Presentation is loading. Please wait.

Presentation is loading. Please wait.

Managing User Desktops with Group Policy

Published byColeen Lee Modified over 8 years ago

Similar presentations

Presentation on theme: "Managing User Desktops with Group Policy"— Presentation transcript:

1 Managing User Desktops with Group Policy
20411B 6: Managing User Desktops with Group Policy Presentation: 60 minutes Lab: 45 minutes After completing this module, students will be able to: Configure folder redirection and scripts by using Group Policy Objects (GPOs). Describe and implement Administrative Templates. Configure GPO preferences. Deploy software with GPOs. Required materials To teach this module, you need the Microsoft® Office PowerPoint® file 20411B_06.pptx. Important: We recommend that you use PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not display correctly. Preparation tasks To prepare for this module: Read all of the materials for this module. Practice performing the demonstrations. Practice performing the labs. Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance. As you prepare for this class, it is imperative that you complete the labs yourself, so that you understand how they work and the concepts that each covers. This enables you to provide meaningful hints to students who may find themselves stuck during a lab, and it also will help guide your lecture to ensure that you cover the concepts that the labs cover. Module 6 Managing User Desktops with Group Policy

2 Managing Software with Group Policy
20411B Module Overview 6: Managing User Desktops with Group Policy Managing Software with Group Policy

3 Lesson 1: Implementing Administrative Templates
20411B Lesson 1: Implementing Administrative Templates 6: Managing User Desktops with Group Policy Demonstration: Configuring Settings with Administrative Templates

4 What Are Administrative Templates?
20411B What Are Administrative Templates? 6: Managing User Desktops with Group Policy Administrative Templates provide you with the ability to control both the environment of the operating system and user experience Administrative Templates sections for computers are: Administrative Templates sections for users are: Explain that Administrative Templates are the primary means of configuring the client computer’s registry settings through Group Policy. Explain that Administrative Templates are a repository of registry-based changes. By using the Administrative Template sections of the GPO, you can deploy modifications to both the computer (the HKEY_LOCAL_MACHINE hive in the registry) and user (the HKEY_CURRENT_USER hive in the registry) portions of the registry. Mention that many of the new settings only apply to newer version of Windows. Discuss how you can use Administrative Templates to control the environment of the operating system and user experience. For example, you can control Windows components and network issues for the user and computer. You can manage the user desktop environment through Administrative Templates. As an example, explain how you can limit or prohibit a user’s access to Control Panel and desktop items. Mention that you can create and add custom Administrative Templates with the Group Policy Management Console (GPMC). Control Panel Network Printers System Windows components Control panel Desktop Network Start menu and taskbar System Windows components Each of these main sections contain many subfolders to further organize settings

5 What Are ADM and ADMX Files?
20411B What Are ADM and ADMX Files? 6: Managing User Desktops with Group Policy ADM files: Are copied into every GPO in SYSVOL Are difficult to customize The main disadvantage of ADM files is that they are copied into every GPO that is created, and consume about 3 megabytes (MB) of space. This can lead to SYSVOL bloat, a term that describes the fact that SYSVOL can grow very large because of the GPOs that keep repetitive copies of the same ADM files. ADMX files: Include language-neutral ADML files that provide the localized language Are not stored in the GPO Are extensible through XML

6 or Windows Server 2008 workstation
20411B The Central Store 6: Managing User Desktops with Group Policy The Central Store: Is a central repository for ADMX and ADML files Is stored in SYSVOL Must be created manually Is detected automatically by Windows Vista or Windows Server 2008 Explain that a central store provides a central repository for ADMX files. A central store is stored in SYSVOL, and you must create and update a central store manually; normal AD DS replication ensures that central store is copied to all domain controllers. Explain that the central store provides consistency for administrators that edit GPOs from multiple Windows 7 or Windows 8 workstations. Consider doing a short demonstration to show how to create a central store. ADMX files Windows Vista or Windows Server 2008 workstation Domain controller with SYSVOL Domain controller with SYSVOL

7 Discussion: Practical Uses of Administrative Templates
20411B Discussion: Practical Uses of Administrative Templates 6: Managing User Desktops with Group Policy How do you currently provide desktop security? How much administrative access do users have to their systems? Which Group Policy settings will you find useful in your organization? Provide the students with 15 minutes to look through the Administrative Templates in a GPO, and formulate the settings that would be the most useful in their current environment. Point out some of the lesser-known settings that might be of general interest. For example, the settings regarding driver and device installation, and removable-storage access typically would be of interest to administrators. Be prepared to answer questions about individual settings. Ask students to share the reasons that they use GPOs and logon scripts currently.

8 Demonstration: Configuring Settings with Administrative Templates
20411B Demonstration: Configuring Settings with Administrative Templates 6: Managing User Desktops with Group Policy In this demonstration, you will see how to: Filter Administrative Template policy settings Apply comments to policy settings Add comments to a GPO Create a new GPO by copying an existing GPO Create a new GPO by importing settings that were exported from another GPO Leave the virtual machine running for subsequent demonstrations. Preparation Steps You require the 20411B-LON-DC1 and 20411B-LON-CL1 virtual machines for this demonstration. Demonstration Steps Filter Administrative Template policy settings Switch to LON-DC1. Sign in as Adatum\Administrator with the password Pa$$w0rd. From Server Manager, click Tools, and then click Group Policy Management. In the console tree, expand Forest: Adatum.com, Domains, and Adatum.com, and then click the Group Policy Objects container. Right-click the Group Policy Objects container, and then click New. In the New GPO dialog box, in the Name field, type GPO1, and then click OK. In the details pane, right-click GPO1, and then click Edit. The Group Policy Management Editor appears. In the console tree, expand User Configuration, expand Policies, and then click Administrative Templates. Right-click Administrative Templates, and then click Filter Options. Select the Enable Keyword Filters check box. In the Filter for word(s) text box, type screen saver. In the drop-down list next to the text box, select Exact, and then click OK. Administrative Templates policy settings are filtered to show only those that contain the words screen saver. Spend a few moments examining the settings that you have found. In the console tree, under User Configuration, right-click Administrative Templates, and then click Filter Options. (More notes on the next slide)

9 6: Managing User Desktops with Group Policy
20411B 6: Managing User Desktops with Group Policy Clear the Enable Keyword Filters check box. In the Configured drop-down list, select Yes, and then click OK. Administrative Template policy settings are filtered to show only those that have been configured (enabled or disabled). No settings have been enabled. In the console tree, under User Configuration, right-click Administrative Templates, and clear the Filter On option. Add comments to a policy setting In the console tree, expand User Configuration, Policies, Administrative Templates, and Control Panel, and then click Personalization. Double-click the Enable screen saver policy setting. In the Comment section, type Corporate IT Security Policy implemented with this policy in combination with Password Protect the Screen Saver, and then click OK. Double-click the Password protect the screen saver policy setting. Click Enabled. In the Comment section, type Corporate IT Security Policy implemented with this policy in combination with Enable screen saver, and then click OK. Add comments to a GPO In the console tree of the Group Policy Management Editor, right-click the root node, GPO1 [LON- DC1.ADATUM.COM], and then click Properties. Click the Comment tab. Type Adatum corporate standard policies. Settings are scoped to all users and computers in the domain. Person responsible for this GPO: your name. This comment appears on the Details tab of the GPO in the Group Policy Management Console (GPMC). Click OK, and then close the Group Policy Management Editor. (More notes on the next slide)

10 6: Managing User Desktops with Group Policy
20411B 6: Managing User Desktops with Group Policy Create a new GPO by copying an existing GPO In the GPMC console tree, click the Group Policy Objects container, right-click GPO1, and then click Copy. Right-click the Group Policy Objects container, click Paste, and then click OK. Click OK. Create a new GPO by importing settings that were exported from another GPO In the GPMC console tree, click the Group Policy Objects container, right-click GPO1, and then click Back Up. In the Location: box, type c:\, and then click Back Up. When the backup finishes, click OK. In the GPMC console tree, right-click the Group Policy Objects container, and then click New. In the Name: box, type ADATUM Import, and then click OK. In the GPMC console tree, right-click the ADATUM Import GPO, and then click Import Settings. The Import Settings Wizard appears. Click Next three times. Select GPO1, and then click Next two times. Click Finish, and then click OK. Close the Group Policy Management console.

11 Lesson 2: Configuring Folder Redirection and Scripts
20411B Lesson 2: Configuring Folder Redirection and Scripts 6: Managing User Desktops with Group Policy Demonstration: Configuring Scripts with GPOs

12 What Is Folder Redirection?
20411B What Is Folder Redirection? 6: Managing User Desktops with Group Policy Folder redirection is a feature that allows folders to be located on a network server, but appear as if they are located on the local drive Folders that can be redirected in Windows Vista, Windows 7, and Windows 8 are: Explain some of the advantages of folder redirection: Data appears to follow the user when the user logs on to different computers. Data stored on servers is more likely to be backed up. Size of local profiles is reduced. There is less data to transfer in the case of client machine replacement. Mention that the Documents folder can include all of its own subfolders, like Music, Pictures, and Video. Consider demonstrating the folders that you can redirect. Desktop Start Menu Documents Pictures AppData\Roaming Contacts Downloads Favorites Saved Games Searches Links Music Videos

13 Settings for Configuring Folder Redirection
20411B Settings for Configuring Folder Redirection 6: Managing User Desktops with Group Policy Folder redirection configuration options: Accounting Users Use Basic folder redirection when all users save their files to the same location Use Advanced folder redirection when the server hosting the folder location is based on group membership Use the Follow the Documents folder to force certain folders to become subfolders of Documents Discuss the difference between Basic and Advanced redirection settings. Discuss the four options on the target folder location’s drop-down list. Explain the options on the Settings tab. Mention that the default option is to grant the user exclusive rights, and to move the folder’s current contents (in the case of Documents). Discuss the options available when the policy no longer applies to the user, and mention that the default option is to leave the folder in the shared location. Question Users in the same department often sign in to different computers. They need access to their Documents folder. They also need data to be private. What folder redirection setting would you choose? Answer Create a folder for each user under the root path. This creates a Documents folder to which only the user has access. Accounts A-M Accounts N-Z Accounting Managers Target folder location options: Redirect to the users’ home directory (Documents folder only) Create a folder for each user under the root path Redirect to the following location Redirect to the local user profile location Amy Anne

14 Security Settings for Redirected Folders
20411B Security Settings for Redirected Folders 6: Managing User Desktops with Group Policy NTFS permissions for root folder Creator/Owner Full control – subfolders and files only Administrator None Security group of users that save data on the share List Folder/Read Data, Create Folders/Append Data-This Folder Only Local System Full control Stress that the students must create the initial network-share root folder manually, and then assign permissions. The folder redirection feature then creates the appropriate subfolders, and applies the appropriate permissions. Describe the minimum permissions required for redirected folders. Mention that these are minimum permissions, and that different environments may require different permission sets. Share permissions for root folder Creator/Owner Full control – subfolders and files only Security group of users that save data on the share Full control NTFS permissions for each users’ redirected folder Creator/Owner Full control – subfolders and files only %Username% Full control, owner of folder Administrators None Local System Full control

15 Demonstration: Configuring Folder Redirection
20411B Demonstration: Configuring Folder Redirection 6: Managing User Desktops with Group Policy In this demonstration, you will see how to: Create a shared folder for folder redirection Create a GPO to redirect the Documents folder Test folder redirection Leave the virtual machine running for subsequent demonstrations. Preparation Steps The required virtual machines 20411B-LON-DC1 and 20411B-LON-CL1 should be running after the preceding demonstration. Demonstration Steps Create a shared folder On LON-DC1, on the taskbar, click File Explorer. In the navigation pane, click Computer. In the details pane, double-click Local Disk (C:), and then on the Home tab, click New folder. In the Name box, type Redirect and then press Enter. Right-click the Redirect folder, click Share with, and then click Specific people. In the File Sharing dialog box, click the drop-down arrow, select Everyone, and then click Add. For the Everyone group, click the Permission Level drop-down arrow, and then click Read/Write. Click Share, and then click Done. Close the Local Disk (C:) window. Create a GPO to redirect the Documents folder Pause the mouse pointer in the lower right of the display, and then click Start. Click Administrative Tools, and then double-click Group Policy Management. Expand Forest: Adatum.com, and then expand Domains. Right-click Adatum.com, and then click Create a GPO in this domain and Link it here. In the New GPO dialog box, in the Name box, type Folder Redirection, and then click OK. Expand Adatum.com, right-click Folder Redirection GPO, and then click Edit. (More notes on the next slide)

16 6: Managing User Desktops with Group Policy
20411B 6: Managing User Desktops with Group Policy In the Group Policy Management Editor, under User Configuration, expand Policies, expand Windows Settings, and then expand Folder Redirection. Right-click Documents, and then click Properties. In the Document Properties dialog box, on the Target tab, next to Setting, click the drop-down arrow, and then select Basic – Redirect everyone’s folder to the same location. Ensure the Target folder location box is set to Create a folder for each user under the root path. In the Root Path box, type \\LON-DC1\Redirect, and then click OK. In the Warning dialog box, click Yes. Close all open windows. Test folder redirection Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd. On the Start screen, type cmd.exe, and then press Enter. At the command prompt, type the following command, and then press Enter: gpupdate/force Y From the Start screen, click Desktop. Right-click the desktop, and then click Personalize. In the navigation pane, click Change desktop icons. In Desktop Icon Settings, select the User’s Files check box, and then click OK. (More notes on the next slide)

17 6: Managing User Desktops with Group Policy
20411B 6: Managing User Desktops with Group Policy On the desktop, double-click Administrator. Right-click My Documents and then click Properties. In the My Document Properties dialog box, note that the location of the folder is now the Redirect network share in a subfolder named for the user. Sign out of LON-CL1.

18 Group Policy Settings for Applying Scripts
20411B Group Policy Settings for Applying Scripts 6: Managing User Desktops with Group Policy You can use scripts to perform many tasks, such as clearing page files or mapping drives, and clearing temp folders for users Explain that you cannot set all configuration settings by using Group Policy settings. You can use scripts to perform many tasks, such as clearing page files or mapping drives, and clearing temp folders for users. Describe the four types of scripts and when the scripts run. Describe the difference between synchronous and asynchronous script processing. Explain that logon scripts run asynchronously by default, and startup scripts run synchronously by default, but that you can modify that behavior. Mention that if scripts are set to run synchronously, then a failed script can cause a computer to hang. You can assign Group Policy script settings to assign: For computers: Startup scripts Shutdown scripts For users: Logon scripts Logoff scripts

19 Demonstration: Configuring Scripts with GPOs
20411B Demonstration: Configuring Scripts with GPOs 6: Managing User Desktops with Group Policy In this demonstration, you will see how to: Create a login script to map a network drive Create and link a GPO to use the script and store the script in the Netlogon share Log on to client computer and test results Leave the virtual machine running for subsequent demonstrations. Preparation Steps The required virtual machines, 20411B-LON-DC1 and 20411B-LON-CL1, already should be running after the preceding demonstration. Demonstration Steps Create a logon script to map a network drive On LON-DC1, point to the lower right-hand corner, and then click Start. From the Start screen, type Notepad, and then press Enter. In Notepad, type the following command: Net use t: \\LON-dc1\Redirect Click the File menu, and then click Save. In the Save As dialog box, in the File name box, type Map.bat. In the Save as type: list, select All Files (*.*). In the navigation pane, click Desktop, and then click Save. Close Notepad. On the desktop, right-click the Map.bat file, and then click Copy. Create and link a GPO to use the script, and then store the script in the Netlogon share Open Server Manager. From Server Manager, click Tools, and then click Group Policy Management. Expand Forest: Adatum.com, and then expand Domains. Right-click Adatum.com, and then click Create a GPO in this domain and link it here. (More notes on the next slide)

20 6: Managing User Desktops with Group Policy
20411B 6: Managing User Desktops with Group Policy In the New GPO dialog box, in the Name box, type DriveMap, and then click OK. Expand Adatum.com, right-click the Drivemap GPO, and then click Edit. In the Group Policy Management Editor, under User Configuration, expand Policies, expand Windows Settings, and then click Scripts (Logon/Logoff). In the details pane, double-click Logon. In the Logon Properties dialog box, click Show Files. This opens the Netlogon share in Computer. In the details pane, right-click a blank area, and then click Paste. Close the Logon window. In the Logon Properties dialog box, click Add. In the Add a Script dialog box, click Browse. Click the Map.bat script, and then click Open. Click OK twice to close all dialog boxes. Close the Group Policy Management Editor and the Group Policy Management console. Sign in to the client to test the results On LON-CL1, sign in as Adatum\Administrator with the password Pa$$word. Click Desktop, and on the taskbar, click File Explorer. Verify that you have a drive mapped to \\Lon-dc1\redirect by examining the navigation pane. Sign out of LON-CL1.

21 Lesson 3: Configuring Group Policy Preferences
20411B Lesson 3: Configuring Group Policy Preferences 6: Managing User Desktops with Group Policy Demonstration: Configuring Group Policy Preferences

22 What Are Group Policy Preferences?
20411B What Are Group Policy Preferences? 6: Managing User Desktops with Group Policy Group Policy preferences expand the range of configurable settings within a GPO You now can process Group Policy preferences because of several new Group Policy client-side extensions (CSEs) that expand the range of configurable settings in a GPO. These new preference extensions are included in the Group Policy Management Editor window of the GPMC. The kinds of preference items that can be created by using each extension are listed when you select New for the extension. Examples of the new Group Policy preference extensions include the following: Folder Options Drive Maps Printers Scheduled Tasks Services Start Menu Group Policy preferences: Enable IT professionals to configure, deploy, and manage settings that were not manageable by using Group Policy Are natively supported on Windows Server 2008 and Vista SP2 or newer Can be created, deleted, replaced, or updated

23 Comparing Group Policy Preferences and GPO Settings
20411B Comparing Group Policy Preferences and GPO Settings 6: Managing User Desktops with Group Policy Group Policy Settings Group Policy Preferences Strictly enforce policy settings by writing the settings to areas of the registry that standard users cannot modify Are written to the normal locations in the registry that the application or operating system feature uses to store the setting Typically disable the user interface for settings that Group Policy is managing Do not cause the application or operating system feature to disable the user interface for the settings they configure Refresh policy settings at a regular interval Refresh preferences by using the same interval as Group Policy settings by default The main difference between policy settings and preference settings is that preference settings are not enforced. This means the end user can change any preference setting that is applied through Group Policy, but not policy settings. Preference items are intended to supplement policy settings, and you can configure the following as preference items: Settings that cannot be configured through policy settings. Settings that have limitations when they were configured through policy settings.

24 Features of Group Policy Preferences
20411B Features of Group Policy Preferences 6: Managing User Desktops with Group Policy Common Tab Targeting Features Group Policy preferences provide better targeting through item-level targeting and action modes. In addition to providing significantly more coverage, better targeting, and easier management, Group Policy preferences enable you to deploy settings to client computers without restricting the users from changing the settings. This capability provides you with the flexibility to decide whether to enforce specific settings. You can deploy settings that you do not want to enforce by using Group Policy preferences. Is used to configure additional options that control the behavior of a Group Policy preference item Determines to which users and computers a preference item applies

25 Demonstration: Configuring Group Policy Preferences
20411B Demonstration: Configuring Group Policy Preferences 6: Managing User Desktops with Group Policy In this demonstration, you will see how to: Configure a desktop shortcut with Group Policy preferences Target the preference Configure a new folder with Group Policy preferences Test the preferences At the end of this demonstration, you can revert the virtual machines. Preparation Steps The required virtual machines, 20411B-LON-DC1 and 20411B-LON-CL1, should be running after the preceding demonstration. Demonstration Steps Configure a desktop shortcut with Group Policy preferences On LON-DC1, from Server Manager, open the Group Policy Management console. In the Group Policy Management console, click the Group Policy Objects folder, and in the details pane, right-click the Default Domain Policy, and then click Edit. Expand Computer Configuration, expand Preferences, expand Windows Settings, right-click Shortcuts, point to New, and then click Shortcut. In the New Shortcut Properties dialog box, in the Action list, select Create. In the Name box, type Notepad. In the Location box, click the arrow, and then select All Users Desktop. In the Target path box, type C:\Windows\System32\Notepad.exe. Target the preference On the Common tab, select the Item-level targeting check box, and then click Targeting. In the Targeting Editor dialog box, click New Item, and then click Computer Name. In the Computer name box, type LON-CL1, and then click OK twice. Configure a new folder with Group Policy preferences Under Windows Settings, right-click Folders, point to New, and then click Folder. In the New Folder dialog box, in the Action list, select Create. In the Path field, type C:\Reports. (More notes on the next slide)

26 6: Managing User Desktops with Group Policy
20411B 6: Managing User Desktops with Group Policy Target the preference On the Common tab, select the Item-level targeting check box, and then click Targeting. In the Targeting Editor dialog box, click New Item, and then click Operating System. In the Product list, select Windows 8, and then click OK twice. Close the Group Policy Management Editor. Test the preferences Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd. Type cmd.exe, and then press Enter. At the command prompt, type the following command, and then press Enter.: gpupdate /force At the command prompt, type the following command, and then press Enter: Y From Start, click Desktop. Verify the presence of the Notepad shortcut on the desktop. On the taskbar, click File Explorer. Verify the presence of the C:\Reports folder.

27 Lesson 4: Managing Software with Group Policy
20411B Lesson 4: Managing Software with Group Policy 6: Managing User Desktops with Group Policy Managing Software Upgrades by Using Group Policy

28 20411B How Group Policy Software Distribution Helps to Address the Software Lifecycle 6: Managing User Desktops with Group Policy Preparation 1 Deployment 1.0 2 Describe the software-deployment phases when using Group Policy. This is a good opportunity to have students spend a few minutes sharing how software is deployed in their environment. Briefly explain the role of Group Policy in the four phases of software lifecycle. Explain that the software that Group Policy delivers can be removed by Group Policy when the software’s lifecycle ends. Removal 4 Maintenance 2.0 3

29 How Windows Installer Enhances Software Distribution
6: Managing User Desktops with Group Policy Windows Installer: Windows Installer service: Fully automates the software installation and configuration process Modifies or repairs an existing application installation Windows Installer package contains: Information about installing or uninstalling an application An .msi file and any external source files Summary information about the application A reference to an installation point Describe the Microsoft Windows Installer file format. Mention that you can use third-party software to create Microsoft Installer (MSI) files for packaging custom applications. Explain that the MSI file and any associated installation files must be available in a shared directory on the network. Users only need to have Read permission on those directories. Describe the role of the Windows Installer service and elevated privileges. Discuss the benefits of the Windows Installer service. Point out to students that all Microsoft software packages are distributed with an .msi file. If they want to distribute a software package that installs with an .exe file, they need to convert the .exe file to an .msi file by using a third-party utility. Question Do users need administrative rights to install applications manually that have MSI files? Answer Yes. Only MSI files delivered through Group Policy use the Windows Installer service. If a user attempts to install an MSI file manually, they need administrative rights. What are some disadvantages of deploying software through Group Policy? Some of the disadvantages include: Large applications generate a lot of network traffic. You cannot control when the installation will occur. Laptop users are not able to connect to the distribution point when they are not connected to the LAN. The CSE that delivers software does not function over a slow link, by default. Benefits of using Windows Installer: Custom installations Resilient applications Clean removal

30 Assigning and Publishing Software
6: Managing User Desktops with Group Policy Software Distribution Share Publish software using document activation Publish software using Add or Remove Programs Assign software during computer configuration Assign software during user configuration Explain the differences between assigning and publishing an application. Stress that you can assign applications only to computers and not publish them, and that software that has been assigned to a computer will be available to all users who sign in to that computer. Explain that an assigned program is not installed fully until the user launches it. Explain how a user can install a published program through the Programs applet of Control Panel. Describe how document file-extension activation works to install an application. Mention that you can change the deployment type anytime from assigned to published or published to assigned.

31 Managing Software Upgrades by Using Group Policy
6: Managing User Desktops with Group Policy Mandatory upgrade Users can use only the upgraded version 2.0 Deploy next version of the application When you need to apply upgrades or updates, you can use Group Policy if the original application was deployed through Group Policy. Mention that updates to Microsoft applications are delivered through .MSP files. These usually address minor issues like an update. Sometimes users require the old version of software to stay in sync with clients or vendors that have not upgraded. You can make upgrades optional to accommodate this situation. You also may redeploy a package if the original MSI file has been modified. Explain how to remove a package if it was delivered originally by using Group Policy. Removal can be mandatory or optional. Optional upgrade Users can decide when to upgrade 1.0 2.0 2.0 2.0 1.0 Selective upgrade You can select specific users for an upgrade

32 Lab: Managing User Desktops with Group Policy
Exercise 2: Configuring Folder Redirection Exercise 1: Implementing Settings by Using Group Policy Preferences A. Datum has been using logon scripts to provide users with drive mappings to file shares. The maintenance of these scripts is an ongoing problem because they are large and complex. Your manager has asked you to implement the drive mappings by using Group Policy preferences so that logon scripts can be removed. You also have been asked to place a shortcut to the Notepad application for all users that belong to the IT security group. Exercise 2: Configuring Folder Redirection In order to help minimize profile sizes, you have been asked to configure folder redirection for the branch office users to redirect several profile folders to each user’s home drive. Virtual machines: B-LON-DC1 20411B-LON-CL1 User name: Adatum\Administrator Password: Pa$$w0rd Logon Information Estimated Time: 45 minutes

33 20411B Lab Scenario 6: Managing User Desktops with Group Policy A. Datum Corporation is a global engineering and manufacturing company with its head office in London, U.K. An IT office and a data center are located in London to support the London head office and other locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure. A. Datum has just opened up a new branch office. Users in this office require an automated method for mapping drives to shared server resources and you decide to use Group Policy preferences. Furthermore, you have been asked to create a shortcut to the Notepad application for all users that belong to the IT security group. To help minimize profile sizes, you have been asked to configure folder redirection to redirect several profile folders to each user’s home drive.

34 20411B Lab Review 6: Managing User Desktops with Group Policy You have created Group Policy preferences to configure new power options. How can you ensure that they will be applied only to laptop computers? Question Which options can you use to separate user's redirected folders to different servers? Answer You can use Advanced folder redirection to choose different shared folders, on different servers, for different security groups. Can you name two methods you could use to assign a GPO to selected objects within an OU? You could use WMI Filters to define a criterion for applying Group Policy, such as whether or not the machine is a laptop or operating system, or you could use permissions on the GPO itself to allow or deny GPO settings to users or computers. You have created Group Policy preferences to configure new power options. How can you ensure that they will be applied only to laptop computers? Use item-level targeting to apply the preference to portable computers. Then, the preference will be applied if the hardware profile of the computer identifies it as a portable computer.

35 Module Review and Takeaways
20411B Module Review and Takeaways 6: Managing User Desktops with Group Policy Common Issues and Troubleshooting Tips Review Questions Question Why do some Group Policy settings take two logons before going into effect? Answer Users typically sign in with cached credentials before Group Policy can apply to the current session. The settings will take effect at the next logon. How can you support Group Policy preferences on Windows XP? You must download and install the CSEs for Group Policy preferences. What is the benefit of having a central store? A central store is a single folder in SYSVOL that holds all the .ADMX and .ADML files that are required. After you have set up the central store, the Group Policy Management Editor recognizes it, and then loads all Administrative Templates from the central store instead of from the local machine. What is the main difference between Group Policy settings and Group Policy preferences? GPO settings enforce some setting on client side, and disable client interface for modification. However, Group Policy preferences provide settings, and allow the client to modify them. What is the difference between publishing and assigning software through Group Policy? If you assign software to user or computer, it will be installed without asking users whether they want to install it. Publishing software will allow user to decide whether to install software. Can you use Windows PowerShell scripts as startup scripts? Only computers that are running Windows Server 2008 R2 or Windows 7 (or newer) can run Windows PowerShell scripts. (More notes on the next slide)

36 6: Managing User Desktops with Group Policy
20411B 6: Managing User Desktops with Group Policy Best Practices Related to Group Policy Management Include comments on GPO settings Use a central store for Administrative Templates when having clients with Windows Vista, Windows 7, and Windows 8 Use Group Policy preferences to configure settings that are not available in the Group Policy set of settings Use Group Policy software installation to deploy packages in .msi format to a large number of users or computers Common Issues and Troubleshooting Tips Common Issue: You have configured folder redirection for an OU, but none of the user’s folders are being redirected to the network location. When you look in the root folder, you observe that a subdirectory named for each user has been created, but they are empty. Troubleshooting Tip: The problem is most likely permission-related. Group Policy creates the user’s named subdirectories, but the users do not have enough permission to create their redirected folders inside them. Common Issue: You have assigned an application to an OU. After multiple logons, users report that no one has installed the application. Troubleshooting Tip: The problem may be permission-related. Users need Read access to the software distribution share. Another possibility is that the software package was mapped by using a local path instead of a UNC. Common Issue: You have a mixture of Windows XP and Windows 8 computers. After configuring several settings in the Administrative Templates of a GPO, users with Windows XP operating system report that some settings are being applied and others are not. Troubleshooting Tip: Not all new settings apply to earlier systems such as Windows XP. Check the setting itself to see to which operating systems the setting applies. Common Issue: Group Policy preferences are not being applied. Troubleshooting Tip: Check the preference settings for item-level targeting or incorrect configuration.

Download ppt "Managing User Desktops with Group Policy"

Similar presentations

ACTIVE DIRECTORY GROUP POLICY MAEDS Spring PD Day 2012 Nicholas A. Hay Jefferson Schools

ACTIVE DIRECTORY GROUP POLICY MAEDS Spring PD Day 2012 Nicholas A. Hay Jefferson Schools
Lesson 17: Configuring Security Policies

Lesson 17: Configuring Security Policies
Module 5: Creating and Configuring Group Policy

Module 5: Creating and Configuring Group Policy
Managing User Settings with Group Policy

Managing User Settings with Group Policy
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
11.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

11.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
Hands-On Microsoft Windows Server 2003 Administration Chapter 4 Managing Group Policy.

Hands-On Microsoft Windows Server 2003 Administration Chapter 4 Managing Group Policy.
9.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

9.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
MIS 431 - Chapter 91 Ch. 9 – Implement and Use Group Policy MIS 431 – created Spring 2006.

MIS Chapter 91 Ch. 9 – Implement and Use Group Policy MIS 431 – created Spring 2006.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
Lesson 16: Creating Group Policy Objects

Lesson 16: Creating Group Policy Objects
Lesson 18: Configuring Application Restriction Policies

Lesson 18: Configuring Application Restriction Policies
7.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.

7.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.
1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.

1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.
Deploying and Managing Software by Using Group Policy.

Deploying and Managing Software by Using Group Policy.
Microsoft ® Official Course Module 9 Configuring Applications.

Microsoft ® Official Course Module 9 Configuring Applications.
9.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

9.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
Securing Windows Servers Using Group Policy Objects

Securing Windows Servers Using Group Policy Objects
Corso referenti S.I.R.A. – Modulo 2 07 – Group Policy 20/11 – 27/11 – 05/12 11/12 – 13/12 (gruppo 1) 12/12 – 15/12 (gruppo 2) Cristiano Gentili, Massimiliano.

Corso referenti S.I.R.A. – Modulo 2 07 – Group Policy 20/11 – 27/11 – 05/12 11/12 – 13/12 (gruppo 1) 12/12 – 15/12 (gruppo 2) Cristiano Gentili, Massimiliano.
Introduction to Group Policy

Introduction to Group Policy

Similar presentations

Ads by Google