Microsoft Windows XP Professional Resource Kit 2003
ISBN: N/A
EAN: N/A
EAN: N/A
Year: 2005
Pages: 338
Pages: 338
When you use Windows XP Professional or Windows 2000 Professional on Windows 2000 Server networks with Active Directory installed, you can take full advantage of IntelliMirror and Group Policy management features. If you are managing Windows XP Professional or Windows 2000 Professional desktops on networks and Active Directory is not installed, see Managing Desktops Without Active Directory later in this chapter.
IntelliMirror allows you to centrally manage workstations, saving you significant time while improving manageability. IntelliMirror ensures that users data, software, and personal settings are available when they move from one computer to another, whether or not their computers are connected to the network.
IntelliMirror consists of four components: user data management, user settings management, computer settings management, and Group Policy based software installation and maintenance. The IntelliMirror components can help you to:
Centrally create and manage the configuration of each user s desktop.
Enable users to access files from any location at any time by using Roaming User Profiles and Folder Redirection in combination with Offline Files.
Manage how software is deployed and installed on computers to ensure that users have the software they need to perform their jobs. Large organizations that need advanced software distribution and inventory capabilities should consider using Microsoft Systems Management Server (SMS) 2.0.
Manage and enforce centralized data storage, which helps administrators keep important corporate data backed up.
Save time when replacing computers by using Remote Installation Services(RIS) and Group Policy based software installation and maintenance to easily replace applications, Roaming User Profiles to recover user profiles, and Folder Redirection to centrally manage files.
For more information about implementing IntelliMirror features, see the Distributed Systems Guide of the Microsoft Windows 2000 Server Resource Kit. For more information about deploying IntelliMirror in a Windows 2000 Server environment, see the Change and Configuration Management Deployment Guide link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources
Active Directory and Group Policy provide the foundation for implementing IntelliMirror. Without Active Directory, you cannot take full advantage of IntelliMirror for managing clients. Table 5-2 shows the streamlined management tasks you can perform in an Active Directory environment.
| Management Task | IntelliMirror Feature |
|---|---|
| Configure registry-based Group Policy settings for computers and users. | Administrative Templates |
| Manage local, domain, and network security. | Security Settings |
| Centrally install, update, and remove software. | Group Policy based software distribution |
| Manage Internet Explorer configuration settings after deployment. | Internet Explorer Maintenance |
| Apply scripts during user logon/logoff and computer startup/shutdown. | Scripts |
| Centrally manage users folders and files on the network, and make shared files and folders available offline. | Folder Redirection Offline Files and Folders |
| Centrally manage user profiles. | Roaming User Profiles |
You can also use Group Policy to manage Remote Installation Services (RIS) by centrally setting client configuration options. For more information about using RIS, see Automating and Customizing Installations, in this book.
Active Directory stores information about all physical and logical objects on the network. This information is automatically replicated across the network to simplify finding and managing data, no matter where the data is located in the organization. The Active Directory structure you create determines how you apply Group Policy settings. In an Active Directory environment, Group Policy allows you to define and control the state of computers and users in an organization. Group Policy allows you to control more than 600 customizable settings that you can use to centrally configure and manage users and computers.
Depending on the size of your organization, managing desktops, users, and their permissions can be a very complex task, especially because changes constantly happen. For example, users join and leave organizations, get promoted and transferred, and regularly change offices. Similarly, printers, computers, and network file shares are frequently added, removed, and relocated. When implemented in a Windows 2000 Active Directory infrastructure, Group Policy-based IntelliMirror features greatly simplify managing these ongoing changes. Once set, Group Policy automatically maintains the state you design without requiring further intervention.
You can associate or link a particular Group Policy object (GPO) to one or more sites, domains, or organizational units (OUs)in an Active Directory structure. When multiple GPOs are linked to a particular site, domain, or OU, you can prioritize the order in which the GPOs are applied by determining when in the processing order particular settings are processed.
By linking GPOs to sites, domains, and OUs, you can implement Group Policy settings as broadly or as narrowly in the organization as necessary. Consider the following when linking GPOs:
A GPO linked to a site applies to all users and computers in the site.
A GPO linked to a domain applies directly to all users and computers in the domain and by inheritance to all users and computers in all the OUs that are linked to that domain. Note that Group Policy is not inherited across domains.
A GPO linked to an OU applies directly to all users and computers in the OU and by inheritance to all users and computers in child OUs.
GPOs are stored in Active Directory by domain. You can, however, link a site, domain, or OU to a GPO in another trusted domain, but this is generally not recommended for performance reasons.
For detailed procedures for linking a GPO to a site, domain, or OU, see Windows 2000 Server Help. For complete technical information about Active Directory and Group Policy, see the Distributed Systems Guide of the Microsoft Windows 2000 Server Resource Kit. For information about planning and deploying an Active Directory structure, see Designing the Active Directory Structure in the Deployment Planning Guide. For examples of Active Directory deployment scenarios, see the Windows 2000 Server Deployment Lab Scenarios link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources
Windows XP Professional, Windows 2000 Professional, and Windows 2000 Server include IntelliMirror management technologies, which are primarily enabled by Group Policy. IntelliMirror and Group Policy greatly streamline managing user data, managing user settings, managing computer settings, and installing and maintaining software.
Files that a user creates and uses are user data. Examples are word processing documents, spreadsheets, or graphics files. User data belongs to the user and is located on the user s computer or on a network share to which the user has rights.
Less obvious forms of user data include Microsoft Internet Explorer cookies and Favorites and customized templates. User data is usually hard to recreate for example, a template that has undergone extensive design work and customization. With IntelliMirror, users can transparently access their data from any Windows XP Professional or Windows 2000 Professional based computer on the network, regardless of whether or not that computer is their primary computer.
IntelliMirror technologies that support user data management include:
Folder Redirection
Offline Files and Synchronization Manager
Roaming User Profiles
You can ensure that users data is always available to them in the following ways.
You can redirect user data to a network share, where it can be backed up as part of routine system maintenance. This can be done so that the process is transparent to the user. It is recommended that users be trained to store all user data in My Documents (in the built-in subfolders My Pictures, My Music, and My Videos, and in any subfolders they create to organize their data). The My Documents folder is then redirected to a network share. This capability helps to enforce corporate directives such as storing business-critical data on servers that are centrally managed by the IT staff. If users are in the habit of storing files on their desktops, you should also consider redirecting the desktop.
Although the Application Data folder can be redirected using Folder Redirection, this is generally only recommended in the following cases:
To reduce the size of the profile thereby decreasing logon time on multi-user computers where you have enabled a Group Policy setting to delete cached profiles. This gives users access to their application data, but without the need to download possibly large files every time they log on.
To reduce the size of the profile in situations where keeping initial logon time short is a top priority, such as on terminals.
For Terminal Services clients.
By using Offline Files and Synchronization Manager, administrators can ensure that the most up-to-date versions of a user s data reside on both the local computer and on the server. You can use Offline Files in conjunction with Folder Redirection to make available offline those folders that have been redirected to a server. Users can manually configure which files and folders are available offline, or administrators can configure them through Group Policy. The file is stored on a server, and the file on the local computer is synchronized with the network copy. Changes made while offline are synchronized with the server when the user reconnects to the network. Offline Files now supports Distributed File System (DFS) and Encrypting File System (EFS).
Although profiles are commonly used as a method of managing user settings (such as a user s shortcuts and other customizations of their environment), the profile also contains user data, including Favorites and Cookies. When roaming user profiles are enabled, users can access this data when they log on to any computer on the network. Windows XP Professional Group Policy settings allow the profile to roam correctly and free up system memory.
With the user settings management tools in Windows XP Professional, you can centrally define computing environments for groups of users, and grant or deny users the ability to further customize their environments.
By managing user settings, you can:
Reduce support calls by providing a preconfigured desktop environment appropriate for the user s job.
Save time and costs when replacing computers by automatically restoring the user s settings.
Help users be more efficient by automatically providing their desktop environment, no matter where they work.
The primary IntelliMirror technologies that support user settings management is Roaming User Profiles and Administrative Templates. The settings in Administrative Templates can control the desktop with pre-defined configurations; for more information, see the Administrative Templates section, later in this chapter.
A user profile contains:
The portion of the registry that stores settings such as Windows Explorer settings, persistent network connections, taskbar settings, network printer connections, user-defined settings made from Control Panel, Accessories, and application settings.
A set of profile folders that store information such as shortcut links, desktop icons, and startup applications.
User profiles are located by default on the local computer; one profile is created for each user who has logged on to that computer. By configuring user profiles to roam, you can ensure that the settings in a user s profile are copied to a network server when the user logs off from the computer and are available to the user no matter where he or she next logs on to the network.
While useful for roaming users, roaming user profiles are also beneficial for users who always use the same computer. For these users, roaming user profiles provide a transparent way to back up their profile to a network server, protecting the information from individual system failure. If a user s primary workstation needs to be replaced, the new computer receives the user s profile from the server as soon as the user logs on.
Some folders in a user profile cannot be configured to roam; these are found in the Local Settings folder, and include the subfolders Application Data (not to be confused with the other Application Data folder that is a peer of Local settings, which does roam), History, Temp, and Temporary Internet Files. These folders contain application data that is not required to roam with the user, such as temporary files, non-critical settings, and data too large to roam effectively. This data is not copied to and from the server when a user logs on or logs off.
As an illustration of using roaming and non-roaming folders, you might configure Internet Explorer to store a user s Favorites in the roaming portion of the user profile and store the temporary Internet files in the local, non-roaming portion of the user profile. By default, the History, Local Settings, Temp, and Temporary Internet Files folders are excluded from the roaming user profile. You can configure additional folders to not roam by specifying them in the Group Policy snap-in, at User Configuration\Administrative Templates\System\User Profiles\Exclude directories in roaming profile.
Group Policy settings also allow you to define how desktop computers are customized and restricted on your network. For optimal control of workstations, use Group Policy objects in an Active Directory network to centralize computer management. However, if Active Directory is not deployed, you can control security on a computer-by-computer basis by using the local Group Policy object. Each computer has one LGPO that can be used to manage the computer outside of an Active Directory environment. If you configure desktop security this way, make sure to set workstation security to match corporate security standards.
The Computer Configuration tree in the Group Policy Microsoft Management Console (MMC) snap-in includes the local computer-related Group Policy settings that specify operating system behavior, desktop behavior, application settings, security settings, computer-assigned application options, and computer startup and shutdown scripts. Computer-related Group Policy settings are applied when the operating system starts up and during periodic refresh cycles. See Using Group Policy to Manage Desktops, later in this chapter for more information.
You can also customize computer configuration settings by using the Group Policy MMC snap-in, thus simplifying individual computer setup.
While the advanced software deployment and management features of Systems Management Server 2.0 (SMS) offer distinct advantages in enterprise-sized organizations such as inventory, diagnosis, and monitoring Group Policy provides some ability to deploy software to workstations and servers running Windows 2000 or later. With Group Policy based software deployment, you can target groups of users and computers based on their location in the Active Directory. Group Policy based software deployment uses Windows Installer as the installation engine on the local computer.
This Software Installation and Maintenance component allows you to efficiently deploy, patch, upgrade, and remove software applications without visiting each desktop. This gives users reliable access to the applications that they need to perform their jobs, no matter which computer they are using.
Group Policy based software distribution enables you to:
Centrally deploy new software, upgrade applications, deploy patches and operating system upgrades, and remove previously deployed applications that are no longer required.
Ensure that users have the software they need to be productive without an Information Technology (IT) administrator or technical support person having to visit each computer.
Create a standard desktop operating environment that results in uninterrupted user productivity and straightforward administration.
Maintain version control of software for all desktop computers in the organization.
Identify and diagnose Group Policy setting failures by using Resultant Set of Policy (RSoP) in logging mode.
Deploy, in combination with Windows Installer, 64-bit applications as well as 32-bit applications.
Using the Software Installation extension of the Group Policy MMC snap-in, you can centrally manage the installation of software on a client computer, either by assigning applications to users or computers or by publishing applications for users. You can:
Assign software to users. As an administrator, you can install applications assigned to users the first time they log on after deployment, or you can have the application and its components install on demand as the user invokes that functionality.
Assign software to computers. When you assign an application to a computer, the installation occurs the next time the computer starts up, and the application is available for all the users on that computer.
Publish software for users. You can publish applications for users only. Those users can choose to install the software from a list of published applications located in Add or Remove Programs in Control Panel. Add or Remove Programs includes an active Web link that is associated with each application that provides users with the support information they need to install certain applications. For example, the default support link for Microsoft Office is http://www.microsoft.com/office Administrators can overwrite this default by using the Software Installation extension of the Group Policy snap-in.
| Situation or Condition | Publish | Assign to User (Install on Demand) | Assign to User (Full Install) | Assign to Computer |
|---|---|---|---|---|
| Once the administrator deploys the software, it is available for installation: | The next time the user, to whom this application s Group Policy setting applies, logs on. It is also immediately visible in Add or Remove Programs. | The next time the user, to whom this application s Group Policy setting applies, logs on. It is also immediately visible in Add or Remove Programs. | The next time the user logs on. It is also immediately visible in Add or Remove Programs. | The next time the computer is started. |
| The software is installed: | By the user from Add or Remove Programs or, optionally, by opening an associated document (for applications deployed to auto-install). | By the user from the Start menu or a desktop shortcut or by opening an associated document. | Automatically when the user logs on. | Automatically when the computer is started. |
| The software is not installed and the user opens a file associated with the software: | The software installs only if Auto-Install is selected. | The software installs. | Does not apply. The software is already installed. | Does not apply. The software is already installed. |
| The user wants to remove the software by using Add or Remove Programs: | The user can uninstall the software, and subsequently choose to install it again by using Add or Remove Programs. | The user can uninstall the software, but it is re-assigned the next time the user logs on. It is available for installation again from the typical software distribution points. | The user can uninstall the software, but it is re-assigned the next time the user logs on. It is available for installation again from the typical installation points. | Only the local administrator and the network administrator can remove the software. |
Group Policy is the primary tool for defining and controlling how programs, network resources, and Windows XP Professional and Windows 2000 Professional behave for users and computers in an organization. Similar to the way in which information is stored in Microsoft Word .doc files, Group Policy settings are contained in Group Policy objects (GPOs) created by using the Group Policy MMC snap-in.
Using Group Policy in an Active Directory environment, you can specify a user or computer configuration once, and then rely on the Windows XP Professional or Windows 2000 operating system to enforce that configuration on all affected client computers until you change it. After you apply Group Policy, the system maintains the state without further intervention.
You can define configurations by implementing Group Policy settings from a central location for hundreds or even thousands of users or computers at one time. For example, you might use Group Policy to implement the following rules:
Install Microsoft Office 2000 on all computers used by members of the Sales Department.
Prevent temporary personnel from accessing Control Panel.
Manage access to adding or removing hardware.
| Note | Do not confuse Group Policy settings with preferences. Group Policy settings are created by an administrator and enforced automatically. Preferences are system settings and configuration options, such as a screen saver or the view in My Documents that users set and alter without an administrator s intervention. Group Policy settings take precedence over preferences. |
Each combination of Group Policy settings that you configure is called a Group Policy object (GPO). You can link GPOs to computers and users based on their location in an Active Directory structure. That is, you can link a GPO to a site, domain, or organizational unit (OU). Each GPO is applied as part of the startup process or when a user logs on to a workstation. The settings within the GPOs are evaluated by the affected clients, using the hierarchical nature of Active Directory, as described in GPO Processing Order, later in this section.
| Note | Every computer receives one LGPO, which is stored on the local computer itself. Because LGPOs must be set and modified individually on every client computer, it is recommended that you use LGPOs to manage clients only if Active Directory is not deployed in your environment, and only if you are not using the Windows XP Professional or Windows 2000 Group Policy Administrative Templates with Windows NT 4.0 System Policy. |
To create, edit, and manage a GPO, use the Group Policy MMC snap-in, either as a stand-alone tool or as an extension to an Active Directory snap-in (such as the Active Directory Users and Computers snap-in or the Active Directory Sites and Services snap-in). When working in an Active Directory environment, the preferred method is to use the Group Policy snap-in as an extension to an Active Directory snap-in. This allows you to browse Active Directory for the correct Active Directory container, and then define Group Policy based on the selected scope. To access Group Policy from either the Active Directory Users and Computers snap-in or in the Active Directory Sites and Services snap-in, select the Group Policy tab from the Properties page of a site, domain, or organizational unit.
When you create a GPO, start with a template that contains all of the Group Policy settings available for you to configure. Because Group Policy settings apply to either computers or users, GPOs contain trees for each:
Computer Configuration. All computer-related Group Policy settings that specify operating system behavior, desktop behavior, security settings, computer startup and shutdown scripts, computer-assigned applications, and any settings provided by applications.
User Configuration. All user-related Group Policy settings that specify operating system behavior, desktop settings, security settings, user-assigned and user-published application options, folder redirection options, user logon and logoff scripts, and any Group Policy settings provided by applications.
| Warning | If an Active Directory domain contains both Windows 2000 and Windows XP Professional based clients, any new Group Policy settings specific to Windows XP Professional that you configure do not apply to the Windows 2000 based clients. See Group Policy Help or the Extended view in the Group Policy snap-in for the desktop operating system required for each setting to apply. |
Local computer Group Policy is applied during the startup process and periodic refresh cycles. User Group Policy is applied when the user logs on to the computer and during the periodic refresh cycle. When a computer starts, computer policy is applied during the boot process. Then, when a user logs on, user policy is applied in the following order: local GPO, GPOs linked to sites, GPOs linked to domains, and GPOs linked to organizational units (OUs). In the case of nested OUs, GPOs associated with parent OUs are processed prior to GPOs associated with child OUs. Keep this processing order in mind when configuring multiple GPOs to centrally manage desktops in your network environment.
| Note | If a setting in a later-applied GPO is not configured, it does not overwrite settings configured in earlier-applied GPOs. |
This order of application is the default behavior. You can modify the default processing order by using the No Override, Block Policy Inheritance, or Loopback Group Policy settings. These allow you to modify the rules of inheritance, either by forcing GPOs to affect groups of users or computers, or by preventing higher-level GPOs from affecting groups of users or computers.
The biggest change in Group Policy for Windows XP Professional is the introduction of the Resultant Set of Policy (RSoP) MMC snap-in. RSoP gives administrators a powerful and flexible tool for and troubleshooting Group Policy. RSoP allows you to see the aggregate effect of Group Policy on a target user or computer, including which settings take precedence over others.
RSoP is enabled by Windows Management Instrumentation (WMI) by leveraging the capability of WMI to extract data from the registry, drivers, the file system, Active Directory, Simple Network Management Protocol (SNMP), Windows Installer, Microsoft SQL Server , various networking features, and Microsoft Exchange Server.
Use Logging mode to determine which GPO settings are actually applied to a target user or computer. You can also use logging mode on a stand-alone computer.
For example, a help desk worker can connect to any Windows XP Professional-based computer on the network and run Logging mode if they have local administrator access on the target computer.
Group Policy provides several extensions you can use to configure GPOs that enable IntelliMirror features and manage users. These extensions include:
Administrative Templates.
Security Settings.
Software Installation and Maintenance.
Scripts (computer startup and shutdown scripts and user logon and logoff scripts).
Folder Redirection.
Internet Explorer Maintenance.
Remote Installation Services.
| Note | Folder Redirection, Software Installation and Maintenance, and RIS require Active Directory; they are not present on the local Group Policy object and cannot be managed by using the local Group Policy object. If Active Directory is not deployed on your network, use System Policy instead. |
You can use any of these extensions to apply Group Policy to users or computers, although settings are different for users and computers. Use the Group Policy snap-in to access the extensions. By default, all the available extensions are loaded when you start the Group Policy snap-in. Different extensions are available depending on whether you are viewing the local Group Policy object or Active Directory domain-based Group Policy.
Administrative templates (.adm files) are Unicode files that you can use to configure the registry-based settings that govern the behavior of many services, applications, and operating system components such as the Start menu. By default, the Group Policy snap-in contains four .adm files that cumulatively contain more than 600 settings. You can also access three additional .adm files that can be used with the Windows NT 4.0 System Policy Editor. The .adm files are described in Table 5-4.
| .adm File | Use With | Description |
|---|---|---|
| System.adm | Windows XP Professional | Contains many settings that you can use to customize the user s operating environment. |
| Inetres.adm | Windows XP Professional | Contains settings for Internet Explorer. |
| Conf.adm | Windows XP Professional | Contains settings you can use to configure Microsoft NetMeeting . |
| Winnt.adm | Windows NT 4.0 System Policy Editor, Poledit.exe | Contains policy for Windows NT 4.0 based clients. |
| Wmplayer.adm | Windows XP Professional | Contains settings you can use to configure Windows Media Player. |
| Common.adm | Windows NT 4.0 System Policy Editor, Poledit.exe | Contains policy for client computers running Windows NT 4.0, Microsoft Windows 95, and Microsoft Windows 98. |
| Windows.adm | Windows NT 4.0 System Policy Editor, Poledit.exe | Contains policy for Windows 95 and Windows 98 based clients. |
An .adm file specifies a hierarchy of categories and subcategories that together define how the Group Policy snap-in displays the options. The file also indicates the registry locations where the settings are stored if a particular selection is made, specifies any options or restrictions in values that are associated with the selection, and might specify a default value if a selection is activated.
In Windows 2000 and Windows XP Professional, all Group Policy settings set registry entries in either the \Software\Policies tree (the preferred location for all new policies) or the \Software\Microsoft\Windows\CurrentVersion\Policies tree, in either the HKEY_CURRENT_USER subtree or the HKEY_LOCAL_MACHINE subtree.
Policy settings that are stored in these registry subkeys are known as true policy settings. Storing settings here has the following advantages:
These subkeys are secure and cannot be modified by a non-administrator.
When Group Policy changes for any reason, these subkeys are cleaned, and then the new Group Policy related registry entries are rewritten.
This prevents Windows NT 4.0 behavior, where System Policy settings result in persistent settings in the registry. A policy remains in effect until the value of its corresponding registry entry is reversed, either by a counteracting policy or by editing the registry. These settings are stored outside the approved registry locations above and are known as preferences.
By default, only true policy settings are displayed in the Group Policy snap-in. Because they use registry entries in the Policies subkeys of the registry, they will not cause persistent settings in the registry when the GPO that applies them is no longer in effect. The following .adm files are displayed by default:
System.adm, which contains operating system settings.
Inetres.adm, which contains Internet Explorer restrictions.
Conf.adm, which contains NetMeeting settings.
WMPlayer.adm, which contains Windows Media Player settings.
Administrators can add additional .adm files to the Group Policy snap-in that set registry values outside of the Group Policy subkeys. These settings are referred to as preferences because the user, application, or other parts of the system can also change the settings. By creating non Group Policy .adm files, the administrator ensures that certain registry entries are set to specified values.
One useful feature of the Windows XP Professional Group Policy snap-in is view filtering. For example, you can hide settings that aren t configured or view only settings supported on a particular operating-system platform.
To filter the view of the Group Policy snap-in
Click View, and then click Filtering.
Select the Filter by requirements information check box, and then in the list box select the check boxes for the categories that you want to make visible.
If you want to hide settings that are not configured, select the Only show configured policy settings check box. If you do this, only enabled or disabled settings will be visible.
If you want to hide Windows NT 4.0 style system policy settings, make sure that the Only show policy settings that can be fully managed check box is selected. This option is recommended, and it is enabled by default.
You can also prevent administrators from viewing or using non-policy settings by enabling the Enforce Show Policies Only Group Policy setting in User Configuration\Administrative Templates\System\Group Policy.
The icon for non-policy or preference settings is red. True policy settings have a blue icon.
Use of non Group Policy settings within the Group Policy infrastructure is strongly discouraged because of the persistent nature of these registry-based settings. To set registry-based policy settings on client computers running Windows NT 4.0, Windows 95, and Windows 98, use the Windows NT 4.0 System Policy Editor tool, Poledit.exe.
Extended View for the Group Policy snap-in now provides Explain text for the selected Group Policy setting without having to open a separate Help window. It also clearly shows which operating system client platform is required for the selected setting to apply. You can now more easily determine which settings will function depending on the existing desktop operating systems on your network.
A Group Policy settings spreadsheet is available on the Web for easy tracking of your configured Group Policy settings. See the Group Policy Object Settings spreadsheet link on the Web Resources page at http://www.microsoft.com/windows /reskits/webresources.
Use the Security Settings extension to set the security options for computers and users within the scope of a GPO. For information about defining security settings for the domain and network, see the Distributed Systems Guide of the Microsoft Windows 2000 Server Resource Kit.
The Security Settings extension of the Group Policy snap-in complements existing system security management features such as Local Security Policy snap-in. You can continue to change specific settings as needed.
You can configure security for computers to include:
Account policies, such as computer security settings for password policy, lockout policy, and Kerberos authentication protocol policy in Active Directory domains.
| Warning | Security settings are applied only at the domain level. If configured at the OU level, they are neither processed nor applied. |
Local policies, including security settings for auditing, assigning user rights (such as who has network access to the computer), and security options (such as determining who can connect to a computer anonymously).
Event logging, which controls settings such as the size and retention method for the Application, Security, and System event logs.
Restricted groups, which allows administrators to control individual and group membership in security sensitive groups. You can enforce a membership policy regarding sensitive groups, such as Enterprise Administrators or Payroll. For more information about using security, see Security Settings later in this chapter.
System services, including services that control startup mode and access permissions for system services, such as who is allowed to stop and start the fax service.
Registry security, which allows you to configure security settings for registry containers, including access control, audit, and ownership.
File system, which configures security settings for file-system objects, including access control, audit, and ownership.
Public Key policies, which control and manage certificate settings.
IP Security policies, which propagates Internet Protocol security (IPSec) policy to any computer accounts affected by the GPO. For users, you can define IPSec security. This propagates IPSec policy to any user accounts affected by the GPO.
The following security templates are installed when Windows XP Professional is installed on an NTFS file system partition:
Basicwk.inf applies default settings for Windows XP Professional based computers for all areas except User Rights and Group memberships.
Basicsv.inf applies default settings for Windows 2000 Server based computers for all areas except User Rights and Group memberships.
Basicdc.inf applies default settings for domain controllers for all areas except User Rights and Group memberships.
User Rights and Group memberships are not modified by the basic templates because these templates are most often used for undoing file system or registry access control list (ACL) changes, or to apply the default Windows XP Professional ACLs to computers that have been upgraded from Windows NT 4.0. In these cases, administrators typically want to maintain existing User Rights and Group memberships.
Typically, you do not need to define the default security templates because they are installed by default on an NTFS partition. However, they can be useful if you have converted a drive from file allocation table (FAT) to NTFS, or if you have made customizations and want to restore the system to the default ACLs.
Do not deploy these templates by using Group Policy, because it can take a long time to reapply these basic templates. They are applied during setup. Incremental templates, on the other hand, are useful to deploy using Group Policy.
Windows XP Professional includes several incremental security templates. By default, these templates are stored in systemroot\Security\Templates. You can customize these predefined templates by using the Security Templates MMC snap-in or by importing them into the Security Settings extension of the Group Policy snap-in. These templates include:
Compatible. The Compatible template (Compatws.inf) relaxes the default permissions for the Users group so that older applications written to less stringent security standards are more likely to run.
Secure. Two templates, Securews.inf and Securedc.inf, work on workstations, servers, and domain controllers. These provide increased security compared to the access control permissions set by default when Windows XP Professional is installed. The Secure configuration includes increased security settings for Account Policy, Auditing, and some common security-related registry subkeys and entries.
High Secure. The High Secure templates are Hisecws.inf and Hisecdc.inf. These provide increased security over the secure configuration and work on workstations, servers, and domain controllers. This configuration requires that all network communications be digitally signed and encrypted.
For more information about these templates, see Authorization and Access Control in this book.
Use the Software Installation extension of the Group Policy snap-in to centrally manage software in your organization. You can assign (make mandatory) or publish (make optionally available) software to users, and assign (but not publish) software to computers. For more information about using the Software Installation extension, see Using IntelliMirror to Manage Desktops earlier in this chapter.
You can use Group Policy based scripts to automate computer startup and shutdown, and user logon and logoff sessions. You can use any language supported by Windows Script Host (WSH), a language-independent scripting host for 32-bit Windows platforms. Your options include Microsoft Visual Basic Scripting Edition (VBScript), JavaScript, Perl, and batch files (with .bat and .cmd extensions) such as in Microsoft MS DOS .
WSH is included in Windows XP Professional. With WSH, you can run scripts directly in Windows XP Professional by double-clicking a script file, or by typing the name of a script file at the command prompt.
You can use any WSH scripting tool including the VBScript programming system and Microsoft JScript development software to create scripts. Independent software vendors provide WSH support for other popular scripting languages. You can use Windows Script Host to run .vbs and .js scripts directly on the Windows desktop or command console, without having to embed the scripts in an HTML document. MS DOS-type batch files (with .bat and .cmd extensions) also use WSH.
Windows XP Professional supports the following five scripts:
Group Policy logon scripts
Group Policy logoff scripts
Group Policy startup scripts
Group Policy shutdown scripts
Logon scripts set on user objects
| Note | Although Group Policy based scripts are similar to logon scripts set on the user object, they often require multi-branching logic to target a specific group of users. Using Group Policy, you can target the scripts by using OUs and security group filtering. For this reason, the Windows XP Professional scripting options are a more efficient choice. |
Using the Scripts folder located under Computer Configuration\Administrative Templates\System and User Configuration\Configuration\Administrative Templates\System in the Group Policy snap-in, you can specify when and how startup and shutdown scripts are run. See Table 5-6 later in this chapter for a partial list of script-related settings.
Use Folder Redirection to redirect Windows XP Professional certain folders from their default location in the user profile to an alternate location on an Active Directory network where you can centrally manage them and keep them secure. The Windows XP Professional that can be redirected include My Documents (and its subfolders My Pictures, My Music, and My Videos), Application Data, Desktop, and the Start menu.
Using Internet Explorer Maintenance, you can administer and customize Internet Explorer on Windows XP Professional based client computers by using Group Policy instead of using the Internet Explorer Administration Kit (IEAK). You can also export these settings to clients running earlier versions of Windows. For more information about managing Internet Explorer, see the Microsoft Internet Explorer Resource Kit link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources For information about individual Internet Explorer Group Policy settings, see Group Policy Help or the Extended view in the Group Policy snap-in.
A new command-line tool, GPUdate.exe, replaces the Secedit.exe tool to give administrators better control and flexibility in refreshing policy. Normally, Group Policy refreshes every 90 minutes for the computer and user. However, after you revise a GPO, you can use GPUpdate to refresh the GPO so that it takes effect immediately. GPUpdate replaces the Windows 2000 tool Secedit.exe and provides increased control and flexibility. The command-line parameters for this tool are described in Table 5-5.
| Command-Line Parameter | Behavior |
|---|---|
| /target:{computer|user} | Specifies that only Computer or User policy settings are refreshed. By default, both Computer and User policy settings are refreshed. |
| /force | Reapplies all policy settings. By default, only policy settings that have changed are applied. |
| /wait:value | Sets the number of seconds to wait for policy processing to finish. The default is 600 seconds. The value 0 means not to wait. The value -1 means to wait indefinitely. When the time limit is exceeded, the command prompt returns, but policy processing continues. |
| /logoff | Causes a logoff after the Group Policy settings have been refreshed. This is required for those Group Policy client-side extensions that do not process policy on a background refresh cycle but that do process policy when the user logs on. Examples include user-targeted Software Installation and Folder Redirection. This option has no effect if there are no extensions called that require the user to log off. |
| /boot | Causes a reboot after the Group Policy settings are refreshed. This is required for those Group Policy client-side extensions that do not process policy on a background refresh cycle but that do process policy when the computer starts up, such as computer-targeted Software Installation. This option has no effect if there are no extensions called that require a reboot. |
| /sync | Causes the next foreground policy application to be processed synchronously. Foreground policy applications occur at computer boot and user logon. You can specify this for the user, computer, or both using the /target parameter. The /force and /wait parameters are ignored if specified. |