Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Administering Group Policy Group Policy Concepts Group Policy Implementation Planning Implementing Group Policy Managing Software Using Group Policy.

Published byAdrian Francis Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Administering Group Policy Group Policy Concepts Group Policy Implementation Planning Implementing Group Policy Managing Software Using Group Policy."— Presentation transcript:

1 1 Administering Group Policy Group Policy Concepts Group Policy Implementation Planning Implementing Group Policy Managing Software Using Group Policy Managing Special Folders Using Group Policy Troubleshooting Group Policy

2 2 Group Policy Concepts What Is Group Policy? Group Policy Objects Delegating Control of Group Policy The Group Policy Snap-In Group Policy Settings Computer and User Configuration Settings The MMC Snap-In Model Group Policy Snap-In Namespace How Group Policy Affects Startup and Logon How Group Policy Is Processed Group Policy Inheritance Using Security Groups to Filter Group Policy

3 3 What Is Group Policy? A group policy is a collection of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users’ desktops. Group policies can determine the programs that are available to users, the programs that appear on the users’ desktops, and Start menu options.

4 4 Group Policy Objects GPOs are used to create a specific desktop configuration for a particular group of users. GPOs are collections of group policy settings. Each Windows 2000 computer has one local GPO and is subject to any number of nonlocal Active Directory–based GPOs. Local GPO settings can be overridden by nonlocal GPOs, so the local GPO is the least influential if the computer is in an Active Directory environment.

5 5 Group Policy Objects (con’t) In a nonnetworked environment, the local GPO’s settings are more important because they are not overwritten by nonlocal GPOs. Nonlocal GPOs are linked to Active Directory objects and can be applied to either users or computers. To use nonlocal GPOs, a Microsoft Windows 2000 domain controller must be installed. Nonlocal GPOs are applied hierarchically from the least restrictive group (site) to the most restrictive group (OU) and are cumulative.

6 6 Delegating Control of Group Policy Determine which administrative groups can administer GPOs by defining access permissions for each GPO. Assign Read and Write permissions to a GPO for an administrative group; the group delegates control of the GPO.

7 7 Group Policy Snap-In

8 8 Group Policy Snap-In Overview The MMC snap-in is used to organize and manage the many group policy settings in each GPO. Depending on the action to perform, the Group Policy snap-in can be opened in several ways.

9 9 Group Policy Settings Contained in a GPO Determine the user’s desktop environment Two types: Computer configuration settings and user configuration settings

10 10 Computer Configuration Settings Used to set group policies applied to computers, regardless of who logs on Applied when the OS initializes Include Software Settings, Windows Settings, and Administrative Templates

11 11 Users Configuration Settings Used to set group policies applied to users, regardless of which computer the user logs on to Applied when users log on to the computer Include Software Settings, Windows Settings, and Administrative Templates

12 12 Software Settings

13 13 Windows Settings

14 14 Scripts Two types of scripts: startup/shutdown and logon/logoff. Startup/shutdown scripts run at computer startup or shutdown. Logon/logoff scripts run when a user logs on or off the computer. When multiple scripts are assigned to a user or computer, Windows 2000 executes the scripts from top to bottom. The order of execution for multiple scripts can be specified in the Properties dialog box.

15 15 Scripts (con’t) When a computer is shut down, Windows 2000 first processes logoff scripts, followed by shutdown scripts. The default timeout value for processing scripts is 10 minutes. A software policy can be used to adjust the timeout value if the logoff and shutdown scripts require more than 10 minutes to process. Administrators can use any ActiveX scripting language they choose. Scripting languages include VBScript, JScript, Perl, and MS-DOS style batch files.

16 16 Security Settings Security Settings allows a security administrator to manually configure security levels assigned to a local or nonlocal GPO. The configuration can be done after, or instead of, using a security template to set system security.

17 17 Additional User Configuration Group Policy Settings Internet Explorer Maintenance: Allows the administration and customization of IE on Windows 2000 computers Remote Installation Services: Used to control the behavior of remote OS installation; optionally, RIS can be used to provide customized packages for non-Windows 2000 clients of Active Directory Folder Redirection: Allows for the redirection of Windows 2000 special folders from their default user profile location to an alternate location on the network, where they can be centrally managed

18 18 Administrative Templates

19 19 Administrative Templates Overview More than 450 settings are available for configuring the user environment. Computer configurations are saved in the registry in HKEY_LOCAL_MACHINE (HKLM). User configurations are saved in the registry in HKEY_CURRENT_USER (HKCU).

20 20 Computer and User Configurations Administrative Templates contains all registry-based group policy settings, including settings for Windows Components, System, and Network. Windows Components: Allows the administration of the Windows 2000 components, including NetMeeting, Internet Explorer, Windows Explorer, MMC, Task Scheduler, and Windows Installer. System: Used to control logon and logoff functions and group policy itself. Network: Allows the control of settings for Offline Files and Network and Dial-Up Connections.

21 21 Computer Configuration Only Administrative Templates contain additional group policy settings for Printers. System Settings contain Disk Quotas, and DNS Client and Windows File Protection.

22 22 User Configuration Only Administrative Templates contains additional registry-based group policy settings. Start Menu & Taskbar settings: Control a user’s Start menu and taskbar Desktop settings: Control the appearance of a user’s desktop Control Panel settings: Determine the Control Panel options available to a user

23 23 The MMC Snap-In Model Nodes of the Group Policy snap-in are MMC snap-in extensions. By default, all the available Group Policy snap-in extensions are loaded when the Group Policy snap-in is started. The default behavior can be modified by using the MMC method of creating custom consoles and by using policy settings to control the behavior of MMC itself. The Administrative Templates node is used to configure the policy settings. Developers can create an MMC extension to the Group Policy snap-in to provide additional policies. Snap-in extensions may be extended.

24 24 Group Policy Snap-In Namespace The root node of the Group Policy snap-in is displayed as the name of the GPO and the domain to which it belongs. Format: GPO Name [DomainName] Policy. Example: Default Domain Controllers Policy [server1. microsoft. com] Policy.

25 25 How Group Policy Affects Startup on Logon The network starts, and RPCSS and MUP are started. An ordered list of GPOs is obtained for the computer. Computer configurations settings are processed. Startup scripts run. The user presses Ctrl+Alt+Delete to log on. After the user is validated, the user profile is loaded, governed by the group policy settings in effect. An ordered list of GPOs is obtained for the user. User configuration settings are processed. Logon scripts run. The OS user interface prescribed by group policy appears.

26 26 How Group Policy Is Processed Local GPO: Each Windows 2000 computer has exactly one GPO stored locally. Site GPOs: Any GPOs that have been linked to the site are processed next, synchronously; the administrator specifies the order of GPOs linked to a site. Domain GPOs: Multiple domain-linked GPOs are processed synchronously; the administrator specifies the order of GPOs linked to a domain. OU GPOs: GPOs linked to the OU highest in the Active Directory hierarchy are processed first, followed by GPOs linked to its child OU, and finally, the GPOs linked to the OU that contains the user or computer are processed.

27 27 Group Policy and Active Directory

28 28 Exceptions to the Processing Order A computer that is a member of a workgroup processes only the local GPO. No Override. Block Policy Inheritance. Loopback setting.

29 29 Group Policy Inheritance Group policy is passed down from parent to child containers. If a separate group policy is assigned to a parent container, that group policy applies to all containers beneath the parent container, including the user and computer objects in the container. If a group policy setting is specified for a child container, the child container’s group policy setting overrides the setting inherited from the parent container. If a parent OU has policy settings that are not configured, the child OU does not inherit them.

30 30 Group Policy Inheritance (con’t) Policy settings that are disabled are inherited as disabled. If a policy is configured for a parent OU, but not for a child OU, the child inherits that parent’s policy setting. If a parent policy and a child policy are compatible, the child inherits the parent policy, and the child’s setting is also applied. Policies are inherited as long as they are compatible. If a policy configured for a parent OU is incompatible with the same policy configured for a child OU, the child does not inherit the policy setting from the parent; the setting in the child is applied.

31 31 Using Security Groups to Filter Group Policy Because more than one GPO can be linked to a site, domain, or OU, GPOs associated with other directory objects may need to be linked. By setting the appropriate permissions for security groups, group policy can be filtered to influence only the computers and users specified.

32 32 Group Policy Implementation Planning Designing GPOs by Setting Type GPO Implementation Strategies Layered vs. Monolithic GPO Design Functional Roles vs. Team Design OU Delegation with Central or Distributed Control

33 33 GPO Setting Types

34 34 Single Policy Type Includes GPOs that deliver a single type of group policy setting. The goal is to separate each type of group policy setting into a separate GPO. Create a GPO for software management settings, user documents and settings, software policies, and so on. Give Read/Write access only to the user or users who need to administer a GPO. Best suited for organizations in which administrative responsibilities are delegated among several individuals.

35 35 Multiple Policy Type Includes GPOs that deliver multiple types of group policy settings. The goal is to include multiple types of group policy settings in a single GPO. Best suited for organizations in which administrative responsibilities are centralized and an administrator may need to perform many or all types of group policy administration.

36 36 Dedicated Policy Type Includes GPOs dedicated to either Computer Configuration or User Configuration group policies. The goal is to include all User Configuration group policy settings in one GPO and all Computer Configuration group policy settings in a separate GPO. Increases the number of GPOs that must be processed at logon; lengthens logon time. Aids in troubleshooting.

37 37 GPO Implementation Strategies Planning an AD structure requires consideration of how group policy will be implemented for the organization. Delegation of authority, separation of administrative duties, central versus decentralized administration, and design flexibility are important factors. Most organizations will combine several strategies to create custom solutions.

38 38 Layered vs. Monolithic Design

39 39 Layered The goal is to include a specific policy setting in as few GPOs as possible. Create a base GPO to be applied to the domain that contains policy settings for as many users and computers in the domain as possible. Create additional GPOs tailored to the common requirements of each corporate group and apply them to the appropriate OUs. When a change is required, GPOs have to be modified to enforce the change. Administration is simplified at the expense of a longer logon time. Best suited for environments in which different groups in the organization have common security concerns and changes to group policy are frequent.

40 40 Monolithic The goal is to use very few GPOs for any given user or computer. All the policy settings required for a given site, domain, or OU should be implemented within a single GPO. If the site, domain, or OU has groups of users or computers with different policy requirements, consider subdividing the container into OUs and applying separate GPOs to each OU rather than to the parent. Changes involve more administration than with the layered approach because the settings may need to be changed in multiple GPOs. The logon time is shorter than it is with the layered approach. Best suited for environments in which users and computers can be classified into a small number of groups for policy assignment.

41 41 Functional Roles vs. Team Design

42 42 Functional Roles vs. Team Design Overview Active Directory’s OU structure was designed to facilitate ease of administration and delegation of authority. The OU structure may or may not represent the functional roles within the organization. When designing group policy for an organization with a functional role OU structure, the group policy should be designed by delegating control to the OU levels. If the OU architecture does not represent group organization, then OU delegation of control should be used, but groups should be used as a filtering mechanism for applying group policy.

43 43 Functional Roles Design The goal is to use an OU structure that reflects the functional roles within the organization for applying group policy. A minimum number of GPOs is used, with each tailored to a group’s specific needs. A GPO is created for each OU. Network administrators can set ACL permissions for GPO administration either at the domain or OU administrator level. Best suited for organizations designed according to functional roles; groups of users organized according to users’ occupations. Each functional role requires specific group policies.

44 44 Team Design The goal is to use groups as a filtering mechanism in applying group policy in an organization that uses the virtual team concept. Individuals within the organization form teams to perform a task or project and each individual is a member of multiple teams. Each team has specific group policy requirements. Eliminates complexity by strategically applying the GPOs at only one location. Allows administrators to centrally administer the GPOs and minimizes the GPO-to-OU assignments. Best suited for organizations that need an efficient and flexible method of managing group policy in a dynamic environment with an OU architecture that does not reflect the team structure.

45 45 Central vs. Distributed Control

46 46 OU Delegation Overview Administration of OUs can be delegated. OU administrators may need to block group policies that have been assigned to their OU at higher organizational levels. Certain policies may need to be enforced, and OU administrators will not be allowed to block them. Accomplished by using a central or distributed control design

47 47 Central Control Design Offers delegated administration as well as centralized control. Use the No Override option on OUs. Create a GPO to include only security settings for a domain, and then set the No Override option so that all child OUs are affected by the security options specified at the domain level. For all other types of policy, control of those GPOs could be delegated to the specific OU administrators. Best suited for organizations that choose to delegate administration of OUs, but would like to enforce certain group policies throughout the domain.

48 48 Distributed Control Design Administrators of OUs are allowed to block group policies from being applied to their OU, but can’t block group policies marked as No Override. Create GPOs for each OU. Set ACL permissions allowing OU administrators full control over GPOs. Set the Block Policy Inheritance option for each OU. Best suited for organizations that choose to minimize the number of domains, but do not want to sacrifice autonomous administration of OUs. Allows administrators to enforce certain group policies throughout the domain.

49 49 Implementing Group Policy Creating a GPO Creating a GPO Console Delegating Administrative Control of a GPO Specifying Group Policy Settings Disabling Unused Group Policy Settings Indicating GPO Processing Exceptions Filtering GPO Scope Linking a GPO Modifying Group Policy Removing a GPO Link Deleting a GPO Editing a GPO and GPO Settings Practice: Implementing a Group Policy

50 50 Delegating Administrative Control of a GPO After a GPO is created, which groups of administrators have access permissions to the GPO must be determined. The Default Domain Policy GPO cannot be deleted by any administrator, by default. Prevents the accidental deletion of this GPO, which contains important required settings for the domain If working with a GPO from a pre-built console, such as Active Directory Users and Computers, the Delegation Of Control Wizard is not available for use in delegating administrative control of a GPO; it only controls security of an object.

51 51 Default GPO Permissions Authenticated Users: Read, Apply Group Policy, Special Permissions CREATOR OWNER: Special Permissions Domain Administrators: Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions Enterprise Administrators: Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions SYSTEM: Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions

52 52 Disabling Unused Group Policy Settings If a GPO has only settings that are Not Configured, then it is possible to avoid processing those settings by disabling the node. Disabling the node expedites startup and logon for those users and computers subject to the GPO.

53 53 Indicating GPO Processing Exceptions GPOs are processed according to the Active Directory hierarchy. The default order of processing group policy settings may be changed by several actions.

54 54 Modifying the Order of GPOs

55 55 Filtering GPO Scope Policies in a GPO apply only to users who have Read permission for that GPO. The scope of a GPO is filtered by creating security groups and then assigning Read permission to the selected groups. A policy is prevented from applying to a specific group by denying that group Read permissions to the GPO.

56 56 Permissions for GPO Scopes

57 57 Linking a GPO By default, a new GPO is linked to the site, domain, or OU that was selected in the MMC when it was created. Settings apply to that site, domain, or OU. The Group Policy tab for the site, domain, or OU properties is used to link a GPO to additional sites, domains, or OUs.

58 58 Add A Group Policy Object Link Dialog Box

59 59 Removing, Deleting, and Editing GPOs Removing a GPO Link Removing a GPO link unlinks the GPO from the specified site, domain, or OU. The GPO remains in Active Directory until it is deleted. Deleting a GPO Deleting a GPO removes it from Active Directory. Any sites, domains, or OUs to which a GPO is linked when it is deleted will no longer be affected by it. Editing a GPO The same procedures that are used for creating a GPO and for specifying group policy settings are used to edit a GPO or its settings.

60 60 Managing Software Using Group Policy Software Management Tools Assigning Applications Publishing Applications How Software Installation Works Implementing Software Installation Planning and Preparing a Software Installation Setting Up an SDP Specifying Software Installation Defaults Deploying Software Applications Setting Automatic Installation Options Setting Up Application Categories Setting Software Application Properties Maintaining Software Applications

61 61 Managing Software Using Group Policy Overview The Software Installation extension is a software management feature of Windows 2000 that is an administrator’s primary tool for managing software within an organization. Managing software using Software Installation provides users with immediate access to the software they need to perform their jobs, and ensures that users have an easy and consistent experience when working with software throughout its life cycle. Users no longer need to look for a network share, use a CD- ROM, or install, fix, and upgrade software themselves.

62 62 Software Management Tools Overview The Software Installation extension of the Group Policy snap-in: Used by administrators to manage software Windows Installer: Installs software packaged in Windows Installer files Add/Remove Programs in Control Panel: Used by users to manage software on their own computers

63 63 The Software Installation Extension Primary tool for managing software within an organization Works in conjunction with group policy and Active Directory Centrally manages the installation of software on a client computer by assigning applications to users or computers or by publishing applications for users Assigns required or mandatory software to users or to computers Publishes software that users might find useful to perform their jobs

64 64 Application Assigned to User The application is advertised to the user the next time he or she logs on to a workstation. The application advertisement follows the user regardless of which physical computer he or she actually uses. The application is installed the first time the user activates the application on the computer, either by selecting the application on the Start menu or by activating a document associated with the application.

65 65 Application Assigned to the Computer The application is advertised and the installation is performed when it is safe to do so. A “safe time” typically is when the computer starts up, so that no competing processes are on the computer.

66 66 Publishing Applications When the application is published to users, the application does not appear installed on the users’ computers. No shortcuts are visible on the desktop or Start menu. No changes are made to the local registry on the users’ computers. Advertisement attributes are stored in Active Directory. Information, such as the application’s name and file associations, is exposed to the users in the Active Directory container. After publication, the application is available for user installation by using Add/Remove Programs in Control Panel or by clicking a file associated with the application.

67 67 How Software Installation Works The Software Installation extension uses Windows Installer technology to systematically maintain software. Windows Installer is a service that allows the OS to manage the installation process.

68 68 Windows Installer’s Three Key Parts An OS service that performs the installation, modification, and removal of the software in accordance with the information in the Windows Installer A database containing information that describes the installed state of the application An API that allows applications to interact with Windows Installer to install or remove additional features of the application after the initial installation is complete

69 69 Windows Installer Advantages Enables users to take advantage of self-repairing applications. Notes when a program file is missing and immediately reinstalls the damaged or missing files, thereby fixing the application. Makes modifications to customize the installation of a Windows Installer package at the time of assignment or publication; modifications are saved with the.mst file extension.

70 70 Windows Installer Package The Windows Installer package is a file that contains explicit instructions on the installation and removal of specific applications. The developer provides the Windows Installer package.msi file and ships it with the application. If a Windows Installer package is not provided with an application, it may need to be created or the application may need to be repackaged, using a third-party tool.

71 71 Deploying Software with Software Installation Is Limited to Only If Native Windows Installer package.msi files: Developed as a part of the application and take full advantage of the Windows Installer Repackaged application.msi files: Allow applications that do not have a native Windows Installer package to be repackaged An existing setup program (application.zap file): Installs an application by using its original SETUP.EXE program

72 72 Other Files Encountered During Software Installation Patch.msp files: Used for bug fixes, service packs, and similar files Application assignment scripts.aas files: Contain instructions associated with the assignment or publication of a package

73 73 Customizing Windows Installer Packages Transforms can be used to customize Windows Installer applications. Customization is provided by allowing the original package to be transformed using authoring and repackaging tools. Some applications provide wizards or templates that permit a user to create modifications.

74 74 Tasks for Implementing Software Installation Planning and preparing the software installation Setting up a software distribution point Specifying software installation defaults Deploying software applications Setting automatic installation options Setting up application categories Setting software application properties Maintaining software applications

75 75 Planning and Preparing a Software Installation: Considerations Review the organization’s software requirements on the basis of the overall organizational structure within Active Directory and available GPOs. Determine how to deploy the applications. Create a pilot to test how software will be assigned or published to users or computers. Prepare software using a format that allows the administrator to manage it based on what the organization requires. Test all of the Windows Installer packages or repackaged software.

76 76 Planning and Preparing a Software Installation: Strategies and Considerations Create OUs based on software management needs. Deploy software close to the root in the Active Directory tree. Deploy multiple applications with a single GPO. Publish or assign one application only once in the same GPO or in a series of GPOs that might apply to a single user or computer.

77 77 Planning and Preparing a Software Installation: Software Licenses Licenses are required for software written by independent software vendors and distributed using SDPs. The administrator is responsible for matching the number of users who can access software to the number of licenses on hand. The administrator is responsible for verifying that guidelines provided by each ISV are being followed. The Administrator should gather the package formats for the software and perform any necessary modifications to the packages.

78 78 Setting Up an SDP Create the folders for the software on the file server that will be the SDP and make the folders network shares. Replicate the software to the SDPs by placing or copying the software, packages, modifications, all necessary files, and components to a distribution share(s); place all software in a separate folder on the SDP. Set the appropriate permissions on the folders so that only administrators can change the files, and users can only read the files from the SDP folders and shares; use group policy to manage the software within the appropriate GPO.

79 79 Specifying Software Installation Defaults A GPO can contain several settings that affect how an application is installed, managed, and removed. The default settings for the new packages are globally defined within the GPO in the General tab of the Software Installation Properties dialog box. Some of the default settings can be changed later by editing the package properties in the Software Installation extension.

80 80 General Tab of the Software Installation Properties

81 81 Deploying Software Installation Defaults Because software can be either assigned or published, and targeted to either users or computers, a workable combination can be established to meet the software management goals. Modifications (.mst files) are customizations applied to Windows Installer packages. Modifications must be applied at the time of assignment or publication, not at the time of installation.

82 82 Software Deployment Approaches

83 83 Publishing Applications An application is published to make it available to people managed by the GPO, should they want the application. Each person decides whether or not to install the published application. Applications can only be published to users.

84 84 Deploying Applications with Modifications Modifications are associated with the Windows Installer package at deployment time rather than when the Windows Installer is actually using the package to install or modify the application. Modifications are applied to Windows Installer packages by the administrator. This order in which modifications are applied must be determined before the application is assigned or published.

85 85 Setting Automatic Installation Options The application that is installed when users select a file can be specified by the administrator by selecting a file extension and configuring a priority for installing applications associated with the file extension, using the File Extensions tab in the Software Installation Properties dialog box. The first application listed is the application installed in association with the file extension. File extension associations are managed on a per-GPO basis. Changing the priority order in a GPO affects only those users who have that GPO applied to them.

86 86 File Extensions Tab

87 87 Setting Up Application Categories Organizing, assigning, and publishing applications, from within Add/Remove Programs in Control Panel, into logical categories makes it easier for users to locate the appropriate application. Windows 2000 does not ship with any predefined categories. Categories are established per domain, not per GPO. Categories need to be defined only once for the whole domain.

88 88 Setting Software Application Properties Each application can be fine-tuned in several ways: By editing installation options By specifying application categories to be used By setting permissions for the software installation

89 89 Editing Installation Options for Applications Default settings can be changed, even if they have been globally defined within the GPO, by editing the package properties. Installation options affect how an application is installed, managed, and removed.

90 90 Deployment Tab

91 91 Specifying Application Categories Applications must be associates with existing categories. Categories generally pertain to published applications only, because assigned applications do not appear in Add/Remove Programs.

92 92 Categories Tab of the Properties Dialog Box

93 93 Maintaining Software Applications Upgrading Applications Several events trigger an upgrade. Upgrades typically incorporate major changes into the software and normally have new version numbers. A substantial number of files change for an upgrade. The Software Installation extension is used to establish the procedure to upgrade an existing application to the current release.

94 94 Add Upgrade Package Dialog Box

95 95 Maintaining Software Applications Removing Applications A version of a software application is no longer supported. Administrators can remove the software version from Software Installation without forcing the removal of the software from the computers of users who are still using the software. Users can continue to use the software themselves. No user is able to install the software version. A software application is no longer used. Administrators can force the removal of the software. The software is automatically deleted from a computer, either the next time the computer is turned on or the next time the user logs on. Users cannot install or run the software.

96 96 Managing Special Folders Using Group Policy Folder Redirection Default Special Folder Locations Setting Up Folder Redirection Policy Removal Considerations

97 97 Windows 2000 Redirected Special Folders Application Data Desktop My Documents My Pictures Start Menu

98 98 Redirecting the My Documents Folder: Advantages The user’s documents are always available, even if the user logs on to various network computers. When roaming user profiles are used, only the network path to the My Documents folder is part of the roaming user profile, not the My Documents folder itself. Data stored on a shared network server can be backed up as part of routine system administration; requires no action on the part of the user. The system administrator can use group policy to set disk quotas, limiting the amount of space used by users’ special folders. Data specific to a user can be redirected to a different hard disk on the user’s local computer from the hard disk holding the OS files.

99 99 Default Locations for Special Folders

100 100 Setting Up Folder Redirection Redirect to a location according to security group membership. Redirect to one location for everyone in the site, domain, or OU. Redirect the My Pictures folder to follow the My Documents folder redirection.

101 101 Target Tab in the Properties Dialog Box

102 102 Specify Group And Location Dialog Box

103 103 Settings Tab of the Properties Dialog Box

104 104 Policy Removal Considerations

105 105 Troubleshooting Group Policy Group Policy Best Practices

106 106 Troubleshooting Group Policy Overview Considering dependencies between components is an important part of troubleshooting group policy problems. When trying to fix problems that appear in one component, it is generally helpful to check whether components, services, and resources on which it relies are working correctly. Event logs are useful for tracking down problems caused by this type of hierarchical dependency.

107 107 Symptom: The user has Read access to a GPO but cannot open it Cause: An administrator must have both Read and Write permissions for the GPO to open it in the Group Policy snap-in Solution: Become a member of a security group with Read and Write permission for the GPO

108 108 Symptom: User receives “Failed To Open The Group Policy Object” message when trying to edit a GPO Cause: A networking problem, specifically a problem with the DNS configuration Solution: Make sure DNS is working properly

109 109 Symptom: Group policy is not being applied to users and computers in a security group that contains them, even though a GPO is linked to an OU containing that security group Cause: This is correct behavior; group policy affects only users and computers contained in sites, domains, and OUs; GPOs are not applied to security groups Solution: Link GPOs to sites, domains, and OUs only; keep in mind that the location of a security group in Active Directory is unrelated to whether group policy applies to the users and computers in that security group

110 110 Symptom: Group policy is not affecting users and computers in a site, domain, or OU Cause: Group policy settings can be prevented, intentionally or inadvertently, from taking effect on users and computers in several ways. A GPO can be disabled from affecting users, computers, or both. A GPO also needs to be linked either directly to an OU containing the users and computers, or to a parent domain or OU so that the group policy settings apply through inheritance. Solution: Make sure that the intended policy is not being blocked. Make sure no policy set at a higher level of Active Directory has been set to No Override.

111 111 Symptom: Group policy is not affecting users and computers in a site, domain, or OU (con’t) Cause: When multiple GPOs apply, they are processed in this order: local, site, domain, OU. By default, settings applied later have precedence. Solution: If block Policy Inheritance and No Override are both used, No Override takes precedence. Verify that the user or computer is not a member of any security group for which the AGP permission is set to Deny.

112 112 Symptom: Group policy is not affecting users and computers in a site, domain, or OU (con’t) Cause: Group policy can be blocked at the level of any OU, or enforced through a setting of No Override applied to a particular GPO link. The user or computer must belong to one or more security groups with appropriate permissions set. Solution: Verify that the user or computer is a member of at least one security group for which the AGP permission is set to Allow. Verify that the user or computer is a member of at least one security group for which the Read permission is set to Allow.

113 113 Symptom: Group policy is not affecting users and computers in an Active Directory container Cause: GPOs cannot be linked to Active Directory containers other than sites, domains, and OUs Solution: Link a GPO to an OU that is a parent to the Active Directory container; then, by default, those settings are applied to the users and computers in the container through inheritance

114 114 Symptom: Group policy is not taking effect on the local computer Cause: Local policies are the weakest; any nonlocal GPO can overwrite them Solution: Check to see what GPOs are being applied through Active Directory and whether those GPOs have settings that are in conflict with the local settings

115 115 Symptom: Published applications do not appear in Add/Remove Programs in Control Panel Cause: Group policy was not applied. Active Directory cannot be accessed. User does not have any published applications in the GPOs that apply to him or her. Client is running Terminal Server. Solution: Investigate each possibility. Software Installation is not supported for Terminal Server clients.

116 116 Symptom: Document activation of a published application does not cause the application to install Cause: The administrator did not set auto-install Solution: Ensure that Auto-Install This Application By File Extension Activation is checked in the Deployment tab in the application’s Properties sheet

117 117 Symptom: The user receives an error message such as “The Feature You Are Trying To Install Cannot Be Found In The Source Directory” Cause: Network or permissions problems Solution: Ensure that the network is working correctly. Ensure that the user has Read and AGP permissions for the GPO. Ensure that the user has Read permission for the SDP. Ensure that the user has Read permission for the application.

118 118 Symptom: After removal of an application, the shortcuts for the application still appear on the user’s desktop Cause: The user has created shortcuts, and Windows Installer has no knowledge of them Solution: The user must remove the shortcuts manually

119 119 Symptom: The user receives an error message such as “Another Installation Is Already In Progress” Cause: An uninstallation might be taking place in the background with no user interface presented to the user, or perhaps the user has inadvertently triggered two installations simultaneously Solution: The user can try again later

120 120 Symptom: The user opens an already installed application, and the Windows Installer starts Cause: An application might be undergoing automatic repair, or a user-required feature is being added Solution: No action is required

121 121 Symptom: The user receives error messages such as “Active Directory Will Not Allow The Package To Be Deployed” or “Cannot Prepare Package For Deployment” Cause: The package might be corrupted or there might be a networking problem Solution: Investigate and take appropriate action

122 122 General Group Policy Practices Disable unused parts of a GPO. Use the Block Policy Inheritance and No Override features sparingly. Minimize the number of GPOs associated with users or computers in domains or OUs. Filter policy based on security group membership. Use loopback only when necessary. Avoid cross-domain GPO assignments.

123 123 Software Installation Practices Specify application categories for the organization. Make sure Windows Installer packages include modifications before they are published or assigned. Assign or publish just once per GPO. Take advantage of authoring tools. Repackage existing software. Use SMS and Dfs. Assign or publish close to the root in the Active Directory hierarchy. Use Software Installation properties for widely scoped control. Use Windows Installer package properties for fine control.

124 124 Folder Redirection Practices Incorporate %username% into fully qualified UNC paths. Have My Pictures follow My Documents. Consider the effects of policy removal. Accept defaults.

Download ppt "1 Administering Group Policy Group Policy Concepts Group Policy Implementation Planning Implementing Group Policy Managing Software Using Group Policy."

Similar presentations

Lesson 17: Configuring Security Policies

Lesson 17: Configuring Security Policies
Managing User Settings with Group Policy

Managing User Settings with Group Policy
1 Chapter Overview Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions.

1 Chapter Overview Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
11.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

11.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
Hands-On Microsoft Windows Server 2003 Administration Chapter 4 Managing Group Policy.

Hands-On Microsoft Windows Server 2003 Administration Chapter 4 Managing Group Policy.
9.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

9.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
MIS 431 - Chapter 91 Ch. 9 – Implement and Use Group Policy MIS 431 – created Spring 2006.

MIS Chapter 91 Ch. 9 – Implement and Use Group Policy MIS 431 – created Spring 2006.
10.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

10.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 10: Server Administration.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Administering Active Directory

Administering Active Directory
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.
Lesson 16: Creating Group Policy Objects

Lesson 16: Creating Group Policy Objects
Lesson 18: Configuring Application Restriction Policies

Lesson 18: Configuring Application Restriction Policies
7.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.

7.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.
1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.

1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.

Similar presentations

Ads by Google