General Recommendations for Managing Clients Through Group Policy


There are some general rules of thumb to follow when using Group Policy to manage your network clients. This section details the best practices to keep in mind as you design your Group Policy solutions for most situations. It also provides some helpful tips on how to use software installations and folder redirection.

Keeping Group Policy Manageable

It has often been said that a simple solution is the best solution. Because Group Policy in Windows Server 2003 provides such a wide palette for customizing the network client experience, it can also become unwieldy as you build policy after policy in an effort to manage your environment. To avoid unnecessary complexity in your Group Policy solutions, keep the following recommendations in mind:

  • Use a common-sense naming convention: As you name the policies you build for your environment, stick to a naming convention that will help you easily identify the function of your policies. Windows Server 2003 does not prevent you from giving two policies the same name, but it would be confusing if you did so. Also, keeping your policy names simple makes designing and troubleshooting with the Resultant Set of Policy (RSoP) tools easier.

  • Use Block Policy Inheritance and No Override sparingly: These features are great tools for applying Group Policy in organizations with strict hierarchical frameworks and for organizations with distributed administration. They can also make troubleshooting your policies difficult.

  • Disable unused parts of Group Policy Objects (GPOs): If your policy uses only User Configuration, you can disable Computer Configuration. Likewise, if you are modifying only Computer Configuration through policy, you can disable User Configuration. This will speed up the startup and logon process for those network clients receiving the policy.

  • Avoid cross-domain policy assignments: Again, to expedite the startup and logon process, have your users receive their policy assignments from their own domain. This tip is particularly pertinent to the management of remote users.
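
The naming and unused-section recommendations above can be checked mechanically. The following PowerShell is an added example, not code from the book: it assumes the GroupPolicy module's Get-GPO cmdlet (available with Windows Server 2008 R2 and later management tools, not Windows Server 2003), and the function name Get-GpoHygieneFinding and the sample GPO names are hypothetical.

```powershell
# Added example: flag GPOs that break the naming and unused-section advice.
# Input objects need DisplayName, GpoStatus, User.DSVersion and
# Computer.DSVersion, which is the shape Get-GPO returns.
function Get-GpoHygieneFinding {
    param([Parameter(Mandatory)][object[]]$Gpo)

    # Duplicate display names are permitted but make RSoP output ambiguous.
    $Gpo | Group-Object DisplayName | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{ Check = 'DuplicateName'; Gpo = $_.Name
                           Detail = "$($_.Count) GPOs share this name" }
    }

    foreach ($g in $Gpo) {
        foreach ($side in 'User', 'Computer') {
            # A side whose directory version is 0 has never been edited,
            # so clients process it for nothing unless it is disabled.
            $disabled = [string]$g.GpoStatus -in "${side}SettingsDisabled", 'AllSettingsDisabled'
            if ($g.$side.DSVersion -eq 0 -and -not $disabled) {
                [pscustomobject]@{ Check = "Unused${side}Config"; Gpo = $g.DisplayName
                                   Detail = "$side Configuration was never edited but is still enabled" }
            }
        }
    }
}

if (Get-Module -ListAvailable -Name GroupPolicy) {
    $gpos = Get-GPO -All          # live data from the current domain
} else {
    # Constructed sample data so the checks can be tried without a domain.
    $gpos = @(
        [pscustomobject]@{ DisplayName = 'Desktop Lockdown'; GpoStatus = 'AllSettingsEnabled'
                           User = @{ DSVersion = 12 }; Computer = @{ DSVersion = 0 } }
        [pscustomobject]@{ DisplayName = 'Desktop Lockdown'; GpoStatus = 'AllSettingsEnabled'
                           User = @{ DSVersion = 3 };  Computer = @{ DSVersion = 5 } }
        [pscustomobject]@{ DisplayName = 'Office Deploy'; GpoStatus = 'UserSettingsDisabled'
                           User = @{ DSVersion = 0 };  Computer = @{ DSVersion = 7 } }
    )
}

Get-GpoHygieneFinding -Gpo $gpos | Format-Table -AutoSize
```

With the constructed sample, the function reports one duplicate name and one GPO whose empty Computer Configuration is still enabled; the third GPO is clean because its unused User Configuration is already disabled.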

Managing Client Software Installations

If your organization requires software installations that leverage scheduling, inventorying, reporting, or installation across a wide area network (WAN), you should add a Systems Management Server (SMS) solution to your management arsenal. If, on the other hand, you have simpler software installation and deployment scenarios, you can extend the use of Group Policy to fill this role. Keep in mind these points when deploying software to your network clients:

  • Assign or publish software to high-level Active Directory objects: Because Group Policy settings apply by default to child containers, it is simpler to assign or publish applications by linking a Group Policy Object to a parent organizational unit or domain. Use security descriptors (ACEs) on the Group Policy Object for finer control over who receives the software.

  • Assign or publish just once per Group Policy Object: Management and troubleshooting are simpler, and future confusion is avoided, when you know that each installation package is associated with one Group Policy Object and each policy is associated with one piece of software. Also, do not assign or publish to both the Computer Configuration and User Configuration of a Group Policy Object.

  • Repackage existing software: Because software is installed with Microsoft Windows Installer Packages (MSIs) via Group Policy, you may need to repackage software that is compiled with Setup.exe. Many third-party vendors supply utilities to develop installations in this native Windows format.

  • Specify application categories: Using categories makes it easier for users to find an application in Add or Remove Programs in the Control Panel. You can define application categories, such as Engineering Applications, Marketing Applications, and so on.

Using Folder Redirection

You can use folder redirection to redirect certain special folders on the network client's desktop to network locations. Special folders are those folders, such as My Documents, that are located under Documents and Settings. Folder Redirection is a valuable extension of Group Policy that will come into play for some of the scenarios detailed later in this chapter. The following are some basic rules of thumb to guide you when using this Group Policy extension:

  • Allow the system to create the folders: If you create the folders yourself, they will not have the correct permissions.

  • Do not redirect My Documents to the home directory: This feature is available but should be used only if you have already deployed home directories in your organization. Redirection to the home directory is available only for backward compatibility.

  • Enable client-side caching: This is important for users with portable computers.

  • Synchronize offline files before logging off: This feature of folder redirection should always be enabled to ensure that current files are available to users who work offline.

  • Use fully qualified (UNC) paths: For example, use \\server\share. Although paths like c:\foldername can be used, the path may not exist on all your target network clients, and redirection would fail.




Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
EAN: 2147483647
Year: 2006
Pages: 499
