Microsoft Tools Roundup

Previous page
Table of content
Next page

As might be expected, Microsoft has a slew of tools to help manage your Group Policy infrastructure as well as your user profiles. In this section, we'll check out the Microsoft tools and where to find them.

image from book
Wholesale Backup and Restore of Your Test Lab (or an Easy Way to Migrate to Production)

One more tip before we leave this section. That is, when you're working in your test lab, you might find it necessary to completely demolish and rebuild your test lab for any variety of reasons. However, as noted in Chapter 2, when a GPO is restored, the links are not restored along with the GPO. Again, this is a protection mechanism for your benefit. However, as they say in the hallowed IT halls, "What you do in the test lab, stays in the test lab." So the test lab is a different animal. And, to that end, you might want to back up a whole gaggle of stuff for safekeeping, such as:

  • GPOs

  • Group Policy links

  • Security groups

  • Users

  • Permissions on GPOs

Then, if you need to demolish your test lab and put it back in order, you'll need a way to perform a wholesale restore of all these objects. The GPMC has a built-in script that will back up all these things into one little package. Then, when you're ready, you run another script that takes the package and expands it back into these objects.

The script that does all the backup stuff is called CreateXMLFromEnvironment.vbs. The one that does all the restoring is CreateEnvironmentFromXML.vbs. Both scripts are located in C:\Program Files\GPMC\scripts.

The other reason to use these scripts is to do a wholesale migration from the testlab into the real production environment. Personally, I'm not all that keen on a wholesale backup and restore of my testlab into the real world, but I guess if you had nothing at all in the real world this could be a useful way to get things over lock-stock-and-barrel. These scripts are a little too far-reaching for that purpose for my taste, but perhaps you'll find them just the thing.

Microsoft has a document about the ins and outs of both of these scripts. Be sure to check it before you jump headlong into using it, though, at http://tinyur1.com/ahen8 .

image from book
 

Group Policy Tools from Microsoft

Except for Active Directory Monitor and GPInventory, you can download the remainder of the Microsoft tools for free from the Windows 2003 Resource Kit. As of this writing, you can find it at www.microsoft.com/windowsserver2003/down1oads/tools/default.mspx under the heading "Windows Server 2003 Resource Kit Tools." After you install the Resource Kit, you'll find the tools in the \Program Files \ Windows Resource Kits \ Tools folder. Some of these tools are ready to use; others require additional installation.

Active Directory Monitor and GPOTOOL

These tools help to troubleshoot GPOs if the GPC and GPT get out of sync. See Chapter 4 for information.

admX ( within ADMX.MSI )ADM Template Comparison Utility

This tool prints (or redirects) an ADM template into a nice readable format for documentation. It will parse an ADM file and list: Registry path , Symbolic Policy Name, Full Policy Name , Registry Settings, and the Supported on keyword. You can also use it to show the differences between two similar ADM files.

This tool requires additional installation. Be sure the latest .Net Framework is installed (the one built in to Windows 2003 is not sufficient). Next , run the ADMX.MSI to install and follow the wizard. After installation, the default location for admX is c:\Program Files\Microsoft\admx. You'll need to execute admX.exe from there.

GPMonitorGroup Policy Monitor Tool

The purpose of GPMonitor, which is shown in Figure A.6, is to perform historical analysis of what has changed between different Group Policy refresh intervals on your clients and servers. This tool requires an armload of additional installation; it unpacks to a set of files that need to stay together. You deploy the MSI (Microsoft Installer) to two locations: the clients you want to monitor and a management station that you'll use to see your results. After you unpack the MSI, you deploy the MSI file via GPSI (Group Policy Software Installation) to the clients . Additionally, this package comes with an ADM template, which you need to import into the Group Policy Object Editor. The point of the ADM file is to push the data about the client's Group Policy application to a central shared folder location.

image from book
Figure A.6: GPMonitor

Once your clients start pushing up the data, you can run the GPMonitorUI at your management station to see what's going on. The clients will upload their historical data every N Group Policy refreshes. (The default is every 8.) From your management station, you can then see which GPOs have or have not applied yesterday , but are applying todayamong other possibilities.

Note 

Your management station needs the GPMC loaded in order to display the data as seen in Figure A.6, but the clients you want to monitor do not.

GPInventoryGroup Policy Inventory Tool

GPInventory is a late addition to the Windows 2003 Server Resource Kit. You must download and install it separately. To find it, search for "Group Policy Inventory" on Microsoft's website.

GPInventory can reach out across the network and query your clients and servers for a list of attributes you want to document in Excel or a text file. Simply point GPInventory toward a list of clients, select the attributes you want to gather, and then let it do its thing. Afterward, just save the resulting file.

In Figure A.7, I can easily find out how much memory my Windows XP clients have by selecting the "WMI: Computer Memory" field and documenting the RSoP (Resultant Set of Policy) status of all my clients with some of the other attributes.

image from book
Figure A.7: Group Policy Inventory

InetESC.adm

InetESC.adm is a Group Policy template that enhances the security configuration of Internet Explorer for Windows 2003 Server. Be sure to read the Resource Kit notes for specifically how to use it.

The WinPolicies Tool

WinPolicies, which is shown in Figure A.8, is also known as the "Policy Spy" (which happens to be what my next costume for Halloween will be, coincidentally). Anyway, WinPolicies can perform lots of the ultra -propeller head client-side troubleshooting stuff you saw in Chapter 4, without having to get your fingers too dirty.

image from book
Figure A.8: WinPolicies

Specifically, you can enable verbose logging, perform tracing, refresh policies (enforced, or not enforced), and get additional troubleshooting information. Typically, you run this tool on the client system experiencing the problem. You can run it as a mere-mortal user or as an administrator. Several features let you enter alternative credentials so you can use it, mostly, as a mere mortal, but still see log files that are for admins only. That's a nice touch.

WinPolicies doesn't really add any new features to the Group Policy troubleshooting arsenal, but it does consolidate them. And you still need to understand what you're looking at in order to make heads or tails of the output. Hopefully, the information in Chapter 4 gets you off to the right start.

The Group Policy Management Pack for MOM

MOM snap-in to monitor the health of Group Policy on WS 2003 Servers.

  • http://tinyur1.com/anatx

Microsoft Introduced the Group Policy Managemnet Pack for MOM for two very specific reasons. Organizations needed a mechanism to monitor the health of the Group Policy system. Many of the things, if not all of the things, that we do in Group Policy are mission critical. In the event that one of these pieces decides to go south we need to know about it. The Group Policy Management Pack monitors both Group Policy core processing and individual Client Side extensions. There are some limitations to the Managemnet Pack. It does not represent all of the extensions but Core , Software Installation, Folder Redirection, Quotas and other are included. Additionally there is quite a bit of knowledge built into the Pack to aid in troubleshooting.The Group Policy Management Pack can be downloaded from http://tinyur1.com/6mqy9 .

image from book
Figure A.9: Group Policy Management Pack for MOM

Profile Tools from Microsoft

Microsoft also has two tools to help manipulate Profiles if they need a kick in the pants. Here they are.

The Delprof Tool

You use this utility to bulk-delete profileseither locally or remotely. An update is available at www.microsoft.com/windowsserver2003/techinfo/reskit/tools/default.mspx . This is a command-line tool, so be careful, you can get in a lot of trouble in a hurry. Microsoft has a nice Knowledge Base article on this tool, MSKB 315411, that discusses how to eliminate profiles if they are not used in, say, 30 days.

The Proquota Tool

You can use this tool to limit the size that the roaming user profile can become. This isn't a tool you can run, per se. It's part of the operating system. It is invoked whenever the Limit profile size policy setting in User Configuration ˜ Administrative Templates ˜ System ˜ User Profiles is set to Enabled.


Previous page
Table of content
Next page
Group Policy, Profiles, and IntelliMirror for Windows 2003, Windows XP, and Windows 2000
Group Policy, Profiles, and IntelliMirror for Windows2003, WindowsXP, and Windows 2000 (Mark Minasi Windows Administrator Library)
ISBN: 0782144470
EAN: 2147483647
Year: 2005
Pages: 110
Authors: Jeremy Moskowitz
BUY ON AMAZON
Project Management JumpStart
Metrics and Models in Software Quality Engineering (2nd Edition)
Information Dashboard Design: The Effective Visual Communication of Data
Cultural Imperative: Global Trends in the 21st Century
Quartz Job Scheduling Framework: Building Open Source Enterprise Applications
Programming .Net Windows Applications
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy