Microsoft® Desktop Deployment Assistance Program 5. Managing the Desktop Joe Liptrot.



1 Microsoft® Desktop Deployment Assistance Program 5. Managing the Desktop Joe Liptrot

2 Slide deck download URL: http://www.microsoft.com/uk/technet/learning

3 Agenda
- Definitions
- History
- Local/Group/System Policy

4 Definitions
- User Profiles: user data and settings (e.g. Outlook settings)
- Local/Group/System Policy: allows administrative control of settings
  - Local Policy: Windows XP workstations (stored on the machine itself, applied even with no domain)
  - Group Policy: Windows 2000 / Windows Server 2003 (then branded ".NET") domains
  - System Policy: NT4 domains

5 History and Motivation
- Default user data: hard to deploy a customized application; empirical methods were used to find the registry keys
- Mandatory user data: lots of settings with no policies; confusion about default policies
- Multiple-user scenario: setup only writes user data for the user who installed the application
- Registry tattooing: settings written outside the policy hives stay in the registry after the policy that wrote them is removed

6 New Policy Architecture
- Office applications always write to their own areas, never to the Policies hive
- Policy templates write to the HKCU\Software\Policies hive (HKLM\Software\Policies for machine settings)
- Differences from System Policies in NT4/Win9x:
  - Policies can be undone (removed with the policy rather than tattooed)
  - Policy reapplied at each application start
  - Policy reapplied without user logon
  - Policy reapplied while the user is logged on

7 Extending Policy with ADM files
- ADM files describe policies
- Template policies result in registry settings
- Registry settings are automatically applied to the user (or computer) environment
- Applications that understand the policies look for these settings

8 ADM files
- Reside in %systemroot%\inf
- Simple, user-extensible text structure; the fragment below declares one machine policy that writes a DWORD under the Policies hive:

    CLASS MACHINE
    CATEGORY !!WindowsComponents
      CATEGORY !!WindowsUpdateCat
        POLICY !!ImmediateInstall_Title
          KEYNAME "Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
          #if version >= 4
          SUPPORTED !!SUPPORTED_WindowXPSP1
          #endif
          VALUENAME "AutoInstallMinorUpdates"
          VALUEON NUMERIC 1
          VALUEOFF NUMERIC 0
        END POLICY
      END CATEGORY
    END CATEGORY

    [strings]
    WindowsComponents="Windows Components"
    WindowsUpdateCat="Windows Update"
    ImmediateInstall_Title="Allow Automatic Updates immediate installation"
    ; string for the !!SUPPORTED_WindowXPSP1 reference above (wording assumed; the slide omits it)
    SUPPORTED_WindowXPSP1="At least Microsoft Windows XP Professional Service Pack 1"

- CLASS selects Computer or User configuration, nested CATEGORY blocks build the tree shown in the Group Policy Object Editor, and each POLICY names the registry key/value it writes; the #if version guard hides lines from older editors
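The script below is an added example (not from the deck, and not Microsoft code) that parses the ADM subset shown on this slide and, for each policy, reports the registry value it writes and whether that value sits under one of the policy hives Windows cleans up when the GPO no longer applies; anything else is the "registry tattooing" the earlier slide warns about. ADM_VERSION, the "Contoso Widgets" user policy and the SAMPLE_ADM text are constructed for the example.

```python
"""Minimal parser for classic ADM Group Policy templates (added example).
Handles CLASS, CATEGORY/END CATEGORY, POLICY/END POLICY, KEYNAME, VALUENAME,
VALUEON/VALUEOFF, SUPPORTED, "#if version >= N" / #endif and [strings]."""
import re

# Hives Windows treats as true policy (removed when the GPO no longer applies).
POLICY_HIVES = ("software\\policies",
                "software\\microsoft\\windows\\currentversion\\policies")
ADM_VERSION = 4   # reported to "#if version"; 4 = Windows XP / Server 2003 GPEdit
_TOKEN = re.compile(r'"[^"]*"|\S+')   # a quoted string or a bare word


def is_policy_key(keyname):
    """True if keyname sits under one of the managed policy hives."""
    key = keyname.strip("\\").lower()
    return any(key == h or key.startswith(h + "\\") for h in POLICY_HIVES)


def parse_adm(text):
    """Return one dict per POLICY block, in file order."""
    body, _, strings_text = text.partition("[strings]")      # section header is lower case in ADM files
    strings = dict(re.findall(r'^\s*(\w+)\s*=\s*"?([^"\r\n]*)"?', strings_text, re.M))

    def resolve(tok):   # !!name -> text from [strings]; "quoted" -> bare text
        return strings.get(tok[2:], tok) if tok.startswith("!!") else tok.strip('"')

    policies, path, cur, cls, skipping = [], [], None, None, False
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):                  # blank line or ';' comment
            continue
        if line.startswith("#if"):                            # only "#if version >= N" is handled
            m = re.search(r"version\s*>=\s*(\d+)", line)
            skipping = not (m and ADM_VERSION >= int(m.group(1)))
        elif line.startswith("#endif"):
            skipping = False
        if line.startswith("#") or skipping:                  # directive itself, or inside a false #if
            continue
        tok = _TOKEN.findall(line)
        kw = tok[0].upper()
        if kw == "CLASS":
            cls = tok[1].upper()
        elif kw == "CATEGORY":
            path.append(resolve(tok[1]))
        elif kw == "POLICY":
            cur = {"class": cls, "category": "/".join(path), "title": resolve(tok[1]),
                   "keyname": "", "valuename": "", "on": None, "off": None, "supported": None}
        elif kw == "END" and tok[1].upper() == "CATEGORY":
            path.pop()
        elif kw == "END" and tok[1].upper() == "POLICY":
            cur["tattoos"] = not is_policy_key(cur["keyname"])
            policies.append(cur)
            cur = None
        elif cur is not None and kw in ("KEYNAME", "VALUENAME", "SUPPORTED"):
            cur[kw.lower()] = resolve(tok[1])
        elif cur is not None and kw in ("VALUEON", "VALUEOFF"):
            # "VALUEON NUMERIC 1" writes a DWORD; 'VALUEON "text"' writes a string
            cur["on" if kw == "VALUEON" else "off"] = (
                int(tok[2]) if tok[1].upper() == "NUMERIC" else resolve(tok[1]))
    return policies


# Constructed sample: the slide's Windows Update policy plus a hypothetical
# per-user setting for a fictional vendor that writes outside the policy hives.
SAMPLE_ADM = r"""CLASS MACHINE
CATEGORY !!WindowsComponents
  CATEGORY !!WindowsUpdateCat
    POLICY !!ImmediateInstall_Title
      KEYNAME "Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
      #if version >= 4
      SUPPORTED !!SUPPORTED_WindowXPSP1
      #endif
      VALUENAME "AutoInstallMinorUpdates"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END POLICY
  END CATEGORY
END CATEGORY
CLASS USER
CATEGORY "Contoso Widgets"
  POLICY "Disable splash screen"
    KEYNAME "Software\Contoso\Widgets"
    VALUENAME "NoSplash"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
END CATEGORY
[strings]
WindowsComponents="Windows Components"
WindowsUpdateCat="Windows Update"
ImmediateInstall_Title="Allow Automatic Updates immediate installation"
SUPPORTED_WindowXPSP1="At least Microsoft Windows XP Professional Service Pack 1"
"""
```

Running `parse_adm(SAMPLE_ADM)` yields two records: the Windows Update policy resolves to `Software\Policies\...\AU` and is reported as a true policy, while the Contoso entry writes to `Software\Contoso\Widgets` and is flagged `tattoos: True`, which is exactly the check to run over a third-party template before importing it into a GPO.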

9 Active Directory Structure
- Forest, Tree, Domain, Organizational Unit (OU)
- Objects and their Attributes
- GC (Global Catalog)

10 Policy Inside AD
- Domain, OU and Site objects have a gPLink attribute which points to...
- the Policy container (CN=Policies,CN=System in the domain partition, holding a Group Policy Container object for every GPO in the domain), which points to...
- SYSVOL on the DCs, which contains the actual policy files (the Group Policy Template)

11 Policy in Two Parts
- Computer configuration: only affects computer objects in the OU
- User configuration: only affects user objects in the OU
- A policy can affect one or both

12 What can Policy do?
- Enforce security
- Deploy software
- Enforce settings

13 Disabling Features
- Disable menus and toolbar buttons
- Disabled items are grayed out in the UI
- The tool tip is customizable
- Predefined items are easy; any command bar item can be disabled

14 Local Group Policy Application
- secedit can be used to configure local group policy for: account and local policies; event log; restricted groups; file system, registry and system services
- For administrative and application template settings: configure one machine manually, then copy %systemroot%\system32\GroupPolicy to the new machines
- Local policy is processed first, so any domain GPO that configures the same setting overrides it

15 GPMC Feature Summary
- New UI for managing Group Policy
- Reporting
- Search
- Resultant Set of Policy (RSoP) integration
- Backup/Restore
- Copy/Paste and Import
- Scripting of GPO operations (not settings)

16 Managing GPO Scope and Inheritance
- GPO scope is managed by:
  - Linking GPOs to an Active Directory container (sites, domains and OUs)
  - Adding security filters to a GPO (it applies only to principals with Read and Apply Group Policy permission)
  - Adding WMI filters to a GPO
- Group Policy inheritance can be altered by:
  - Changing GPO link order (within one container, link order 1 is applied last and wins)
  - Enforce (previously No Override): the link cannot be blocked or overridden by GPOs linked lower in the hierarchy
  - Block Inheritance: the container ignores non-enforced GPOs linked above it
- GPOs are processed Local, Site, Domain, OU; a setting from a GPO processed later overrides the same setting from one processed earlier

17 Resultant Set of Policy (RSoP)
- Shows conflict resolution of policy settings
- Example: both GPO A and GPO B apply to the same user; GPO A sets Wallpaper = Red Moon Desert, GPO B sets Wallpaper = Bliss
- RSoP data tells you which setting ultimately "wins", which GPO set that winning setting, and the precedence info (the "losing" GPOs)
- Lets you plan and troubleshoot Group Policy deployments more easily
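The following is an added example (not GPMC or Windows code) that models the precedence rules from the previous two slides and reproduces the RSoP output described above: application order, link order, Enforce, Block Inheritance and security filtering, with the winning GPO and the losers recorded per setting. The container names, group names and the extra ScreenSaverTimeout setting are constructed for the example.

```python
"""Resultant Set of Policy resolver (added example, not GPMC or Windows code).

Models the precedence rules: GPOs are applied in Local, Site, Domain, OU
order and a later GPO overwrites an earlier one; within one container the
link with link order 1 is applied last; Block Inheritance drops non-enforced
GPOs inherited from above; Enforced GPOs are applied after everything else,
the one highest in the hierarchy last.  Security filtering is modelled as
the set of groups a GPO applies to.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                                          # setting -> value
    filter: frozenset = frozenset({"Authenticated Users"})  # security filter


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # [(gpo, enforced)] in link order
    block_inheritance: bool = False


def application_order(chain, member_of):
    """Return the GPOs in the order Windows applies them (the last one wins).

    chain: containers from the top of the hierarchy (Local, Site, Domain, OU...)
    down to the one holding the user or computer; member_of: its groups.
    """
    normal, enforced = [], []
    # Lowest container that blocks inheritance: non-enforced links above it are ignored.
    block_from = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    for level, container in enumerate(chain):
        for gpo, is_enforced in reversed(container.links):   # link order 1 goes last
            if not (gpo.filter & member_of):                  # filtered out
                continue
            if is_enforced:
                enforced.append((level, gpo))
            elif level >= block_from:
                normal.append(gpo)
    enforced.sort(key=lambda lg: -lg[0])   # deepest first, so the top-most one wins
    return normal + [gpo for _, gpo in enforced]


def rsop(chain, member_of):
    """Map each setting to its value, the winning GPO and the losers
    (highest-precedence loser first)."""
    result = {}
    for gpo in application_order(chain, member_of):
        for setting, value in gpo.settings.items():
            prev = result.get(setting)
            losers = [] if prev is None else [prev["winner"]] + prev["losers"]
            result[setting] = {"value": value, "winner": gpo.name, "losers": losers}
    return result


def demo():
    """The slide's example with constructed container names: GPO A (domain)
    and GPO B (OU) both set the wallpaper."""
    me = frozenset({"Authenticated Users", "Domain Users"})
    gpo_a = GPO("GPO A", {"Wallpaper": "Red Moon Desert", "ScreenSaverTimeout": 600})
    gpo_b = GPO("GPO B", {"Wallpaper": "Bliss"})
    domain = Container("contoso.local", [(gpo_a, False)])
    ou = Container("Marketing OU", [(gpo_b, False)])
    plain = rsop([domain, ou], me)["Wallpaper"]          # OU is lower: B wins
    domain.links = [(gpo_a, True)]                       # Enforce A at the domain
    enforced = rsop([domain, ou], me)["Wallpaper"]       # A wins although B is lower
    domain.links = [(gpo_a, False)]
    ou.block_inheritance = True                          # Block Inheritance on the OU
    blocked = rsop([domain, ou], me)                     # A never applies
    return plain, enforced, blocked
```

`demo()` returns Bliss from GPO B with GPO A as the loser; with Enforce on the domain link the winner flips to GPO A, and with Block Inheritance on the OU GPO A disappears from the result entirely (its ScreenSaverTimeout setting is no longer applied), which is why the later guideline slide says to use Enforce and Block Inheritance sparingly.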

18 GPMC User Interface
- Backup/Restore of policies
- RSoP

19 Demo: GPMC user interface, backup/restore of policies, RSoP

20 General GP Guidelines
- Limit who can create and modify GPOs
- Use Enforce, Block Inheritance and Deny sparingly
- Consider loopback processing for some scenarios
  - Applies user settings based on the location of the computer (not just the user)
  - Example: an Exchange admin logging on to an Exchange server should not get user-assigned applications
  - Consider it for closely managed environments such as labs, servers (Exchange, IIS, etc.) and terminal servers

21 Performance GP Considerations
- Fewer GPOs per user/computer is better, but GPO contents matter more than the count
- Avoid cross-domain GPO linking (the client must reach a DC in the other domain to read the GPO)
- Use WMI filters sparingly (each filter is evaluated on every client at every policy refresh)

22 GP Deployment
- Stage policy deployments prior to production deployment
- A staging domain is easy to build using GPMC (back up the production GPOs and import them into the staging domain)
- Roll out major changes to Group Policy incrementally

23 Best Practices
- Plan carefully: policy design can drive OU design, and OU design can drive policy design
- Test, test, test
- Use GPMC

24 Managing and Configuring Windows XP SP2

25 Administering SP2: Management and Configuration
- Enterprise administration of Windows Firewall exceptions: "Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2", http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/xpsp2man.mspx
- Group Policy: 600+ Group Policy settings and 500+ IE settings; "Group Policy Settings Reference for Windows XP Professional Service Pack 2 Release Candidate 2" (GPO settings spreadsheet), http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mangxpsp2/mngintro.mspx

26 Administering SP2: Updating Group Policy in AD
- Domain policies must be updated to support the new XP SP2 options
- Update the administrative consoles to SP2 so the Group Policy Object Editor loads the SP2 administrative templates
- Update all GPOs which potentially manage Windows XP client populations
- How the Group Policy Object Editor refreshes ADM templates is controlled under Computer Configuration > Administrative Templates > System > Group Policy

27 Administering SP2: Recommended Enterprise Settings (1)
Guidelines only; review all settings prior to deployment!
- Windows Firewall: Protect all network connections: Enabled
- Windows Firewall: Do not allow exceptions: Not configured
- Windows Firewall: Define program exceptions: set to the names of the applications and services used by the Windows XP SP2 computers on your network for managed, server, listener or peer applications (e.g. SMS)

28 Administering SP2: Recommended Enterprise Settings (2)
- WF: Allow local program exceptions: Enabled
- WF: Allow remote administration exception: Disabled, unless the Windows XP SP2 computers are configured remotely using MMC snap-ins or monitored remotely using WMI
- WF: Allow file and print sharing exception: Enabled only if the Windows XP SP2 computers share local folders and printers

29 Administering SP2: Recommended Enterprise Settings (3)
- Windows Firewall: Allow ICMP exceptions: Enabled only to allow diagnostic or management capabilities that are based on ICMP traffic
- Windows Firewall: Allow Remote Desktop exception: Enabled only if you use Remote Desktop to connect to the Windows XP SP2 computers
- Windows Firewall: Allow UPnP framework exception: Enabled only if you use UPnP devices on your network
- Windows Firewall: Prohibit notifications: Disabled

30 Administering SP2: Recommended Enterprise Settings (4)
- Windows Firewall: Allow logging: Not configured
- Windows Firewall: Prohibit unicast response to multicast or broadcast requests: Disabled (enabling it may break Wake-on-LAN)
- Windows Firewall: Define port exceptions: set to the TCP and UDP ports used by the Windows XP SP2 computers on your network for managed, server, listener or peer applications that cannot be specified by filename (add SMS and similar ports here)
- Windows Firewall: Allow local port exceptions: Enabled (pending corporate policy)
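The program and port exceptions above end up as strings in the policy registry keys that "Define program exceptions" and "Define port exceptions" write. The script below is an added example (not from the deck) that validates such strings and audits one profile's values against the recommendations on these slides. The entry formats, the scope syntax and the registry value names (EnableFirewall, DoNotAllowExceptions, AuthorizedApplications\List, GloballyOpenPorts\List) are assumed from Microsoft's documentation of the XP SP2 firewall rather than taken from the slides; the sample values and paths are constructed.

```python
r"""Audit helper for Windows XP SP2 firewall policy values (added example).

Assumed entry formats (from Microsoft's documentation of the XP SP2 firewall,
not from the deck) for the two exception lists a GPO writes under
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<Profile>:
  AuthorizedApplications\List   "<path>:<scope>:Enabled|Disabled:<name>"
  GloballyOpenPorts\List        "<port>:TCP|UDP:<scope>:Enabled|Disabled:<name>"
<scope> is "*" (any address), "LocalSubnet", or a comma-separated list of
addresses and address/mask pairs.
"""
import re
from dataclasses import dataclass

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
_SCOPE_ITEM = re.compile(rf"^(?:{_IPV4}(?:/(?:{_IPV4}|\d{{1,2}}))?|LocalSubnet)$", re.I)


@dataclass
class FwException:
    kind: str       # "program" or "port"
    target: str     # executable path, or "port/PROTO"
    scope: str
    enabled: bool
    name: str


def _check_state(value, state):
    if state.lower() not in ("enabled", "disabled"):
        raise ValueError(f"{value!r}: state must be Enabled or Disabled")
    return state.lower() == "enabled"


def _check_scope(value, scope):
    if scope != "*":
        bad = [s for s in scope.split(",") if not _SCOPE_ITEM.match(s.strip())]
        if bad:
            raise ValueError(f"{value!r}: bad scope item(s) {bad}")
    return scope


def parse_program_exception(value):
    """Parse '<path>:<scope>:Enabled|Disabled:<name>', splitting from the
    right because a drive letter puts a ':' inside the path itself."""
    parts = value.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"{value!r}: expected path:scope:state:name")
    path, scope, state, name = parts
    return FwException("program", path, _check_scope(value, scope),
                       _check_state(value, state), name)


def parse_port_exception(value):
    """Parse '<port>:TCP|UDP:<scope>:Enabled|Disabled:<name>'."""
    parts = value.split(":", 4)
    if len(parts) != 5:
        raise ValueError(f"{value!r}: expected port:protocol:scope:state:name")
    port, proto, scope, state, name = parts
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"{value!r}: port out of range")
    if proto.upper() not in ("TCP", "UDP"):
        raise ValueError(f"{value!r}: protocol must be TCP or UDP")
    return FwException("port", f"{int(port)}/{proto.upper()}",
                       _check_scope(value, scope), _check_state(value, state), name)


def audit_profile(profile):
    """Return findings for one profile.  Keys mirror the registry value names:
    EnableFirewall / DoNotAllowExceptions (ints, absent when "Not configured")
    and the two exception lists as lists of strings."""
    findings, exceptions = [], []
    if profile.get("EnableFirewall", 1) == 0:
        findings.append("EnableFirewall=0: the firewall is off for this profile")
    for parse, key in ((parse_program_exception, "AuthorizedApplications"),
                       (parse_port_exception, "GloballyOpenPorts")):
        for raw in profile.get(key, []):
            try:
                exceptions.append(parse(raw))
            except ValueError as err:
                findings.append(str(err))
    enabled = [e for e in exceptions if e.enabled]
    if profile.get("DoNotAllowExceptions", 0) == 1 and enabled:
        findings.append("DoNotAllowExceptions=1: every exception is ignored while it is set")
    for e in enabled:
        if e.scope == "*":
            findings.append(f"{e.kind} {e.target} ({e.name}) accepts traffic from any "
                            "address; prefer LocalSubnet or an explicit address list")
    return findings


# Constructed sample for the domain profile; the paths are hypothetical.
SAMPLE_DOMAIN_PROFILE = {
    "EnableFirewall": 1,      # "Protect all network connections": Enabled
    # DoNotAllowExceptions absent: "Do not allow exceptions": Not configured
    "AuthorizedApplications": [
        r"%ProgramFiles%\SMS\bin\ccmexec.exe:LocalSubnet:Enabled:SMS Agent",
        r"C:\Apps\Inventory\agent.exe:10.0.0.0/255.0.0.0,10.1.2.3:Enabled:Inventory agent",
        r"C:\Apps\bad.exe:Enabled:Broken",          # scope field missing
    ],
    "GloballyOpenPorts": [
        "135:TCP:*:Enabled:RPC",
        "3389:TCP:LocalSubnet:Enabled:Remote Desktop",
        "70000:UDP:*:Enabled:Nonsense",             # not a valid port number
    ],
}
```

`audit_profile(SAMPLE_DOMAIN_PROFILE)` produces three findings: the malformed program entry, the RPC port open to any address, and the impossible port number. Setting DoNotAllowExceptions to 1 (the slide recommends leaving it Not configured) adds a finding because every exception, including the SMS agent's, would then be ignored, and EnableFirewall=0 is reported so the disabled-firewall case from the third-party scenario is not mistaken for a locked-down profile.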

31 Administering SP2: Third-party firewall scenarios
- Disable WF during unattended installation (Unattend.txt or Netfw.inf)
- Deploy registry settings to disable WF:
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall = 0 (DWORD)
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall = 0 (DWORD)
  (these are the values behind "Windows Firewall: Protect all network connections" set to Disabled for each profile)
- Configure GPOs accordingly
- Make sure the third-party firewall is installed and running before WF is turned off, so the machine is never left without a host firewall

32 Demo Using Group Policy to Manage Windows Firewall

33 Summary and Takeaways
- Plan and test: some applications may require modification; locating and addressing issues can take time; the benefit of increased security is likely to be greater than the cost to deploy
- Test it as a service pack, deploy it as an OS
- Leverage existing investments: AD, SMS 2003, SUS, ACT (Application Compatibility Toolkit), BDD (Business Desktop Deployment), CER (Corporate Error Reporting)
- SP2 impacts both IT and the business; implement with appropriate rigor
- SP2 allows customers to focus on business

34 Resources
- Group Policy web sites: www.microsoft.com/grouppolicy and www.microsoft.com/technet/grouppolicy
- GPMC web site: www.microsoft.com/windowsserver2003/gpmc/
- Scripting resources: 32 sample scripts included with the product in %programfiles%\gpmc\scripts; GPMC SDK in %programfiles%\gpmc\scripts\gpmc.chm (also in the Platform SDK)
- Newsgroup: microsoft.public.windows.group_policy

35 Microsoft Partner and MCS Offerings for Deployment
- Two-week packaged early planning consulting offerings: get things going; 80% lead to full implementation
- Complete deployments: services sales and proposal guidance; delivery content adds to the Solution Accelerators
- MCS and Partners implement: Strategy Briefing, Architecture Design Session; align the technology solution with business goals
- Microsoft QuickStart: QuickStart for Business Desktop; QuickStart for Zero Touch Desktop (draft)
- Microsoft QuickPlan: QuickPlan for Business Desktop; QuickPlan for Zero Touch Desktop (draft)
- Microsoft Portfolio: Portfolio for Business Desktop; Portfolio for Zero Touch Desktop (draft)

36 Q & A

37 © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

