Title: Administering Group Policy
Slide 1: Administering Group Policy
- Group Policy Concepts
- Group Policy Implementation Planning
- Implementing Group Policy
- Managing Software Using Group Policy
- Managing Special Folders Using Group Policy
- Troubleshooting Group Policy

Slide 2: Group Policy Concepts
- What Is Group Policy?
- Group Policy Objects
- Delegating Control of Group Policy
- The Group Policy Snap-In
- Group Policy Settings
- Computer and User Configuration Settings
- The MMC Snap-In Model
- Group Policy Snap-In Namespace
- How Group Policy Affects Startup and Logon
- How Group Policy Is Processed
- Group Policy Inheritance
- Using Security Groups to Filter Group Policy

Slide 3: What Is Group Policy?
- A group policy is a collection of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users' desktops.
- Group policies can determine the programs that are available to users, the programs that appear on the users' desktops, and Start menu options.

Slide 4: Group Policy Objects
- GPOs are used to create a specific desktop configuration for a particular group of users.
- GPOs are collections of group policy settings.
- Each Windows 2000 computer has one local GPO and is subject to any number of nonlocal Active Directory-based GPOs.
- Local GPO settings can be overridden by nonlocal GPOs, so the local GPO is the least influential if the computer is in an Active Directory environment.

Slide 5: Group Policy Objects (cont.)
- In a nonnetworked environment, the local GPO's settings are more important because they are not overwritten by nonlocal GPOs.
- Nonlocal GPOs are linked to Active Directory objects and can be applied to either users or computers.
- To use nonlocal GPOs, a Microsoft Windows 2000 domain controller must be installed.
- Nonlocal GPOs are applied hierarchically from the least restrictive group (site) to the most restrictive group (OU) and are cumulative.

Slide 6: Delegating Control of Group Policy
- Determine which administrative groups can administer GPOs by defining access permissions for each GPO.
- Assigning Read and Write permissions on a GPO to an administrative group delegates control of that GPO to the group.
Slide 7: Group Policy Snap-In

Slide 8: Group Policy Snap-In Overview
- The MMC snap-in is used to organize and manage the many group policy settings in each GPO.
- Depending on the action to perform, the Group Policy snap-in can be opened in several ways.

Slide 9: Group Policy Settings
- Contained in a GPO
- Determine the user's desktop environment
- Two types: computer configuration settings and user configuration settings

Slide 10: Computer Configuration Settings
- Used to set group policies applied to computers, regardless of who logs on
- Applied when the OS initializes
- Include Software Settings, Windows Settings, and Administrative Templates

Slide 11: User Configuration Settings
- Used to set group policies applied to users, regardless of which computer the user logs on to
- Applied when users log on to the computer
- Include Software Settings, Windows Settings, and Administrative Templates

Slide 12: Software Settings

Slide 13: Windows Settings

Slide 14: Scripts
- Two types of scripts: startup/shutdown and logon/logoff.
- Startup/shutdown scripts run at computer startup or shutdown.
- Logon/logoff scripts run when a user logs on or off the computer.
- When multiple scripts are assigned to a user or computer, Windows 2000 executes the scripts from top to bottom.
- The order of execution for multiple scripts can be specified in the Properties dialog box.

Slide 15: Scripts (cont.)
- When a computer is shut down, Windows 2000 first processes logoff scripts, followed by shutdown scripts.
- The default timeout value for processing scripts is 10 minutes.
- A software policy can be used to adjust the timeout value if the logoff and shutdown scripts require more than 10 minutes to process.
- Administrators can use any ActiveX scripting language they choose.
- Scripting languages include VBScript, JScript, Perl, and MS-DOS style batch files.

Slide 16: Security Settings
- Security Settings allows a security administrator to manually configure security levels assigned to a local or nonlocal GPO.
- The configuration can be done after, or instead of, using a security template to set system security.

Slide 17: Additional User Configuration Group Policy Settings
- Internet Explorer Maintenance: allows the administration and customization of IE on Windows 2000 computers
- Remote Installation Services: used to control the behavior of remote OS installation; optionally, RIS can be used to provide customized packages for non-Windows 2000 clients of Active Directory
- Folder Redirection: allows for the redirection of Windows 2000 special folders from their default user profile location to an alternate location on the network, where they can be centrally managed

Slide 18: Administrative Templates

Slide 19: Administrative Templates Overview
- More than 450 settings are available for configuring the user environment.
- Computer configurations are saved in the registry in HKEY_LOCAL_MACHINE (HKLM).
- User configurations are saved in the registry in HKEY_CURRENT_USER (HKCU).
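Added example (not from the slides): a PowerShell script that enumerates the registry locations where Administrative Templates values are written, so a machine's applied policy can be baselined and later compared for drift. The four root keys are the ones Windows reserves for registry-based policy under HKLM and HKCU (a Windows design fact, not something the slides state); values a template writes outside them persist after the policy is removed, so they are worth knowing about. The baseline file path is an assumption.

```powershell
# The four registry keys reserved for Group Policy (computer half under HKLM, user half under HKCU).
$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies',                                   # computer configuration
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\Software\Policies',                                   # user configuration
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
)

function Get-AppliedPolicyValue {
    # Emits one object per registry value found under the policy roots.
    param([string[]]$Roots = $PolicyRoots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }   # key absent: no policy of that kind applied yet
        $keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Key   = $key.Name                                     # e.g. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\...
                    Name  = $name
                    Kind  = [string]$key.GetValueKind($name)              # DWord, String, MultiString, Binary, ...
                    Value = ([string[]]($key.GetValue($name))) -join ';'  # flattened so it round-trips through CSV
                }
            }
        }
    }
}

function Save-PolicyBaseline {
    # Capture the applied values once, right after a known-good gpupdate.
    param([Parameter(Mandatory)][string]$Path)
    Get-AppliedPolicyValue | Export-Csv -Path $Path -NoTypeInformation
}

function Compare-PolicyBaseline {
    # '=>' rows are present now but not in the baseline (new or changed values);
    # '<=' rows were in the baseline and are now missing. Empty output means no drift.
    param([Parameter(Mandatory)][string]$Path)
    $baseline = @(Import-Csv -Path $Path)
    $current  = @(Get-AppliedPolicyValue)
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Key, Name, Value |
        Select-Object Key, Name, Value, SideIndicator
}

# Usage (assumed path; run in the user context whose HKCU should be inspected):
#   Save-PolicyBaseline    -Path 'C:\Baselines\policy-after-gpupdate.csv'
#   Compare-PolicyBaseline -Path 'C:\Baselines\policy-after-gpupdate.csv'
```

Run the comparison after a policy refresh on a reference machine and on a machine that behaves unexpectedly; a value that appears under HKCU for one user but not another usually points at a GPO that is being filtered or blocked for that user rather than at a broken template.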
Slide 20: Computer and User Configurations
- Administrative Templates contains all registry-based group policy settings, including settings for Windows Components, System, and Network.
- Windows Components: allows the administration of the Windows 2000 components, including NetMeeting, Internet Explorer, Windows Explorer, MMC, Task Scheduler, and Windows Installer.
- System: used to control logon and logoff functions and group policy itself.
- Network: allows the control of settings for Offline Files and Network and Dial-Up Connections.

Slide 21: Computer Configuration Only
- Administrative Templates contain additional group policy settings for Printers.
- System settings contain Disk Quotas, DNS Client, and Windows File Protection.

Slide 22: User Configuration Only
- Administrative Templates contains additional registry-based group policy settings.
- Start Menu & Taskbar settings: control a user's Start menu and taskbar
- Desktop settings: control the appearance of a user's desktop
- Control Panel settings: determine the Control Panel options available to a user

Slide 23: The MMC Snap-In Model
- Nodes of the Group Policy snap-in are MMC snap-in extensions.
- By default, all the available Group Policy snap-in extensions are loaded when the Group Policy snap-in is started.
- The default behavior can be modified by using the MMC method of creating custom consoles and by using policy settings to control the behavior of MMC itself.
- The Administrative Templates node is used to configure the policy settings.
- Developers can create an MMC extension to the Group Policy snap-in to provide additional policies.
- Snap-in extensions may be extended.

Slide 24: Group Policy Snap-In Namespace
- The root node of the Group Policy snap-in is displayed as the name of the GPO and the domain to which it belongs.
- Format: GPO Name [DomainName] Policy.
- Example: Default Domain Controllers Policy [server1.microsoft.com] Policy.

Slide 25: How Group Policy Affects Startup and Logon
- The network starts, and RPCSS and MUP are started.
- An ordered list of GPOs is obtained for the computer.
- Computer configuration settings are processed.
- Startup scripts run.
- The user presses Ctrl+Alt+Delete to log on.
- After the user is validated, the user profile is loaded, governed by the group policy settings in effect.
- An ordered list of GPOs is obtained for the user.
- User configuration settings are processed.
- Logon scripts run.
- The OS user interface prescribed by group policy appears.
Slide 26: How Group Policy Is Processed
- Local GPO
  - Each Windows 2000 computer has exactly one GPO stored locally.
- Site GPOs
  - Any GPOs that have been linked to the site are processed next, synchronously; the administrator specifies the order of GPOs linked to a site.
- Domain GPOs
  - Multiple domain-linked GPOs are processed synchronously; the administrator specifies the order of GPOs linked to a domain.
- OU GPOs
  - GPOs linked to the OU highest in the Active Directory hierarchy are processed first, followed by GPOs linked to its child OU, and finally, the GPOs linked to the OU that contains the user or computer are processed.

Slide 27: Group Policy and Active Directory

Slide 28: Exceptions to the Processing Order
- A computer that is a member of a workgroup processes only the local GPO.
- No Override.
- Block Policy Inheritance.
- Loopback setting.

Slide 29: Group Policy Inheritance
- Group policy is passed down from parent to child containers.
- If a separate group policy is assigned to a parent container, that group policy applies to all containers beneath the parent container, including the user and computer objects in the container.
- If a group policy setting is specified for a child container, the child container's group policy setting overrides the setting inherited from the parent container.
- If a parent OU has policy settings that are not configured, the child OU does not inherit them.

Slide 30: Group Policy Inheritance (cont.)
- Policy settings that are disabled are inherited as disabled.
- If a policy is configured for a parent OU, but not for a child OU, the child inherits that parent's policy setting.
- If a parent policy and a child policy are compatible, the child inherits the parent policy, and the child's setting is also applied.
- Policies are inherited as long as they are compatible.
- If a policy configured for a parent OU is incompatible with the same policy configured for a child OU, the child does not inherit the policy setting from the parent; the setting in the child is applied.
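Added example (not from the slides): a small PowerShell model of the processing order on slides 26 to 30 (local, site, domain, OU chain; last writer wins; Not Configured never overrides; Block Policy Inheritance and No Override as the exceptions), so the outcome for a user or computer can be reasoned about before a change is made. Two behaviours are taken from how Windows actually resolves links rather than from the slides: the local GPO is not an Active Directory link and is therefore not removed by Block Policy Inheritance, and when several No Override links conflict, the one on the higher container wins. The GPO names, settings and OU layout are constructed.

```powershell
function New-DemoGpo([string]$Name, [hashtable]$Settings) {
    [pscustomobject]@{ Name = $Name; Settings = $Settings }
}
function New-DemoLink($Gpo, [bool]$NoOverride = $false) {
    [pscustomobject]@{ Gpo = $Gpo; NoOverride = $NoOverride }
}
# Links are given in link order: the first link on a container has the highest precedence.
function New-DemoContainer([string]$Kind, [string]$Name, [object[]]$Links = @(), [bool]$BlockInheritance = $false) {
    [pscustomobject]@{ Kind = $Kind; Name = $Name; Links = $Links; BlockInheritance = $BlockInheritance }
}

function Resolve-EffectiveSetting {
    # $Chain runs from the local GPO down to the container that holds the user or computer.
    param([Parameter(Mandatory)][object[]]$Chain)

    # The lowest container with Block Policy Inheritance hides every ordinary link above it.
    $blockFrom = -1
    for ($i = 0; $i -lt $Chain.Count; $i++) { if ($Chain[$i].BlockInheritance) { $blockFrom = $i } }

    $apply = [System.Collections.Generic.List[object]]::new()
    # Pass 1: ordinary links, top-down. Within a container the last link is applied first so link 1 wins.
    for ($i = 0; $i -lt $Chain.Count; $i++) {
        $c = $Chain[$i]
        if ($i -lt $blockFrom -and $c.Kind -ne 'Local') { continue }     # blocked; local GPO is exempt
        $links = @($c.Links)
        for ($j = $links.Count - 1; $j -ge 0; $j--) {
            if (-not $links[$j].NoOverride) { $apply.Add($links[$j]) }
        }
    }
    # Pass 2: No Override links are applied after everything else, bottom-up,
    # so an enforced link on a higher container beats an enforced link below it.
    for ($i = $Chain.Count - 1; $i -ge 0; $i--) {
        $links = @($Chain[$i].Links)
        for ($j = $links.Count - 1; $j -ge 0; $j--) {
            if ($links[$j].NoOverride) { $apply.Add($links[$j]) }
        }
    }

    # Merge: the last writer wins. Not Configured never replaces an inherited value;
    # Disabled, like any explicit value, does.
    $effective = @{}
    foreach ($link in $apply) {
        foreach ($entry in $link.Gpo.Settings.GetEnumerator()) {
            if ($entry.Value -eq 'NotConfigured') { continue }
            $effective[$entry.Key] = [pscustomobject]@{ Value = $entry.Value; From = $link.Gpo.Name }
        }
    }
    return $effective
}

# Constructed scenario: a domain security baseline marked No Override, a default
# domain policy, and a Sales OU that blocks inheritance and has its own GPO.
$local    = New-DemoGpo 'Local GPO'             @{ ScreenSaverTimeout = '600'; RemoveRunMenu = 'NotConfigured' }
$default  = New-DemoGpo 'Default Domain Policy' @{ ScreenSaverTimeout = '900'; RemoveRunMenu = 'Disabled' }
$baseline = New-DemoGpo 'Security Baseline'     @{ DisableRegistryTools = 'Enabled' }
$sales    = New-DemoGpo 'Sales Desktop'         @{ DisableRegistryTools = 'Disabled'; RemoveRunMenu = 'Enabled'; ScreenSaverTimeout = 'NotConfigured' }

$chain = @(
    (New-DemoContainer 'Local'  'WKS01' @(New-DemoLink $local)),
    (New-DemoContainer 'Site'   'Default-First-Site-Name'),
    (New-DemoContainer 'Domain' 'contoso.com' @((New-DemoLink $baseline $true), (New-DemoLink $default))),
    (New-DemoContainer 'OU'     'Sales' @(New-DemoLink $sales) $true)   # Block Policy Inheritance set
)

$result = Resolve-EffectiveSetting -Chain $chain
foreach ($name in ($result.Keys | Sort-Object)) {
    '{0,-22} {1,-10} from {2}' -f $name, $result[$name].Value, $result[$name].From
}
```

With this input, DisableRegistryTools ends up Enabled from the Security Baseline (No Override beats the Sales GPO's Disabled), RemoveRunMenu is Enabled from Sales Desktop, and ScreenSaverTimeout is 600 from the local GPO: the domain value of 900 never arrives because the OU blocks inheritance, which lets the local setting resurface. Removing the `$true` on the Sales container shows the normal case, where the domain GPO overrides the local one and Sales still wins on RemoveRunMenu.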
Slide 31: Using Security Groups to Filter Group Policy
- Because more than one GPO can be linked to a site, domain, or OU, GPOs associated with other directory objects may need to be linked.
- By setting the appropriate permissions for security groups, group policy can be filtered to influence only the computers and users specified.
Slide 32: Group Policy Implementation Planning
- Designing GPOs by Setting Type
- GPO Implementation Strategies
- Layered vs. Monolithic GPO Design
- Functional Roles vs. Team Design
- OU Delegation with Central or Distributed Control

Slide 33: GPO Setting Types

Slide 34: Single Policy Type
- Includes GPOs that deliver a single type of group policy setting.
- The goal is to separate each type of group policy setting into a separate GPO.
- Create a GPO for software management settings, user documents and settings, software policies, and so on.
- Give Read/Write access only to the user or users who need to administer a GPO.
- Best suited for organizations in which administrative responsibilities are delegated among several individuals.

Slide 35: Multiple Policy Type
- Includes GPOs that deliver multiple types of group policy settings.
- The goal is to include multiple types of group policy settings in a single GPO.
- Best suited for organizations in which administrative responsibilities are centralized and an administrator may need to perform many or all types of group policy administration.

Slide 36: Dedicated Policy Type
- Includes GPOs dedicated to either Computer Configuration or User Configuration group policies.
- The goal is to include all User Configuration group policy settings in one GPO and all Computer Configuration group policy settings in a separate GPO.
- Increases the number of GPOs that must be processed at logon, which lengthens logon time.
- Aids in troubleshooting.

Slide 37: GPO Implementation Strategies
- Planning an AD structure requires consideration of how group policy will be implemented for the organization.
- Delegation of authority, separation of administrative duties, central versus decentralized administration, and design flexibility are important factors.
- Most organizations will combine several strategies to create custom solutions.

Slide 38: Layered vs. Monolithic Design

Slide 39: Layered
- The goal is to include a specific policy setting in as few GPOs as possible.
- Create a base GPO to be applied to the domain that contains policy settings for as many users and computers in the domain as possible.
- Create additional GPOs tailored to the common requirements of each corporate group and apply them to the appropriate OUs.
- When a change is required, GPOs have to be modified to enforce the change.
- Administration is simplified at the expense of a longer logon time.
- Best suited for environments in which different groups in the organization have common security concerns and changes to group policy are frequent.

Slide 40: Monolithic
- The goal is to use very few GPOs for any given user or computer.
- All the policy settings required for a given site, domain, or OU should be implemented within a single GPO.
- If the site, domain, or OU has groups of users or computers with different policy requirements, consider subdividing the container into OUs and applying separate GPOs to each OU rather than to the parent.
- Changes involve more administration than with the layered approach because the settings may need to be changed in multiple GPOs.
- The logon time is shorter than it is with the layered approach.
- Best suited for environments in which users and computers can be classified into a small number of groups for policy assignment.

Slide 41: Functional Roles vs. Team Design
Slide 42: Functional Roles vs. Team Design Overview
- Active Directory's OU structure was designed to facilitate ease of administration and delegation of authority.
- The OU structure may or may not represent the functional roles within the organization.
- When designing group policy for an organization with a functional role OU structure, the group policy should be designed by delegating control to the OU levels.
- If the OU architecture does not represent group organization, then OU delegation of control should be used, but groups should be used as a filtering mechanism for applying group policy.

Slide 43: Functional Roles Design
- The goal is to use an OU structure that reflects the functional roles within the organization for applying group policy.
- A minimum number of GPOs is used, with each tailored to a group's specific needs.
- A GPO is created for each OU.
- Network administrators can set ACL permissions for GPO administration either at the domain or OU administrator level.
- Best suited for organizations designed according to functional roles: groups of users organized according to users' occupations.
- Each functional role requires specific group policies.

Slide 44: Team Design
- The goal is to use groups as a filtering mechanism in applying group policy in an organization that uses the virtual team concept.
- Individuals within the organization form teams to perform a task or project, and each individual is a member of multiple teams.
- Each team has specific group policy requirements.
- Eliminates complexity by strategically applying the GPOs at only one location.
- Allows administrators to centrally administer the GPOs and minimizes the GPO-to-OU assignments.
- Best suited for organizations that need an efficient and flexible method of managing group policy in a dynamic environment with an OU architecture that does not reflect the team structure.

Slide 45: Central vs. Distributed Control

Slide 46: OU Delegation Overview
- Administration of OUs can be delegated.
- OU administrators may need to block group policies that have been assigned to their OU at higher organizational levels.
- Certain policies may need to be enforced, and OU administrators will not be allowed to block them.
- Accomplished by using a central or distributed control design.

Slide 47: Central Control Design
- Offers delegated administration as well as centralized control.
- Use the No Override option on OUs.
- Create a GPO to include only security settings for a domain, and then set the No Override option so that all child OUs are affected by the security options specified at the domain level.
- For all other types of policy, control of those GPOs could be delegated to the specific OU administrators.
- Best suited for organizations that choose to delegate administration of OUs, but would like to enforce certain group policies throughout the domain.

Slide 48: Distributed Control Design
- Administrators of OUs are allowed to block group policies from being applied to their OU, but can't block group policies marked as No Override.
- Create GPOs for each OU.
- Set ACL permissions allowing OU administrators full control over GPOs.
- Set the Block Policy Inheritance option for each OU.
- Best suited for organizations that choose to minimize the number of domains, but do not want to sacrifice autonomous administration of OUs.
- Allows administrators to enforce certain group policies throughout the domain.
Slide 49: Implementing Group Policy
- Implementing Group Policy
- Creating a GPO
- Creating a GPO Console
- Delegating Administrative Control of a GPO
- Specifying Group Policy Settings
- Disabling Unused Group Policy Settings
- Indicating GPO Processing Exceptions
- Filtering GPO Scope
- Linking a GPO
- Modifying Group Policy
- Removing a GPO Link
- Deleting a GPO
- Editing a GPO and GPO Settings
- Practice: Implementing a Group Policy

Slide 50: Delegating Administrative Control of a GPO
- After a GPO is created, which groups of administrators have access permissions to the GPO must be determined.
- The Default Domain Policy GPO cannot be deleted by any administrator, by default.
- This prevents the accidental deletion of this GPO, which contains important required settings for the domain.
- If working with a GPO from a pre-built console, such as Active Directory Users and Computers, the Delegation Of Control Wizard is not available for use in delegating administrative control of a GPO; it only controls security of an object.

Slide 51: Default GPO Permissions
- Authenticated Users: Read, Apply Group Policy, Special Permissions
- CREATOR OWNER: Special Permissions
- Domain Administrators: Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
- Enterprise Administrators: Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
- SYSTEM: Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
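Added example (not from the slides): a PowerShell audit that lists every trustee able to modify a GPO and is not one of the default editors on slide 51. Anyone with Write on a GPO can change what every linked user and computer does at next refresh, so delegations beyond the defaults should be deliberate and reviewed. It uses the GroupPolicy module (GPMC/RSAT, Windows Server 2008 R2 and later), which does not exist on Windows 2000; the set of expected editors is an assumption to adjust for legitimate delegations.

```powershell
Import-Module GroupPolicy

# Principals that hold edit rights on a GPO by default (slide 51). Add intended delegations here.
$ExpectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'CREATOR OWNER')

function Find-UnexpectedGpoEditor {
    # Returns one object per (GPO, trustee) where the trustee can edit the GPO and is not expected to.
    param([string[]]$Expected = $ExpectedEditors, [string]$Domain)

    $gpoArgs = @{ All = $true }
    if ($Domain) { $gpoArgs.Domain = $Domain }

    foreach ($gpo in Get-GPO @gpoArgs) {
        $permArgs = @{ Guid = $gpo.Id; All = $true }
        if ($Domain) { $permArgs.DomainName = $Domain }

        foreach ($perm in Get-GPPermission @permArgs) {
            $level = [string]$perm.Permission
            # GpoRead and GpoApply cannot change the policy; every other level can (GpoCustom needs a manual look).
            if ($level -notin 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom') { continue }
            if ($perm.Trustee.Name -in $Expected) { continue }
            [pscustomobject]@{
                Gpo         = $gpo.DisplayName
                GpoId       = $gpo.Id
                Trustee     = $perm.Trustee.Name
                TrusteeType = $perm.TrusteeType
                Permission  = $level
                Inherited   = $perm.Inherited
            }
        }
    }
}

# Usage: review each row, then either add the trustee to $ExpectedEditors (intended delegation)
# or remove the right:
#   Set-GPPermission -Guid <GpoId> -TargetName <Trustee> -TargetType Group -PermissionLevel None
Find-UnexpectedGpoEditor | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

The listing covers the Active Directory side of each GPO only. Each GPO also has a file-system part under SYSVOL (`\\<domain>\SYSVOL\<domain>\Policies\{<GpoId>}`) with its own NTFS ACL; when the two disagree, the SYSVOL copy is the one that holds scripts and registry.pol, so check it as well.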
Slide 52: Disabling Unused Group Policy Settings
- If a GPO has only settings that are Not Configured, then it is possible to avoid processing those settings by disabling the node.
- Disabling the node expedites startup and logon for those users and computers subject to the GPO.

Slide 53: Indicating GPO Processing Exceptions
- GPOs are processed according to the Active Directory hierarchy.
- The default order of processing group policy settings may be changed by several actions.

Slide 54: Modifying the Order of GPOs

Slide 55: Filtering GPO Scope
- Policies in a GPO apply only to users who have Read permission for that GPO.
- The scope of a GPO is filtered by creating security groups and then assigning Read permission to the selected groups.
- A policy is prevented from applying to a specific group by denying that group Read permission to the GPO.
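Added example (not from the slides) for the security-group filtering on slides 31 and 55: scoping a GPO to one group with the GroupPolicy module (GPMC/RSAT, Windows Server 2008 R2 and later; not available on Windows 2000). On a current domain a principal needs both Read and Apply Group Policy, and the module expresses that as one permission level, `GpoApply`. The GPO and group names are assumptions.

```powershell
Import-Module GroupPolicy

function Get-GpoApplyScope {
    # Read-only view of who reads and who applies a GPO; run it before and after a change.
    param([Parameter(Mandatory)][string]$GpoName)
    Get-GPPermission -Name $GpoName -All |
        Where-Object { [string]$_.Permission -in 'GpoApply', 'GpoRead' } |
        Select-Object @{ Name = 'Trustee'; Expression = { $_.Trustee.Name } }, Permission
}

function Set-GpoScopeToGroup {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    # 1. Stop the GPO applying to everyone by lowering Authenticated Users from Apply to Read.
    #    Read is kept on purpose: since the MS16-072 update the computer account retrieves user
    #    policy, so a GPO the computer cannot read is skipped for every user, silently.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # 2. Grant Read + Apply Group Policy to the intended group only.
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # 3. Return the resulting scope for the change record.
    Get-GpoApplyScope -GpoName $GpoName
}

# Usage (assumed names):
#   Get-GpoApplyScope   -GpoName 'Sales Desktop'
#   Set-GpoScopeToGroup -GpoName 'Sales Desktop' -GroupName 'Sales Users'
```

Slide 55's other route, a Deny Read entry for a group that must be excluded, cannot be written with `Set-GPPermission` (it only sets Allow levels) and has to go through the ACL editor or ADSI. Prefer removing Apply over adding Deny where the group structure allows it: Deny entries win over every Allow, including ones added later for nested groups, and are a frequent reason a GPO "does not apply" during troubleshooting.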
Slide 56: Permissions for GPO Scopes

Slide 57: Linking a GPO
- By default, a new GPO is linked to the site, domain, or OU that was selected in the MMC when it was created.
- Settings apply to that site, domain, or OU.
- The Group Policy tab for the site, domain, or OU properties is used to link a GPO to additional sites, domains, or OUs.

Slide 58: Add A Group Policy Object Link Dialog Box

Slide 59: Removing, Deleting, and Editing GPOs
- Removing a GPO Link
  - Removing a GPO link unlinks the GPO from the specified site, domain, or OU.
  - The GPO remains in Active Directory until it is deleted.
- Deleting a GPO
  - Deleting a GPO removes it from Active Directory.
  - Any sites, domains, or OUs to which a GPO is linked when it is deleted will no longer be affected by it.
- Editing a GPO
  - The same procedures that are used for creating a GPO and for specifying group policy settings are used to edit a GPO or its settings.
Slide 60: Managing Software Using Group Policy
- Software Management Tools
- Assigning Applications
- Publishing Applications
- How Software Installation Works
- Implementing Software Installation
- Planning and Preparing a Software Installation
- Setting Up an SDP
- Specifying Software Installation Defaults
- Deploying Software Applications
- Setting Automatic Installation Options
- Setting Up Application Categories
- Setting Software Application Properties
- Maintaining Software Applications

Slide 61: Managing Software Using Group Policy Overview
- The Software Installation extension is a software management feature of Windows 2000 that is an administrator's primary tool for managing software within an organization.
- Managing software using Software Installation provides users with immediate access to the software they need to perform their jobs, and ensures that users have an easy and consistent experience when working with software throughout its life cycle.
- Users no longer need to look for a network share, use a CD-ROM, or install, fix, and upgrade software themselves.

Slide 62: Software Management Tools Overview
- The Software Installation extension of the Group Policy snap-in: used by administrators to manage software
- Windows Installer: installs software packaged in Windows Installer files
- Add/Remove Programs in Control Panel: used by users to manage software on their own computers

Slide 63: The Software Installation Extension
- Primary tool for managing software within an organization
- Works in conjunction with group policy and Active Directory
- Centrally manages the installation of software on a client computer by assigning applications to users or computers or by publishing applications for users
- Assigns required or mandatory software to users or to computers
- Publishes software that users might find useful to perform their jobs

Slide 64: Application Assigned to User
- The application is advertised to the user the next time he or she logs on to a workstation.
- The application advertisement follows the user regardless of which physical computer he or she actually uses.
- The application is installed the first time the user activates the application on the computer, either by selecting the application on the Start menu or by activating a document associated with the application.

Slide 65: Application Assigned to the Computer
- The application is advertised and the installation is performed when it is safe to do so.
- A safe time typically is when the computer starts up, so that no competing processes are on the computer.

Slide 66: Publishing Applications
- When the application is published to users, the application does not appear installed on the users' computers.
- No shortcuts are visible on the desktop or Start menu.
- No changes are made to the local registry on the users' computers.
- Advertisement attributes are stored in Active Directory.
- Information, such as the application's name and file associations, is exposed to the users in the Active Directory container.
- After publication, the application is available for user installation by using Add/Remove Programs in Control Panel or by clicking a file associated with the application.

Slide 67: How Software Installation Works
- The Software Installation extension uses Windows Installer technology to systematically maintain software.
- Windows Installer is a service that allows the OS to manage the installation process.

Slide 68: Windows Installer's Three Key Parts
- An OS service that performs the installation, modification, and removal of the software in accordance with the information in the Windows Installer package
- A database containing information that describes the installed state of the application
- An API that allows applications to interact with Windows Installer to install or remove additional features of the application after the initial installation is complete

Slide 69: Windows Installer Advantages
- Enables users to take advantage of self-repairing applications.
- Notes when a program file is missing and immediately reinstalls the damaged or missing files, thereby fixing the application.
- Makes modifications to customize the installation of a Windows Installer package at the time of assignment or publication; modifications are saved with the .mst file extension.

Slide 70: Windows Installer Package
- The Windows Installer package is a file that contains explicit instructions on the installation and removal of specific applications.
- The developer provides the Windows Installer package (.msi file) and ships it with the application.
- If a Windows Installer package is not provided with an application, it may need to be created or the application may need to be repackaged, using a third-party tool.
Slide 71: Software Installation Can Deploy Only the Following File Types
- Native Windows Installer package (.msi) files: developed as a part of the application and take full advantage of the Windows Installer
- Repackaged application (.msi) files: allow applications that do not have a native Windows Installer package to be repackaged
- An existing setup program (application .zap file): installs an application by using its original SETUP.EXE program

Slide 72: Other Files Encountered During Software Installation
- Patch (.msp) files: used for bug fixes, service packs, and similar files
- Application assignment script (.aas) files: contain instructions associated with the assignment or publication of a package

Slide 73: Customizing Windows Installer Packages
- Transforms can be used to customize Windows Installer applications.
- Customization is provided by allowing the original package to be transformed using authoring and repackaging tools.
- Some applications provide wizards or templates that permit a user to create modifications.

Slide 74: Tasks for Implementing Software Installation
- Planning and preparing the software installation
- Setting up a software distribution point
- Specifying software installation defaults
- Deploying software applications
- Setting automatic installation options
- Setting up application categories
- Setting software application properties
- Maintaining software applications

Slide 75: Planning and Preparing a Software Installation: Considerations
- Review the organization's software requirements on the basis of the overall organizational structure within Active Directory and available GPOs.
- Determine how to deploy the applications.
- Create a pilot to test how software will be assigned or published to users or computers.
- Prepare software using a format that allows the administrator to manage it based on what the organization requires.
- Test all of the Windows Installer packages or repackaged software.

Slide 76: Planning and Preparing a Software Installation: Strategies and Considerations
- Create OUs based on software management needs.
- Deploy software close to the root in the Active Directory tree.
- Deploy multiple applications with a single GPO.
- Publish or assign one application only once in the same GPO or in a series of GPOs that might apply to a single user or computer.

Slide 77: Planning and Preparing a Software Installation: Software Licenses
- Licenses are required for software written by independent software vendors and distributed using SDPs.
- The administrator is responsible for matching the number of users who can access software to the number of licenses on hand.
- The administrator is responsible for verifying that guidelines provided by each ISV are being followed.
- The administrator should gather the package formats for the software and perform any necessary modifications to the packages.
Slide 78: Setting Up an SDP
- Create the folders for the software on the file server that will be the SDP and make the folders network shares.
- Replicate the software to the SDPs by placing or copying the software, packages, modifications, all necessary files, and components to a distribution share (or shares); place each application in its own folder on the SDP.
- Set the appropriate permissions on the folders so that only administrators can change the files and users can only read the files from the SDP folders and shares; then use group policy to manage the software within the appropriate GPO.
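Added example (not from the slides): a PowerShell script that builds a software distribution point with the permission split slide 78 asks for (administrators change, users read, at both the NTFS and share level) and copies a package into its own product folder only after its Authenticode signature verifies. The check matters because a package assigned to computers is installed by the Windows Installer service in the SYSTEM context on every client, so whatever sits on the SDP runs with full privilege there. Paths, share and group names are assumptions, and `New-SmbShare` needs Windows Server 2012 or later rather than Windows 2000.

```powershell
function New-SoftwareDistributionPoint {
    param(
        [Parameter(Mandatory)][string]$Path,                       # e.g. D:\Software
        [Parameter(Mandatory)][string]$ShareName,                  # e.g. Software$
        [string]$AdminGroup  = "$env:USERDOMAIN\Domain Admins",    # assumed group names
        [string]$ReaderGroup = "$env:USERDOMAIN\Domain Users"
    )
    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    # NTFS: break inheritance and start from an explicit ACL, so nothing permissive
    # (for example Users: Modify on a data volume) is carried in from the parent folder.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $rules = @(
        @('NT AUTHORITY\SYSTEM', 'FullControl'),
        @($AdminGroup,           'FullControl'),
        @($ReaderGroup,          'ReadAndExecute')   # users read the packages, never modify them
    )
    foreach ($r in $rules) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $r[0], $r[1], $inherit, $none, 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl

    # Share: repeat the split at the share level; Everyone is granted nothing.
    New-SmbShare -Name $ShareName -Path $Path -FullAccess $AdminGroup -ReadAccess $ReaderGroup | Out-Null
}

function Publish-PackageToSdp {
    param(
        [Parameter(Mandatory)][string]$PackagePath,   # the vendor .msi
        [Parameter(Mandatory)][string]$SdpPath,       # root created by New-SoftwareDistributionPoint
        [Parameter(Mandatory)][string]$Product        # each application gets its own folder (slide 78)
    )
    # Refuse unsigned or tampered packages before they become reachable by every client.
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    if ($sig.Status -ne 'Valid') {
        throw "Not publishing '$PackagePath': signature status is $($sig.Status)"
    }
    $dest = Join-Path -Path $SdpPath -ChildPath $Product
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item -Path $PackagePath -Destination $dest -Force
    # Record the hash of what was published, so later drift on the SDP can be detected.
    Get-FileHash -Path (Join-Path -Path $dest -ChildPath (Split-Path -Path $PackagePath -Leaf)) -Algorithm SHA256
}

# Usage (assumed values):
#   New-SoftwareDistributionPoint -Path 'D:\Software' -ShareName 'Software$'
#   Publish-PackageToSdp -PackagePath 'C:\Staging\vendor-app.msi' -SdpPath 'D:\Software' -Product 'VendorApp'
```

Transforms (.mst files) and repackaged applications are usually not signed, so the signature check only protects the vendor package; for those, keep the recorded hashes from the staging copy and compare them against the SDP as part of routine review.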
Slide 79: Specifying Software Installation Defaults
- A GPO can contain several settings that affect how an application is installed, managed, and removed.
- The default settings for the new packages are globally defined within the GPO in the General tab of the Software Installation Properties dialog box.
- Some of the default settings can be changed later by editing the package properties in the Software Installation extension.

Slide 80: General Tab of the Software Installation Properties

Slide 81: Deploying Software Installation Defaults
- Because software can be either assigned or published, and targeted to either users or computers, a workable combination can be established to meet the software management goals.
- Modifications (.mst files) are customizations applied to Windows Installer packages.
- Modifications must be applied at the time of assignment or publication, not at the time of installation.

Slide 82: Software Deployment Approaches

Slide 83: Publishing Applications
- An application is published to make it available to people managed by the GPO, should they want the application.
- Each person decides whether or not to install the published application.
- Applications can only be published to users.

Slide 84: Deploying Applications with Modifications
- Modifications are associated with the Windows Installer package at deployment time rather than when the Windows Installer is actually using the package to install or modify the application.
- Modifications are applied to Windows Installer packages by the administrator.
- The order in which modifications are applied must be determined before the application is assigned or published.

Slide 85: Setting Automatic Installation Options
- The application that is installed when users select a file can be specified by the administrator by selecting a file extension and configuring a priority for installing applications associated with the file extension, using the File Extensions tab in the Software Installation Properties dialog box.
- The first application listed is the application installed in association with the file extension.
- File extension associations are managed on a per-GPO basis.
- Changing the priority order in a GPO affects only those users who have that GPO applied to them.

Slide 86: File Extensions Tab

Slide 87: Setting Up Application Categories
- Organizing assigned and published applications into logical categories within Add/Remove Programs in Control Panel makes it easier for users to locate the appropriate application.
- Windows 2000 does not ship with any predefined categories.
- Categories are established per domain, not per GPO.
- Categories need to be defined only once for the whole domain.

Slide 88: Setting Software Application Properties
- Each application can be fine-tuned in several ways:
  - By editing installation options
  - By specifying application categories to be used
  - By setting permissions for the software installation

Slide 89: Editing Installation Options for Applications
- Default settings can be changed, even if they have been globally defined within the GPO, by editing the package properties.
- Installation options affect how an application is installed, managed, and removed.

Slide 90: Deployment Tab

Slide 91: Specifying Application Categories
- Applications must be associated with existing categories.
- Categories generally pertain to published applications only, because assigned applications do not appear in Add/Remove Programs.

Slide 92: Categories Tab of the Properties Dialog Box

Slide 93: Maintaining Software Applications: Upgrading Applications
- Several events trigger an upgrade.
- Upgrades typically incorporate major changes into the software and normally have new version numbers.
- A substantial number of files change for an upgrade.
- The Software Installation extension is used to establish the procedure to upgrade an existing application to the current release.

Slide 94: Add Upgrade Package Dialog Box

Slide 95: Maintaining Software Applications: Removing Applications
- A version of a software application is no longer supported.
  - Administrators can remove the software version from Software Installation without forcing the removal of the software from the computers of users who are still using the software.
  - Users can continue to use the software themselves.
  - No user is able to install the software version.
- A software application is no longer used.
  - Administrators can force the removal of the software.
  - The software is automatically deleted from a computer, either the next time the computer is turned on or the next time the user logs on.
  - Users cannot install or run the software.
96 Managing Special Folders Using Group Policy
- Folder Redirection
- Default Special Folder Locations
- Setting Up Folder Redirection
- Policy Removal Considerations
97 Windows 2000 Redirected Special Folders
- Application Data
- Desktop
- My Documents
- My Pictures
- Start Menu
98 Redirecting the My Documents Folder: Advantages
- The user's documents are always available, even if the user logs on to various network computers.
- When roaming user profiles are used, only the network path to the My Documents folder is part of the roaming user profile, not the My Documents folder itself.
- Data stored on a shared network server can be backed up as part of routine system administration and requires no action on the part of the user.
- The system administrator can use group policy to set disk quotas, limiting the amount of space used by users' special folders.
- Data specific to a user can be redirected to a different hard disk on the user's local computer from the hard disk holding the OS files.
99 Default Locations for Special Folders
100 Setting Up Folder Redirection
- Redirect to a location according to security group membership.
- Redirect to one location for everyone in the site, domain, or OU.
- Redirect the My Pictures folder to follow the My Documents folder redirection.
101 Target Tab in the Properties Dialog Box
102 Specify Group And Location Dialog Box
103 Settings Tab of the Properties Dialog Box
104 Policy Removal Considerations
105 Troubleshooting Group Policy
- Troubleshooting Group Policy
- Group Policy Best Practices
106 Troubleshooting Group Policy: Overview
- Considering dependencies between components is an important part of troubleshooting group policy problems.
- When trying to fix problems that appear in one component, it is generally helpful to check whether the components, services, and resources on which it relies are working correctly.
- Event logs are useful for tracking down problems caused by this type of hierarchical dependency.
107 Symptom: The user has Read access to a GPO but cannot open it
- Cause: An administrator must have both Read and Write permissions for the GPO to open it in the Group Policy snap-in.
- Solution: Become a member of a security group with Read and Write permission for the GPO.
108 Symptom: User receives a "Failed To Open The Group Policy Object" message when trying to edit a GPO
- Cause: A networking problem, specifically a problem with the DNS configuration.
- Solution: Make sure DNS is working properly.
109 Symptom: Group policy is not being applied to users and computers in a security group that contains them, even though a GPO is linked to an OU containing that security group
- Cause: This is correct behavior. Group policy affects only users and computers contained in sites, domains, and OUs; GPOs are not applied to security groups.
- Solution: Link GPOs to sites, domains, and OUs only. Keep in mind that the location of a security group in Active Directory is unrelated to whether group policy applies to the users and computers in that security group.
110 Symptom: Group policy is not affecting users and computers in a site, domain, or OU
- Cause:
- Group policy settings can be prevented, intentionally or inadvertently, from taking effect on users and computers in several ways.
- A GPO can be disabled from affecting users, computers, or both.
- A GPO also needs to be linked either directly to an OU containing the users and computers, or to a parent domain or OU so that the group policy settings apply through inheritance.
- Solution:
- Make sure that the intended policy is not being blocked.
- Make sure no policy set at a higher level of Active Directory has been set to No Override.
111 Symptom: Group policy is not affecting users and computers in a site, domain, or OU (cont.)
- Cause:
- When multiple GPOs apply, they are processed in this order: local, site, domain, OU.
- By default, settings applied later have precedence.
- Solution:
- If Block Policy Inheritance and No Override are both used, No Override takes precedence.
- Verify that the user or computer is not a member of any security group for which the Apply Group Policy (AGP) permission is set to Deny.
112 Symptom: Group policy is not affecting users and computers in a site, domain, or OU (cont.)
- Cause:
- Group policy can be blocked at the level of any OU, or enforced through a setting of No Override applied to a particular GPO link.
- The user or computer must belong to one or more security groups with appropriate permissions set.
- Solution:
- Verify that the user or computer is a member of at least one security group for which the AGP permission is set to Allow.
- Verify that the user or computer is a member of at least one security group for which the Read permission is set to Allow.
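The rules behind slides 109 to 112 (processing order local, site, domain, OU with later settings winning; No Override beating Block Policy Inheritance; a GPO applying only where Read and Apply Group Policy are both granted and no Deny is present) as a small Python model. This is an added example, not part of the original deck; the GPO, group and setting names are constructed.

```python
# Toy model of Group Policy precedence and security filtering (added example;
# all group, GPO and setting names below are constructed, not from a real domain).
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict                                # setting -> value
    read: set = field(default_factory=set)        # groups granted Read
    apply: set = field(default_factory=set)       # groups granted Apply Group Policy (AGP)
    deny_apply: set = field(default_factory=set)  # groups with AGP explicitly set to Deny

def applies(gpo, groups):
    # Filtering: an explicit Deny wins; otherwise Read AND AGP must be granted via some group.
    if gpo.deny_apply & groups:
        return False
    return bool(gpo.read & groups) and bool(gpo.apply & groups)

def processing_order(local, path):
    # path = [(links, block_inheritance)] for site, domain, OU in that order, where
    # links = [(GPO, no_override)] in link order, top link first. Processing order is
    # local, site, domain, OU and later entries win; Block Policy Inheritance drops
    # higher-level links except No Override links, which run last (higher level last).
    normal, no_override = [local], []
    for links, block in path:
        if block:
            normal = [local]      # the local GPO itself is never blocked
        normal += [g for g, enf in reversed(links) if not enf]
        no_override = [g for g, enf in reversed(links) if enf] + no_override
    return normal + no_override

def resultant(local, path, groups):
    # Returns {setting: (value, winning GPO name)} for an object in `groups`.
    result = {}
    for gpo in processing_order(local, path):
        if applies(gpo, groups):
            for key, value in gpo.settings.items():
                result[key] = (value, gpo.name)
    return result

AUTH = {"Authenticated Users"}
LOCAL = GPO("Local", {"wallpaper": "local.bmp"}, AUTH, AUTH)
SITE = GPO("Site-Baseline", {"wallpaper": "corp.bmp", "homepage": "intranet"}, AUTH, AUTH)
DOMAIN = GPO("Domain-Lockdown", {"cdrom": "deny", "screensaver": "5min"}, AUTH, AUTH)
SALES = GPO("Sales-Desktop", {"wallpaper": "sales.bmp", "cdrom": "allow"},
            AUTH, {"Sales"}, deny_apply={"Contractors"})

def demo(groups=frozenset(AUTH | {"Sales"}), block=True):
    # Sales OU user: site GPO, domain GPO linked with No Override, OU GPO filtered to Sales.
    path = [([(SITE, False)], False), ([(DOMAIN, True)], False), ([(SALES, False)], block)]
    return resultant(LOCAL, path, set(groups))
```

Calling `demo()` shows the domain's No Override link still winning the `cdrom` setting through the blocked Sales OU, while `demo(block=False)` lets the site's `homepage` setting through and a member of `Contractors` loses the Sales GPO entirely.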
113 Symptom: Group policy is not affecting users and computers in an Active Directory container
- Cause: GPOs cannot be linked to Active Directory containers other than sites, domains, and OUs.
- Solution: Link a GPO to an OU that is a parent to the Active Directory container; then, by default, those settings are applied to the users and computers in the container through inheritance.
114 Symptom: Group policy is not taking effect on the local computer
- Cause: Local policies are the weakest; any nonlocal GPO can overwrite them.
- Solution: Check to see what GPOs are being applied through Active Directory and whether those GPOs have settings that are in conflict with the local settings.
115 Symptom: Published applications do not appear in Add/Remove Programs in Control Panel
- Cause:
- Group policy was not applied.
- Active Directory cannot be accessed.
- The user does not have any published applications in the GPOs that apply to him or her.
- The client is running Terminal Server.
- Solution:
- Investigate each possibility.
- Software Installation is not supported for Terminal Server clients.
116 Symptom: Document activation of a published application does not cause the application to install
- Cause: The administrator did not set auto-install.
- Solution: Ensure that Auto-Install This Application By File Extension Activation is checked in the Deployment tab of the application's Properties sheet.
117 Symptom: The user receives an error message such as "The Feature You Are Trying To Install Cannot Be Found In The Source Directory"
- Cause: Network or permissions problems.
- Solution:
- Ensure that the network is working correctly.
- Ensure that the user has Read and AGP permissions for the GPO.
- Ensure that the user has Read permission for the software distribution point (SDP).
- Ensure that the user has Read permission for the application.
118 Symptom: After removal of an application, the shortcuts for the application still appear on the user's desktop
- Cause: The user has created shortcuts, and Windows Installer has no knowledge of them.
- Solution: The user must remove the shortcuts manually.
119 Symptom: The user receives an error message such as "Another Installation Is Already In Progress"
- Cause: An uninstallation might be taking place in the background with no user interface presented to the user, or perhaps the user has inadvertently triggered two installations simultaneously.
- Solution: The user can try again later.
120 Symptom: The user opens an already installed application, and the Windows Installer starts
- Cause: An application might be undergoing automatic repair, or a user-required feature is being added.
- Solution: No action is required.
121 Symptom: The user receives error messages such as "Active Directory Will Not Allow The Package To Be Deployed" or "Cannot Prepare Package For Deployment"
- Cause: The package might be corrupted or there might be a networking problem.
- Solution: Investigate and take appropriate action.
122 General Group Policy Practices
- Disable unused parts of a GPO.
- Use the Block Policy Inheritance and No Override features sparingly.
- Minimize the number of GPOs associated with users or computers in domains or OUs.
- Filter policy based on security group membership.
- Use loopback only when necessary.
- Avoid cross-domain GPO assignments.
123 Software Installation Practices
- Specify application categories for the organization.
- Make sure Windows Installer packages include modifications before they are published or assigned.
- Assign or publish just once per GPO.
- Take advantage of authoring tools.
- Repackage existing software.
- Use SMS and Dfs.
- Assign or publish close to the root in the Active Directory hierarchy.
- Use Software Installation properties for widely scoped control.
- Use Windows Installer package properties for fine control.
124 Folder Redirection Practices
- Incorporate the username into fully qualified UNC paths.
- Have My Pictures follow My Documents.
- Consider the effects of policy removal.
- Accept defaults.