Professional Documents
Culture Documents
Objectives
Create and manage Group Policy objects to control user desktop settings, security, scripts, and folder redirection Manage and troubleshoot Group Policy inheritance Deploy and manage software using Group Policy
Group policy can only be applied to computers running Windows Server 2003, Windows 2000, and Windows XP
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environemnt 4
Create new OUs using Active Directory Users and Computers Move users into the new OUs
Activity 9-3: Creating a Group Policy Object and Browsing Settings Using Active Directory Users and Computers
Objective: Create a GPO using Active Directory Users and Computers as an alternative to MMC snap-in
From Active Directory Users and Computers, use the Group Policy tab of the Properties of an existing OU to add and create GPOs Browse configuration settings of a Group Policy Object
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environemnt 9
Editing a GPO
10
12
14
15
19
Activity 9-7: Configuring File System Security Using Group Policy Settings
Objective: Use Group Policy settings to configure security permissions Create a folder Use Active Directory Users and Computers to configure the permissions on the folders Update Group Policy settings on the server Verify that the permissions are explicitly defined
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environemnt 20
Assigning Scripts
Windows Server 2003 can run scripts during:
User logon or logoff User section of GPO Computer startup and shutdown Computer section of GPO
Default is for scripts to run synchronously from top to bottom Can specify script time-outs, asynchronous execution, and hiding of scripts
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environemnt 21
Redirecting Folders
Allows you to redirect the contents of a users profile to a network location Profile contents that can be redirected are application data, desktop, My Documents, Start menu Redirection is useful because it:
Aids in backup Reduces logon time Allows creation of a standard desktop for multiple users
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environemnt 23
24
By default, all GPO settings are inherited At each level, there can be multiple GPOs
Policies are applied in the order that they appear on the Group Policy tab for each container, bottom GPO first
Applying a large number of GPOs can affect startup and logon performance
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environemnt 25
27
28
29
Configuring No Override
If a policy is configured with No Override
It will be enforced despite conflicts in lower-level policies It will be enforced on lower-level containers with Block Policy inheritance set
30
31
Activity 9-12: Determining Group Policy Settings Using the Resultant Set of Policy Tool
Objective: Use RSoP to determine effective Group Policy settings Use Active Directory Users and Computers to configure the Default Domain Policy Open a new MMC with the Resultant Set of Policy snap-in Use RSoP to Generate RSoP Data
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environemnt 35
36
Software Preparation
Microsoft Windows installer package (MSI)
MSI file contains all of the information needed to install an application in a variety of configurations Software vendors include preconfigured MSI packages For older applications, can create MSI packages using 3rd party utilities (e.g., VERITAS)
To install, place MSI file in a shared folder and configure Group Policy to access for installation
38
39
Deployment
Two ways to deploy an application
Assigning applications Publishing applications
40
Assigning Applications
When a policy is created to assign an application
Any user who the policy applies to has a shortcut on the Start menu Application is installed when user clicks shortcut the first time or opens it with an associated document If policy configured in computer section, application is installed next time the computer is started Applications are resilient (if files are corrupted, will reinstall itself)
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environemnt 41
Publishing Applications
When a policy is created to publish an application
Not advertised in Start menu Installed using the Add/Remove Programs applet or by opening an associated document Only published to users and not computers
42
43
Software Maintenance
Software must be maintained with patches and updates Deployment of patches and updates can be:
Mandatory upgrade Optional upgrade Redeployment of an application
46
Software Removal
Application must have been originally installed using a Windows installer package Removal can be:
Forced removal Optional removal
Forced removal uninstalls application and prevents it from being reinstalled Optional removal does not uninstall application but does prevent it from being reinstalled once removed
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environemnt 47
Summary
A Group Policy Object is an object in Active Directory used to configure and apply settings for user and computer objects Two default GPOs created when Active Directory is installed:
Default Domain Policy Default Domain Controllers Policy
Summary
GPOs can be used:
to control user desktop settings and security settings to apply scripts on user logon and logoff and computer startup and shutdown for folder redirection
Summary
GPOs are useful in deploying and maintaining software applications GPOs are used for four main phases of software rollout: preparation, deployment, maintenance, removal For deployment, Group Policy uses an MSI file containing information needed to install in a variety of configurations Deployed applications can be either assigned or published
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environemnt 50