List of Figures

Chapter 1: Group Policy Essentials

Figure 1.1: Edit a Windows XP Local Group Policy by drilling down into the User Configuration settings.
Figure 1.2: This fictitious Corp.com is relatively simple. Your environment may be more complex.
Figure 1.3: Right-click the domain name and choose Properties.
Figure 1.4: You've just created your first GPO in Active Directory.
Figure 1.5: The Group Policy tab now refers you to the GPMC and provides a link.
Figure 1.6: GPMC shows the same OUs as Active Directory Users and Computers. However, the GPMC shows GPO relationships, not users, computers, or other objects.
Figure 1.7: You need to expose the Active Directory sites before you can link GPOs to them.
Figure 1.8: Imagine your upcoming GPOs as just hanging out in the swimming pool of the domain.
Figure 1.9: The Group Policy Objects folder highlighted here is the representation of the swimming pool of the domain that contains your actual GPOs.
Figure 1.10: In Windows XP, all the tabs in the Display Properties dialog box are available by default.
Figure 1.11: You create your first GPO in the Group Policy Object container by right-clicking and choosing New.
Figure 1.12: You can right-click the GPO in the Group Policy Objects container and choose Edit from the shortcut menu to open the Group Policy Object Editor.
Figure 1.13: Double-click the policy setting and enable it.
Figure 1.14: Once you have your first GPO designed, you can link it to your site.
Figure 1.15: The Screen Saver tab in Windows XP is missing because the site policy is affecting the user.
Figure 1.16: At the domain level, you can create the GPO in the Group Policy Objects container and then immediately link to the GPO from here.
Figure 1.17: The Desktop tab is now also missing because the user is affected by the domain-level policy.
Figure 1.18: When you complete all these steps, your Human Resources OU should have Frank Rizzo and the HR-OU-Admins as well as the Human Resources Users OU and Human Resources Computers OU.
Figure 1.19: Select the "Manage Group Policy Links" task.
Figure 1.20: Frank cannot create new GPOs in the Group Policy Objects container.
Figure 1.21: Frank's delegated rights allow him to link to existing GPOs, but not to create new GPOs.
Figure 1.22: The GPMC will not allow you to edit an existing GPO if you do not own it (or do not have explicit permission to edit it).
Figure 1.23: The Settings tab is missing along with the Desktop tab, but the Screen Saver tab has returned.
Figure 1.24: By enabling this policy setting, you're disabling the Task Scheduler.
Figure 1.25: Use the Find command to find computers in the domain so you can move them.
Figure 1.26: RRAS policies are not associated with Windows 2003 Group Policy.

Chapter 2: Managing Group Policy with the GPMC

Figure 2.1: The Windows 2003 Group Policy Object Editor allows for filtering of the Administrative Template branch.
Figure 2.2: You can link multiple GPOs at the same level.
Figure 2.3: You get this message any time you click the icon for a link.
Figure 2.4: You can choose to enable or disable a GPO link.
Figure 2.5: You can disable half the GPO to make Group Policy process a weeee bit faster.
Figure 2.6: You can delete a link (as opposed to deleting the GPO itself).
Figure 2.7: Here, you're actually deleting the GPO itself.
Figure 2.8: The "Prohibit Tasks in Task Scheduler" GPO (lowest circle) is linked at both the Temporary Office Help OU (middle circle) and this Human Resources Computers OU (topmost circle).
Figure 2.9: Use the "Block Inheritance" feature to prevent all GPOs (and the policy settings within them) from all higher levels from affecting your users and computers.
Figure 2.10: Use the Enforced check box to guarantee settings contained within a specific GPO affect all users downward via inheritance.
Figure 2.11: Create a new Active Directory Security group for whom you want the GPO to apply.
Figure 2.12: When you remove "Authenticated Users," no one will get the effects of the GPO. Add only the users or groups you want the GPO to affect.
Figure 2.13: Selecting "Advanced" in the Delegation tab for the GPO (or GPO link) shows the under-the-hood security settings for the GPO.
Figure 2.14: Use the "Deny" bit to prevent Group Policy from applying.
Figure 2.15: The Security Filtering section on the Scope tab will not show you any use of "Deny" bits under the hood.
Figure 2.16: The Delegation tab helps you set permissions on a GPO.
Figure 2.17: You can choose to delegate to users in your domain, in other domains, or in domains in other forests.
Figure 2.18: These operations are equivalent to the Active Directory Users And Computers "Delegation Wizard."
Figure 2.19: These are controls over the creation of WMI filters.
Figure 2.20: These are controls over the WMI filters themselves.
Figure 2.21: The Group Policy Inheritance tab shows you which GPOs should apply.
Figure 2.22: The Group Policy Results Wizard performs What's-going-on calculations.
Figure 2.23: The Group Policy Results report shows lots of useful information.
Figure 2.24: If specific settings conflict, you can quickly determine which GPO "wins."
Figure 2.25: The Policy Events tab shows you events specific to this target computer.
Figure 2.26: Here, the Group Policy Modeling summary screen shows you what you're about to simulate. For instance, you can simulate moving a computer and/or a user to other locations, among other scenarios.
Figure 2.27: You can back up all your GPOs at once, if desired.
Figure 2.28: You can see all backups or just the latest versions.
Figure 2.29: You can locate GPOs with lots of characteristics.

Chapter 3: Group Policy Processing Behavior

Figure 3.1: Simple deletion of the Registry entry will nullify our policy setting.
Figure 3.2: If you select "Log on using dial-up connection," you first process GPOs in the foreground (when Fast Boot is disabled).
Figure 3.3: The "Allow processing across a slow network connection" setting is not used in Windows 2000, Windows XP, or Windows 2003 for IP Security or EFS settings.
Figure 3.4: Choose the Loopback Processing mode desired, in this case, "Replace."
Figure 3.5: With Group Policy Loopback Replace Mode processing enabled, all users are affected by a computer's setting.
Figure 3.6: Here's one example of how a cross-forest trust can be used.
Figure 3.7: You can set Forest-Wide Authentication or Selective Authentication.
Figure 3.8: You need to specifically grant the "Allowed to Authenticate" right in order for Sol to use this machine.
Figure 3.9: There are four main cases when dealing with NT 4 System Policy and Windows 2000 or Windows XP clients.

Chapter 4: Troubleshooting Group Policy

Figure 4.1: If the PDC Emulator is not available for writing, the user is prompted for an alternate location.
Figure 4.2: Every GPO gets a unique name.
Figure 4.3: Turn on the "Advanced Features" setting to see the Policies folder (and a whole lot more).
Figure 4.4: Expand the Policies folder to expose the underlying GPC objects.
Figure 4.5: Expand the Policies folder to expose the underlying GPC objects.
Figure 4.6: For the love of Pete, please don't do this.
Figure 4.7: Each GPC can display the underlying permissions of the GPO.
Figure 4.8: If Joe creates a GPO, he owns the GPO. No one else (other than Domain Admins or Enterprise Admins) can edit it.
Figure 4.9: The unique names of the GPOs are found as folder names in SYSVOL. This is the unique name for the "Hide Settings Tab/Restore Screen Saver Tab" you saw in Figure 4.2 earlier.
Figure 4.10: Use Gpotool to see if your GPCs and GPTs are synchronized across your Domain Controllers.
Figure 4.11: Gpotool has found trouble in paradise.
Figure 4.12: Replmon can show you the version numbers of all your GPOs.
Figure 4.13: The client-side extension DLLs actually perform the GPO processing.
Figure 4.14: You can disable the entire GPO if desired.
Figure 4.15: The LOGONSERVER variable shows the Domain Controller where this Windows 2000 client is picking up its Group Policy settings.
Figure 4.16: Windows XP's LOGONSERVER variable cannot be trusted. Use Kerbtray instead, which is shown running in the notification area.
Figure 4.17: You can always manually connect to a Domain Controller to see if Active Directory has performed replication.
Figure 4.18: Make sure you haven't raised the bar too high for your slower-connected users to receive Group Policy.
Figure 4.19: The RSoP tool in the Help and Support Center is useful when you're asking users to help you help them.
Figure 4.20: The RSoP MMC Snap-in tool shows you only the policy settings that are configured.
Figure 4.21: The RSoP MMC Snap-in tool calculates the reaction between the specified user and computer.
Figure 4.22: The Event Viewer is a terrific place to start your troubleshooting journey.
Figure 4.23: Verbose logging requires a hack to the Registry.

Chapter 5: Windows ADM Templates

Figure 5.1: Choose Add/Remove Templates from the shortcut menu.
Figure 5.2: The Word9 ADM template is now loaded.
Figure 5.3: Word obeys your policy commands when you load the corresponding ADM template.
Figure 5.4: Here is your new set_sounds.adm ADM template with the Sound portion of the Registry being manipulated.
Figure 5.5: To see old-style preferences, clear the "Only show policy settings that can be fully managed" check box.
Figure 5.6: The Group Policy Object Editor shows your new custom start sound preference setting for Windows.
Figure 5.7: Your Windows XP and Windows 2000 clients should embrace this preference.
Figure 5.8: A typical Windows 2000 network in transition
Figure 5.9: Without the latest ADM templates, your GPMC reports could come up short.
Figure 5.10: Open the ADM template to locate the policy and the corresponding Registry hack.

Chapter 6: Implementing Security with Group Policy

Figure 6.1: The "Default Domain Policy" GPO (linked to the domain level) sets the domain's default Account Policies, Kerberos policy, and Password policy. If you link GPOs containing these policy settings anywhere else, they are essentially ignored when Active Directory is being used.
Figure 6.2: If you have a GPO with a higher precedence than the "Default Domain Policy" GPO, it will "win" if there's a conflict.
Figure 6.3: The "Default Domain Controllers Policy" GPO affects every Domain Controller in the domain.
Figure 6.4: Use DCGPOFIX with Windows 2003 Domain Controllers to restore the defaults if necessary.
Figure 6.5: Active Directory GPOs restrict the modification of local computer policy. Windows XP has a better way than Windows 2000 to display effective permissions. The icon within the local computer policy has changed from "1/0" icons to a scroll and computer icon.
Figure 6.6: It might seem counterproductive to set the Password policy at any level but the domain.
Figure 6.7: Setting a Password policy in the domain (other than at the domain level) will affect passwords used for local accounts upon member machines.
Figure 6.8: Windows 2003 enables lots of auditable events by default.
Figure 6.9: This type of event is generated when GPOs are modified.
Figure 6.10: Auditing for GPO changes is set on the Policies folder within Active Directory Users And Computers.
Figure 6.11: Set auditing for files on the file or folder on the target system.
Figure 6.12: You can create .bat or .vbs files on the fly with this little trick.
Figure 6.13: You can specify which users you want to ensure are in specific groups.
Figure 6.14: Software Restriction Policies are available in both the Computer and User nodes.
Figure 6.15: The Security Levels branch of Software Restriction Policies sets your default level of protection.
Figure 6.16: The Security Levels branch of Software Restriction Policies sets your default level of protection.
Figure 6.17: Once you specify the file, the hash value is filled in.
Figure 6.18: On Windows XP machines, Solitaire is prevented from running.
Figure 6.19: On Windows XP (pre-SP2), a logoff and logon will be required for all "Launching Programs" to get the signal to restrict software.
Figure 6.20: The Registry lays out what will be restricted.
Figure 6.21: The Security Configuration And Analysis and Security Templates nodes are loaded in the MMC. The available security templates are listed here.
Figure 6.22: You can create your own security templates if desired.
Figure 6.23: The Indexing Service has been set to be disabled.
Figure 6.24: Use the Security dialog box to allow or deny access to specific folders.
Figure 6.25: The security analysis checks out the six categories of security.
Figure 6.26: The right pane changes to reflect your database path.
Figure 6.27: A big red X indicates that the machine is not complying with specific settings in the template.
Figure 6.28: Use the secedit command to perform batch analysis.
Figure 6.29: Drill down into the Security Settings, right-click, and then import a template.
Figure 6.30: The Security Configuration Wizard's help file automatically appears on the desktop after SP1 is loaded. However, you need to specifically add in the SCW components via Add/Remove Programs.
Figure 6.31: Kick off the SCW by creating a new security policy.
Figure 6.32: The SCW shows you the roles it thinks are currently running on your server.
Figure 6.33: The SCW will make your system less vulnerable to attack by disabling unused services.
Figure 6.34: Here you can add in additional security templates or just save your SCW policy out as an XML file.
Figure 6.35: The Settings tab might not show any settings from the transformed GPO. However, editing the GPO will show that the settings are, indeed, changed inside the GPO.

Chapter 7: Scripting GPMC Operations

Figure 7.1: The GPMC object model

Chapter 8: Profiles: Local, Roaming, and Mandatory

Figure 8.1: A simple Registry setting shows the entry for the wallpaper.
Figure 8.2: A look inside Frank Rizzo's profile reveals both visible and hidden folders.
Figure 8.3: Load the NTUSER.DAT file into the Registry.
Figure 8.4: It doesn't matter what the temporary dummy key is called.
Figure 8.5: Enter the full path where the desired wallpaper is stored.
Figure 8.6: Select Brett's entry in the User Profiles dialog box.
Figure 8.7: Copy the profile you just created to the NETLOGON share of a Domain Controller. Then, click Change to allow Everyone to use the profile.
Figure 8.8: Change the permissions on the Profiles share so that Authenticated Users have Change control.
Figure 8.9: Point the user's profile path settings at the server and share name.
Figure 8.10: Administrators cannot poke around user profiles (by default).
Figure 8.11: To move a specific profile to the server, use the Copy To dialog box.
Figure 8.12: You can see the two new "service profiles" in the upper window. You can see the system's own profile in the lower window.
Figure 8.13: Users roaming within Cross-Forest scenarios receive this message.
Figure 8.14: There are many policy settings that affect profiles.
Figure 8.15: Roaming Profile policy settings flowchart
Figure 8.16: Some entries for profiles are found under the User Node in Group Policy.
Figure 8.17: You can limit the Roaming Profile size, if desired.
Figure 8.18: Once the Roaming Profile size is set, users can't log off until they delete some files.
Figure 8.19: Prevent specific folders, such as the Desktop, from roaming.
Figure 8.20: Use the Copy To dialog box to copy one profile for many users.
Figure 8.21: Change a Roaming Profile to a Mandatory Profile by renaming NTUSER.DAT to NTUSER.MAN.
Figure 8.22: Point all similar users to the new Mandatory Profile.
Figure 8.23: You can prevent people from inadvertently modifying the newly established profile.
Figure 8.24: Take ownership of the folder.
Figure 8.25: You can force a Mandatory Profile if absolutely necessary.

Chapter 9: Intellimirror, Part 1: Redirected Folders, Offline Files, Synchronization Manager, and Disk Quotas

Figure 9.1: This is Microsoft's picture of the relationship between CCM and IntelliMirror.
Figure 9.2: Share the Data folder such that Authenticated Users have Change permissions.
Figure 9.3: The LikeUsers OU has a GPO named "My Docs Folder Redirection." After drilling down into the folder that you want to redirect, right-click and choose Properties.
Figure 9.4: The Basic settings redirect all users in the OU to the same location.
Figure 9.5: The Settings tab in Folder Redirection holds all sorts of magical powers!
Figure 9.6: Use the Advanced redirection function to choose different locations to move users' data.
Figure 9.7: Windows 2000 Folder Redirection in action
Figure 9.8: Windows XP Folder Redirection in action
Figure 9.9: Use one static path to ensure that all desktops receive the same setting.
Figure 9.10: Fast Boot in Windows XP can delay Folder Redirection until multiple reboots.
Figure 9.11: Be sure the user has permissions to write to the share you set up.
Figure 9.12: GPResult can help you determine if Folder Redirection is working.
Figure 9.13: The conflict-resolution engine helps users decide which version of a file they want to keep.
Figure 9.14: Four Offline Settings for caching behavior are available in Windows 2003.
Figure 9.15: Users can "pin" files by right-clicking them and making them available offline.
Figure 9.16: The Offline Files Wizard asks if the user wants to synchronize upon logon and logoff; usually a pretty good idea.
Figure 9.17: If the Enable Reminders check box is checked, your users will know if something happens to the network; the only problem is that your users then know that something has happened to the network!
Figure 9.18: When synchronization is complete, this dialog box automatically closes.
Figure 9.19: Pinned files can easily be recognized by their "roundtrip" yin-yang icon.
Figure 9.20: The files in the Offline Files folder cache are only those that Wanda (on her Windows 2000 laptop) has actually used.
Figure 9.21: An Offline Files folder in Windows XP shows much more activity than an Offline Files folder on a Windows 2000 machine.
Figure 9.22: The Folder Options item on the Tools menu is the first place to start your Offline Folders configurations.
Figure 9.23: The default options for Offline Files on a Windows XP Professional machine. Only administrators can change all the options.
Figure 9.24: Pop-up balloons inform your users that they have lost connectivity to the network.
Figure 9.25: Users can select specific shares on which to synchronize items.
Figure 9.26: The Synchronization Manager is a framework for snap-ins such as "Offline Files" and "Offline Web Pages."
Figure 9.27: In Windows XP, Explorer is more vigorous in actually touching and opening files; hence, they are downloaded into the cache.
Figure 9.28: You'll find a slew of Offline Files options under the User node.
Figure 9.29: Many Offline Files options can also be found under the Computer node.
Figure 9.30: Use this feature to prevent users from using a specific server's files when offline.
Figure 9.31: Use the Administratively Assigned Offline Files policy setting to force specific files or folders to be pinned like the My Documents folder!
Figure 9.32: All files inside the My Documents folder on this Windows 2000 system are now pinned.
Figure 9.33: The workstation log shows that the server is available.
Figure 9.34: The workstation log shows state transitions in relation to the server.
Figure 9.35: You modify the options on the Quota tab for each drive letter.
Figure 9.36: Once you apply Quota Defaults, the system looks for all users on that volume who own files.
Figure 9.37: In the Add New Quota Entry dialog box, set a specific user's quota differently from the defaults.
Figure 9.38: You can get a bird's-eye view of who's using how much disk space.
Figure 9.39: You can use policy settings to dictate quotas on specific machines.
Figure 9.40: You can set the default disk warning and disk limit of the affected computers.

Chapter 10: IntelliMirror, Part 2: Software Deployment via Group Policy

Figure 10.1: You need to perform an Administrative Installation to prepare a source installation folder for Office.
Figure 10.2: The files are simply copied to the share; Office isn't being installed (despite the notification that it is).
Figure 10.3: Right-click the GPSI settings to deploy a new package.
Figure 10.4: Always use the full UNC and never the local path when this dialog box requests the file.
Figure 10.5: The applications you assign are listed under the node you chose to use (Computer > Software Installation or User > Software Installation).
Figure 10.6: Applications Assigned to computers install completely upon reboot.
Figure 10.7: The Office XP icons and program names will appear on the Start menu (more specifically on the Start > All Programs menu).
Figure 10.8: You always Publish .zap files in Add/Remove Programs.
Figure 10.9: Office installations prevent users from just clicking the actual .exe of the installed file. Again, this behavior is entirely application specific.
Figure 10.10: These are the options on the Deployment tab when Assigning to computers.
Figure 10.11: These are the options on the Deployment tab when Assigning or Publishing to users.
Figure 10.12: The default of "Maximum" results in many applications no longer being a silent install.
Figure 10.13: The options in the Advanced Deployment Options dialog box in Windows 2003 Server
Figure 10.14: Use the Upgrades tab to migrate from one application to another.
Figure 10.15: Use the CIW to choose the options you want and create the .mst file.
Figure 10.16: Use the Security tab to specify who can and cannot run applications.
Figure 10.17: Use the GPSI Properties dialog box to set up general deployment settings.
Figure 10.18: You can set up some default settings for new packages in this GPO.
Figure 10.19: Use the File Extensions tab to set the priority for conflicting file extensions.
Figure 10.20: When applications fall out of the scope of management, they uninstall.
Figure 10.21: The MSICUU program in the Windows 2000 Support Tools can whack entire programs off your system.
Figure 10.22: Use Group Policy to change the default slow-link behavior.
Figure 10.23: This is what happens when a user tries to use a program that isn't fully installed.
Figure 10.24: Once you patch a .msi source, be sure to select "Redeploy Application."
Figure 10.25: Use Group Policy to affect the Windows Installer settings.
Figure 10.26: The Windows Installer user settings
Figure 10.27: The Scriptomatic version 1 tool from the "Microsoft Scripting Guys"
Figure 10.28: Right-click over the WMI Filters node to create a WMI filter.
Figure 10.29: Enter in a name and description, then click the Add button to enter in your WMI filter.
Figure 10.30: Choose the GPO (or GPO link) and select a WMI Filter.

Chapter 11: Beyond IntelliMirror: Shadow Copies and Remote Installation Services

Figure 11.1: You set the Shadow Copies characteristics on a per-volume basis.
Figure 11.2: You can specify how much space to dedicate when files change, set a schedule to make Shadow Copies, and specify where to locate the storage area.
Figure 11.3: You can simply use GPSI to deploy the Shadow Copy client to your Windows 2000 and Windows XP (pre-SP2) machines.
Figure 11.4: After at least one change is preserved, users can revert to a point-in-time file.
Figure 11.5: You can restore the entire contents of the folder, or just use View to drag and drop the file to be restored to an alternate location.
Figure 11.6: Adding the RIS components is easy, even after Windows 2000 Server or Windows 2003 Server is fully installed.
Figure 11.7: Windows XP is copied from the installation source to be your first image.
Figure 11.8: You can customize some RIS defaults, such as the client's computer name.
Figure 11.9: When running RIPREP, give the image a descriptive name.
Figure 11.10: If you answer all the questions, your RIS installations will blast on through.
Figure 11.11: On this screen, tell the RIS server you want to associate an answer file with an image.
Figure 11.12: Use the RIS Group Policy objects to affect the users working with RIS.

Appendix A: Group Policy Tools

Figure A.1: You can copy a GPO from the Group Policy Objects container.
Figure A.2: When you paste a GPO, you can choose how to handle permissions.
Figure A.3: You can import the settings and overwrite an existing GPO.
Figure A.4: Select a GPO from which you want to import settings.
Figure A.5: A migration table can smooth the bumps between domains.
Figure A.6: GPMonitor
Figure A.7: Group Policy Inventory
Figure A.8: WinPolicies
Figure A.9: Group Policy Management Pack for MOM


Group Policy, Profiles, and IntelliMirror for Windows 2003, Windows XP, and Windows 2000
ISBN: 0782144470
Year: 2005
Pages: 110
