Improving IntelliMirror

   

IntelliMirror management technologies are a set of powerful features for change and configuration management. IntelliMirror combines the advantages of centralized computing with the performance and flexibility of distributed computing. IntelliMirror ensures that users' data, software, and personal settings are available when they move between computers and that those settings persist when their computers are connected to the network. Also, administrators can use Remote Installation Services (RIS) to perform remote installations of the operating system. Many IntelliMirror features rely on Group Policy, which in turn requires Active Directory. Active Directory is included with Microsoft Windows 2000 Server and with the Windows Server 2003 family.

Most of the IntelliMirror features in Windows XP and the Windows Server 2003 family are also available in Windows 2000. You can use IntelliMirror in a network that uses all or any of these operating systems. However, improvements in the features that were added for Windows XP and Windows Server 2003 provide greater flexibility in administering computers and user accounts in your network.

The features of IntelliMirror increase the availability of a user's data, personal computer settings, and computing environment by intelligently managing information, settings, and software. Based on policy definitions, IntelliMirror is able to deploy, recover, restore, and replace user data, software, and personal settings in a Windows 2000-based or Windows Server 2003-based environment. Essentially, IntelliMirror provides users with follow-me functionality for their personal computing environment. Users have constant access to all of their information and software, regardless of which computers they are using and whether they are connected to the network, with the assurance that their data is safely maintained and available.

IntelliMirror allows an administrator to set policy definitions once and be confident that the policy will be applied without further administrative intervention. At the core of IntelliMirror are four features:

  • Policy management.

    You use this feature to manage computer and user settings. You can configure settings in Group Policy and have confidence that those settings will be applied to the target computers and users. For example, you can configure password policies for computers and know that Windows will apply those settings without requiring the computer to restart or the user to log off.

  • User data management.

    You use this feature to manage files, documents, spreadsheets, workbooks, and other information that people create and use to perform their jobs. By redirecting specific user data folders, such as the My Documents folder, to a network location and then making this location available to users for offline use, users can access their data at any location on or off the network.

  • User settings management.

    You use this feature to centrally define the computing environment for various groups of users and computers. You can also easily restore user settings in case of computer failure. User settings include both personal preferences and centrally defined customizations of the operating system desktop environment and applications. Settings can include language settings, desktop layout, and other user preferences. Users' customized settings can be made available wherever they log on.

  • Software installation and maintenance.

    You use this feature to install, configure, repair, or remove applications, service packs, and operating system upgrades. You can assign or publish software to users or computers. Assigning or publishing to a user provides the applications to that user regardless of where the user logs on to the network. Assigning to computers makes the application available to all users of the targeted computer. The latter is useful for common applications that all users will need, such as productivity and antivirus software. When assigning an application, you can choose to have the application installed in full when the user logs on or on demand, when the user invokes the applications or specific parts of them. If the application is configured for installation on demand, it appears installed to the user; however, the software is not actually installed until the first time the user selects it. Using this option can significantly reduce the time it takes to deploy desktop configurations to multiple users, many of whom do not need to use all the possible features included in a particular program. On the other hand, the full-installation option, available in Windows Server 2003, is useful for specific groups of users such as frequent travelers who might require all available applications to be fully installed before they travel. When you publish an application, the user can install it on their computer through Add Or Remove Programs in Control Panel. In either case, applications follow users or computers, making the same applications available at any computer that a user logs on to.

IntelliMirror features can be used separately or all together, depending on the business or organizational requirements. Alternatively, you can restrict users' data and settings from being available at all times because of network configuration issues, security concerns, or corporate standards.

From an organizational point of view, overall cost compared with benefits is of great concern. IntelliMirror features are designed to deliver new benefits while reducing system administration. The majority of IntelliMirror features are designed to keep users working productively while enabling centralized administration and thus reducing administrative intervention and associated costs. The new level of centralized management made possible with IntelliMirror allows organizations to accomplish their change and configuration management goals more easily because the entire organization can be viewed and altered from the single view of Active Directory. Both administrators and users benefit, resulting in lowered computing costs with improved productivity.

Policy Management

IntelliMirror contains several important new features that give administrators powerful tools for managing users and computers.

Expected to be available as a free add-on to Windows Server 2003, the Group Policy Management Console (GPMC) will provide the new framework for managing Group Policy. With GPMC, Group Policy becomes much easier to use, a benefit that will enable more organizations to better utilize Active Directory and take advantage of its powerful management features. For example, GPMC enables backup and restore of GPOs, import/export and copy/paste of GPOs, reporting of GPO settings and Resultant Set of Policy (RSoP) data, use of templates for managed configurations, and scriptability for all GPMC operations. In addition, GPMC lets you manage Group Policy for multiple domains and sites within a given forest, all in a simplified user interface with drag-and-drop support. And with cross-forest trust, you can manage Group Policy across multiple forests from the same console. GPMC can manage Group Policy for Windows 2000 or Windows .NET domains.

While Group Policy objects can be linked only to sites, domains, or organizational units (OUs) within a given forest, the cross-forest feature in Windows .NET Server enables several new scenarios that Group Policy supports. For example, it's possible for a user in forest A to log on to a computer in forest B, each with their own sets of policy. Alternatively, settings within a GPO can reference servers in external forests, such as software distribution points. Windows Server 2003 Group Policy successfully supports these interoperability scenarios.

The RSoP tool in Windows Server 2003 allows you to see the effect of Group Policy on a targeted user or computer. With RSoP, you have a powerful and flexible base-level tool to plan, monitor, and troubleshoot Group Policy. RSoP is an infrastructure and tool in the form of MMC snap-ins enabling you to determine and analyze the current set of policies in two modes: logging mode and planning mode. In logging mode, you can assess what has applied to a particular target. In planning mode, you can see how policies would be applied to a target and then examine the results before deploying a change to Group Policy.

RSoP is enabled by WMI by leveraging WMI's capability to gather data from a variety of sources. An MMC-based tool hosts snap-in extensions displaying results based on a given target. A targeting wizard sets the scope used by the RSoP tool. The wizard guides an administrator through the steps necessary to create an appropriate target, generate RSoP data, and start the RSoP tool to use that data.

WMI makes available a large amount of data for a target computer, such as hardware and software inventory, settings, and configuration information. WMI gathers data from the registry, drivers, the file system, Active Directory, Simple Network Management Protocol (SNMP), the Windows Installer service, structured query language (SQL), networking, and Exchange Server. WMI filtering in Windows Server 2003 allows you to dynamically determine whether to apply a GPO based on a query of WMI data. These queries (also called WMI filters) determine which users and computers receive the policy settings configured in the GPO where you create the filter. This functionality lets you dynamically target Group Policy based on the properties of the local machine. Here are some sample properties you might use when constructing WMI filters:

  • Services

    Computers where Dynamic Host Configuration Protocol (DHCP) is turned on

  • Registry

    Computers that have a given registry key populated

  • Hardware inventory

    Computers with a Pentium III processor

  • Software inventory

    Computers with Visual Studio .NET installed

  • Hardware configuration

    Computers with network interface cards (NICs) on interrupt level 3

  • Software configuration

    Computers with multicasting turned on

  • Associations

    Computers that have any service dependent on systems network architecture (SNA) service

  • Ping

    Computers that can ping a specific server in less than 100 milliseconds
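
Some of the sample properties above, written as WQL queries and checked before the filter is attached to a GPO. This is an added example, not from the book: it assumes a Windows host with PowerShell 3.0 or later (for Get-CimInstance), and the function names Test-WmiFilterQuery and Test-WmiFilter, the root\CIMv2 default, and the sample queries (including reading "DHCP is turned on" as the DHCP Client service or a DHCP-enabled adapter) are illustrative assumptions.

```powershell
# Added example, not from the book. Runs candidate WMI filter queries against
# the local computer. A query is TRUE when it returns at least one instance;
# the filter lets the GPO apply only when every query in it is TRUE.

function Test-WmiFilterQuery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace = 'root\CIMv2'   # assumed namespace for the Win32_* classes
    )
    try {
        $found = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        [pscustomobject]@{
            Query   = $Query
            Matches = $found.Count
            Result  = ($found.Count -gt 0)
            Error   = $null
        }
    }
    catch {
        # A query that cannot run (bad syntax, misspelled class) is reported as
        # FALSE here, with the error text, so it is caught before deployment.
        [pscustomobject]@{
            Query   = $Query
            Matches = 0
            Result  = $false
            Error   = $_.Exception.Message
        }
    }
}

function Test-WmiFilter {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string[]] $Query)

    $results = foreach ($q in $Query) { Test-WmiFilterQuery -Query $q }
    $failed  = @($results | Where-Object { -not $_.Result })
    [pscustomobject]@{
        Applies = ($failed.Count -eq 0)   # every query must be TRUE
        Queries = $results
    }
}

# Constructed sample filters, one query each; the last one contains a
# deliberate typo in the class name to show how a broken filter is reported.
$filters = [ordered]@{
    'DHCP Client service running' = "SELECT * FROM Win32_Service WHERE Name = 'Dhcp' AND State = 'Running'"
    'DHCP-enabled adapter'        = "SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = TRUE AND DHCPEnabled = TRUE"
    'Pentium III processor'       = "SELECT * FROM Win32_Processor WHERE Name LIKE '%Pentium III%'"
    'Misspelled class name'       = "SELECT * FROM Win32_Servise WHERE Name = 'Dhcp'"
}

foreach ($name in $filters.Keys) {
    $r = Test-WmiFilter -Query $filters[$name]
    '{0,-30} applies={1}' -f $name, $r.Applies
    $r.Queries | Where-Object { $_.Error } | ForEach-Object { "  error: $($_.Error)" }
}
```

When the GPO behind a filter carries security settings, a query that returns nothing, or cannot run at all, means those settings never reach the computer, so the per-query result and error text are worth reviewing for each class of machine the GPO is meant to cover.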

Policy settings are more easily understood, managed, and verified with Web-view integration in the Group Policy Object Editor. Clicking on a policy instantly shows the text explaining its function and supported environments such as Windows XP-only or Windows 2000. This makes it easier for you to click through various policies and better assess how to achieve a Group Policy goal. This explanatory text has been expanded in the Windows Server 2003 family to include help text for categories of policies such as Start Menu and Taskbar.

The Windows Server 2003 family includes more than 160 new policies. These new policies allow you to control the behavior of numerous features, including

  • Terminal Server

  • Application compatibility

  • Networking such as SNMP, quality of service (QoS), firewall, and dial-up connections

  • DNS logon

  • Roaming user profiles and Group Policy

  • Control Panel

  • Windows Media Player

Distinguishing whether policies work on Windows 2000, a particular service pack, or Windows Server 2003 is made easy with the supported keyword included in the administrative template (.adm) file for each policy. Administrators or users can search for policies based on these keywords and see only those policies that work on a specific version of the operating system. Explanations of each policy begin with a statement verifying which version of the operating system supports the policy.

User Data Management

Data availability is a leading concern for most organizations. What happens to user data when a hard disk fails? Who ensures that users back up their files on a timely basis? Too often, user data backups are not performed, and important files are lost if a user's hard disk fails. Other data availability concerns include whether users have access to their data if they move to different computers on the network or are only intermittently connected to the network. With IntelliMirror user data management features, you can ensure that users can access their data from any computer wherever they log on, whether on line or off line. You can back up user data centrally and provide fast computer replacement in disaster recovery situations.

When you implement IntelliMirror user data management, users can access their data from any computer running Windows 2000 Professional (or a later operating system) on the corporate network. The user's data follows the user because the data is stored in specified network locations. You can manually configure which files and folders are available or configure them through Group Policy. In addition, if a user takes network-based resources off line, any changes made while off line are synchronized when the user reconnects to the network.

With user data management, you can ensure that users' data is always available to them in the following ways:

  • Administrators can provide improved protection of user data by ensuring that local data is also redirected or copied to a network share, providing a central location for administrator-managed backups. This capability helps to enforce corporate directives such as placing all-important data on servers.

  • Administrators can ensure that the most up-to-date versions of a user's data reside on both the local computer and on the server. Because local caching maintains data on the local computer even when it is disconnected from the network, data is readily available to the user, even when working off line.

  • Data can follow a person when the person roams to another computer on the network. This provides increased accessibility because people can use any computer on the network to access their data.

    Note

    Through Group Policy, you can redirect a user's My Documents folder to the user's home directory. This aids in transitioning users from a legacy deployment of home directories to the My Documents model while maintaining compatibility with the existing home directory environment.


Implementing user data management relies on some or all of the following technologies:

  • Active Directory

  • Group Policy

  • RSoP

  • Roaming user profiles

  • Folder redirection

  • Offline Files

  • Synchronization manager

  • Distributed File System (DFS)

  • Encrypting File System (EFS)

  • Disk quotas

User Settings Management

In most organizations, new users and existing employees who change computers often need help from the IT department to initially configure their computers. With IntelliMirror user settings management, administrators can centrally define computing environments for groups of users and computers so that users automatically get the correct configurations for their jobs. Also, administrators can restore user settings if a computer fails as well as ensure that users' desktop settings follow them if they roam to another computer. With user settings management, you can

  • Reduce support calls by providing a preconfigured desktop environment appropriate for the user's job.

  • Save time and costs of computer replacement.

  • Help users be more efficient by automatically providing their desktop environment, no matter where they work.

The settings you can manage include desktop configurations, security settings, language settings, application settings, and scripts (computer startup and shutdown, and user logon and logoff). These configurations and settings make up a user's profile. This information is stored on every local computer for each user who has logged on to that computer. You can also redirect any of the special folders in a user profile to a network share. Then the same user profiles are available wherever a user logs on.

User settings, like user data, can follow the user, regardless of where that user logs on. You use Group Policy settings to customize and control users' computing environments and to grant or deny the users the ability to customize their own computing environments. These settings can be applied to both users and computers. When users have permission, they often customize the style and default settings of their computing environment to suit their needs and work habits. Settings contain three basic types of information: user and administrative information, temporary information, and data specific to the local computer. Temporary and local computer information typically should not roam with a user; moving such information can cause unnecessary overhead, and differences between computers can disrupt the roaming function. When you use roaming user profiles to manage user settings, Group Policy ensures that only vital user and administrative settings information is retained, while temporary and local computer settings are dynamically and appropriately regenerated as required. This minimizes the amount of information that must be stored and transferred across the network while still allowing users to have a similar experience on any computer that they log on to.

You use the following technologies to implement user settings management:

  • Active Directory

  • Group Policy

  • Offline Files

  • Synchronization manager

  • DFS

  • Folder redirection

  • Roaming user profiles

    Note

    The Windows Server 2003 family includes several new policies to allow more flexible configuration of user profiles, including policies to disable user profiles on a per-machine basis and the ability to configure read-only profiles.


Software Management

There are a number of challenges in providing software to users. Some of these are as follows:

  • Users need a wide variety of applications to perform their jobs. Different users require different applications. As a result, many large organizations support hundreds, often thousands, of software applications. Administrators must efficiently deploy these applications to the users who need them.

  • An organization's software application needs evolve over time. New applications and new versions of applications become available, offering features and functionality that were not available before. Enhancements such as new user templates, or service packs that become available between full version upgrades, also must be deployed from time to time.

  • Users are promoted or change jobs and need several new applications. At the same time, they no longer need some of the applications that were required to do their old jobs. Or users move to a computer in another location and expect to have their key applications available to them. Administrators have to support and manage these rapidly changing software requirements as well.

User productivity is enhanced when users have all of the software applications that will enable them to perform their jobs efficiently. It is also important for administrators to track applications that are no longer being used or are out-of-date, and to make sure they are phased out. The IT department has to determine when to stop supporting software that is no longer useful. You can ask users to stop using certain applications and remove applications that are outdated. In some cases, the best solution is to remove the obsolete application rather than incur the compatibility issues and other problems that can result from its continued use. All of these application management tasks can be extremely labor intensive, which is why many organizations want to automate them for large groups or even for all client computers at one time.

You can use the software installation and maintenance feature of IntelliMirror to install software applications at computer startup, at user logon, or on demand. You can also use this feature to upgrade deployed applications, remove earlier applications that are no longer required, and deploy service packs and operating system upgrades. It can ensure that a person cannot install any software from local media, such as a CD-ROM or a floppy disk. This feature also provides for the following situations:

  • If a user inadvertently deletes files from an application, it will repair itself.

  • If a user moves from one computer to another, their software will always be available to them.

  • If a user does not have an application installed on their computer and they try to open a document associated with that application, the application will automatically be installed and the document will open.

You use Group Policy to define software installation options that specify which applications are to be deployed, upgraded, or removed from a computer. You can apply software installation policies to groups of users or to groups of computers, depending on your organization's needs. There are two methods by which you can install applications on users' computers, assigning and publishing:

  • Assigning.

    You can assign applications to either a user or a computer using Group Policy. When you assign applications to a computer, the application is automatically installed the next time the computer is started. When you assign applications to a user with Group Policy, the administrator can choose to have the application installed either on demand when the user selects the application or in full when the user next logs on:

    • On demand.

      If the application is installed on demand, the user's computer is set up with a Start menu shortcut, and the appropriate file associations are created in the registry. To the user, it looks and feels as if the application is already present. However, the application is not fully installed until the user needs the application. When the user attempts to open the application or a file associated with that application, Windows Installer checks to make sure that all the files and parameters of the application are present for the application to properly execute. If they are not present, Windows Installer retrieves and installs them from a predetermined distribution point. Once in place, the application opens.

    • Full installation.

      The full-installation option is useful for specific groups of users such as frequent travelers who might require all available applications to be fully installed before they travel. With full installation, a user's applications are installed at logon.

      Assigning applications makes them resilient: they are available no matter what the user does; for example, if the user removes an application, it will automatically be reinstalled on demand.

  • Publishing.

    When you publish an application, it appears in Add Or Remove Programs in Control Panel. Users can choose to install published applications. Installation can also be configured to occur automatically when a user attempts to open a file that requires a specific published application. You publish applications when the software is not absolutely necessary for users to perform their jobs.

    To obtain the full benefits of publishing technology, all published applications should be authored for installation using the Windows Installer service. Although you can still publish non-Windows Installer service applications using .zap files, you won't get the benefits of elevated privileges as explained in the following paragraph, and of course, you won't get the benefits of using Windows Installer either.

Note

A .zap file is a text file that provides a pointer to the setup package, which enables the application to be listed in Add Or Remove Programs.
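
What such a file looks like, with a basic check, as an added example that is not from the book. The [Application] section with its FriendlyName and SetupCommand entries follows Microsoft's documented .zap format; the server, share and product names are constructed placeholders, Read-ZapFile and Test-ZapFile are hypothetical helper names, and the drive-letter check is an assumption about how the package is published.

```powershell
# Constructed sample .zap content (all names are placeholders).
$sampleZap = @'
[Application]
; FriendlyName and SetupCommand are the two required entries.
FriendlyName = "Example Viewer 1.0"
SetupCommand = "\\dist01.example.test\apps\viewer\setup.exe" /quiet
DisplayVersion = 1.0
Publisher = Example Corp

[Ext]
; File extensions that should trigger installation of this application.
EXV=
'@

# Parse the INI-style text into a hashtable of sections (hypothetical helper).
function Read-ZapFile {
    param([Parameter(Mandatory)] [string] $Text)
    $sections = @{}
    $current  = $null
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank or comment
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            $sections[$current] = @{}
        }
        elseif ($current -and $line -match '^([^=]+)=(.*)$') {
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    $sections
}

# Return a list of problems; an empty result means the file passed.
function Test-ZapFile {
    param([Parameter(Mandatory)] [string] $Text)
    $problems = @()
    $app = (Read-ZapFile -Text $Text)['Application']
    if ($null -eq $app) {
        return @('Missing [Application] section')
    }
    foreach ($key in 'FriendlyName', 'SetupCommand') {
        if (-not $app[$key]) { $problems += "Missing required entry: $key" }
    }
    # Assumption: a drive-letter path is resolved on the client computer,
    # where the setup package normally does not exist.
    if ($app['SetupCommand'] -match '^"?[A-Za-z]:\\') {
        $problems += 'SetupCommand uses a local drive path instead of a network path'
    }
    return $problems
}

$issues = @(Test-ZapFile -Text $sampleZap)
if ($issues.Count -eq 0) { 'sample .zap: no problems found' } else { $issues }

# The same file with the setup path rewritten to a local drive is flagged.
$broken = $sampleZap -replace '\\\\dist01\.example\.test\\apps', 'C:\apps'
@(Test-ZapFile -Text $broken)
```

Because a .zap-published setup program runs without the elevated privileges described for Windows Installer packages, the share named in SetupCommand should be writable only by administrators.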


Deploying software through Group Policy requires applications to use the Windows Installer service, which provides much more than just the capability to install applications. It also protects the integrity of the application against inadvertent mishaps with local files. For example, if a user attempts to use a copy of Microsoft Word that's missing some essential files, the Windows Installer service reinstalls the files from the installation point the next time the application is launched. In addition, Windows Installer-based applications that are deployed using Group Policy can install with elevated privileges, meaning that users don't have to be administrators on their local machines to install software that you, as a network administrator, want them to have. Application repair follows the same logic as on-demand installation. Whenever an application authored by Windows Installer is invoked, the Windows Installer service checks to ensure that the appropriate files are available; if required, files or settings are repaired automatically.

Windows Server 2003 makes other improvements to software deployment:

  • Full installation at logon of user-assigned applications.

    Available from Software Settings in the Group Policy Object Editor snap-in, the Group Policy Software Installation extension (formerly the Application Deployment Editor) is updated for Windows Server 2003 with the new full-installation option. Full installation allows a user-assigned application to be installed completely at logon, instead of on demand. This is useful for certain groups such as mobile users who need to have all parts of a program installed while traveling away from the network.

  • 64-bit software deployment support.

    This feature provides support for 64-bit software deployment with Group Policy. New options in Group Policy Software Installation aid in determining whether 32-bit applications should be deployed to 64-bit clients. Software Installation also allows existing deployments of Windows 2000 to be managed with the same level of functionality provided by the Windows Server 2003 family. This is useful if an administrator is planning to deploy a 32-bit Windows Installer package to a group of users with 64-bit systems. The administrator knows that the 32-bit package works correctly on 64-bit computers and uses the new Make 32-bit x86 Windows Installer Application Available To IA64 Machines option in Group Policy Software Installation to deploy the package to all users.

Implementing software installation and maintenance uses some or all of the following Windows technologies:

  • Active Directory

  • Group Policy

  • Windows Installer

  • Add Or Remove Programs

  • DFS

  • File Replication service (FRS)

Computer Setup Process

When a user needs a new computer (whether the person is new to the organization, the existing computer has failed, or it's simply time for a hardware upgrade), IT departments have had to spend a great deal of time preparing and installing the operating system and basic applications. This often involves a lengthy in-person support call to the user's office. To support the computer setup process, administrators need a way to

  • Return users to productive work quickly.

  • Significantly reduce the frequency and length of related support calls, or even eliminate those service calls altogether.

Remote Installation helps you significantly reduce the amount of labor required to deploy a new operating system on a computer. The entire process is policy-based and can be accomplished without on-site technical support. You can use the Remote Installation feature to perform a new installation of Windows on Pre-Boot eXecution Environment (PXE) remote boot-enabled client computers throughout your organization. An administrator does not have to visit the new computer to install a new operating system and core applications. You can provide a customized, fully automated installation process from a remote source. When the computer is turned on, the user presses F12 to initiate the operating system installation process. The computer then starts from a network server that supports RIS. After the user logs on, RIS can install either of the following:

  • The network equivalent of a CD-based installation of Windows

  • An operating system image (referred to as an RIPrep image) that can include preconfigured applications such as word processing and e-mail

You use the following technologies to implement Remote Installation:

  • Active Directory

  • Group Policy

  • DNS

  • DHCP

  • RIS


   


Introducing Microsoft Windows Server 2003
ISBN: 0735615705
EAN: 2147483647
Year: 2005
Pages: 153
