Creating and Managing Standard Desktop Configurations


IntelliMirror and Group Policy allow you to manage desktops with great efficiency. To take full advantage of these benefits, it is recommended that you define and set up default user configurations.

A standard configuration must be carefully adapted to the target users' applications, tasks, and locations. It can also increase productivity by preventing users from making system changes that could cause downtime. Because standard configurations are easier to troubleshoot or replace, they can also reduce support costs.

IntelliMirror and Group Policy are designed for use in environments where administrators need to centralize tasks such as the following:

  • Managing mobile users

  • Managing new users

  • Creating managed desktops

  • Managing multi-user desktops

  • Replacing computers

Creating Managed Desktops

The managed desktop contains settings that can lower the total cost of ownership (TCO) of a desktop for any level of user. This configuration can reduce help desk costs and user downtime by providing users with just the applications and tools they need to perform their jobs. The user is permitted to install approved applications and make extensive customizations of applications and the desktop environment. At the same time, the managed desktop configuration can keep users from making potentially harmful changes to configuration settings, such as adding or disabling hardware devices, or changing system or user environment settings, such as the location of the My Documents folder, and can restrict access to such features as the MMC administration snap-ins and some hardware-configuration items in Control Panel. The user for this configuration does not usually require access to Network Connections.

Table 5-8 shows the desktop management features used to create a typical managed desktop configuration.

Table 5-8: Features of a Managed Desktop Configuration

| Feature | Specifics | Explanation |
|---|---|---|
| Multiple Users | Per-user logon accounts | Users might share this computer during different shifts. Each user has a unique logon account. |
| Roaming User Profiles | Yes | Makes user settings available from any computer and enables administrators to easily replace computers without losing user configuration. |
| Folder Redirection | My Documents folder | User data is saved on server shares and Group Policy prevents users from storing data locally. |
| Ability for User to Customize | Most | Allows users to personalize their work environment while preventing changes to critical system settings. |
| Assigned Applications | Multiple | Core applications are automatically installed before the user logs on. |
| Published Applications | Multiple | All required applications are available for users to install locally. |
| Group Policy Settings | Yes | Group Policy settings are used to create the managed environment. |

Managing Mobile Users

Many organizations have mobile users, that is, traveling employees who often use a portable computer. Mobile users have unique needs because, although these users usually log on to the same computer, they sometimes connect through a high-speed line and sometimes through a low-speed (or dial-up) line, and some mobile users never have a fast connection. Such users fall into two main categories:

  • Users who spend the majority of time away from the office or have no fixed office. Typically, these users connect by using slow links, although they might have occasional LAN access to their logon server, data servers, and application-delivery servers.

  • Users who spend most of their time in an office but occasionally work at home or in another location. The majority of their network access is at LAN-speed, but they occasionally use the Routing and Remote Access service or remote network links.

Despite the apparent differences between these two types of users, you can generally accommodate them with a single configuration. However, you might want to consider creating a slightly different GPO for users who spend the majority of their time out of the office.

Mobile users are often expected to provide much of their own computer support because on-site support is not available. For this reason, you might want to grant them more privileges than equivalent users on a desktop computer (for example, so they can install printers).

You might, however, decide to restrict mobile users from making system changes that might damage or disable their systems. For example, you might restrict mobile users from altering certain Internet Explorer settings or adding unapproved hardware devices. Although these users might need access to some of the MMC administration snap-ins, you can make available only a restricted set.

Mobile users expect transparent access to the most critical parts of their data and settings, regardless of whether the portable computer is connected to the network. They roam to desktop computers while their portable computer is in use, for example, to read mail while they are in a remote office. Finally, mobile users frequently disconnect their portable computer from the network without logging off and shutting down. This is more likely to happen with the hibernate and standby features of Windows XP Professional.

IntelliMirror provides several tools that greatly simplify managing mobile users. User data and settings management tools allow users to work on files offline and automatically update network versions of those files when they later reconnect to the network. The Offline Files feature allows users to work on network files when they are not actually connected to the network. Synchronization Manager coordinates synchronization of any changes between the offline version of a file and the network version.

Note 

If users are likely to disconnect from the network without logging off, it is recommended that you set Offline Files to periodically synchronize in the background. If Offline Files is set to synchronize only when users log off, users' files might not be up-to-date. You might also want to educate users to manually synchronize their data before disconnecting from the network to ensure all files are up-to-date.

Synchronization Manager also helps manage multi-user network files. If multiple users modify the same network file, Synchronization Manager notifies the users about the conflict and offers several resolution methods. The users can save the network version, their local version, or both versions. If both are to be kept, the user is asked for a new file name to store one of the versions so that uniqueness is maintained.

Software installation for the mobile user requires some additional planning. You can make sure that all important software components, defined by you or the user, are completely installed initially. This allows the user access to necessary software even when he or she is not connected to the network. That means that prior to these users leaving the office, you must ensure that all relevant features within the application are installed locally and are not just advertised. For example, make sure the spelling checker for Microsoft Office is locally installed so that the user does not trigger on-demand installation of this feature while offline.

It is not recommended that you publish software for mobile users who connect over slow links. Additionally, when mobile users connect over a slow link, user-assigned software effectively behaves the same as if you published it for these users. If you set the Group Policy slow link detection setting to the default in the user interface, the software will not install on demand. However, you can define the connection speed that is considered to be a slow link in the Group Policy setting for slow-link detection.

Note 

It is recommended you treat any link that is slower than local area network (LAN) speed as a slow link.

If you determine that it is appropriate for mobile users to download software from a remote location and they experience difficulty staying connected when downloading the software, you can verify that the connection speed and Group Policy settings are set appropriately in the Group Policy slow link detection setting in Computer Configuration/Administrative Templates/System/Group Policy or User Configuration/Administrative Templates/System/Group Policy.

Typically, a mobile user has a single portable computer and does not roam between portable computers (unless the computer is replaced). However, roaming user profiles are useful to give some measure of protection against mobile computer failure or loss and to allow roaming to desktop computers when the mobile user is often connected to a fast network. When the mobile user is not often connected to a fast network, it is best not to use roaming user profiles.

Data accessed by the mobile user often falls into one or more of the following categories:

  • Data that resides on a network server and which users want to access while not connected to the network. Users typically own this data (for example, their home directory), but shared data can also be stored on the local computer.

  • Data that resides only on the network server (either not needed offline or volatile shared data that is inappropriate for storing offline).

  • Data that resides only on the portable computer local disk. Examples are policy manuals or other read-only items, or large document sets that the user needs offline but whose synchronization overhead precludes storing them on a file server. (In this case, a suitable backup mechanism is definitely needed.) Other examples might be large database files or other data items that have their own synchronization mechanism, such as the offline storage feature in Microsoft Outlook.

Table 5-9 summarizes desktop management features you can use to create a mobile user configuration.

Table 5-9: Features of a Mobile User Configuration

| Feature | Specifics | Explanation |
|---|---|---|
| Number of Users | One | Each user has a local logon account. |
| Roaming User Profiles | Yes, depending on connection type and frequency | Provides centralized storage of user state to help administrators replace computers without losing user configuration. Also facilitates roaming. |
| Folder Redirection | My Documents folder | Allows users to access centrally stored data and documents from anywhere. Redirected folders are automatically made available offline, to provide access when users are not connected to the network. |
| Ability for User to Customize | Within certain guidelines | Allows users to personalize their work environment while preventing changes to critical system settings. |
| Assigned Applications | Multiple | Core applications are installed on all laptops. |
| Published Applications | Multiple | Optional applications are available for users to install locally. |
| Group Policy Settings | Yes | Policy settings are used to create the managed environment. |

For more information about configuring portable computers, see "Supporting Mobile Users" in this book.

Managing New Users

IntelliMirror, Group Policy, Windows Installer, and RIS greatly streamline adding new users and their computers to your network. You might use these technologies as follows to add a new managed user.

A new user logs on to a new computer and finds shortcuts to documents on the desktop. These shortcuts link to common files, data, and URLs such as the employee handbook, the company intranet, and appropriate departmental guidelines and procedures. Desktop options, application configurations, Internet settings, and so on are configured to the corporate standard. As the user customizes his or her environment (within boundaries defined by the administrator), these changes are added to the initial environment. For example, the user might change the screen resolution for better visibility, and might add shortcuts to the desktop.

In this situation, a default domain profile and Group Policy are used to configure the new user's environment based on job requirements. The advantage of using a default domain profile is that all new users start from a common, administrator-defined configuration in an existing domain structure. You create a customized domain profile that applies to all new domain users the first time they log on, and they receive the customized settings from this profile. Then, as the user personalizes desktop settings and items, these settings are saved in the user's profile that is stored locally, or in the case of a roaming user profile, in a predetermined location on the network. By implementing a default domain profile in conjunction with Roaming User Profiles, the administrator provides users with the necessary business information as a starting point, and also allows them to access their settings whenever and wherever needed. Finally, the administrator uses Folder Redirection to redirect the user's My Documents folder to a network location, so that the user's documents are safely stored on a network server and can be backed up regularly.

The administrator uses the Software Installation and Maintenance extension of Group Policy to assign Microsoft Word to a user or a specific group of users. The new user logs on for the first time and sees that the software required to do his job is listed in the Start menu. When the user selects Microsoft Word from the Start menu, or double-clicks a Word document, Windows Installer checks to see whether the application is installed on the local computer. If it is not, Windows Installer downloads and installs the necessary files for Word to run and sets up the necessary local user and computer settings for an on-demand installation.

Managing Multi-User Desktops

A multi-user desktop is managed, but allows users to configure parts of their own desktops. The multi-user desktop is ideal for public shared access computers, such as those in a library, university laboratory, or public computing center. The multi-user desktop experiences high traffic and must be reliable and unbreakable while being flexible enough to allow some customization.

Users can change their desktop wallpaper and color scheme. Because many different people use the computers and security must be maintained, they cannot control or configure hardware or connection settings. The computers often require certain tools, such as word processing software, spreadsheet software, or a development studio. Students might need access to customized applications for instructional purposes and need to be able to install applications that the network administrator has published.

With the multi-user desktop configuration, users can:

  • Modify Internet Explorer and the desktop.

  • Run assigned or published applications.

  • Configure some Control Panel options.

However, users cannot:

  • Use the Run command in the Start menu or at a command prompt.

  • Add, remove, or modify hardware devices.

In the multi-user environment, turnover is high and a user is unlikely to return to the same computer. Therefore, local copies of roaming user profiles that are cached on the computer are removed after the user logs off, if the roaming user profile settings were successfully synchronized back to the server. Roaming user profiles use the My Documents and Application Data folders that are redirected to a network folder. However, users can log on even if their network profile is not available. In this case, the user receives a new profile based on the default profile.

The multi-user computer is assigned a set of core applications that is available to all users who log on to that particular computer. In addition, a wide variety of applications are available, either published for users or assigned to users. Due to security risks, users cannot install from a disk, CD-ROM, or Internet location. To conserve disk space on the workstation, most applications must be configured to run from a network server. Start menu shortcuts and registry-based settings are configured when the user selects an application to install, but most of the application's files remain on the server. The shares that store the applications can be configured for automatic caching for programs so that application files are cached at the workstation on first use.
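Added example, not part of the original text: a Python check that a shared workstation actually carries the multi-user restrictions described above (no Run command, no command prompt, cached roaming profiles removed at logoff), run against a .reg export of its policy keys. The registry value names NoRun, DisableCMD, and DeleteRoamingCache do not appear on this page; they are assumed here to be the values the corresponding policy settings write, and the sample export is constructed.

```python
import re

# Constructed sample: a .reg export (regedit text format) of the policy keys
# from a shared workstation. The values are made up for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System]
"GroupPolicyMinTransferRate"=dword:000001f4
'''

# Baseline: (key, value name, accepted values, meaning). Value names are an
# assumption of this example; the page names the restrictions, not the values.
BASELINE = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoRun", {1}, "Run command removed from the Start menu"),
    (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System",
     "DisableCMD", {1, 2}, "command prompt disabled"),
    (r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System",
     "DeleteRoamingCache", {1}, "cached roaming profiles deleted at logoff"),
]

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')

def parse_reg(text):
    """Return {(key, name): int} for each DWORD; names are lowercased (case-insensitive)."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = DWORD_RE.match(line)
        if m and key:
            values[(key, m.group("name").lower())] = int(m.group("hex"), 16)
    return values

def audit(text):
    """Return a list of (value name, finding) for every baseline item not met."""
    values = parse_reg(text)
    findings = []
    for key, name, accepted, meaning in BASELINE:
        actual = values.get((key.lower(), name.lower()))
        if actual is None:
            findings.append((name, f"not configured ({meaning})"))
        elif actual not in accepted:
            findings.append((name, f"set to {actual}, expected {sorted(accepted)} ({meaning})"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_REG):
        print(f"FAIL {name}: {finding}")
```

Files exported by regedit in this format are UTF-16 encoded, so decode them with that encoding before passing the text to audit().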

Table 5-10 shows the desktop management features used to create a multi-user computing environment.

Table 5-10: Features of a Multi-User Desktop Configuration

| Feature | Specifics | Explanation |
|---|---|---|
| Multiple Users | Per-user logon accounts | Users share this computer during different shifts. Each user has a unique logon account. |
| Roaming User Profiles | Yes | Makes user settings available from any computer and enables administrators to easily replace computers without losing their configuration. When the user logs off, the local cached version of the profile is removed to preserve disk space. |
| Folder Redirection | My Documents and Application Data | User data is saved on server shares and Group Policy prevents users from storing data locally. |
| Ability for User to Customize | Some | Most of the system is locked down, but some personal settings are available. |
| Assigned Applications | Multiple | Core applications that are common to all users are assigned to the computer. Other applications are available for on-demand install by means of user assignment. |
| Published Applications | Multiple | Applications are available for users to install from Add or Remove Programs in Control Panel. |
| Group Policy Settings | Yes | Group Policy settings are used to create the managed environment. |

Replacing Computers

When a user receives a new or different computer, it can cause a time-consuming interruption in productivity. It is extremely important that such users regain productivity in the shortest possible time and with a minimum of support. This can be accomplished by storing user data and settings independently of any specific computer. By using the Group Policy features Roaming User Profiles and Folder Redirection, you can ensure that the user's data, settings, and applications are available wherever the user logs on to the network.

To further simplify setting up a new managed computer on your network, use Remote Installation Services (RIS) to create standardized operating-system configurations. RIS allows you to create a customized image of a Windows XP Professional or Windows 2000 Professional desktop from a source computer. Then you can save that desktop image to the RIS server. The image can include the operating system alone or a preconfigured desktop image, including the operating system and a standard, locally installed desktop application. You can use that preconfigured image to set up multiple desktops, saving valuable time. Create as many standard desktop images as you need to meet the needs of all types of users in your organization. For more information about using RIS, see "Automating and Customizing Installations" in this book.

These technologies might work together as follows:

A user's computer suddenly undergoes a complete hardware failure. The user calls the internal support line. Shortly, a new computer, loaded only with the Windows XP Professional operating system, arrives. Without waiting for technical assistance, the user plugs in the new computer, connects it to the network, starts it, and can immediately log on.

Because roaming user profiles are enabled, the user finds that the desktop takes on the same configuration as the computer it replaced: the same color scheme, screensaver, and all the application icons, shortcuts, and favorites are present. Because folder redirection and software installation are enabled, the user can seamlessly access data files on the server using the necessary productivity applications once they automatically install.

For more information about implementing these and other standard desktop configurations, see the Desktop Management Scenarios link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources




Microsoft Windows XP Professional Resource Kit 2003
Year: 2005
Pages: 338
