Chapter 7, Administering Microsoft Windows 2000 Server
Chapter 7, Lesson 1
Using the Microsoft Management Console
1. The MMC Environment
|1| A. Introduction to MMC
1. MMC is a common console framework for
management applications.
2. MMC provides a common environment for
snap-ins, the tools that support management functionality.
3. MMC allows you to perform a number of
tasks.
a. Perform most administrative tasks by using
only MMC.
b. Centralize administration.
c. Use most snap-ins for remote administration.
d. Build a customized console.
|2| B. The MMC window
1. The MMC window looks and feels like
Windows Explorer.
2. The components of an MMC console are
contained in the MMC window.
3. MMC can be configured to contain powerful
management tools.
|3| C. MMC consoles
1. An MMC console is a set of one or more
snap-ins.
2. Consoles are saved as files that use the
.msc extension.
3. An MMC console file contains the console
tree, which displays the hierarchical organization of multiple snap-ins contained
within the file.
4. Console window
a. The console window is an interface to an
MMC console file.
b. Each console window includes a command
bar, a console tree, and a detail pane.
c. The command bar contains both pull-down
menus and buttons.
(1) Action
(2) View
(3) Favorites
Note
Additional pull-down menu items will appear for some objects in the
console tree.
d. The console tree organizes snap-ins that
are part of an MMC console.
e. Each detail pane displays the results of
selecting a node in the console tree.
5. Types of MMC consoles
a. Customized MMC consoles
(1) You can combine one or more snap-ins to
create customized MMC consoles.
(2) You can save MMC consoles to use again,
distribute and share the consoles, or use the console from any computer.
(3) By default, Windows 2000 saves customized
MMC files in the My Administrative Tools folder.
b. Preconfigured MMC consoles
(1) Installed when Windows 2000 is installed
(2) Cannot be modified
(3) Contain only one snap-in that provides the
functionality to perform a related set of administrative tasks
(4) Function in user mode
(5) Which consoles are installed varies
depending on which components are installed.
2. Snap-Ins
|4| A. Introduction to snap-ins
1. Snap-ins are applications designed to
work in MMC.
2. Each snap-in represents one unit of
management functionality.
3. There are two types of snap-ins:
stand-alone and extension.
|5| B. Stand-alone snap-ins
1. Stand-alone snap-ins are usually referred
to simply as snap-ins.
2. Each snap-in provides one function or a
related set of functions.
|6| C. Extension snap-ins
1. Extension snap-ins are usually referred
to as extensions.
2. An extension provides additional
administrative functionality to another snap-in.
3. Extensions are designed to work with one
or more stand-alone snap-ins.
4. Some snap-ins can act as stand-alone
snap-ins or as extensions.
|7| 3. Console Options
A. Author mode
1. When you save an MMC console in author
mode, you enable full access to all MMC functionality.
2. An MMC console that has been saved in
author mode allows users to perform a variety of tasks.
a. Add or remove snap-ins
b. Create new windows
c. View all portions of the console tree
d. Save MMC consoles
B. User mode
1. Save an MMC console to user mode if you
will be distributing it.
2. You cannot modify a snap-in saved to user
mode.
3. There are three types of user mode, each
providing a different level of access and functionality.
a. Full Access
b. Limited Access, Multiple Windows
c. Limited Access, Single Window
Chapter 7, Lesson 2
Administering User Accounts
|8| 1. Windows 2000 User Accounts
|9| A. Domain user accounts
1. Allow users to log on to the domain and
gain access to resources anywhere on the network
2. Created in an OU in the Active Directory
store
3. Replicated to all domain controllers
|10| B. Local user accounts
1. Allow users to log on to and gain access
to resources on the computer where they log in
2. Created in the computer’s security
database
3. Not replicated to domain controllers
|11| C. Built-in user accounts
1. Administrator
a. Used to manage the overall computer and
domain configuration
b. Should be used only when performing
administrative tasks
c. Can use the runas command to run in the
context of a more privileged account
d. Can be renamed to provide greater security
2. Guest
a. Used to give occasional users resource
access
b. Disabled by default
2. Planning New User Accounts
|12| A. Naming conventions
1. The naming convention establishes how users
are identified in the domain.
2. Several considerations should be taken
into account when determining naming conventions.
a. Unique user logon names
b. 20 characters maximum
c. Invalid characters
d. User logon names not case sensitive
e. Employees with duplicate names
f. Type of employee
g. Service account naming conventions
|13| B. Password requirements
1. Always assign a password for the
Administrator account.
2. Determine whether the administrator or
the users will control passwords.
3. Use passwords that are hard to guess.
4. Passwords can be up to 128 characters; a
minimum length of eight characters is recommended.
5. Use both uppercase and lowercase letters,
numerals, and valid non-alphanumeric characters.
|14| C. Account options
1. Logon hours
a. Set logon hours to control when a user can
log on to the domain.
b. By default, Windows 2000 permits access
for all hours on all days.
2. Computer from which users can log on
a. Determine the computers that users can log
on from.
b. By default, users can use any computer to
log on to the domain.
3. Account expiration
a. Determine whether a user account should
expire.
b. Set user accounts for temporary employees
to expire when their contract ends.
3. Creating User Accounts
|15| A. Creating domain user accounts
1. Use the Active Directory Users And
Computers snap-in to create a new domain user account.
2. A domain user account is always created
on the first domain controller contacted by MMC.
3. Active Directory Users And Computers snap-in
a. You must select the OU in which to create
the new account.
b. User Logon Name defaults to the domain in
which you are creating the domain user account.
c. You can configure a number of options
when administering domain user accounts.
(1) First Name
(2) Last Name
(3) Full Name
(4) User Logon Name
(5) User Logon Name (pre–Windows 2000)
4. Setting password requirements
a. When creating a new account, you can enter
a password for the user.
b. You do not have to enter a password for
the user.
c. When you set a password, several options
are available.
(1) Password
(2) Confirm Password
(3) User Must Change Password At Next Logon
(4) User Cannot Change Password
(5) Password Never Expires
(6) Account Is Disabled
|16| B. Creating local user accounts
1. Use the Local Users And Groups snap-in to
create local user accounts.
2. You can create local user accounts only
on computers running Windows 2000 Professional and on stand-alone or member
servers running Windows 2000 Server.
4. Modifying Properties of User Accounts
|17| A. Overview of modifying properties
1. A set of default properties is associated
with each user account.
2. Properties defined for a domain user
account can be used to search for users in the Active Directory store.
3. Several properties should be configured
for each domain user account.
a. Personal properties, including General,
Address, Telephones, and Organization
b. Account
c. Logon Hours
d. Log On To
4. You can use the Active Directory Users
And Computers snap-in to modify a domain user account.
5. You can use the Local Users And Groups
snap-in to modify a local user account.
|18| B. The Properties dialog box
1. Personal properties tabs
a. General
b. Address
c. Telephones
d. Organization
2. Account tab
a. Define the logon name and set account
options
b. Modify default properties and configure
additional ones
3. Profile tab
a. Set path to network share where user
profiles are to be stored
b. Assign a logon script and a home folder
4. Published Certificates tab
a. A certificate is a collection of data used
for authentication and secure exchange of information.
b. You can create a list of X.509
certificates for the user account.
5. Member Of tab
a. Groups are used to consolidate
administrative tasks.
b. You can document the groups that the user
belongs to.
6. Dial-In tab
a. You can control how a user can make a
dial-in connection.
b. You must configure several options to set
up security for a dial-up connection.
(1) Allow Access
(2) Deny Access
(3) Verify Caller-ID
(4) No Callback
(5) Set By Caller (Routing and Remote Access
Service only)
(6) Always Callback To
7. Object tab
a. Provides the fully qualified domain name
of the object
b. Provides additional information, such as
object class
8. Security tab
a. Used to set permissions on the user object
b. Allow or deny permissions
c. Configure advanced permissions
9. Terminal Services tabs
a. Environment tab
(1) Create the client working environment.
(2) Set the user account so that Terminal
Services can automatically connect to local client drivers and printers at
logon.
b. Sessions tab
(1) Limit the length of sessions.
(2) Specify what action to take when a session
has reached a limit.
c. Remote Control tab
(1) Configure Terminal Services’ remote control
setting.
(2) Monitor the actions of a client logged on
to a Terminal server.
d. Terminal Services Profile tab
(1) Assign a profile to a user to apply to
Terminal sessions.
(2) Specify a path to a home directory to be
used for Terminal sessions.
|19| 5. Administering User Accounts
|20| A. Managing user profiles
1. A user profile is a collection of folders
and data that stores your current desktop environment and application settings
as well as personal data.
2. Windows 2000 creates a local user profile
the first time you log on at a computer.
3. User profiles operate in a specific
manner.
4. Roaming user profiles
a. A roaming user profile is a profile that
is available to a user no matter where that user logs on to the domain.
b. The user always receives his or her
individual desktop settings and connections.
c. When a user logs on, Windows 2000 applies
the roaming user profile settings to that computer.
5. Creating customized roaming user profiles
a. You can customize and assign a
preconfigured roaming user profile that is assigned to all user accounts.
b. You can create a customized roaming user
profile by configuring the desktop environment for the user.
c. You can use customized RUPs for several
reasons.
(1) To provide users with the work environment
they need to perform their jobs and to remove connections and applications that
they do not require.
(2) To provide a standard desktop environment
for multiple users with similar job responsibilities.
(3) To simplify troubleshooting.
6. Using mandatory profiles
a. A mandatory profile is a read-only roaming
user profile.
b. You can assign one mandatory profile to
multiple users who require the same desktop settings.
c. A hidden file in the profile named
Ntuser.dat contains that section of the Windows 2000 system settings that
applies to the individual user account.
7. Setting up a roaming user profile
a. When you set up a roaming user profile on
a server, Windows 2000 copies the profile to the path on the server.
b. You should set up roaming user profiles on
a file server that you frequently back up.
c. To set up a roaming user profile, you
must create a shared folder on a server.
|21| 8. Assigning a customized roaming user
profile
a. You can customize a roaming user profile
and assign it to multiple users.
b. After you create a profile template, copy
the template to a roaming user profile folder on the server.
c. Use the Active Directory Users And
Computers snap-in to assign the profile to the appropriate users.
B. Modifying user accounts
1. Disabling, enabling, renaming, and
deleting user accounts
a. Disable a user account when a user will
not need an account for an extended period but will need it again.
b. Rename a user account when you want to
retain all rights, permissions, and group memberships and most properties.
c. Delete a user account when an employee
leaves the company and you are not going to rename the account.
d. The procedures for disabling, enabling,
renaming, and deleting user accounts are similar for domain and local accounts.
(1) For domain user accounts, use the Active
Directory Users And Computers snap-in.
(2) For local user accounts, use the Local
Users And Groups extension in the Computer Management snap-in.
2. Resetting passwords and unlocking user
accounts
a. Resetting passwords
(1) Use the Active Directory Users And
Computers snap-in to reset a password.
(2) You do not need to know the old password to
reset a password.
b. Unlocking user accounts
(1) A Windows 2000 group policy locks out a
user account when the user violates the policy.
(2) Use the Active Directory Users And
Computers snap-in to unlock the user account.
|22| C. Creating home folders
1. A home folder provides a place for users
to store personal documents.
2. Storing all home folders on a file server
provides several advantages.
a. Users can gain access to their home
folders from any client computer on the network.
b. Backing up and administering user
documents are centralized.
c. Home folders are accessible from a client
computer running any Microsoft operating system.
3. To create a home folder on a network file
server, you must perform several tasks.
a. Creating and sharing a folder
b. Changing the Full Control permission
c. Providing the home folder path
4. You can further enhance the home folder
feature by redirecting the user’s My Documents pointer to the location of her
or his home directory.
Chapter 7, Lesson 3
Administering Group Accounts
|23| 1. Introduction to Groups
A. A group is a collection of user accounts.
B. Groups simplify administration of user
permissions.
C. Users can be members of more than one
group.
D. When you assign permissions, you give
users the capability to gain access to specific resources.
E. You can add user accounts, contacts,
computers, and other groups to groups.
2. Implementing Groups into a Domain
Note
In much of the Windows 2000 documentation, groups that are implemented in a domain
are usually referred to simply as groups, whereas other groups in Windows 2000
are specifically referred to as local groups or built-in groups. At the same
time, the term group is often used in a generic sense, referring to any
type of group in Windows 2000 (confusing?).
|24| A. Types of groups
1. Security groups
a. Windows 2000 uses only security groups.
b. Security groups are used to assign
permissions to gain access to resources.
c. Security groups have all the capabilities
of distribution groups.
2. Distribution groups
a. Applications use distribution groups as
lists for functions unrelated to security.
b. Only programs that are designed to work
with Active Directory services can use distribution groups.
|25| B. Group scopes
1. Domain local groups
a. Open membership
b. Access to resources in one domain
2. Global groups
a. Limited membership
b. Access to resources in any domain
3. Universal groups
a. Open membership
b. Access to resources in any domain
c. Available in native mode only
C. Group membership
|26| 1. Introduction to group membership
a. The group scope determines the membership
of the group.
b. Membership rules define which members a
group can contain.
(1) Domain local
(2) Global
(3) Universal
c. Domain local groups and global groups can
be converted to universal groups.
|27| 2. Group nesting
a. You can add groups to other groups to
reduce the number of times permissions need to be assigned.
b. You should create a hierarchy of groups
based on business needs.
c. Try to minimize the levels of nesting.
d. Nesting reduces the number of times you
assign permissions; however, tracking permissions becomes more complex.
e. Document group membership to keep track of
permission assignments.
f. Effective nesting in a multiple domain
environment will reduce network traffic between domains and simplify administration.
g. Consider the domain operation mode when
nesting groups.
(1) In mixed mode, only one type of nesting is
available: global groups from any domain can be members of domain local groups.
(2) In native mode, all group membership rules
are available and multiple levels of nesting are available.
|28| 3. Group strategies
a. Using global and domain local groups
(1) Identify users with common job
responsibilities and add the user accounts to a global group.
(2) Identify the resources or group of resources
users need access to, and then create a domain local group for those resources.
(3) Identify all global groups that share the
same access needs for resources, and make them members of the appropriate
domain local group.
(4) Assign the required permissions to the
domain local group.
(5) Place user accounts in global groups,
create a domain local group for a group of resources to be shared, place the
global groups in the domain local group, and then assign permissions to the
domain local group.
(6) Placing user accounts in global groups can
complicate administration when multiple domains are used.
b. Using universal groups
(1) Use universal groups to give users access
to resources that are located in more than one domain.
(2) Use universal groups only when their
membership is static.
(3) Add global groups from several domains to a
universal group, and then assign permissions for access to a resource to the
universal group.
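The nesting rules and group strategies above, modelled as an added example (not part of the original outline): it expands nested membership to show which users reach a resource and at what nesting depth, flags nesting that mixed mode does not allow, and flags permissions granted directly to a user account or a global group. All group, user and share names are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    scope: str                                   # "global", "domain_local" or "universal"
    members: list = field(default_factory=list)  # user names and/or group names


# Constructed sample directory (hypothetical names, not exported from a real domain).
GROUPS = {g.name: g for g in [
    Group("G_Accountants", "global", ["alice", "bob"]),
    Group("G_Auditors", "global", ["carol"]),
    Group("G_Finance_All", "global", ["G_Accountants", "G_Auditors"]),
    Group("DL_Ledger_Read", "domain_local", ["G_Finance_All", "dave"]),
    Group("DL_Payroll_Modify", "domain_local", ["G_Accountants"]),
]}

# Constructed permission assignments: resource -> [(principal, permission)].
ACL = {
    r"\\FS1\Ledger": [("DL_Ledger_Read", "Read"), ("G_Auditors", "Read")],
    r"\\FS1\Payroll": [("DL_Payroll_Modify", "Modify"), ("erin", "Full Control")],
}


def expand(name, groups, _path=()):
    """Return {user: depth} for every user reachable from group `name`.

    Depth 1 is a direct member. A group already on the current path is
    skipped, so circular nesting terminates instead of recursing forever.
    """
    result = {}
    if name in _path:
        return result
    for member in groups[name].members:
        if member in groups:
            nested = expand(member, groups, _path + (name,))
            for user, depth in nested.items():
                result[user] = min(result.get(user, depth + 1), depth + 1)
        else:
            result[member] = 1
    return result


def mixed_mode_violations(groups):
    """List nesting that only works in native mode.

    Per the outline: in mixed mode the only nesting is global groups inside
    domain local groups, and universal groups are not available at all.
    """
    out = []
    for parent in groups.values():
        if parent.scope == "universal":
            out.append((parent.name, None, "universal groups need native mode"))
        for member in parent.members:
            child = groups.get(member)
            if child and not (parent.scope == "domain_local" and child.scope == "global"):
                out.append((parent.name, child.name, f"{child.scope} in {parent.scope}"))
    return out


def audit_acl(acl, groups):
    """Flag permissions assigned to a user account or a global group."""
    findings = []
    for resource, entries in acl.items():
        for principal, _perm in entries:
            group = groups.get(principal)
            if group is None:
                findings.append((resource, principal, "user account"))
            elif group.scope == "global":
                findings.append((resource, principal, "global group"))
    return findings


def effective_access(resource, acl, groups):
    """Return {user: set of permissions} after expanding every nested group."""
    access = {}
    for principal, perm in acl[resource]:
        users = expand(principal, groups) if principal in groups else {principal: 0}
        for user in users:
            access.setdefault(user, set()).add(perm)
    return access


if __name__ == "__main__":
    for res in ACL:
        print(res, effective_access(res, ACL, GROUPS))
    print("nesting depth:", expand("DL_Ledger_Read", GROUPS))
    print("mixed-mode violations:", mixed_mode_violations(GROUPS))
    print("ACL findings:", audit_acl(ACL, GROUPS))
```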
3. Administering Groups in the Domain
|29| A. Introduction to groups
1. Determine the required group scope based
on how you want to use the group.
2. Avoid adding users to universal groups.
3. Determine whether you have the necessary
permissions to create a group in the appropriate domain.
4. Determine the name of the group.
5. Creating groups
a. Use the Active Directory Users And
Computers snap-in to create and delete groups.
b. Create groups in the Users OU or in an OU
that you have created specifically for groups.
c. You need to provide specific information
when creating a group.
(1) Group Name
(2) Group Name (pre–Windows 2000)
(3) Group Scope
(4) Group Type
|30| B. Administering groups
1. Adding members to a group
a. Members can include user accounts,
contacts, other groups, and computers.
b. Use the Active Directory Users And
Computers snap-in to add members to a group.
2. Changing the group scope
a. You can change the scope of a group on the
General tab of the Properties dialog box for the group.
b. You can change the scope of a group only
in native-mode domains.
c. You can make specific changes to a group
scope.
(1) Changing a global group to a universal
group
(2) Changing a domain local group to a
universal group
3. Deleting a group
a. Each group has a unique, non-reusable
identifier called the security ID (SID).
b. When you delete a group, Windows 2000 does
not use the SID again, even if you create a group with the same name as the one
you deleted.
c. Deleting a group does not delete the user
accounts associated with it.
4. Administering Groups on the Local Computer
|31| A. Overview
1. A local group can contain user accounts
on a computer and can be assigned to resources on that computer.
2. There are two types of local groups:
domain and non-domain.
3. Try to follow specific guidelines when using
local groups.
a. Domain local groups are created in the
Active Directory store and are used by all domain controllers within the
domain.
b. A domain local group can be assigned to
any resource running on domain controllers in the domain.
c. Non-domain local groups are created on
stand-alone servers, member servers, and computers running Windows 2000
Professional. These groups can be used only on the computer on which they are
created.
d. You can assign permissions to non-domain
local groups for access only to the resources on the computer on which the
groups are created.
4. Non-domain local groups can contain local
user accounts from the computer on which you create the local groups.
|32| B. Creating local groups
1. Use the Local Users And Groups snap-in
(in the Computer Management snap-in) to create non-domain local groups.
2. You can configure several options when
creating local groups.
a. Group Name
b. Description
c. Add
d. Remove
e. Create
3. You can add members to a local group
while you create the group or after you create the local group.
5. Built-In Groups
|33| A. Built-in global groups
1. Windows 2000 creates built-in global
groups to group common types of user accounts.
2. The groups are created in the Active
Directory store.
3. The Users OU contains the built-in global
groups.
4. Windows 2000 includes a number of
commonly used built-in global groups.
a. Domain Users
b. Domain Admins
c. Domain Guests
d. Enterprise Admins
|34| B. Built-in domain local groups
1. Built-in domain local groups provide
users with user rights and permissions to perform tasks on domain controllers
and in the Active Directory store.
2. Built-in domain local groups give
predefined rights to user accounts when you add user accounts or global groups
as members.
3. Windows 2000 includes a number of
commonly used built-in domain local groups.
a. Account Operators
b. Server Operators
c. Print Operators
d. Administrators
e. Guests
f. Backup Operators
g. Users
|35| C. Built-in local groups
1. Built-in local groups give rights to
perform system tasks on a single computer.
2. Built-in local groups are located in the
Groups folder of the Computer Management snap-in.
3. Windows 2000 includes a number of
commonly used built-in local groups.
a. Users
b. Administrators
c. Guests
d. Backup Operators
e. Power Users
f. Replicator
|36| D. Built-in system groups
1. Built-in system groups exist on all
computers running Windows 2000.
2. You do not see system groups when you
administer groups, but they are available for use when you assign rights to
resources.
3. Windows 2000 includes a number of
commonly used built-in system groups.
a. Everyone
b. Authenticated Users
c. Creator Owner
d. Network
e. Interactive
f. Anonymous Logon
g. Dialup
Chapter 7, Lesson 4
Administering Group Policies
1. Introduction to Group Policies
|37| A. Overview
1. Group policies are a set of configuration
settings that an administrator applies to one or more objects in the Active
Directory store.
a. Used to control the work environments for
users in a domain
b. Control the work environment of users with
accounts that are located in a specific OU
c. Can be set at the site level
2. A group policy consists of settings that
govern how an object and its child objects behave.
3. Group policies provide users with a fully
populated desktop environment.
4. Conflicts can exist between group
policies and local needs.
|38| B. Benefits of group policies
1. You can lower your network’s total cost
of ownership (TCO) by using group policies.
2. Securing a user’s environment
a. You can prevent users from installing
software and accessing unauthorized programs or data.
b. You can prevent users from deleting files
that are important to the proper functioning of their applications or operating
systems.
3. Enhancing a user’s environment
a. Automatically delivering applications to a
user’s Start menu
b. Enabling application distribution
c. Delivering files or shortcuts to useful
places on the network or to a specific folder on a user’s computer
d. Automating the execution of tasks or
programs
e. Redirecting folders to network locations
|39| C. Types of group policies
1. Software Settings
2. Scripts
3. Security Settings
4. Administrative Templates
5. Remote Installation Services (RIS)
6. Folder Redirection
|40| 2. Group Policy Structure
|41| A. Group policy objects (GPOs)
1. A GPO contains group policy settings for
sites, domains, and OUs.
2. One or more GPOs can be applied to a
site, a domain, or an OU.
3. Group policy data that is small in size
and changes infrequently is stored in group policy containers (GPCs).
4. Group policy data that is large and can
change frequently is stored in the group policy template (GPT).
5. A local GPO exists on every Windows 2000
computer, and by default, only security settings are configured.
|42| B. Group policy containers (GPCs)
1. A GPC is an Active Directory object that
stores GPO properties and includes sub-containers for computer and user group
policy information.
2. The GPC stores the Windows 2000 class
store information for application deployment.
|43| C. Group policy templates (GPTs)
1. GPT structure
a. When a GPO is created, the corresponding
GPT folder structure is created.
b. The folder name given to the GPT is the
GUID of the GPO that was created.
2. GPT contents
a. The default contents of the GPT are the
User and Machine subfolders and a Gpt.ini file.
b. Certain subfolders are often contained in
the GPT structure.
3. Gpt.ini file
a. The root folder of each GPT contains a
file named Gpt.ini.
b. At least two entries can be included in
the file.
(1) Version=x, where x represents
the version number of the GPO
(2) Disabled=y, where y is
either 0 or 1 and refers only to the local GPO
4. Registry.pol file
a. The Registry.pol file in the User
subfolder is downloaded and applied to the registry when the user logs on.
b. The format of the Registry.pol file
differs from those created by using the System Policy Editor for Microsoft
Windows 95, Windows 98, and Windows NT.
3. Applying Group Policies
|44| A. Creating a GPO
1. The first step in creating a group policy
is to create or open a GPO.
2. You can create a GPO for a domain or an
OU by using the Active Directory Users And Computers snap-in.
3. You can create a GPO for a site by using
the Active Directory Sites And Services snap-in.
|45| B. Using the Group Policy snap-in
1. The Group Policy snap-in is the primary
tool used for defining and controlling how programs, network resources, and the
operating system behave for users and computers.
2. Once you create a GPO, you can use the
Group Policy snap-in to specify group policy settings for computers and user
accounts.
3. The Group Policy snap-in includes the
Computer Configuration node and the User Configuration node.
4. Each node displays three extensions.
a. Software Settings
b. Windows Settings
c. Administrative Templates
5. Using the Group Policy snap-in
a. Each instance of the Group Policy snap-in
is specific to a GPO.
b. You can create an MMC console that contains
a Group Policy snap-in for each GPO that you want to administer.
c. To create or edit a GPO, open the Group
Policy snap-in for a specific GPO from a site, a domain, or an OU.
d. You can edit the local GPO by using
Gpedit.msc.
|46| C. GPO permissions
1. When you create a GPO, a set of groups is
added to the object and each of those groups is configured with a set of
properties.
2. You can specify which groups of users and
computers have Apply Group Policy access to the object.
3. A GPO contains default groups.
a. Authenticated Users
b. Creator Owner
c. Domain Admins
d. Enterprise Admins
e. System
4. Administrators are authenticated users,
which means that they have the Apply Group Policy attribute set.
5. To edit a GPO, the user must have Read
and Write access to the object.
6. In most cases, you cannot use security
groups to apply or prevent from applying only some of the settings in a GPO.
7. To edit a GPO, you must be an
administrator, a Creator Owner, or a user with delegated access to the GPO.
8. You can modify the permissions on a GPO
in the properties of the site, domain, or OU.
9. Order of inheritance
a. Overview
(1) A group policy is passed down from parent
to child containers.
(2) If a parent OU has policy settings that are
not configured, the child does not inherit them.
(3) If a parent policy and a child policy are
compatible, the child inherits the parent policy and the child’s setting is
also applied.
(4) If a policy configured for a parent OU is
incompatible with the same policy configured for a child, the child does not
inherit the policy setting.
(5) You can use the Active Directory Users And
Computers snap-in to configure inheritance for domains and OUs.
b. You can block inheritance of policies at
the domain or OU level.
c. You can force all child policy containers
to inherit the parent’s policies, even if those policies are in conflict.
d. You can disable the GPO so that it is
removed from operation.
e. You cannot delete the default domain
policy.
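The inheritance rules above as an added, simplified model (not part of the original outline, and not Windows' own policy-processing code): it resolves which GPO supplies each setting along a site, domain, OU path, honouring disabled GPOs, blocked inheritance and forced parent policies, and reports which GPOs were dropped and why. Container, GPO and setting names are constructed; GPOs inside one container are assumed to apply in list order, and a forced GPO is assumed to pass a block, which is the Windows 2000 No Override behaviour that the outline does not spell out.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict
    no_override: bool = False   # parent forces this GPO onto all children
    disabled: bool = False      # GPO removed from operation


@dataclass
class Container:
    name: str
    gpos: list = field(default_factory=list)
    block_inheritance: bool = False


def resolve(path):
    """Resolve effective settings for the last container in `path`.

    `path` lists containers from parent to child (site, domain, OUs).
    Returns (effective, dropped): effective maps setting -> (value, GPO name),
    dropped lists (GPO name, reason) for every GPO that did not apply.
    """
    # The deepest container that blocks inheritance cuts off everything above it.
    blocked_from = 0
    for index, container in enumerate(path):
        if container.block_inheritance:
            blocked_from = index

    normal, forced, dropped = [], [], []
    for index, container in enumerate(path):
        for gpo in container.gpos:
            if gpo.disabled:
                dropped.append((gpo.name, "disabled"))
            elif gpo.no_override:
                forced.append(gpo)
            elif index < blocked_from:
                dropped.append((gpo.name, f"blocked at {path[blocked_from].name}"))
            else:
                normal.append(gpo)

    effective = {}
    # Ordinary GPOs apply parent first, so a conflicting child setting wins.
    # Forced GPOs apply afterwards, child first, so the highest parent wins.
    for gpo in normal + forced[::-1]:
        for key, value in gpo.settings.items():
            effective[key] = (value, gpo.name)
    return effective, dropped


# Constructed sample hierarchy (hypothetical names and settings).
SITE = Container("Site-HQ", [GPO("Site Proxy", {"ProxyServer": "proxy.hq.example"})])
DOMAIN = Container("example.local", [
    GPO("Domain Desktop", {"ScreenSaverTimeout": 600, "HideControlPanel": False}),
    GPO("Security Baseline", {"DisableRegistryTools": True}, no_override=True),
    GPO("Old Pilot", {"HideControlPanel": True}, disabled=True),
])
OU_STAFF = Container("OU=Staff", [GPO("Staff Desktop", {"HideControlPanel": True})])
OU_LAB = Container(
    "OU=Lab",
    [GPO("Lab Policy", {"DisableRegistryTools": False, "Wallpaper": "lab.bmp"})],
    block_inheritance=True,
)

if __name__ == "__main__":
    for path in ([SITE, DOMAIN, OU_STAFF], [SITE, DOMAIN, OU_STAFF, OU_LAB]):
        effective, dropped = resolve(path)
        print(" > ".join(c.name for c in path))
        for key, (value, source) in sorted(effective.items()):
            print(f"  {key} = {value!r}  (from {source})")
        for name, reason in dropped:
            print(f"  not applied: {name} ({reason})")
```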
|47| D. Support for Windows 95, Windows 98, and Windows NT 4.0
1. The Group Policy snap-in does not provide
client support for Windows 95, Windows 98, or Windows NT
computers.
2. Windows NT is supported through .adm
files and Poledit.exe.
3. Windows 95 and Windows 98 clients
are supported through the Windows 9x System Policy Editor.
4. Administering Group Policies
|48| A. Managing software settings
1. Overview
a. Use the Group Policy snap-in to centrally
manage software distribution.
b. Before using the Group Policy snap-in to
deploy software, Microsoft Windows Installer (.msi) packages must be acquired
for the applications.
2. Assigning and publishing applications
a. When you assign an application to a user,
the application is advertised to the user the next time the user logs on to the
workstation, and the application is installed the first time the user activates
the application.
b. When you assign an application to the
computer, the application is advertised and the installation is performed when
it is safe to do so.
c. When you publish an application to users,
the application does not appear installed on the users’ computers, but the
application is available to install.
d. Assigning and publishing applications
(1) To assign or publish an application, create
a shared folder and copy the application files and package files (.msi files)
to the shared folder.
(2) Assign the appropriate permissions.
(3) Use the Group Policy snap-in to set up the
application.
(4) Applications follow a specific process when
they are employed.
|49| B. Managing scripts
1. Overview
a. Windows 2000 group policy allows
considerable flexibility in assigning scripts.
b. Windows 2000 executes scripts in specific
ways.
(1) When you assign multiple logon and logoff
or startup and shutdown scripts, Windows 2000 executes the scripts from top to
bottom.
(2) When a computer is shut down, Windows 2000
processes first logoff scripts and then shutdown scripts.
c. Scripts are scheduled to run on specific
events.
2. Multiple scripts can be assigned to a
user or a computer.
3. You can use the Show Files button to open
a window that displays the contents of the scripts folder.
|50| C. Managing security settings
1. Computer security policy covers areas of
policy, administrative rights, and user permissions.
2. Two types of security policies are
defined in Windows 2000.
a. Domain security policy
b. Computer security policy
3. The security infrastructure can be
separated into a number of configurable categories.
a. Account Policies
b. Local Policies
c. Event Log
d. Restricted Groups
e. System Services
f. Registry
g. File System
h. Public Key Policies
i. IP Security Policies on Active Directory
services
4. Security configurations are stored as
.inf files in a text format.
|51| D. Managing administrative templates
1. The Administrative Templates extension in
the Group Policy snap-in uses an administrative template (.adm) file to specify
the registry settings that can be modified.
2. The administrative policies represent
registry-based group policy settings.
3. The .adm file is a Unicode text file.
4. Windows NT 4.0 registry settings
remain in effect until they are explicitly reversed.
|52| E. Managing folder redirection
1. The Folder Redirection extension allows
you to redirect special folders in a user profile.
a. Application Data folder
b. Desktop folder
c. My Documents folder
d. My Documents\My Pictures folder
e. Start Menu folder
2. By redirecting the My Documents folder,
you can provide a number of advantages.
a. Ensure that users’ documents are available
when they roam
b. Reduce the time it takes to log on to and
log off the network
c. Store user data on the network
d. Make users’ network-based My Documents
folder available to users when they are disconnected from the corporate network
3. By default, the Folder Redirection
extension is not included with the Group Policy snap-in.