Date post: 29-Jan-2016
Upload: adrian-francis
1 Administering Group Policy Group Policy Concepts Group Policy Implementation Planning Implementing Group Policy Managing Software Using Group Policy Managing Special Folders Using Group Policy Troubleshooting Group Policy

Administering Group Policy

• Group Policy Concepts

• Group Policy Implementation Planning

• Implementing Group Policy

• Managing Software Using Group Policy

• Managing Special Folders Using Group Policy

• Troubleshooting Group Policy

Group Policy Concepts

• What Is Group Policy?

• Group Policy Objects

• Delegating Control of Group Policy

• The Group Policy Snap-In

• Group Policy Settings

• Computer and User Configuration Settings

• The MMC Snap-In Model

• Group Policy Snap-In Namespace

• How Group Policy Affects Startup and Logon

• How Group Policy Is Processed

• Group Policy Inheritance

• Using Security Groups to Filter Group Policy

What Is Group Policy?

• A group policy is a collection of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users’ desktops.

• Group policies can determine the programs that are available to users, the programs that appear on the users’ desktops, and Start menu options.

Group Policy Objects

• GPOs are used to create a specific desktop configuration for a particular group of users.

• GPOs are collections of group policy settings.

• Each Windows 2000 computer has one local GPO and is subject to any number of nonlocal Active Directory–based GPOs.

• Local GPO settings can be overridden by nonlocal GPOs, so the local GPO is the least influential if the computer is in an Active Directory environment.

Group Policy Objects (cont’d)

• In a nonnetworked environment, the local GPO’s settings are more important because they are not overwritten by nonlocal GPOs.

• Nonlocal GPOs are linked to Active Directory objects and can be applied to either users or computers.

• To use nonlocal GPOs, a Microsoft Windows 2000 domain controller must be installed.

• Nonlocal GPOs are applied hierarchically from the least restrictive group (site) to the most restrictive group (OU) and are cumulative.

Delegating Control of Group Policy

• Determine which administrative groups can administer GPOs by defining access permissions for each GPO.

• Assign Read and Write permissions on a GPO to an administrative group to delegate control of the GPO to that group.

Group Policy Snap-In

Group Policy Snap-In Overview

• The MMC snap-in is used to organize and manage the many group policy settings in each GPO.

• Depending on the action to perform, the Group Policy snap-in can be opened in several ways.

Group Policy Settings

• Contained in a GPO

• Determine the user’s desktop environment

• Two types: Computer configuration settings and user configuration settings

Computer Configuration Settings

• Used to set group policies applied to computers, regardless of who logs on

• Applied when the OS initializes

• Include Software Settings, Windows Settings, and Administrative Templates

User Configuration Settings

• Used to set group policies applied to users, regardless of which computer the user logs on to

• Applied when users log on to the computer

• Include Software Settings, Windows Settings, and Administrative Templates

Software Settings

Windows Settings

Scripts

• Two types of scripts: startup/shutdown and logon/logoff.

• Startup/shutdown scripts run at computer startup or shutdown.

• Logon/logoff scripts run when a user logs on or off the computer.

• When multiple scripts are assigned to a user or computer, Windows 2000 executes the scripts from top to bottom.

• The order of execution for multiple scripts can be specified in the Properties dialog box.

Scripts (cont’d)

• When a computer is shut down, Windows 2000 first processes logoff scripts, followed by shutdown scripts.

• The default timeout value for processing scripts is 10 minutes.

• A software policy can be used to adjust the timeout value if the logoff and shutdown scripts require more than 10 minutes to process.

• Administrators can use any ActiveX scripting language they choose.

• Scripting languages include VBScript, JScript, Perl, and MS-DOS style batch files.

Security Settings

• Security Settings allows a security administrator to manually configure security levels assigned to a local or nonlocal GPO.

• The configuration can be done after, or instead of, using a security template to set system security.

Additional User Configuration Group Policy Settings

• Internet Explorer Maintenance: Allows the administration and customization of IE on Windows 2000 computers

• Remote Installation Services: Used to control the behavior of remote OS installation; optionally, RIS can be used to provide customized packages for non-Windows 2000 clients of Active Directory

• Folder Redirection: Allows for the redirection of Windows 2000 special folders from their default user profile location to an alternate location on the network, where they can be centrally managed

Administrative Templates

Administrative Templates Overview

• More than 450 settings are available for configuring the user environment.

• Computer configurations are saved in the registry in HKEY_LOCAL_MACHINE (HKLM).

• User configurations are saved in the registry in HKEY_CURRENT_USER (HKCU).

Computer and User Configurations

• Administrative Templates contains all registry-based group policy settings, including settings for Windows Components, System, and Network.

• Windows Components: Allows the administration of the Windows 2000 components, including NetMeeting, Internet Explorer, Windows Explorer, MMC, Task Scheduler, and Windows Installer.

• System: Used to control logon and logoff functions and group policy itself.

• Network: Allows the control of settings for Offline Files and Network and Dial-Up Connections.

Computer Configuration Only

• Administrative Templates contain additional group policy settings for Printers.

• System settings contain Disk Quotas, DNS Client, and Windows File Protection.

User Configuration Only

Administrative Templates contains additional registry-based group policy settings.

• Start Menu & Taskbar settings: Control a user’s Start menu and taskbar

• Desktop settings: Control the appearance of a user’s desktop

• Control Panel settings: Determine the Control Panel options available to a user

The MMC Snap-In Model

• Nodes of the Group Policy snap-in are MMC snap-in extensions.

• By default, all the available Group Policy snap-in extensions are loaded when the Group Policy snap-in is started.

• The default behavior can be modified by using the MMC method of creating custom consoles and by using policy settings to control the behavior of MMC itself.

• The Administrative Templates node is used to configure the policy settings.

• Developers can create an MMC extension to the Group Policy snap-in to provide additional policies.

• Snap-in extensions may be extended.

Group Policy Snap-In Namespace

• The root node of the Group Policy snap-in is displayed as the name of the GPO and the domain to which it belongs.

• Format: GPO Name [DomainName] Policy.

• Example: Default Domain Controllers Policy [server1.microsoft.com] Policy.

How Group Policy Affects Startup and Logon

• The network starts, and RPCSS and MUP are started.

• An ordered list of GPOs is obtained for the computer.

• Computer configuration settings are processed.

• Startup scripts run.

• The user presses Ctrl+Alt+Delete to log on.

• After the user is validated, the user profile is loaded, governed by the group policy settings in effect.

• An ordered list of GPOs is obtained for the user.

• User configuration settings are processed.

• Logon scripts run.

• The OS user interface prescribed by group policy appears.

How Group Policy Is Processed

• Local GPO:

• Each Windows 2000 computer has exactly one GPO stored locally.

• Site GPOs:

• Any GPOs that have been linked to the site are processed next, synchronously; the administrator specifies the order of GPOs linked to a site.

• Domain GPOs:

• Multiple domain-linked GPOs are processed synchronously; the administrator specifies the order of GPOs linked to a domain.

• OU GPOs:

• GPOs linked to the OU highest in the Active Directory hierarchy are processed first, followed by GPOs linked to its child OU, and finally, the GPOs linked to the OU that contains the user or computer are processed.

Group Policy and Active Directory

Exceptions to the Processing Order

• A computer that is a member of a workgroup processes only the local GPO.

• No Override.

• Block Policy Inheritance.

• Loopback setting.

Group Policy Inheritance

• Group policy is passed down from parent to child containers.

• If a separate group policy is assigned to a parent container, that group policy applies to all containers beneath the parent container, including the user and computer objects in the container.

• If a group policy setting is specified for a child container, the child container’s group policy setting overrides the setting inherited from the parent container.

• If a parent OU has policy settings that are not configured, the child OU does not inherit them.

Group Policy Inheritance (cont’d)

• Policy settings that are disabled are inherited as disabled.

• If a policy is configured for a parent OU, but not for a child OU, the child inherits that parent’s policy setting.

• If a parent policy and a child policy are compatible, the child inherits the parent policy, and the child’s setting is also applied.

• Policies are inherited as long as they are compatible.

• If a policy configured for a parent OU is incompatible with the same policy configured for a child OU, the child does not inherit the policy setting from the parent; the setting in the child is applied.

Using Security Groups to Filter Group Policy

• Because more than one GPO can be linked to a site, domain, or OU, GPOs associated with other directory objects may need to be linked.

• By setting the appropriate permissions for security groups, group policy can be filtered to influence only the computers and users specified.

Group Policy Implementation Planning

• Designing GPOs by Setting Type

• GPO Implementation Strategies

• Layered vs. Monolithic GPO Design

• Functional Roles vs. Team Design

• OU Delegation with Central or Distributed Control

GPO Setting Types

Single Policy Type

• Includes GPOs that deliver a single type of group policy setting.

• The goal is to separate each type of group policy setting into a separate GPO.

• Create a GPO for software management settings, user documents and settings, software policies, and so on.

• Give Read/Write access only to the user or users who need to administer a GPO.

• Best suited for organizations in which administrative responsibilities are delegated among several individuals.

Multiple Policy Type

• Includes GPOs that deliver multiple types of group policy settings.

• The goal is to include multiple types of group policy settings in a single GPO.

• Best suited for organizations in which administrative responsibilities are centralized and an administrator may need to perform many or all types of group policy administration.

Dedicated Policy Type

• Includes GPOs dedicated to either Computer Configuration or User Configuration group policies.

• The goal is to include all User Configuration group policy settings in one GPO and all Computer Configuration group policy settings in a separate GPO.

• Increases the number of GPOs that must be processed at logon; lengthens logon time.

• Aids in troubleshooting.

GPO Implementation Strategies

• Planning an AD structure requires consideration of how group policy will be implemented for the organization.

• Delegation of authority, separation of administrative duties, central versus decentralized administration, and design flexibility are important factors.

• Most organizations will combine several strategies to create custom solutions.

Layered vs. Monolithic Design

Layered

• The goal is to include a specific policy setting in as few GPOs as possible.

• Create a base GPO to be applied to the domain that contains policy settings for as many users and computers in the domain as possible.

• Create additional GPOs tailored to the common requirements of each corporate group and apply them to the appropriate OUs.

• When a change is required, GPOs have to be modified to enforce the change.

• Administration is simplified at the expense of a longer logon time.

• Best suited for environments in which different groups in the organization have common security concerns and changes to group policy are frequent.

Monolithic

• The goal is to use very few GPOs for any given user or computer.

• All the policy settings required for a given site, domain, or OU should be implemented within a single GPO.

• If the site, domain, or OU has groups of users or computers with different policy requirements, consider subdividing the container into OUs and applying separate GPOs to each OU rather than to the parent.

• Changes involve more administration than with the layered approach because the settings may need to be changed in multiple GPOs.

• The logon time is shorter than it is with the layered approach.

• Best suited for environments in which users and computers can be classified into a small number of groups for policy assignment.

Functional Roles vs. Team Design

Functional Roles vs. Team Design Overview

• Active Directory’s OU structure was designed to facilitate ease of administration and delegation of authority.

• The OU structure may or may not represent the functional roles within the organization.

• When designing group policy for an organization with a functional role OU structure, the group policy should be designed by delegating control to the OU levels.

• If the OU architecture does not represent group organization, then OU delegation of control should be used, but groups should be used as a filtering mechanism for applying group policy.

Functional Roles Design

• The goal is to use an OU structure that reflects the functional roles within the organization for applying group policy.

• A minimum number of GPOs is used, with each tailored to a group’s specific needs.

• A GPO is created for each OU.

• Network administrators can set ACL permissions for GPO administration either at the domain or OU administrator level.

• Best suited for organizations designed according to functional roles; groups of users organized according to users’ occupations.

• Each functional role requires specific group policies.

Team Design

• The goal is to use groups as a filtering mechanism in applying group policy in an organization that uses the virtual team concept.

• Individuals within the organization form teams to perform a task or project and each individual is a member of multiple teams.

• Each team has specific group policy requirements.

• Eliminates complexity by strategically applying the GPOs at only one location.

• Allows administrators to centrally administer the GPOs and minimizes the GPO-to-OU assignments.

• Best suited for organizations that need an efficient and flexible method of managing group policy in a dynamic environment with an OU architecture that does not reflect the team structure.

Central vs. Distributed Control

OU Delegation Overview

• Administration of OUs can be delegated.

• OU administrators may need to block group policies that have been assigned to their OU at higher organizational levels.

• Certain policies may need to be enforced, and OU administrators will not be allowed to block them.

• Accomplished by using a central or distributed control design

Central Control Design

• Offers delegated administration as well as centralized control.

• Use the No Override option on OUs.

• Create a GPO to include only security settings for a domain, and then set the No Override option so that all child OUs are affected by the security options specified at the domain level.

• For all other types of policy, control of those GPOs could be delegated to the specific OU administrators.

• Best suited for organizations that choose to delegate administration of OUs, but would like to enforce certain group policies throughout the domain.

Distributed Control Design

• Administrators of OUs are allowed to block group policies from being applied to their OU, but can’t block group policies marked as No Override.

• Create GPOs for each OU.

• Set ACL permissions allowing OU administrators full control over GPOs.

• Set the Block Policy Inheritance option for each OU.

• Best suited for organizations that choose to minimize the number of domains, but do not want to sacrifice autonomous administration of OUs.

• Allows administrators to enforce certain group policies throughout the domain.
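
Added example (not part of the original slides): a small Python model of the processing order described earlier (local, site, domain, then OUs from parent to child) combined with No Override and Block Policy Inheritance, useful for checking which settings survive when an OU administrator blocks inheritance. The GPO names and setting names are constructed; it assumes the local GPO is not affected by blocking, that links within a container are listed in processing order, and that when two No Override GPOs conflict the one processed first (highest in the hierarchy) wins.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict  # configured settings only; "Not Configured" means absent


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False


@dataclass
class Container:  # a site, a domain, or an OU
    name: str
    links: list = field(default_factory=list)  # listed in processing order (assumption)
    block_inheritance: bool = False


def processing_order(local_gpo, chain):
    """chain = [site, domain, top-level OU, ..., OU that holds the object]."""
    inherited = []
    for container in chain:
        if container.block_inheritance:
            # Blocking drops every link from higher containers except
            # those marked No Override.
            inherited = [link for link in inherited if link.no_override]
        inherited.extend(container.links)
    # Assumption: the local GPO is processed first and is never blocked.
    return [Link(local_gpo)] + inherited


def resultant_settings(local_gpo, chain):
    """Return {setting: (value, winning GPO name)} for an object in chain[-1]."""
    result, locked = {}, set()
    for link in processing_order(local_gpo, chain):
        for key, value in link.gpo.settings.items():
            if key in locked:
                continue  # already fixed by an earlier No Override GPO
            result[key] = (value, link.gpo.name)  # later GPOs override earlier ones
            if link.no_override:
                locked.add(key)
    return result


def build_sample():
    """Constructed sample hierarchy: site -> domain -> Engineering OU -> Lab OU."""
    local = GPO("Local GPO", {"wallpaper": "local.bmp", "screensaver_lock": False})
    security = GPO("Domain Security", {"screensaver_lock": True})
    base = GPO("Domain Base", {"wallpaper": "corp.bmp", "hide_run": True})
    eng = GPO("Engineering", {"hide_run": False})
    lab = GPO("Lab", {"screensaver_lock": False, "wallpaper": "lab.bmp"})

    site = Container("Site")
    domain = Container("Domain", [Link(security, no_override=True), Link(base)])
    eng_ou = Container("Engineering OU", [Link(eng)])
    lab_ou = Container("Lab OU", [Link(lab)], block_inheritance=True)
    return local, [site, domain, eng_ou], [site, domain, eng_ou, lab_ou]


if __name__ == "__main__":
    local, eng_chain, lab_chain = build_sample()
    for label, chain in (("Engineering OU", eng_chain), ("Lab OU", lab_chain)):
        print(label)
        print("  order:", [l.gpo.name for l in processing_order(local, chain)])
        for key, (value, source) in sorted(resultant_settings(local, chain).items()):
            print(f"  {key} = {value!r} (from {source})")
```

In the sample, the Lab OU's block removes the Domain Base and Engineering GPOs, but the No Override security GPO still applies and the Lab GPO's attempt to turn off the screen-saver lock is ignored.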

Implementing Group Policy

• Implementing Group Policy

• Creating a GPO

• Creating a GPO Console

• Delegating Administrative Control of a GPO

• Specifying Group Policy Settings

• Disabling Unused Group Policy Settings

• Indicating GPO Processing Exceptions

• Filtering GPO Scope

• Linking a GPO

• Modifying Group Policy

• Removing a GPO Link

• Deleting a GPO

• Editing a GPO and GPO Settings

• Practice: Implementing a Group Policy

Delegating Administrative Control of a GPO

• After a GPO is created, determine which groups of administrators have access permissions to the GPO.

• The Default Domain Policy GPO cannot be deleted by any administrator, by default.

• Prevents the accidental deletion of this GPO, which contains important required settings for the domain

• If working with a GPO from a pre-built console, such as Active Directory Users and Computers, the Delegation Of Control Wizard is not available for use in delegating administrative control of a GPO; it only controls security of an object.

Default GPO Permissions

• Authenticated Users: Read, Apply Group Policy, Special Permissions

• CREATOR OWNER: Special Permissions

• Domain Administrators: Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions

• Enterprise Administrators: Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions

• SYSTEM: Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions

Disabling Unused Group Policy Settings

• If a GPO has only settings that are Not Configured, then it is possible to avoid processing those settings by disabling the node.

• Disabling the node expedites startup and logon for those users and computers subject to the GPO.

Indicating GPO Processing Exceptions

• GPOs are processed according to the Active Directory hierarchy.

• The default order of processing group policy settings may be changed by several actions.

Modifying the Order of GPOs

Filtering GPO Scope

• Policies in a GPO apply only to users who have Read permission for that GPO.

• The scope of a GPO is filtered by creating security groups and then assigning Read permission to the selected groups.

• A policy is prevented from applying to a specific group by denying that group Read permissions to the GPO.

Permissions for GPO Scopes

Linking a GPO

• By default, a new GPO is linked to the site, domain, or OU that was selected in the MMC when it was created.

• Settings apply to that site, domain, or OU.

• The Group Policy tab for the site, domain, or OU properties is used to link a GPO to additional sites, domains, or OUs.

Add A Group Policy Object Link Dialog Box

Removing, Deleting, and Editing GPOs

• Removing a GPO Link

• Removing a GPO link unlinks the GPO from the specified site, domain, or OU.

• The GPO remains in Active Directory until it is deleted.

• Deleting a GPO

• Deleting a GPO removes it from Active Directory.

• Any sites, domains, or OUs to which a GPO is linked when it is deleted will no longer be affected by it.

• Editing a GPO

• The same procedures that are used for creating a GPO and for specifying group policy settings are used to edit a GPO or its settings.

Managing Software Using Group Policy

• Software Management Tools

• Assigning Applications

• Publishing Applications

• How Software Installation Works

• Implementing Software Installation

• Planning and Preparing a Software Installation

• Setting Up an SDP

• Specifying Software Installation Defaults

• Deploying Software Applications

• Setting Automatic Installation Options

• Setting Up Application Categories

• Setting Software Application Properties

• Maintaining Software Applications

Managing Software Using Group Policy Overview

• The Software Installation extension is a software management feature of Windows 2000 that is an administrator’s primary tool for managing software within an organization.

• Managing software using Software Installation provides users with immediate access to the software they need to perform their jobs, and ensures that users have an easy and consistent experience when working with software throughout its life cycle.

• Users no longer need to look for a network share, use a CD-ROM, or install, fix, and upgrade software themselves.

Software Management Tools Overview

• The Software Installation extension of the Group Policy snap-in: Used by administrators to manage software

• Windows Installer: Installs software packaged in Windows Installer files

• Add/Remove Programs in Control Panel: Used by users to manage software on their own computers


The Software Installation Extension

• Primary tool for managing software within an organization

• Works in conjunction with group policy and Active Directory

• Centrally manages the installation of software on a client computer by assigning applications to users or computers or by publishing applications for users

• Assigns required or mandatory software to users or to computers

• Publishes software that users might find useful to perform their jobs


Application Assigned to User

• The application is advertised to the user the next time he or she logs on to a workstation.

• The application advertisement follows the user regardless of which physical computer he or she actually uses.

• The application is installed the first time the user activates the application on the computer, either by selecting the application on the Start menu or by activating a document associated with the application.


Application Assigned to the Computer

• The application is advertised and the installation is performed when it is safe to do so.

• A “safe time” typically is when the computer starts up, so that no competing processes are on the computer.


Publishing Applications

• When the application is published to users, the application does not appear installed on the users’ computers.

• No shortcuts are visible on the desktop or Start menu.

• No changes are made to the local registry on the users’ computers.

• Advertisement attributes are stored in Active Directory.

• Information, such as the application’s name and file associations, is exposed to the users in the Active Directory container.

• After publication, the application is available for user installation by using Add/Remove Programs in Control Panel or by clicking a file associated with the application.


How Software Installation Works

• The Software Installation extension uses Windows Installer technology to systematically maintain software.

• Windows Installer is a service that allows the OS to manage the installation process.


Windows Installer’s Three Key Parts

• An OS service that performs the installation, modification, and removal of the software in accordance with the information in the Windows Installer

• A database containing information that describes the installed state of the application

• An API that allows applications to interact with Windows Installer to install or remove additional features of the application after the initial installation is complete


Windows Installer Advantages

• Enables users to take advantage of self-repairing applications.

• Notes when a program file is missing and immediately reinstalls the damaged or missing files, thereby fixing the application.

• Makes modifications to customize the installation of a Windows Installer package at the time of assignment or publication; modifications are saved with the .mst file extension.


Windows Installer Package

• The Windows Installer package is a file that contains explicit instructions on the installation and removal of specific applications.

• The developer provides the Windows Installer package .msi file and ships it with the application.

• If a Windows Installer package is not provided with an application, it may need to be created or the application may need to be repackaged, using a third-party tool.


Deploying Software with Software Installation Is Limited to These File Types

• Native Windows Installer package .msi files: Developed as a part of the application and take full advantage of the Windows Installer

• Repackaged application .msi files: Allow applications that do not have a native Windows Installer package to be repackaged

• An existing setup program (application .zap file): Installs an application by using its original SETUP.EXE program


Other Files Encountered During Software Installation

• Patch .msp files: Used for bug fixes, service packs, and similar files

• Application assignment scripts .aas files: Contain instructions associated with the assignment or publication of a package


Customizing Windows Installer Packages

• Transforms can be used to customize Windows Installer applications.

• Customization is provided by allowing the original package to be transformed using authoring and repackaging tools.

• Some applications provide wizards or templates that permit a user to create modifications.


Tasks for Implementing Software Installation

• Planning and preparing the software installation

• Setting up a software distribution point

• Specifying software installation defaults

• Deploying software applications

• Setting automatic installation options

• Setting up application categories

• Setting software application properties

• Maintaining software applications


Planning and Preparing a Software Installation: Considerations

• Review the organization’s software requirements on the basis of the overall organizational structure within Active Directory and available GPOs.

• Determine how to deploy the applications.

• Create a pilot to test how software will be assigned or published to users or computers.

• Prepare software using a format that allows the administrator to manage it based on what the organization requires.

• Test all of the Windows Installer packages or repackaged software.


Planning and Preparing a Software Installation: Strategies and Considerations

• Create OUs based on software management needs.

• Deploy software close to the root in the Active Directory tree.

• Deploy multiple applications with a single GPO.

• Publish or assign one application only once in the same GPO or in a series of GPOs that might apply to a single user or computer.


Planning and Preparing a Software Installation: Software Licenses

• Licenses are required for software written by independent software vendors and distributed using SDPs.

• The administrator is responsible for matching the number of users who can access software to the number of licenses on hand.

• The administrator is responsible for verifying that guidelines provided by each ISV are being followed.

• The administrator should gather the package formats for the software and perform any necessary modifications to the packages.


Setting Up an SDP

• Create the folders for the software on the file server that will be the SDP and make the folders network shares.

• Replicate the software to the SDPs by placing or copying the software, packages, modifications, all necessary files, and components to a distribution share(s); place all software in a separate folder on the SDP.

• Set the appropriate permissions on the folders so that only administrators can change the files, and users can only read the files from the SDP folders and shares; use group policy to manage the software within the appropriate GPO.


Specifying Software Installation Defaults

• A GPO can contain several settings that affect how an application is installed, managed, and removed.

• The default settings for the new packages are globally defined within the GPO in the General tab of the Software Installation Properties dialog box.

• Some of the default settings can be changed later by editing the package properties in the Software Installation extension.


General Tab of the Software Installation Properties


Deploying Software Installation Defaults

• Because software can be either assigned or published, and targeted to either users or computers, a workable combination can be established to meet the software management goals.

• Modifications (.mst files) are customizations applied to Windows Installer packages.

• Modifications must be applied at the time of assignment or publication, not at the time of installation.


Software Deployment Approaches


Publishing Applications

• An application is published to make it available to people managed by the GPO, should they want the application.

• Each person decides whether or not to install the published application.

• Applications can only be published to users.


Deploying Applications with Modifications

• Modifications are associated with the Windows Installer package at deployment time rather than when the Windows Installer is actually using the package to install or modify the application.

• Modifications are applied to Windows Installer packages by the administrator.

• The order in which modifications are applied must be determined before the application is assigned or published.


Setting Automatic Installation Options

• The application that is installed when users select a file can be specified by the administrator by selecting a file extension and configuring a priority for installing applications associated with the file extension, using the File Extensions tab in the Software Installation Properties dialog box.

• The first application listed is the application installed in association with the file extension.

• File extension associations are managed on a per-GPO basis.

• Changing the priority order in a GPO affects only those users who have that GPO applied to them.


File Extensions Tab


Setting Up Application Categories

• Organizing, assigning, and publishing applications, from within Add/Remove Programs in Control Panel, into logical categories makes it easier for users to locate the appropriate application.

• Windows 2000 does not ship with any predefined categories.

• Categories are established per domain, not per GPO.

• Categories need to be defined only once for the whole domain.


Setting Software Application Properties

Each application can be fine-tuned in several ways:

• By editing installation options

• By specifying application categories to be used

• By setting permissions for the software installation


Editing Installation Options for Applications

• Default settings can be changed, even if they have been globally defined within the GPO, by editing the package properties.

• Installation options affect how an application is installed, managed, and removed.


Deployment Tab


Specifying Application Categories

• Applications must be associated with existing categories.

• Categories generally pertain to published applications only, because assigned applications do not appear in Add/Remove Programs.


Categories Tab of the Properties Dialog Box


Maintaining Software Applications: Upgrading Applications

• Several events trigger an upgrade.

• Upgrades typically incorporate major changes into the software and normally have new version numbers.

• A substantial number of files change for an upgrade.

• The Software Installation extension is used to establish the procedure to upgrade an existing application to the current release.


Add Upgrade Package Dialog Box


Maintaining Software Applications: Removing Applications

• A version of a software application is no longer supported.

• Administrators can remove the software version from Software Installation without forcing the removal of the software from the computers of users who are still using the software.

• Users can continue to use the software themselves.

• No user is able to install the software version.

• A software application is no longer used.

• Administrators can force the removal of the software.

• The software is automatically deleted from a computer, either the next time the computer is turned on or the next time the user logs on.

• Users cannot install or run the software.


Managing Special Folders Using Group Policy

• Folder Redirection

• Default Special Folder Locations

• Setting Up Folder Redirection

• Policy Removal Considerations


Windows 2000 Redirected Special Folders

• Application Data

• Desktop

• My Documents

• My Pictures

• Start Menu


Redirecting the My Documents Folder: Advantages

• The user’s documents are always available, even if the user logs on to various network computers.

• When roaming user profiles are used, only the network path to the My Documents folder is part of the roaming user profile, not the My Documents folder itself.

• Data stored on a shared network server can be backed up as part of routine system administration; requires no action on the part of the user.

• The system administrator can use group policy to set disk quotas, limiting the amount of space used by users’ special folders.

• Data specific to a user can be redirected to a different hard disk on the user’s local computer from the hard disk holding the OS files.


Default Locations for Special Folders


Setting Up Folder Redirection

• Redirect to a location according to security group membership.

• Redirect to one location for everyone in the site, domain, or OU.

• Redirect the My Pictures folder to follow the My Documents folder redirection.


Target Tab in the Properties Dialog Box


Specify Group And Location Dialog Box


Settings Tab of the Properties Dialog Box


Policy Removal Considerations


Troubleshooting Group Policy

• Troubleshooting Group Policy

• Group Policy Best Practices


Troubleshooting Group Policy Overview

• Considering dependencies between components is an important part of troubleshooting group policy problems.

• When trying to fix problems that appear in one component, it is generally helpful to check whether components, services, and resources on which it relies are working correctly.

• Event logs are useful for tracking down problems caused by this type of hierarchical dependency.


Symptom: The user has Read access to a GPO but cannot open it

• Cause: An administrator must have both Read and Write permissions for the GPO to open it in the Group Policy snap-in

• Solution: Become a member of a security group with Read and Write permission for the GPO


Symptom: User receives “Failed To Open The Group Policy Object” message when trying to edit a GPO

• Cause: A networking problem, specifically a problem with the DNS configuration

• Solution: Make sure DNS is working properly


Symptom: Group policy is not being applied to users and computers in a security group that contains them, even though a GPO is linked to an OU containing that security group

• Cause: This is correct behavior; group policy affects only users and computers contained in sites, domains, and OUs; GPOs are not applied to security groups

• Solution: Link GPOs to sites, domains, and OUs only; keep in mind that the location of a security group in Active Directory is unrelated to whether group policy applies to the users and computers in that security group


Symptom: Group policy is not affecting users and computers in a site, domain, or OU

• Cause:

• Group policy settings can be prevented, intentionally or inadvertently, from taking effect on users and computers in several ways.

• A GPO can be disabled from affecting users, computers, or both.

• A GPO also needs to be linked either directly to an OU containing the users and computers, or to a parent domain or OU so that the group policy settings apply through inheritance.

• Solution:

• Make sure that the intended policy is not being blocked.

• Make sure no policy set at a higher level of Active Directory has been set to No Override.


Symptom: Group policy is not affecting users and computers in a site, domain, or OU (cont’d)

• Cause:

• When multiple GPOs apply, they are processed in this order: local, site, domain, OU.

• By default, settings applied later have precedence.

• Solution:

• If Block Policy Inheritance and No Override are both used, No Override takes precedence.

• Verify that the user or computer is not a member of any security group for which the AGP permission is set to Deny.


Symptom: Group policy is not affecting users and computers in a site, domain, or OU (cont’d)

• Cause:

• Group policy can be blocked at the level of any OU, or enforced through a setting of No Override applied to a particular GPO link.

• The user or computer must belong to one or more security groups with appropriate permissions set.

• Solution:

• Verify that the user or computer is a member of at least one security group for which the AGP permission is set to Allow.

• Verify that the user or computer is a member of at least one security group for which the Read permission is set to Allow.
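The causes and checks on the three slides above combine into one evaluation order. The following Python model is an added example, not part of the original slides or of any Microsoft tool; it assumes a simplified hierarchy (site, domain, OUs, with the local GPO left out), and every container, GPO, group, and setting name in it is constructed.

```python
from dataclasses import dataclass, field

ALLOW, DENY = "allow", "deny"

def default_acl():
    # Constructed default ACL: authenticated principals may read and apply.
    return {"Authenticated Users": {"read": ALLOW, "apply": ALLOW}}

@dataclass
class GPO:
    name: str
    settings: dict
    enabled: bool = True
    acl: dict = field(default_factory=default_acl)  # group -> {"read"/"apply": state}

@dataclass
class Link:
    gpo: GPO
    no_override: bool = False

@dataclass
class Container:
    name: str
    links: list                      # listed in processing order
    block_inheritance: bool = False

def filter_reason(gpo, groups):
    """Return None if the GPO passes security filtering, else the reason it does not."""
    if not gpo.enabled:
        return "GPO is disabled"
    for perm, label in (("read", "Read"), ("apply", "Apply Group Policy (AGP)")):
        states = [gpo.acl[g].get(perm) for g in groups if g in gpo.acl]
        if DENY in states:           # a single Deny beats any number of Allows
            return f"{label} is set to Deny for one of the principal's groups"
        if ALLOW not in states:
            return f"no group of the principal has {label} set to Allow"
    return None

def resultant_policy(chain, groups):
    """chain: containers in processing order (site, domain, parent OU, child OU).
    Returns (settings, skipped): settings maps name -> (value, winning GPO);
    skipped maps GPO name -> the reason it had no effect."""
    # The deepest container with Block Policy Inheritance cuts off everything above it.
    blocker = max((i for i, c in enumerate(chain) if c.block_inheritance), default=None)
    normal, enforced, skipped = [], [], {}
    for i, container in enumerate(chain):
        for link in container.links:
            reason = filter_reason(link.gpo, groups)
            if (reason is None and blocker is not None
                    and i < blocker and not link.no_override):
                reason = f"blocked by Block Policy Inheritance at {chain[blocker].name}"
            if reason:
                skipped[link.gpo.name] = reason
            elif link.no_override:
                enforced.append(link.gpo)
            else:
                normal.append(link.gpo)
    settings = {}
    for gpo in normal:               # default rule: settings applied later win
        for key, value in gpo.settings.items():
            settings[key] = (value, gpo.name)
    for gpo in reversed(enforced):   # No Override wins; the highest container wins last
        for key, value in gpo.settings.items():
            settings[key] = (value, gpo.name)
    return settings, skipped

# Constructed sample hierarchy (all names and values are invented).
kiosk = GPO("Kiosk Lockdown", {"HideRun": True})
kiosk.acl["Helpdesk"] = {"apply": DENY}
CHAIN = [
    Container("Site-HQ", [Link(GPO("Site Proxy", {"Proxy": "proxy-a"}))]),
    Container("example.local",
              [Link(GPO("Domain Baseline", {"Wallpaper": "corp.bmp", "MinPwdLen": 12}),
                    no_override=True)]),
    Container("OU=Workstations",
              [Link(GPO("WS Desktop", {"Wallpaper": "ws.bmp", "Proxy": "direct"}))],
              block_inheritance=True),
    Container("OU=Kiosks", [Link(kiosk)]),
]

if __name__ == "__main__":
    for groups in ({"Authenticated Users"}, {"Authenticated Users", "Helpdesk"}):
        settings, skipped = resultant_policy(CHAIN, groups)
        print(sorted(groups), settings, skipped)
```

The skipped map is the part to read when troubleshooting: it names each GPO that had no effect and which of the listed causes removed it.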


Symptom: Group policy is not affecting users and computers in an Active Directory container

• Cause: GPOs cannot be linked to Active Directory containers other than sites, domains, and OUs

• Solution: Link a GPO to an OU that is a parent to the Active Directory container; then, by default, those settings are applied to the users and computers in the container through inheritance


Symptom: Group policy is not taking effect on the local computer

• Cause: Local policies are the weakest; any nonlocal GPO can overwrite them

• Solution: Check to see what GPOs are being applied through Active Directory and whether those GPOs have settings that are in conflict with the local settings


Symptom: Published applications do not appear in Add/Remove Programs in Control Panel

• Cause:

• Group policy was not applied.

• Active Directory cannot be accessed.

• User does not have any published applications in the GPOs that apply to him or her.

• Client is running Terminal Server.

• Solution:

• Investigate each possibility.

• Software Installation is not supported for Terminal Server clients.


Symptom: Document activation of a published application does not cause the application to install

• Cause: The administrator did not set auto-install

• Solution: Ensure that Auto-Install This Application By File Extension Activation is checked in the Deployment tab in the application’s Properties sheet


Symptom: The user receives an error message such as “The Feature You Are Trying To Install Cannot Be Found In The Source Directory”

• Cause: Network or permissions problems

• Solution:

• Ensure that the network is working correctly.

• Ensure that the user has Read and AGP permissions for the GPO.

• Ensure that the user has Read permission for the SDP.

• Ensure that the user has Read permission for the application.


Symptom: After removal of an application, the shortcuts for the application still appear on the user’s desktop

• Cause: The user has created shortcuts, and Windows Installer has no knowledge of them

• Solution: The user must remove the shortcuts manually


Symptom: The user receives an error message such as “Another Installation Is Already In Progress”

• Cause: An uninstallation might be taking place in the background with no user interface presented to the user, or perhaps the user has inadvertently triggered two installations simultaneously

• Solution: The user can try again later


Symptom: The user opens an already installed application, and the Windows Installer starts

• Cause: An application might be undergoing automatic repair, or a user-required feature is being added

• Solution: No action is required


Symptom: The user receives error messages such as “Active Directory Will Not Allow The Package To Be Deployed” or “Cannot Prepare Package For Deployment”

• Cause: The package might be corrupted or there might be a networking problem

• Solution: Investigate and take appropriate action


General Group Policy Practices

• Disable unused parts of a GPO.

• Use the Block Policy Inheritance and No Override features sparingly.

• Minimize the number of GPOs associated with users or computers in domains or OUs.

• Filter policy based on security group membership.

• Use loopback only when necessary.

• Avoid cross-domain GPO assignments.


Software Installation Practices

• Specify application categories for the organization.

• Make sure Windows Installer packages include modifications before they are published or assigned.

• Assign or publish just once per GPO.

• Take advantage of authoring tools.

• Repackage existing software.

• Use SMS and Dfs.

• Assign or publish close to the root in the Active Directory hierarchy.

• Use Software Installation properties for widely scoped control.

• Use Windows Installer package properties for fine control.


Folder Redirection Practices

• Incorporate %username% into fully qualified UNC paths.

• Have My Pictures follow My Documents.

• Consider the effects of policy removal.

• Accept defaults.

