policies are being processed.
I. Logon scripts run.
1. Run hidden and asynchronously by default, unlike Windows NT 4.0 scripts
2. The user object script runs last.
J. The OS user interface prescribed by group policy appears.
10. How Group Policy Is Processed
A. Processing order
1. Local GPO: Each Windows 2000 computer has exactly one GPO stored locally
2. Site GPOs: Any GPOs that have been linked to the site are processed next, synchronously; the administrator specifies the order of GPOs linked to a site
3. Domain GPOs: Multiple domain-linked GPOs are processed synchronously; the administrator specifies the order of GPOs linked to a domain
4. OU GPOs: GPOs linked to the OU highest in the Active Directory hierarchy are processed first, followed by GPOs linked to its child OU, and, finally, the GPOs linked to the OU that contains the user or computer are processed
a. At each OU level in the Active Directory hierarchy, one, many, or no GPOs can be linked.
b. If several group policies are linked to an OU, then they are processed synchronously in an order specified by the administrator.
B. Exceptions to the processing order
1. A computer that is a member of a workgroup processes only the local GPO.
2. No Override
a. Any GPO linked to a site, domain, or OU can be set to No Override with respect to that site, domain, or OU so that none of its policy settings can be overridden.
b. When more than one GPO has been set to No Override, the one highest in the Active Directory hierarchy takes precedence.
c. No Override is applied to the GPO link.
3. Block Policy Inheritance
a. Any site, domain, or OU can be selectively marked as Block Policy Inheritance; GPO links set to No Override are always applied and cannot be blocked.
b. Applied directly to the site, domain, or OU; it isn’t applied to GPOs or GPO links
c. Deflects all group policy settings that reach the site, domain, or OU from above, no matter from what GPOs those settings originate
4. Loopback setting
a. An advanced group policy setting that is useful on computers in certain closely managed environments, such as kiosks, laboratories, classrooms, and reception areas
b. Provides alternatives to the default method of obtaining the ordered list of GPOs whose user configuration settings affect a user
c. By default, a user’s settings come from a GPO list that depends on the user’s location in Active Directory.
d. The ordered list goes from site-linked to domain-linked to OU-linked GPOs, with inheritance determined by the location of the user in Active Directory and in an order specified by the administrator at each level.
e. Can be Not Configured, Enabled, or Disabled, as can any other group policy setting
f. In the Enabled state, two modes are available
(1) Replace: The GPO list for the user is replaced in its entirety by the GPO list already obtained for the computer at computer startup; the computer’s GPOs replace the user GPOs normally applied to the user.
(2) Merge: The GPO lists are concatenated; the GPO list obtained for the computer at computer startup is appended to the GPO list obtained for the user at logon, and it takes precedence if it conflicts with settings in the user’s list.
11. Group Policy Inheritance
A. Group policy is passed down from parent to child containers.
B. If a separate group policy is assigned to a parent container, that group policy applies to all containers beneath the parent container, including the user and computer objects in the container.
C. If a group policy setting is specified for a child container, the child container’s group policy setting overrides the setting inherited from the parent container.
D. If a parent OU has policy settings that are not configured, the child OU does not inherit them.
E. Policy settings that are disabled are inherited as disabled.
F. If a policy is configured for a parent OU, but not for a child OU, the child inherits that parent’s policy setting.
G. If a parent policy and a child policy are compatible, the child inherits the parent policy and the child’s setting is also applied.
H. Policies are inherited as long as they are compatible.
I. If a policy configured for a parent OU is incompatible with the same policy configured for a child OU, the child does not inherit the policy setting from the parent; the setting in the child is applied.
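A worked model of the processing order and exceptions described in sections 10 and 11 above (local, site, domain, OU order; No Override; Block Policy Inheritance; loopback Replace and Merge; Not Configured and Disabled inheritance). This is an added example, not code from the study notes or from Windows; the container chain, GPO names and setting names are constructed, and it assumes that links within one container are applied in the order listed, so that the last listed link wins a conflict inside that container.

```python
"""Windows 2000 group policy precedence model (added example; constructed data).

Rules from the notes: local GPO first, then site, domain and OU GPOs, a later
GPO overriding an earlier one; Block Policy Inheritance deflects everything from
above except No Override links; among No Override links the highest in the
hierarchy wins; loopback Replace/Merge rewrites the user's list; Not Configured
never overrides and Disabled is inherited as Disabled.  Assumption: links in one
container apply in the listed order, so the last listed wins inside that container."""
from dataclasses import dataclass, field
from typing import Optional

NOT_CONFIGURED = None            # no registry change, so it never overrides anything
ENABLED, DISABLED = "Enabled", "Disabled"

@dataclass
class GPO:
    name: str
    settings: dict               # setting name -> ENABLED / DISABLED / value / NOT_CONFIGURED

@dataclass
class Link:
    gpo: GPO
    no_override: bool = False    # No Override is set on the link, not on the GPO

@dataclass
class Container:                 # site, domain or OU; a chain lists them from site down to leaf OU
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False   # Block Policy Inheritance is set on the container

def ordered_gpo_list(local_gpo: GPO, chain: list, in_domain: bool = True) -> list:
    """GPOs in application order: first applied first, last applied wins conflicts."""
    if not in_domain:                      # workgroup member: only the local GPO is processed
        return [local_gpo]
    ordinary = [local_gpo]                 # processed first, so least influential
    enforced = []                          # (depth, gpo) for No Override links; never blocked
    for depth, container in enumerate(chain):
        if container.block_inheritance:
            ordinary = [local_gpo]         # deflect every non-enforced GPO coming from above
        for link in container.links:
            if link.no_override:
                enforced.append((depth, link.gpo))
            else:
                ordinary.append(link.gpo)
    # Enforced GPOs go last; the highest in the hierarchy (smallest depth) is applied
    # very last so that it takes precedence over enforced GPOs linked lower down.
    enforced.sort(key=lambda item: item[0], reverse=True)
    return ordinary + [gpo for _, gpo in enforced]

def effective_settings(gpos: list) -> dict:
    """Merge in application order; skip Not Configured so the earlier value survives."""
    result = {}
    for gpo in gpos:
        for key, value in gpo.settings.items():
            if value is not NOT_CONFIGURED:
                result[key] = value        # Disabled is a real value and is inherited as such
    return result

def user_gpo_list(user_list: list, computer_list: list, loopback: Optional[str]) -> list:
    """Loopback: 'Replace' uses only the computer's list; 'Merge' appends the computer's
    list so its settings win conflicts; any other state keeps the user's own list."""
    if loopback == "Replace":
        return list(computer_list)
    if loopback == "Merge":
        return list(user_list) + list(computer_list)
    return list(user_list)

# ---- constructed scenario: a Sales user logging on to a kiosk computer ----------
LOCAL = GPO("Local", {"RemoveRun": DISABLED, "Wallpaper": "local.bmp"})
SITE_GPO = GPO("HQ-Site", {"Wallpaper": "site.bmp"})
DOMAIN_SECURITY = GPO("Domain-Security", {"RemoveRun": ENABLED})     # linked with No Override
DOMAIN_BASE = GPO("Domain-Base", {"Wallpaper": "corp.bmp", "HideDesktop": DISABLED})
SALES_GPO = GPO("Sales-Desktop", {"Wallpaper": "sales.bmp", "SalesToolbar": ENABLED,
                                  "HideDesktop": NOT_CONFIGURED})
KIOSK_GPO = GPO("Kiosk-Lockdown", {"Wallpaper": "kiosk.bmp", "HideDesktop": ENABLED})

SITE = Container("HQ-Site", [Link(SITE_GPO)])
DOMAIN = Container("corp", [Link(DOMAIN_SECURITY, no_override=True), Link(DOMAIN_BASE)])
SALES_OU = Container("Sales", [Link(SALES_GPO)], block_inheritance=True)   # blocks site/domain
KIOSK_OU = Container("Kiosks", [Link(KIOSK_GPO)])
SALES_USER_CHAIN = [SITE, DOMAIN, SALES_OU]       # where the user object lives
KIOSK_COMPUTER_CHAIN = [SITE, DOMAIN, KIOSK_OU]   # where the kiosk computer object lives

def demo() -> dict:
    """Return the GPO orders and the effective settings under each loopback mode."""
    user_list = ordered_gpo_list(LOCAL, SALES_USER_CHAIN)
    computer_list = ordered_gpo_list(LOCAL, KIOSK_COMPUTER_CHAIN)
    out = {"user_order": [g.name for g in user_list],
           "computer_order": [g.name for g in computer_list]}
    for mode in ("Default", "Replace", "Merge"):
        out["effective_" + mode] = effective_settings(
            user_gpo_list(user_list, computer_list, mode))
    out["effective_workgroup"] = effective_settings(
        ordered_gpo_list(LOCAL, SALES_USER_CHAIN, in_domain=False))
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that Block Policy Inheritance on the Sales OU drops the site and Domain-Base GPOs, but the No Override Domain-Security link still lands last and wins, and Merge keeps the user's SalesToolbar setting while Replace discards it.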
12. Using Security Groups to Filter Group Policy
A. More than one GPO can be linked to a site, domain, or OU, and GPOs associated with other directory objects may also need to be linked there.
B. By setting the appropriate permissions for security groups, group policy can be filtered to influence only the computers and users specified.
Chapter 12, Lesson 2
Group Policy Implementation Planning
1. Overview
A. Create a plan to manage group policies.
B. Plan GPO settings and GPO implementation methods to provide the most efficient group policy management for organizations.
2. Designing GPOs by Setting Type
A. Single Policy Type
1. Includes GPOs that deliver a single type of group policy setting
2. The goal is to separate each type of group policy setting into a separate GPO.
a. Create a GPO for software management settings, user documents and settings, software policies, and so on.
b. Give Read/Write access only to the user or users who need to administer a GPO.
3. Best suited for organizations in which administrative responsibilities are delegated among several individuals
B. Multiple Policy Type
1. Includes GPOs that deliver multiple types of group policy settings
2. The goal is to include multiple types of group policy settings in a single GPO.
3. Best suited for organizations in which administrative responsibilities are centralized and an administrator may need to perform many or all types of group policy administration
C. Dedicated Policy Type
1. Includes GPOs dedicated to either Computer Configuration or User Configuration group policies
2. The goal is to include all User Configuration group policy settings in one GPO, and all Computer Configuration group policy settings in a separate GPO.
3. Increases the number of GPOs that must be processed at logon; lengthens logon time
4. Aids in troubleshooting
3. GPO Implementation Strategies
A. Planning an Active Directory structure requires consideration of how group policy will be implemented for the organization.
B. Delegation of authority, separation of administrative duties, central versus decentralized administration, and design flexibility are important factors.
C. Most organizations will combine several strategies to create custom solutions.
4. Layered vs. Monolithic GPO Design
A. Layered
1. The goal is to include a specific policy setting in as few GPOs as possible.
a. Create a base GPO to be applied to the domain that contains policy settings for as many users and computers in the domain as possible.
b. Create additional GPOs tailored to the common requirements of each corporate group and apply them to the appropriate OUs.
2. When a change is required, only one or a few GPOs have to be modified to enforce the change.
3. Administration is simplified at the expense of a longer logon time.
4. Best suited for environments in which different groups in the organization have common security concerns and changes to group policy are frequent
B. Monolithic
1. The goal is to use very few GPOs for any given user or computer.
2. All the policy settings required for a given site, domain, or OU should be implemented within a single GPO.
3. If the site, domain, or OU has groups of users or computers with different policy requirements, consider subdividing the container into OUs and applying separate GPOs to each OU rather than to the parent.
4. Changes involve more administration than with the layered approach because the settings may need to be changed in multiple GPOs.
5. The logon time is shorter than it is with the layered approach.
6. Best suited for environments in which users and computers can be classified into a small number of groups for policy assignment
5. Functional Roles vs. Team Design
A. Overview
1. Active Directory’s OU structure was designed to facilitate ease of administration and delegation of authority.
2. The OU structure may or may not represent the functional roles within the organization.
3. When designing group policy for an organization with a functional role OU structure, the group policy should be designed by delegating control to the OU levels.
4. If the OU architecture does not represent group organization, then OU delegation of control should be used, but groups should be used as a filtering mechanism for applying group policy.
B. Functional roles design
1. The goal is to use an OU structure that reflects the functional roles within the organization for applying group policy.
2. A minimum number of GPOs is used, with each tailored to a group’s specific needs.
a. A GPO is created for each OU.
b. Network administrators can set ACL permissions for GPO administration either at the domain or OU administrator level.
3. Best suited for organizations designed according to functional roles—groups of users organized according to users’ occupations
4. Each functional role requires specific group policies.
C. Team design
1. The goal is to use groups as a filtering mechanism in applying group policy in an organization that uses the virtual team concept.
a. GPOs are created for each virtual team.
b. Users can exist in only one OU at a time, so a single GPO is created at the top of the hierarchy that filters down to each OU.
2. Individuals within the organization form teams to perform a task or project, and each individual is a member of multiple teams.
3. Each team has specific group policy requirements.
4. Eliminates complexity by strategically applying the GPOs at only one location
5. Allows administrators to centrally administer the GPOs and minimizes the GPO-to-OU assignments
6. Best suited for organizations that need an efficient and flexible method of managing group policy in a dynamic environment with an OU architecture that does not reflect the team structure
6. OU Delegation with Central or Distributed Control
A. Overview
1. Administration of OUs can be delegated.
2. OU administrators may need to block group policies that have been assigned to their OU at higher organizational levels.
3. Certain policies may need to be enforced, and OU administrators will not be allowed to block them.
a. Accomplished by using a central or distributed control design
B. Central control design
1. Offers delegated administration as well as centralized control
a. Use the No Override option on OUs.
b. Create a GPO to include only security settings for a domain, and then set the No Override option so that all child OUs are affected by the security options specified at the domain level.
c. For all other types of policy, control of those GPOs could be delegated to the specific OU administrators.
2. Best suited for organizations that choose to delegate the administration of OUs but would like to enforce certain group policies throughout the domain
C. Distributed control design
1. Administrators of OUs are allowed to block group policies from being applied to their OU but cannot block group policies that are marked as No Override.
a. Create GPOs for each OU.
b. Set ACL permissions allowing OU administrators full control over GPOs.
c. Set the Block Policy Inheritance option for each OU.
2. Best suited for organizations that choose to minimize the number of domains but do not want to sacrifice autonomous administration of OUs
3. Allows administrators to enforce certain group policies throughout the domain
Chapter 12, Lesson 3
Implementing Group Policy
1. Tasks for Implementing Group Policy
A. Creating a GPO
B. Creating a console for the GPO
C. Delegating administrative control of the GPO
D. Specifying group policy settings for the GPO
E. Disabling unused group policy settings
F. Indicating any GPO processing exceptions
G. Filtering the scope of the GPO
H. Linking the GPO to a site, domain, or OU
2. To Create a GPO
A. Determine the type of GPO to create
1. To create a GPO linked to a domain or an OU, open Active Directory Users and Computers.
2. To create a GPO linked to a site, open Active Directory Sites and Services.
B. Right-click the site, domain, or OU for which to create the GPO, click Properties, and select the Group Policy tab
C. Click New and then type the GPO name to be used
D. By default, the new GPO is linked to the site, domain, or OU that was selected in the MMC when it was created, and its settings apply to that site, domain, or OU
E. Click Close
3. To Create a GPO Console
A. Click Start and then point to Run
B. In the Run dialog box, type mmc in the Open box and click OK
C. In the new MMC console, on the Console menu, click Add/Remove Snap-In
D. In the Add/Remove Snap-In dialog box, click Add
E. In the Add Standalone Snap-In dialog box, select Group Policy, and then click Add
F. On the Select Group Policy Object page, click Browse to find the GPO for which to create a snap-in
G. In the Browse For A Group Policy Object dialog box, click the All tab, click the GPO name, and then click OK
H. On the Select Group Policy Object page, click Finish, and then click Close in the Add Standalone Snap-In dialog box
I. Click OK in the Add/Remove Snap-In dialog box
J. On the Console menu, click Save As
K. In the Save As dialog box, type the GPO name in the File Name box and click Save. The GPO console is now available on the Administrative Tools menu
4. Delegating Administrative Control of a GPO
A. Overview
1. After a GPO is created, it is important to determine which groups of administrators have access permissions to the GPO.
2. By default, the Default Domain Policy GPO cannot be deleted by any administrator.
a. Prevents the accidental deletion of this GPO, which contains important required settings for the domain
3. If working with a GPO from a prebuilt console such as Active Directory Users and Computers, the Delegation Of Control Wizard is not available for delegating administrative control of a GPO; it only controls security of an object.
B. Default GPO permissions for security groups
1. Authenticated Users: Read, Apply Group Policy, Special Permissions
2. CREATOR OWNER: Special Permissions
3. Domain Administrators: Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
4. Enterprise Administrators: Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
5. SYSTEM: Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
C. To delegate administrative control of a GPO
1. Access the Group Policy snap-in for the GPO
2. Right-click the root node of the console and click Properties
3. Click the Security tab and then click the security group for which to allow or deny administrative access to the GPO
4. If the list of security groups for which to allow or deny administrative access to the GPO needs to be changed, add or remove security groups using Add and Remove
5. To provide administrative control of all aspects of the GPO, set both the Read and Write permissions to Allow
6. A user or administrator who has Read access but not Write access to a GPO cannot use the Group Policy snap-in to see the settings that it contains; extensions to the Group Policy snap-in require Write access to open a GPO
7. Click OK
5. To Specify Group Policy Settings
A. Access the Group Policy snap-in for the GPO
B. In the console tree, expand the item that represents the particular policy to be set
C. In the details pane, right-click the policy to be set and then click Properties
D. Click Enabled to apply the policy to users or computers subject to this GPO and then click OK
1. Not Configured indicates that no change will be made to the registry regarding this setting.
2. Disabled indicates that the registry will indicate that the policy does not apply to users or computers that are subject to this GPO.
6. Disabling Unused Group Policy Settings
A. Overview
1. If a GPO has only settings that are Not Configured, then it is possible to avoid processing those settings by disabling the node.
2. Disabling the node expedites startup and logon for those users and computers subject to the GPO.
B. To disable the Computer Configuration or User Configuration settings for a GPO
1. Access the Group Policy snap-in for the GPO
2. Right-click the root node of the console and click Properties
3. On the General tab in the Properties dialog box:
a. To disable the Computer Configuration settings, click the Disable Computer Configuration Settings check box.
b. To disable the User Configuration settings, click the Disable User Configuration Settings check box.
4. Click OK
7. Indicating GPO Processing Exceptions
A. Overview
1. GPOs are processed according to the Active Directory hierarchy.
a. Local GPO
b. Site GPOs
c. Domain GPOs
d. OU GPOs
2. The default order of processing group policy settings may be changed by the following:
a. Modifying the order of GPOs for an object
b. Specifying the Block Policy Inheritance option
c. Specifying the No Override option
d. Enabling the Loopback setting
B. To modify the order of GPOs for an object
1. Open Active Directory Users and Computers to set the order of GPOs for a domain or OU, or open Active Directory Sites and Services to modify the order of GPOs for a site
2. In the console tree, right-click the site, domain, or OU for which to modify the GPO order, click Properties, and then click the Group Policy tab
3. In the Group Policy Object Links list, select the GPO and click the Up or Down button to change the priority of the GPO for this site, domain, or OU
4. Windows 2000 processes GPOs from the top of the list to the bottom of the list.
C. To specify the Block Policy Inheritance option
1. Open Active Directory Users and Computers to specify the Block Policy Inheritance option for a domain or OU, or open Active Directory Sites and Services to specify the Block Policy Inheritance option for a site
2. In the console tree, right-click the site, domain, or OU for which to specify the Block Policy Inheritance option, click Properties, and then click the Group Policy tab
3. Select the Block Policy Inheritance check box to specify that all GPOs linked to higher-level sites, domains, or OUs should be blocked from linking to this site, domain, or OU
a. GPOs that use the No Override option cannot be blocked.
D. To specify the No Override option
1. Open Active Directory Users and Computers to specify the No Override option for a domain or OU, or open Active Directory Sites and Services to specify the No Override option for a site
2. In the console tree, right-click the site, domain, or OU to which the GPO is linked, click Properties, and then click the Group Policy tab
3. Select the GPO, click Options, and then select the No Override check box in the Options dialog box to specify that other GPOs should be prevented from overriding settings in this GPO
4. Click OK
E. To enable the Loopback setting
1. Access the Group Policy snap-in for the GPO
2. In the console tree, expand Computer Configuration, Administrative Templates, System, and Group Policy
3. In the details pane, double-click User Group Policy Loopback Processing Mode
4. In the User Group Policy Loopback Processing Mode Properties dialog box, click Enabled
5. Select one of the following modes in the Mode list:
a. Replace: Replaces the GPO list for the user with the GPO list already obtained for the computer at computer startup
b. Merge: Appends the GPO list already obtained for the computer at computer startup to the GPO list obtained for the user at logon
6. Click OK
8. Filtering GPO Scope
|55| A. Overview
1. Policies in a GPO apply only to users who
have Read permission for that GPO.
2. The scope of a GPO is filtered by
creating security groups and then assigning Read permission to the selected
groups.
3. A policy is prevented from applying to a
specific group by denying that group Read permissions to the GPO.
B. To filter the scope of a GPO
1. Access the Group Policy snap-in for the
GPO
2. Right-click the root node of the console
and then click Properties
3. Click the Security tab and then click the
security group through which to filter this GPO
4. If the list of security groups through
which to filter this GPO needs to be changed, add or remove security groups
using Add and Remove
5. Set the permissions
|56| C. Permissions for GPO scopes
1. GPO scope: Members of this security group
should have this GPO applied to them
a. Permissions: Set Apply Group Policy (AGP)
to Allow, and set Read to Allow
b. Result: This GPO applies to members of
this security group unless they are members of at least one other security
group that has AGP set to Deny, or Read set to Deny, or both
2. GPO scope: Members of this security group
are exempt from this GPO.
a. Permissions: Set AGP to Deny, and set Read
to Deny
b. Result: This GPO never applies to members
of this security group regardless of the permissions those members have in
other security groups
3. GPO scope: Membership in this security
group is irrelevant to whether the GPO should be applied
a. Permissions: Set AGP to neither Allow nor
Deny and set Read to neither Allow nor Deny
b. Results: This GPO applies to members of
this security group only if they have both AGP and Read set to Allow as members
of at least one other security group; also must not have AGP or Read set to
Deny as members of any other security group
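The three scope cases in the table above reduce to one decision rule: any Deny on Apply Group Policy or Read through any group exempts the principal, otherwise both rights must be allowed through the groups it belongs to. This added example (not from the lesson or Microsoft) implements that rule over a constructed ACL and constructed users; the GpoAce class, the function names, and all group and user names are assumptions.

```python
"""Model of GPO scope filtering by security-group permissions, following the
Apply Group Policy (AGP) / Read rules in the lesson. Added example with
constructed data; class and function names are mine, not Windows APIs."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

ALLOW = "Allow"
DENY = "Deny"


@dataclass(frozen=True)
class GpoAce:
    """What one security group is granted on the GPO; None = neither Allow nor Deny."""
    apply_group_policy: Optional[str] = None
    read: Optional[str] = None


def gpo_applies(member_of: Iterable[str], acl: Dict[str, GpoAce]) -> bool:
    """Does the GPO apply to a principal that is a member of the given groups?

    A Deny on AGP or Read through any group exempts the principal outright;
    otherwise both AGP and Read must be allowed through the groups it belongs to
    (allows accumulate across groups, as in normal ACL evaluation).
    """
    agp_allowed = read_allowed = False
    for group in member_of:
        ace = acl.get(group)
        if ace is None:
            continue                      # scope case 3: membership is irrelevant
        if ace.apply_group_policy == DENY or ace.read == DENY:
            return False                  # scope case 2: exempt, whatever else applies
        agp_allowed = agp_allowed or ace.apply_group_policy == ALLOW
        read_allowed = read_allowed or ace.read == ALLOW
    return agp_allowed and read_allowed   # scope case 1 needs both rights allowed


def audit_scope(users: Dict[str, Iterable[str]], acl: Dict[str, GpoAce]) -> Dict[str, bool]:
    """Map each user name to whether the GPO would apply, given their group memberships."""
    return {user: gpo_applies(groups, acl) for user, groups in users.items()}


# Constructed ACL on a hypothetical "Sales-Desktop" GPO (not a real environment).
SALES_DESKTOP_ACL = {
    "Authenticated Users": GpoAce(apply_group_policy=ALLOW, read=ALLOW),   # case 1
    "Sales-Managers": GpoAce(apply_group_policy=DENY, read=DENY),          # case 2
    "Helpdesk": GpoAce(read=ALLOW),                # may read the GPO, but it is not applied
    "Pilot-Exempt": GpoAce(apply_group_policy=DENY),   # Read untouched, AGP denied
    # "Contractors" has no entry at all: case 3
}

# Constructed users and their group memberships.
SAMPLE_USERS = {
    "alice": ["Authenticated Users", "Sales"],
    "bob": ["Authenticated Users", "Sales-Managers"],
    "carol": ["Authenticated Users", "Pilot-Exempt"],
    "dave": ["Helpdesk"],                 # no Allow on AGP through any group
    "erin": ["Contractors", "Authenticated Users"],
}

if __name__ == "__main__":
    for user, applies in audit_scope(SAMPLE_USERS, SALES_DESKTOP_ACL).items():
        print(f"{user:6} -> {'applies' if applies else 'does not apply'}")
```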
9. Linking a GPO
|57| A. Overview
1. By default, a new GPO is linked to the
site, domain, or OU that was selected in the MMC when it was created.
2. The new GPO’s settings apply to that
site, domain, or OU.
3. The Group Policy tab for the site,
domain, or OU properties is used to link a GPO to additional sites, domains, or
OUs.
B. To link a GPO to a site, domain, or OU
1. Open Active Directory Users and Computers
to link a GPO to a domain or OU, or open Active Directory Sites and Services to
link a GPO to a site
2. In the console, right-click the site,
domain, or OU to which the GPO should be linked
3. Click Properties, and then click the
Group Policy tab
4. If the GPO already appears in the Group
Policy Object Links list, then click Cancel; if it doesn’t appear in the list,
then click Add
|58| 5. In the Add A Group Policy Object Link
dialog box, click the All tab, click the desired GPO, and then click OK
6. In the Properties dialog box for the
site, domain, or OU, click OK
10. Modifying Group Policy
A. Removing a GPO link
B. Deleting a GPO
C. Editing a GPO and GPO settings
|59| 11. Removing
a GPO Link
A. Overview
1. Removing a GPO link unlinks the GPO from
the specified site, domain, or OU.
2. The GPO remains in Active Directory until
it is deleted.
B. To remove a GPO link
1. Open Active Directory Users and Computers
to unlink a GPO from a domain or OU, or open Active Directory Sites and
Services to unlink a GPO from a site
2. In the console, right-click the site,
domain, or OU from which the GPO should be unlinked
3. Click Properties and then click the Group
Policy tab
4. In the Group Policy tab, select the GPO
to unlink and then click Delete
5. In the Delete dialog box, click Remove
The Link From The List
6. The GPO remains in Active Directory but
is no longer linked.
12. Deleting a GPO
A. Overview
1. Deleting a GPO removes it from Active
Directory.
2. Any sites, domains, or OUs to which a GPO
is linked when it is deleted will no longer be affected by it.
B. To delete a GPO
1. Open Active Directory Users and Computers
to delete a GPO from a domain or OU, or open Active Directory Sites and
Services to delete a GPO from a site
2. In the console, right-click the site,
domain, or OU from which the GPO should be deleted
3. Click Properties and then click the Group
Policy tab
4. In the Group Policy tab, select the GPO
to delete, and then click Delete
5. In the Delete dialog box, click Remove
The Link And Delete The Group Policy Object Permanently and then click OK
6. The GPO is removed from Active Directory.
13. Editing a GPO
A. The same procedures that are used for
creating a GPO and for specifying group policy settings are used to edit a GPO
or its settings.
|60| Chapter 12, Lesson 4
Managing Software Using Group Policy
|61| 1. Overview
A. The Software Installation extension is a
software management feature of Windows 2000 that is an administrator’s primary
tool for managing software within an organization.
B. Managing software using Software
Installation provides users with immediate access to the software needed to
perform their jobs and ensures that users have an easy and consistent
experience when working with software throughout its life cycle.
C. Users no longer need to look for a network
share, use a CD-ROM, or install, fix, and upgrade software themselves.
2. Software Management Tools
|62| A. Overview
1. The Software Installation extension of
the Group Policy snap-in: Used by administrators to manage software
2. Windows Installer: Installs software
packaged in Windows Installer files.
3. Add/Remove Programs in Control Panel:
Used by users to manage software on their own computers
|63| B. The Software Installation extension
1. Overview
a. The primary tool for managing software
within an organization
b. Works in conjunction with group policy and
Active Directory
c. Centrally manages the installation of
software on a client computer by assigning applications to users or computers
or by publishing applications for users
d. Assigns required or mandatory software to
users or to computers
e. Publishes software that users might find
useful to perform their jobs
2. Establishes a group policy-based software
management system that allows:
a. Initial deployment of software
b. Mandatory and nonmandatory upgrades,
patches, and quick fixes for software
c. Removal of software
3. Assigning Applications
|64| A. Application assigned to a user
1. The application is advertised to the user
the next time he or she logs on to a workstation.
2. The application advertisement follows the
user regardless of which physical computer he or she actually uses.
3. The application is installed the first
time the user activates the application on the computer either by selecting the
application on the Start menu or by activating a document associated with the
application.
|65| B. Application assigned to the computer
1. The application is advertised and the
installation is performed when it is safe to do so.
2. A safe time typically is when the
computer starts up so that no competing processes are on the computer.
|66| 4. Publishing
Applications
A. When the application is published to
users, the application does not appear installed on the users’ computers.
B. No shortcuts are visible on the desktop or
Start menu.
C. No changes are made to the local registry
on the users’ computers.
D. Advertisement attributes are stored in
Active Directory.
E. Information, such as the application’s
name and file associations, is exposed to the users in the Active Directory
container.
F. After publication, the application is
available for user installation by using Add/Remove Programs in Control Panel
or by clicking a file associated with the application.
5. How Software Installation Works
|67| A. Overview
1. The Software Installation extension uses
Windows Installer technology to systematically maintain software.
2. Windows Installer is a service that
allows the OS to manage the installation process.
|68| B. Windows Installer’s three key parts
1. An OS service that performs the
installation, modification, and removal of the software in accordance with the
information in Windows Installer
2. A database containing information that
describes the installed state of the application
3. An API that allows applications to
interact with Windows Installer to install or remove additional features of the
application after the initial installation is complete
|69| C. Windows Installer’s advantages
1. Enables users to take advantage of
self-repairing applications
2. Notes when a program file is missing and
immediately reinstalls the damaged or missing files, thereby fixing the
application
3. Makes modifications to customize the
installation of a Windows Installer package at the time of assignment or
publication; modifications are saved with the .mst file extension.
|70| D. Windows Installer package
1. The Windows Installer package is a file
that contains explicit instructions on the installation and removal of specific
applications.
2. The developer provides the Windows
Installer package .msi file and ships it with the application.
3. If a Windows Installer package is not
provided with an application, it may need to be created or the application may
need to be repackaged using a third-party tool.
|71| E. Deploying software with Software
Installation is limited to certain file types
1. Native Windows Installer package .msi
files: Developed as a part of the application and take full advantage of the
Windows Installer
2. Repackaged application .msi files: Allow
applications that do not have a native Windows Installer package to be
repackaged
3. An existing setup program (application
.zap file): Installs an application by using its original SETUP.EXE program
|72| F. Other files encountered during Software
Installation
1. Patch .msp files: Used for bug fixes,
service packs, and similar files
2. Application assignment scripts (.aas files): Contain instructions associated with the
assignment or publication of a package
|73| G. Customizing Windows Installer packages
1. Modifications, also called transforms,
can be used to customize Windows Installer applications.
2. Customization is provided by allowing the
original package to be transformed using authoring and repackaging tools.
3. Some applications provide wizards or
templates that permit a user to create modifications.
|74| 6. Tasks
for Implementing Software Installation
A. Planning and preparing the software
installation
B. Setting up a software distribution point
C. Specifying Software Installation defaults
D. Deploying software applications
E. Setting automatic installation options
F. Setting up application categories
G. Setting software application properties
H. Maintaining software applications
7. Planning and Preparing a Software
Installation
|75| A. Considerations
1. Review the organization’s software
requirements on the basis of the overall organizational structure within Active
Directory and available GPOs.
2. Determine how to deploy the applications.
3. Create a pilot to test how software will
be assigned or published to users or computers.
4. Prepare software using a format that
allows the administrator to manage it based on what the organization requires.
5. Test all of the Windows Installer
packages or repackaged software.
|76| B. Strategies and considerations
1. Create OUs based on software management
needs
a. Allows the administrator to target
applications to the appropriate set of users
b. Group policy security settings are not
required to target the appropriate set of users.
2. Deploy software close to the root in the
Active Directory tree
a. Makes it easy to provide all users in an
organization with access to an application
b. Reduces administration by deploying a
single GPO rather than having to re-create that object in multiple containers
deep in the Active Directory tree
3. Deploy multiple applications with a
single GPO
a. Reduces administration by creating and
managing a single GPO rather than multiple GPOs
b. Provides a faster logon process because a
single GPO deploying 10 applications processes faster than 10 GPOs each
deploying one application
c. Appropriate in organizations where users
share the same core set of applications
4. Publish or assign one application only
once in the same GPO or in a series of GPOs that might apply to a single user
or computer
a. Makes it easier to determine which instance of the application applies to the
user or computer
|77| C. Software licenses
1. Licenses are required for software
written by independent software vendors (ISVs) and distributed using software
distribution points (SDPs).
2. The administrator is responsible for
matching the number of users who can access software to the number of licenses
on hand.
3. The administrator is responsible for
verifying that guidelines provided by each independent software vendor are
being followed.
4. The administrator should gather the
package formats for the software and perform any necessary modifications to the
packages.
|78| 8. To
Set Up an SDP
A. Create the folders for the software on the
file server that will be the SDP and make the folders network shares
B. Replicate the software to the SDPs by
placing or copying the software, packages, modifications, all necessary files,
and components to a distribution share(s); place all software in a separate
folder on the SDP
C. Set the appropriate permissions on the folders so that only administrators
can change the files and users can only read the files from the SDP folders and
shares; use group policy to manage the software within the appropriate GPO
Note Some
software supports special commands to facilitate the creation of an SDP. Other
software might have other ways to expand any compressed files from the
distribution media and transfer the files to the appropriate location.
9. Specifying Software Installation Defaults
|79| A. Overview
1. A GPO can contain several settings that
affect how an application is installed, managed, and removed.
2. The default settings for the new packages
are globally defined within the GPO in the General tab of the Software
Installation Properties dialog box.
3. Some of the default settings can be
changed later by editing the package properties in the Software Installation
extension.
B. To specify software installation defaults
1. Open the Group Policy snap-in and then,
in Computer or User Configuration, open Software Settings
2. Right-click the Software Installation
node and click Properties
|80| 3. In the General tab of the Software
Installation Properties dialog box, type the path to the default SDP for
packages (.msi files) in the Default Package Location box
4. In the New Packages section, select one
of the following:
a. Display The Deploy Software Dialog Box:
Specifies that when adding a new package, the Deploy Software dialog box will
display, allowing the administrator to assign, publish, or configure package
properties
b. Publish: Specifies that when a new package
is added, by default, it should be published with standard package properties;
packages can be published only to users, not to computers
c. Assign: Specifies that when a new package is added, by default, it should be
assigned with standard package properties; packages can be assigned to users and
computers
d. Advanced Published Or Assigned: Specifies
that when adding a new package, the Configure Package Properties form should
appear
5. In the Installation User Interface
Options section, select one of the following:
a. Basic: Provides only a basic display of
the installation process
b. Maximum: Provides all installation
messages and screens during the package installation
6. Check the Uninstall The Applications When
They Fall Out Of The Scope Of Management check box to specify that the package
should be removed when the GPO no longer applies to users or computers
7. Click OK
10. Deploying Software Installation Defaults
|81| A. Overview
1. Because software can be either assigned
or published, and targeted to either users or computers, a workable combination
can be established to meet the software management goals.
2. Modifications, or .mst files, are
customizations applied to Windows Installer packages.
3. Modifications must be applied at the time
of assignment or publication, not at the time of installation.
|82| B. Software deployment approaches
1. After deployment, the software is
available for installation after:
a. Publish (user only): Next logon
b. Assign (user): Next logon
c. Assign (computer): Next time the computer
starts
2. Typically, the user installs the software
from:
a. Publish (user only): Add/Remove Programs
in Control Panel
b. Assign (user): Start menu or Desktop
shortcut
c. Assign (computer): Software automatically
installs when the computer reboots.
3. If the software is not installed and the
user opens a file associated with the software, does the software install?
a. Publish (user only): Yes, if auto-install
is turned on
b. Assign (user): Yes
c. Assign (computer): Does not apply; the
software is already installed.
4. Can the user remove the software using
Add/Remove Programs in Control Panel?
a. Publish (user only): Yes, and the user can
choose to install it again from Add/Remove Programs in Control Panel
b. Assign (user): Yes, and the software is
available for installation again from the typical install points
c. Assign (computer): No, only the local
administrator can remove the software; a user can run a repair on the software
5. Supported installation files:
a. Publish (user only): Windows Installer
packages, .zap files
b. Assign (user): Windows Installer packages
c. Assign (computer): Windows Installer
packages
C. To assign applications
1. Open the Group Policy snap-in and then,
in Computer or User Configuration, open Software Settings
2. Right-click the Software Installation
node, click New, and click Package. The File Name list in the Open dialog box
shows those Windows Installer packages located at the SDP specified as the
default; if located elsewhere, the SDP for the package can be found by browsing
for it
3. In the File Name list in the Open dialog
box, select the Windows Installer package to be assigned and then click Open
4. In the Deploy Software dialog box, click
Assigned, and then click OK. If this is an application under the Computer
Configuration node of the Group Policy snap-in, the Published choice appears
dimmed because packages can only be assigned to computers, not published
|83| D. Publishing applications
1. Overview
a. An application is published to make it
available to people managed by the GPO, should they want the application.
b. Each person decides whether or not to
install the published application.
c. Applications can only be published to
users.
2. To publish applications
a. Open the Group Policy snap-in and then, in
User Configuration, open Software Settings
b. Right-click the Software Installation
node, click New, and then click Package. The File Name list in the Open dialog
box shows those packages located at the SDP specified as the default; if
located elsewhere, the SDP for the package can be found by browsing for it
c. In the File Name list in the Open dialog
box, select the Windows Installer package to be published and then click Open
d. In the Deploy Software dialog box, click
Published and then click OK
e. The application is available for users to
install either by using Add/Remove Programs in Control Panel or by opening a
file with a file name extension that has been associated with the application.
|84| E. Deploying applications with modifications
1. Overview
a. Modifications are associated with the
Windows Installer package at deployment time rather than when the Windows
Installer is actually using the package to install or modify the application.
b. Modifications (.mst files) are applied to
Windows Installer packages (.msi files) in an order specified by the
administrator.
c. The order in which modifications are
applied must be determined before the application is assigned or published.
2. To add or remove modifications for
applications
a. Open the Group Policy snap-in and then, in
Computer or User Configuration, open Software Settings
b. Right-click the Software Installation
node, click New, and then click Package
c. In the File Name list in the Open dialog
box, select the Windows Installer package to be published and then click Open
d. In the Deploy Software dialog box, click
Advanced Published Or Assigned and then click OK
e. In the Properties dialog box for the
package, click the Modifications tab
(1) To add modifications, click Add. In the Open dialog box, browse to find the
modification file (.mst) and then click Open; multiple modifications can be
added.
(2) To remove modifications, click the
modification to remove and then click Remove; repeat until each unwanted modification
has been removed.
(3) To set the order of modifications, select a
modification and then click Move Up or Move Down; modifications are applied
according to the order specified in the list.
f. Ensure the modifications are configured exactly as needed and then click OK
Note Do
not click OK until you have finished configuring the modifications. When you
click OK, the package is assigned or published immediately. If the
modifications are not properly configured, you will have to uninstall the package
or upgrade the package with a correctly configured version.
11. Setting Automatic Installation Options
|85| A. Overview
1. The application that is installed when
users select a file can be specified by the administrator by selecting a file
extension and configuring a priority for installing applications associated
with the file extension by using the File Extensions tab in the Software
Installation Properties dialog box.
2. The first application listed is the
application installed in association with the file extension.
3. File extension associations are managed
on a per-GPO basis.
4. Changing the priority order in a GPO
affects only those users who have that GPO applied to them.
B. To set automatic installation options
based on file name extension
1. Open the Group Policy snap-in and then,
in Computer or User Configuration, open Software Settings
2. Right-click the Software Installation
node and then click Properties
|86| 3. In the File Extensions tab of the
Software Installation Properties dialog box, select the file extension for
which to specify an automatic software installation from the Select File
Extension list
4. In the Application Precedence list box,
move the application with the highest precedence by default to the top of the
list using the Up or Down buttons. The application at the top of the list is
automatically installed if a document with the selected file name extension is
invoked before the application has been installed
5. Click OK
12. Setting Up Application Categories
|87| A. Overview
1. Organizing, assigning, and publishing
applications from within Add/Remove Programs in Control Panel into logical
categories makes it easier for users to locate the appropriate application.
2. Windows 2000 does not ship with any
predefined categories.
3. Categories are established per domain,
not per GPO.
4. Categories need to be defined only once
for the whole domain.
B. To set up categories for applications to
be managed
1. Open the Group Policy snap-in and then,
in Computer or User Configuration, open Software Settings
2. Right-click the Software Installation
node and then click Properties
3. In the Categories tab of the Software
Installation Properties dialog box, click Add
4. In the Enter New Category dialog box,
type the name of the application category in the Category box and click OK
5. In the Software Installation Properties dialog box, click OK
13. Setting Software Application Properties
|88| A. Overview
1. Each application can be fine-tuned in
several ways
a. By editing installation options
b. By specifying application categories to be
used
c. By setting permissions for the software
installation
|89| B. Editing installation options for
applications
1. Overview
a. Default settings can be changed, even if
they have been globally defined within the GPO, by editing the package
properties.
b. Installation options affect how an
application is installed, managed, and removed.
2. To edit installation options for
applications
a. Open the Group Policy snap-in and then, in
Computer or User Configuration, open Software Settings
b. Click the Software Installation node
c. In the details pane, right-click the
application for which to edit installation options and then click Properties
|90| d. In the Deployment tab of the Properties dialog
box for the application, select one of the following in the Deployment Type
area:
(1) Published: Enables users in the selected
site, domain, or OU to install the application using either Add/Remove Programs
in Control Panel or the application installation by file activation
(2) Assign: Enables users in the selected site,
domain, or OU to receive this application the next time they log on
e. In the Deployment Options area, select one
of the following:
(1) Auto-Install This Application By File Extension
Activation: To use the application precedence for the file name extension as
determined in the File Extensions tab of the Software Installation Properties
dialog box
(2) Uninstall This Application When It Falls
Out Of The Scope Of Management: To remove the application at logon (users) or
startup (computers) if the users or computers move to a site, domain, or OU for
which the application is not deployed
(3) Do Not Display This Package In The
Add/Remove Programs Control Panel: To specify that this package should not be
displayed in Add/Remove Programs in Control Panel
f. In the Installation User Interface
Options area, select one of the following:
(1) Basic: To provide only a basic display to
users during the install process
(2) Maximum: To provide all installation
messages and screens to users during the package installation
g. Click Advanced to display the Advanced
Deployment Options dialog box. In the Advanced Deployment Options area, select
either of the following check boxes:
(1) Ignore Language When Deploying This
Package: To specify whether to deploy the package even if it is in a different
language
(2) Remove Previous Installs Of This Product
From: If Product Was Not Installed By Group Policy-Based Software Installation:
To specify whether to remove previous installations of this product from users
or computers if the product was not installed by group policy–based Software
Installation
h. Click OK
i. On the Properties dialog box, click OK
|91| C. Specifying Application Categories
1. Overview
a. Applications must be associated with
existing categories.
b. Categories generally pertain to published
applications only because assigned applications do not appear in Add/Remove
Programs.
2. To specify application categories for
Add/Remove Programs in Control Panel
a. Open the Group Policy snap-in and then, in
Computer or User Configuration, open Software Settings
b. Click the Software Installation node
c. In the details pane, right-click the
application to specify application categories and then click Properties
|92| d. In the Categories tab of the Properties
dialog box for the application, click the categories to specify from the
Available Categories list and then click Select
e. Repeat step d to specify additional categories. Click OK when finished
selecting categories
D. To set permissions for software
installation
1. Open the Group Policy snap-in and then,
in Computer or User Configuration, open Software Settings
2. Click the Software Installation node
3. In the details pane, right-click the
application for which to specify software installation permissions and then
click Properties
4. In the Security tab of the application’s
Properties dialog box, click the security group on which to set permissions
a. Administrators who manage the application
installation should have the Full Control permission set to Allow. Users who
use the software assigned or published by the application should have the Read
permission set to Allow.
5. Click OK
14. Maintaining Software Applications
|93| A. Upgrading applications
1. Overview
a. Several events trigger an upgrade,
including:
(1) A new version release with new and improved
features
(2) A choice by the organization to use a
different vendor’s application
b. Upgrades typically incorporate major
changes into the software and normally have new version numbers.
c. A substantial number of files change for
an upgrade.
d. The Software Installation extension is
used to establish the procedure to upgrade an existing application to the
current release.
2. To upgrade applications
a. Open the Group Policy snap-in and then, in
Computer or User Configuration, open Software Settings
b. Click the Software Installation node
c. In the details pane, right-click the
Windows Installer package that will function as the upgrade and then click
Properties; this package will have been previously assigned or published
d. In the Upgrades tab of the application’s
Properties dialog box, click Add to create or add to the list of packages that
are to be upgraded by the current package
|94| e. In the Add Upgrade Package dialog box,
specify either Current Group Policy Object or A Specific GPO as the source of
the package to be upgraded. If A Specific GPO is chosen, click Browse, click
the GPO desired, and then, in the Browse For A Group Policy Object dialog box,
click OK
(1) A list of all the other packages assigned or published within the selected
GPO appears under the heading Package To Upgrade.
(2) Depending on the GPO, this list may have
zero or more entries.
f. Click the package to upgrade
g. Click either Uninstall The Existing
Package, Then Install The Upgrade Package, or Package Can Upgrade Over The
Existing Package, and then click OK
(1) Typically, the uninstall option is for
replacing an application with a completely different one.
(2) The upgrade option is for installing a
newer version of the same product while retaining the user’s application
preferences, document type associations, and so on.
h. On the Upgrades tab in the Properties
dialog box, enable the Required Upgrade For Existing Packages check box if the
upgrade is to be mandatory, and then click OK
(1) If this is an upgrade under the Computer
Configuration node of the Group Policy snap-in, the check box appears dimmed
and selected.
(2) Packages can only be assigned to computers,
not published.
|95| B. Removing applications
1. A version of a software application is no
longer supported
a. Administrators can remove the software
version from Software Installation without forcing the removal of the software
from the computers of users who are still using the software.
b. Users can continue to use the software
themselves.
c. No user is able to install the software
version.
2. A software application is no longer used.
a. Administrators can force the removal of
the software.
b. The software is automatically deleted from
a computer either the next time the computer is turned on or the next time the
user logs on.
c. Users cannot install or run the software.
Note When
you originally deploy the software, if you want the application to be removed
when a GPO no longer applies, select the Uninstall This Application When It
Falls Out Of The Scope Of Management option.
3. Removing applications
a. Open the Group Policy snap-in and then, in
Computer or User Configuration, open Software Settings
b. Click the Software Installation node
c. In the details pane, right-click the
application to remove, click All Tasks, and then click Remove
4. In the Remove Software dialog box, select
one of the following removal options:
a. Immediately Uninstall The Software From
Users And Computers: Select to specify that the application be removed the next
time a user logs on or restarts the computer
b. Allow Users To Continue To Use The
Software, But Prevent New Installations: Select to specify that users can
continue to use the application if they have already installed it. If they
remove the application or have never installed it, they will not be able to
install it
5. Click OK
|96| Chapter 12, Lesson 5
Managing Special Folders Using Group Policy
1. Folder Redirection
A. The Folder Redirection extension is used
to redirect certain Windows 2000 special folders to network locations.
B. The Folder Redirection extension is
located under User Configuration, Windows Settings in the Group Policy snap-in.
C. Special folders that can be redirected in
Windows 2000
1. Application Data
2. Desktop
3. My Documents
4. My Pictures
5. Start Menu
D. Advantages of redirecting the My Documents
folder
1. The user’s documents are always
available, even if the user logs on to various network computers.
2. When roaming user profiles are used, only
the network path to the My Documents folder is part of the roaming user
profile, not the My Documents folder itself.
3. Data stored on a shared network server
can be backed up as part of routine system administration, which requires no
action on the part of the user.
4. The system administrator can use group
policy to set disk quotas, limiting the amount of space used by users’ special
folders.
5. Data specific to a user can be redirected
to a different hard disk on the user’s local computer from the hard disk
holding the OS files.
2. Default
Locations for Special Folders
A. Windows 2000 new installation (no previous
OS)
1. C:\Documents and Settings
a. Where C:\ is the name of your system drive
b. Example: C:\Documents and Settings
B. Windows 2000 upgrade of Windows NT 4.0 or
NT 3.51
1. systemroot\Profiles
a. Example: C:\WinNT\Profiles
C. Windows 2000 Upgrade of Windows 95 or 98
(user profiles disabled)
1. C:\Documents and Settings
a. Where C:\ is the name of your system drive
b. Example: C:\Documents and Settings
D. Windows 2000 Upgrade of Windows 95 or 98
(user profiles enabled)
1. systemroot\Profiles
a. Example: C:\Windows\System\Profiles
3. Setting
Up Folder Redirection
A. Overview
1. Redirect to a location according to
security group membership.
2. Redirect to one location for everyone in
the site, domain, or OU.
3. Redirect the My Pictures folder to follow
the My Documents folder redirection.
Note The
default (My Pictures following My Documents) is recommended unless a specific
reason exists for separating My Pictures and My Documents. If they are
separated, a shortcut takes the place of the My Pictures folder in My
Documents.
B. To redirect to a location according to
security group membership
1. Open a GPO linked to the site, domain, or
OU containing the users whose special folders are to be redirected to a network
location
2. In User Configuration, open Windows
Settings and then double-click the Folder Redirection node to show the folder
to be redirected.
3. Right-click the folder and then click
Properties
4. In the Target tab in the Properties
dialog box for the folder, in the Setting list, select Advanced-Specify
Locations For Various User Groups and then click Add.
5. In the Specify Group And Location dialog
box, in the Security Group Membership box, click Browse.
6. In the Select Group dialog box, click the
security group for which to redirect the folder and then click OK.
7. In the Specify Group And Location dialog
box, in the Target Folder Location box, click Browse.
8. On the Browse For Folder dialog box,
select the redirect location for this security group and then click OK.
a. If using a drive letter, this must
represent a valid path on the user’s local computer.
b. Entering a full UNC path is recommended.
c. Can incorporate %username% into the UNC
path to provide individual subfolder locations
9. In the Specify Group And Location dialog
box, click OK.
10. To redirect folders for members of other
security groups, repeat steps 4 through 9 until all the groups have been
entered.
11. In the Properties dialog box for the
folder, click the Settings tab, and then set each of the following options:
a. Grant The User Exclusive Rights To (special folder type): To allow the user
and the local system full rights to the folder; no one else, not even
administrators, has any rights; enabled by default.
b. Move The Contents Of (user’s current special folder) To The New Location: To redirect the
contents of the folder to the new location; enabled by default
12. Choose one of the following options in the
Policy Removal area:
a. Leave The Folder In The New Location When
Policy Is Removed: To leave the folder in its new location even though the GPO
no longer applies; enabled by default
b. Redirect The Folder Back To The Local User
Profile Location When Policy Is Removed: To move the folder back to its local
user profile location when the GPO no longer applies
13. Choose one of the following options in the
My Pictures Preferences area (available for the My Documents folder only):
a. Make My Pictures A Subfolder Of My
Documents: To redirect My Pictures automatically to remain a subfolder of My
Documents
b. Do Not Specify Administrative Policy For
My Pictures: To remove My Pictures as a subfolder of My Documents and have the
user profile determine the location of My Pictures
14. Click OK
Note The
My Pictures folder can be made to follow the My Documents folder by setting the
folder redirection properties for My Pictures.
C. To redirect special folders to one
location for everyone in the site, domain, or OU
1. Open a GPO linked to the site, domain, or
OU containing the users whose special folders are to be redirected to a network
location
2. In User Configuration, open Windows
Settings and then double-click the Folder Redirection node to show the folder
to redirect
3. Right-click the folder desired and click
Properties
4. In the Target tab in the Properties
dialog box for the folder, in the Setting list, select Basic-Redirect
Everyone’s Folder To The Same Location and then click Browse
5. On the Browse For Folder dialog box,
select the redirect location for this GPO
a. If using a drive letter, this must
represent a valid path on the user’s local computer.
b. Entering the full UNC path is recommended.
c. Can incorporate %username% into the UNC
path to provide individual subfolder locations
6. In the Browse For Folder dialog box, click OK.
7. In the Properties dialog box for the
folder, click the Settings tab, and then set each of the following options:
a. Grant The User Exclusive Rights To (special folder type): To allow the user
and the local system full rights to the folder; no one else, not even
administrators, has any rights; enabled by default.
b. Move The Contents Of (user’s current special folder) To The New Location: To redirect the
contents of the folder to the new location; enabled by default
8. Choose one of the following options in
the Policy Removal area:
a. Leave The Folder In The New Location When
Policy Is Removed: To leave the folder in its new location even though the GPO
no longer applies; enabled by default
b. Redirect The Folder Back To The Local User
Profile Location When Policy Is Removed: To move the folder back to its local
user profile location when the GPO no longer applies
9. Choose one of the following options in
the My Pictures Preferences area (available for the My Documents folder only):
a. Make My Pictures A Subfolder Of My
Documents: To redirect My Pictures automatically to remain a subfolder of My
Documents
b. Do Not Specify Administrative Policy For
My Pictures: To remove My Pictures as a subfolder of My Documents and have the
user profile determine the location of My Pictures
10. Click OK
D. To direct the My Pictures folder to follow
the redirection of the My Documents folder
1. Open a GPO linked to the site, domain, or
OU containing the users whose My Pictures folders are to be directed
2. In User Configuration, open Windows
Settings and then double-click the Folder Redirection node
3. Right-click My Pictures and click
Properties
4. In the My Pictures Properties dialog box,
in the Setting list, select Follow The My Documents Folder and then click OK
4. Policy
Removal Considerations
A. When the Move The Contents Of (special folder type) To The New Location
Setting is enabled
1. Policy Removal option: Redirect The
Folder Back To The User Profile Location When Policy Is Removed
a. The special folder returns to its user
profile location.
b. The contents are copied, not moved, back
to the user profile location.
c. The contents are not deleted from the
redirected location.
d. The user continues to have access to the
contents, but only on the local computer.
B. When the Move The Contents Of (special folder type) To The New Location
Setting is Disabled
1. Policy Removal option: Redirect The
Folder Back To The User Profile Location When Policy Is Removed
a. The special folder returns to its user
profile location.
b. The contents are not copied or moved to the user profile location.
Caution If
the contents of a folder are not copied to the user profile location, the user
can no longer see them.
C. When the Move The Contents Of (special folder type) To The New Location
Setting is either Enabled or Disabled
1. Policy Removal option: Leave The Folder
In The New Location When Policy Is Removed
a. The special folder remains at its
redirected location.
b. The contents remain at the redirected
location.
c. The user continues to have access to the
contents at the redirected folder.
Chapter 12, Lesson 6
Troubleshooting Group Policy
1. Overview
A. Considering dependencies between
components is an important part of troubleshooting group policy problems.
B. When trying to fix problems that appear in
one component, it is generally helpful to check whether components, services,
and resources on which it relies are working correctly.
C. Event logs are useful for tracking down
problems caused by this type of hierarchical dependency.
2. Group Policy Snap-In Problems and Solutions
A. Symptom: The user cannot open a GPO even
though he or she has Read access to it
1. Cause: A user must have both Read and
Write permissions for the GPO to open it in the Group Policy snap-in
2. Solution: Become a member of a security
group with Read and Write permission for the GPO
B. Symptom: When the user tries to edit a
GPO, the “Failed To Open The Group Policy Object” message appears
1. Cause: A networking problem, specifically
a problem with the DNS configuration
2. Solution: Make sure DNS is working
properly
3. Group Policy Settings Problems and Solutions
A. Symptom: Group policy is not being applied
to users and computers in a security group that contains those users and
computers, even though a GPO is linked to an OU containing that security group
1. Cause: This is correct behavior; group
policy affects only users and computers contained in sites, domains, and OUs;
GPOs are not applied to security groups
2. Solution: Link GPOs to sites, domains,
and OUs only; keep in mind that the location of a security group in Active
Directory is unrelated to whether group policy applies to the users and
computers in that security group.
B. Symptom: Group policy is not affecting
users and computers in a site, domain, or OU
1. Cause:
a. Group policy settings can be prevented,
intentionally or inadvertently, from taking effect on users and computers in
several ways.
b. A GPO can be disabled from affecting
users, computers, or both.
c. A GPO also needs to be linked either
directly to an OU containing the users and computers, or to a parent domain or
OU so that the group policy settings apply through inheritance.
d. When multiple GPOs apply, they are
processed in this order: local, site, domain, OU.
e. By default, settings applied later have
precedence.
f. Group policy can be blocked at the level
of any OU, or enforced through a setting of No Override applied to a particular
GPO link.
g. The user or computer must belong to one or
more security groups with appropriate permissions set.
2. Solution:
a. Make sure that the intended policy is not
being blocked.
b. Make sure that no policy set at a higher
level of Active Directory has been set to No Override.
c. If Block Policy Inheritance and No
Override are both used, No Override takes precedence.
d. Verify that the user or computer is not a
member of any security group for which the Apply Group Policy (AGP) permission is set to Deny.
e. Verify that the user or computer is a
member of at least one security group for which the AGP permission is set to
Allow.
f. Verify that the user or computer is a
member of at least one security group for which the Read permission is set to
Allow.
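As an added illustration of the cause and solution lists for this symptom (this is example code, not part of the course notes; the GPO, container and group names and the constructed ACLs are assumptions), a small Python model of how Windows 2000 decides which GPO settings reach a user: local, site, domain, OU order, later settings winning, Block Policy Inheritance versus No Override, and Read/AGP security filtering.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:                   # settings absent from the dict are Not Configured
    name: str
    settings: dict
    acl: dict = field(default_factory=dict)   # group -> subset of {"read", "agp", "deny-agp"}
@dataclass
class Link:                  # a GPO linked to a container, optionally with No Override
    gpo: GPO
    no_override: bool = False
@dataclass
class Container:             # a site, domain or OU in Active Directory
    name: str
    links: list
    block_inheritance: bool = False           # Block Policy Inheritance set on this container

def filter_reason(gpo, groups):
    """None if a member of `groups` passes security filtering; else the failing check (d, e, f)."""
    read = agp = False
    for g in groups:
        perms = gpo.acl.get(g, set())
        if "deny-agp" in perms:               # one AGP Deny overrides any Allow
            return f"member of {g}, which has AGP Deny on {gpo.name}"
        read, agp = read or "read" in perms, agp or "agp" in perms
    if not read:
        return f"no group with Read Allow on {gpo.name}"
    return None if agp else f"no group with AGP Allow on {gpo.name}"

def resolve(local, chain, groups):
    """local: the computer's local GPO (processed first, never blocked); chain: containers in
    processing order (site, domain, OUs parent first). Returns (effective settings, GPO status)."""
    pending, status = [], {}
    for c in chain:
        if c.block_inheritance:               # inherited links drop unless No Override (a, b, c)
            for l in pending:
                if not l.no_override:
                    status[l.gpo.name] = f"blocked by Block Policy Inheritance on {c.name}"
            pending = [l for l in pending if l.no_override]
        pending += c.links
    # Later settings win; No Override links are applied last, the highest level last of all.
    ordered = [Link(local)] + [l for l in pending if not l.no_override]
    ordered += [l for l in pending if l.no_override][::-1]
    effective = {}                            # setting -> (value, name of winning GPO)
    for link in ordered:
        reason = filter_reason(link.gpo, groups)
        status[link.gpo.name] = reason or "applied"
        for setting, value in ({} if reason else link.gpo.settings).items():
            effective[setting] = (value, link.gpo.name)
    return effective, status

AUTH = {"Authenticated Users": {"read", "agp"}}   # default GPO permissions (constructed)
LOCAL = GPO("Local", {"wallpaper": "local.bmp", "screensaver": "off"}, AUTH)

def sales_chain():
    """Constructed scenario: Sales OU blocks inheritance, the domain link is No Override."""
    return [
        Container("HQ", [Link(GPO("Site-Proxy", {"proxy": "hq-proxy"}, AUTH))]),
        Container("corp.example", [
            Link(GPO("Domain-Security", {"screensaver": "on", "pw_len": 8}, AUTH), True)]),
        Container("Sales", [
            Link(GPO("Sales-Desktop", {"wallpaper": "sales.bmp", "screensaver": "off"}, AUTH)),
            Link(GPO("Sales-Redirect", {"my_documents": r"\\srv\docs\%username%"},
                     {**AUTH, "Contractors": {"deny-agp"}}))], block_inheritance=True)]
```

Calling `resolve(LOCAL, sales_chain(), {"Authenticated Users", "Sales", "Contractors"})` shows the site GPO blocked by the OU, the No Override domain GPO still winning the screensaver setting over the OU GPO, and the redirection GPO skipped because of the AGP Deny.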
C. Symptom: Group policy is not affecting
users and computers in an Active Directory container
1. Cause: GPOs cannot be linked to Active
Directory containers other than sites, domains, and OUs
2. Solution: Link a GPO to an OU that is a
parent to the Active Directory container; then, by default, those settings are
applied to the users and computers in the container through inheritance
D. Symptom: Group policy is not taking effect
on the local computer
1. Cause: Local policies are the weakest;
any nonlocal GPO can overwrite them
2. Solution: Check to see what GPOs are
being applied through Active Directory and whether those GPOs have settings
that are in conflict with the local settings
4. Software Installation Extension Problems and
Solutions
A. Symptom: Published applications do not
appear in Add/Remove Programs in Control Panel
1. Cause:
a. Group policy was not applied.
b. Active Directory cannot be accessed.
c. The user does not have any published
applications in the GPOs that apply to him or her.
d. The client is running Terminal Server.
2. Solution:
a. Investigate each possibility.
b. Note that Software Installation is not
supported for Terminal Server clients.
B. Symptom: Document activation of a
published application does not cause the application to install
1. Cause: The administrator did not set
auto-install
2. Solution: Ensure that Auto-Install This
Application By File Extension Activation is checked in the Deployment tab in
the application’s Properties sheet
C. Symptom: The user receives an error
message such as “The Feature You Are Trying To Install Cannot Be Found In The
Source Directory”
1. Cause: Network or permissions problems
2. Solution:
a. Ensure that the network is working
correctly.
b. Ensure that the user has Read and AGP
permission for the GPO.
c. Ensure that the user has Read permission
for the SDP.
d. Ensure that the user has Read permission
for the application.
D. Symptom: After removal of an application,
the shortcuts for the application still appear on the user’s desktop
1. Cause: The user has created shortcuts and
Windows Installer has no knowledge of them
2. Solution: The user must remove the
shortcuts manually
E. Symptom: The user receives an error
message such as “Another Installation Is Already In Progress”
1. Cause: An uninstallation might be taking
place in the background with no user interface presented to the user, or
perhaps the user has inadvertently triggered two installations simultaneously
2. Solution: The user can try again later
F. Symptom: The user opens an already
installed application and the Windows Installer starts
1. Cause: An application might be undergoing
automatic repair, or a user-required feature is being added
2. Solution: No action is required
G. Symptom: The user receives error messages
such as “Active Directory Will Not Allow The Package To Be Deployed” or “Cannot
Prepare Package For Deployment”
1. Cause: The package might be corrupted or
there might be a networking problem
2. Solution: Investigate and take
appropriate action
5. Group Policy Best Practices
A. General group policy practices
1. Disable unused parts of a GPO.
a. If a GPO has only settings that are Not
Configured, under the User Configuration or Computer Configuration node of the
console, avoid processing those settings by disabling the node.
b. Disabling unused parts of a GPO expedites
startup and logon for those users and computers subject to the GPO.
2. Use the Block Policy Inheritance and No
Override features sparingly.
a. Routine use of these features makes it
difficult to troubleshoot group policy.
3. Minimize the number of GPOs associated
with users or computers in domains or OUs.
a. The more GPOs applied to a user, the
longer it takes to start up and log on.
4. Filter policy based on security group
membership.
a. Users who do not have permissions
directing that a particular GPO be applied to them can avoid the associated
logon delay because the GPO will not be processed for those users.
5. Use loopback only when necessary.
a. Use loopback only if the desktop
configuration needs to be the same regardless of who logs on.
6. Avoid cross-domain GPO assignments.
a. The processing of GPOs will slow logon and
startup if group policy is obtained from another domain.
B. Software installation practices
1. Specify application categories for the
organization.
a. Using categories makes it easier for users
to find an application in Add/Remove Programs in Control Panel.
2. Make sure Windows Installer packages
include modifications before they are published or assigned.
a. Modifications are applied to packages at
the time of assignment or publication.
b. Make sure that the Modifications tab of
the Package Properties dialog box is set up as intended before clicking OK.
c. If you neglect to check the Modifications
tab and assign or publish a modified package before completely configuring it,
either remove the software and republish or reassign it, or upgrade the
software with a completely modified version.
3. Assign or publish just once per GPO.
a. The Windows Installer package should be
assigned or published no more than once in the same GPO.
4. Take advantage of authoring tools.
a. Developers familiar with the files,
registry entries, and other requirements for an application to work properly
can author native Windows Installer packages using tools available from various
software vendors.
5. Repackage existing software.
a. Use commercially available tools to create
Windows Installer packages for software that does not include natively authored
.msi files.
b. Repackaging tools work by
comparing a computer’s state before and after installation.
c. Install onto a computer free of other
application software for best results.
6. Use SMS and Dfs
a. SMS and the Windows 2000 Dfs are helpful
in managing the SDPs.
7. Assign or publish close to the root in
the Active Directory hierarchy.
a. Because group policy settings apply by
default to child Active Directory containers, it is efficient to assign or
publish by linking a GPO to a parent OU or domain.
b. Use the access control entries (ACEs) in the GPO’s security descriptor
for finer control over who receives the software.
8. Use Software Installation properties for
widely scoped control
a. Spares administrative keystrokes when
assigning or publishing a large number of packages with similar properties in a
single GPO
9. Use Windows Installer package properties
for fine control.
a. Use the package properties for assigning
or publishing a single package
C. Folder Redirection practices
1. Incorporating %username% into fully
qualified UNC paths: Allows users to have their own folders.
2. Have My Pictures follow My Documents:
Unless a compelling reason exists not to, such as file share scalability
3. Consider the effects of policy removal:
Keep in mind the behavior Folder Redirection policies will have upon policy
removal
4. Accept defaults: Accept the default
Folder Redirection settings