CHAPTER 12
ADMINISTERING GROUP POLICY
Group policy is very flexible and includes options for registry-based policy settings, security settings,
application management, scripts, computer startup and shutdown, logon and logoff, and folder redirection.
What is Group Policy?
Group policies are collections of user and computer configuration settings that can be linked to computers,
sites, domains, and organizational units (OUs) to specify the behavior of users’ desktops.
Group Policy Objects
To create a specific desktop configuration for a particular group of users, you create group policy objects
(GPOs). GPOs are collections of group policy settings. Each Windows 2000 computer has one local
GPO, and may in addition be subjected to any number of nonlocal (Active Directory-based) GPOs.
One local GPO is stored on each computer whether or not the computer is part of an Active Directory
environment or a networked environment. However, as the local GPO settings can be overridden by
nonlocal GPOs, the local GPO is the least influential if the computer is in an Active Directory environment.
Nonlocal GPOs are linked to Active Directory objects (sites, domains, and OUs) and can be applied to
either users or computers. To use nonlocal GPOs, you must have a Windows 2000 domain controller
installed.
Delegating Control of Group Policy
You can determine which administrative groups can administer (create, modify, delete) GPOs by defining
access permissions for each GPO. By assigning Read and Write permissions on a GPO to an
administrative group, you delegate control of the GPO to that group.
MICROSOFT HIDES 70% OF THE REGISTRY, it is encoded and encrypted.
L S D O (local, site, domain, and OU)
======================================================================
winads12.html PAGE
2 2002/03/03
The Group Policy Snap-In
A Microsoft Management Console (MMC) snap-in is used to organize and manage the many group
policy settings in each GPO. The chart on page 396 shows the snap-in for the Default Domain
Controllers Policy GPO.
Group Policy Settings
Group policy settings are contained in a GPO and determine the user’s desktop environment. There are
two types of group policy settings: computer configuration settings and user configuration settings.
Computer and User Configuration Settings
Computer configuration settings are used to set group policies applied to computers, regardless of who
logs on to them. Computer configuration settings are applied when the operating system initializes.
User configuration settings are used to set group policies applied to users, regardless of which computer
the user logs on to. User configuration settings are applied when users log on to the computer.
NOTE: Although some settings are user interface settings, for example, the background bitmap or the
ability to use the Run command on the Start menu, they can be applied to computers using computer
configuration settings.
Both computer settings and user configuration settings include Software Settings, Windows Settings,
and Administrative Templates.
Software Settings
For both the computer configuration and user configuration, Software Settings contains only Software
Installation settings by default. Software Installation settings help you specify how applications are
installed and maintained within your organization.
You manage an application within a GPO that, in turn, is associated with a particular Active Directory
container (a site, domain, or OU). Applications can be managed in one of two modes: assigned or
published. You assign an application when you want the computers or people managed by the GPO
to have the application. You cannot publish an application to computers.
Windows Settings
For both the computer configuration and user configuration, Windows Settings holds scripts and
Security Settings.
Scripts allows you to specify two types of scripts: startup/shutdown and logon/logoff. Startup/shutdown
scripts run at computer startup or shutdown. Logon/logoff scripts run when a user logs on or off the
computer.
When you assign multiple logon/logoff or startup/shutdown scripts to a user or computer, Windows
2000 executes the scripts from top to bottom.
When a computer is shut down, Windows 2000 first processes logoff scripts followed by shutdown
scripts. By default, the timeout value for processing scripts is 10 minutes. If the logoff and shutdown
scripts require more than 10 minutes to process, you must adjust the timeout value with a software
policy.
Security Settings allows a security administrator to manually configure security levels assigned to a
local or nonlocal GPO. This can be done after, or instead of, using a security template to set
system security.
For the user configuration only, Windows Settings holds additional group policy settings for Internet
Explorer Maintenance, Remote Installation Services, and Folder Redirection. Internet Explorer
Maintenance allows you to administer and customize Microsoft Internet Explorer on Windows 2000
computers.
Folder Redirection allows you to redirect Windows 2000 special folders (My Documents, Application
Data, Desktop, and Start Menu) from their default user profile location to an alternate location on the
network, where they can be centrally managed.
Administrative Templates
For both the computer and user configurations, Administrative Templates contains all registry-based
group policy settings, including settings for Windows Components, System, and Network. Windows
Components allows you to administer Windows 2000 components including NetMeeting, Internet
Explorer, Windows Explorer, Microsoft Management Console, Task Scheduler, and Windows Installer.
System is used to control logon and logoff functions and group policy itself.
For the computer configuration only, Administrative Templates contains additional group policy settings
for Printers. Additionally, System contains Disk Quotas, Domain Name System (DNS) Client, and
Windows File Protection.
In Administrative Templates there are more than 450 of these settings available for configuring the user
environment. In the registry, computer configurations are saved in HKEY_LOCAL_MACHINE (HKLM)
and user configurations are saved in HKEY_CURRENT_USER (HKCU). The default refresh rate is
every 8 hours, but you can change it if you want to.
NOTE: You can display administrative template settings by clicking the Administrative Templates node,
clicking View, then clicking Show Policies Only to show all settings, or Show Configured Policies Only
to show only those settings that have been configured.
The MMC Snap-in Model
The nodes of the Group Policy snap-in are themselves MMC snap-in extensions. By default, all the
available Group Policy snap-in extensions are loaded when you start the Group Policy snap-in. You
can modify this default behavior by using the MMC method of creating custom consoles and by using
policy settings to control the behavior of MMC itself. Use the Administrative Templates node to
configure these policy settings.
Using this extension model, developers can create an MMC extension to the Group Policy snap-in to
provide additional policies. These snap-in extensions may in turn be extended.
Group Policy Snap-in Namespace
The root node of the Group Policy snap-in is displayed as the name of the GPO and the domain to
which it belongs:
GPO Name [DomainName] Policy
For example: Default Domain Controllers Policy [server1.Microsoft.com] Policy
How Group Policy Affects Startup and Logon
The following sequence shows the order in which computer configuration and user configuration
settings are applied when a computer starts and a user logs on:
1. The network starts. Remote Procedure Call System Service (RPCSS) and Multiple Universal
Naming Convention Provider (MUP) are started.
2. An ordered list of GPOs is obtained for the computer. The list contents may depend on these
factors: whether the computer is part of a Windows 2000 domain, and is therefore subject to group
policy through Active Directory, and the location of the computer in Active Directory. If the list of
GPOs has not changed, then no processing is done.
3. Computer configuration settings are processed. This occurs synchronously by default, and in the
following order: local GPO, site GPOs, domain GPOs, OU GPOs, and so on.
4. Startup scripts run.
5. The user presses Ctrl+Alt+
governed by the group policy settings in effect.
6. An ordered list of GPOs is obtained for the user. The list contents may depend on these factors:
whether the user is part of a Windows 2000 domain, and is therefore subject to group policy through
Active Directory; whether loopback is enabled, and the state (Merge or Replace) of the loopback
policy setting; and the location of the user in Active Directory. If the list of GPOs to be applied has
not changed, then no processing is done. You can use a policy setting to change this behavior.
7. User configuration settings are processed. This occurs synchronously by default, and in the following
order: local GPO, site GPOs, domain GPOs, OU GPOs, and so on. No user interface is displayed
while user policies are being processed.
8. Logon scripts run. Unlike Windows NT 4.0 scripts, group policy-based logon scripts are run hidden
and asynchronously by default. The user object script runs last.
9. The operating system user interface prescribed by group policy appears.
How Group Policy is Processed
Group policy settings are processed in the following order (L S D O):
1. Local GPO.
2. Site GPOs. Processing is synchronous; the administrator specifies the order of GPOs linked
to the site.
3. Domain GPOs. Processing is synchronous; the administrator specifies the order of GPOs linked
to a domain.
4. OU GPOs. GPOs linked to the OU highest in the Active Directory hierarchy are processed
first, followed by GPOs linked to its child OU, and so on.
This order means that the local GPO is processed first, and GPOs linked to the OU of which the
computer or user is a direct member are processed last, overwriting the earlier GPOs. For example,
you set up a domain GPO to allow anyone to log on interactively. However, an OU GPO, set up for
the domain controller, prevents everyone from logging on except for certain administrative groups.
Exceptions to the Processing Order
The default order of processing group policy settings is subject to the following exceptions:
A computer that is a member of a workgroup processes only the local GPO.
No Override. Any GPO linked to a site, domain, or OU (not the local GPO) can be set to No Override
with respect to that site, domain or OU, so that none of its policy settings can be overridden.
Block Policy Inheritance. At any site, domain, or OU, group policy inheritance can be selectively marked
as Block Policy Inheritance. However, GPO links set to No Override are always applied and cannot
be blocked.
Loopback setting. Loopback is an advanced group policy setting that is useful on computers in certain
closely managed environments such as kiosks, laboratories, classrooms, and reception areas. By default,
a user’s settings come from a GPO list that depends on the user’s location in Active Directory. The
ordered list goes from site-linked to domain-linked to OU-linked GPOs, with inheritance determined
by the location of the user in Active Directory, and in an order specified by the administrator at each level.
Loopback can be Not Configured, Enabled, or Disabled, as can any other group policy setting.
In the Enabled state, loopback can be set to Merge or Replace mode.
Replace. In this case, the GPO list for the user is replaced in its entirety by the GPO list already
obtained for the computer at computer startup.
Merge. In this case, the two GPO lists are concatenated. The GPO list obtained for the computer at
computer startup is appended to the GPO list obtained for the user at logon. Because the GPO list
obtained for the computer is applied later, it has precedence if it conflicts with settings in the user’s list.
Group Policy Inheritance
In general, group policy is passed down from parent to child containers. If you have assigned a separate
group policy to a parent container, that group policy applies to all containers beneath the parent container,
including the user and computer objects in the container.
If a parent OU has policy settings that are not configured, the child OU doesn’t inherit them. Policy
settings that are disabled are inherited as disabled.
If a parent policy and a child policy are compatible, the child inherits the parent policy, and the child’s
setting is also applied.
If a policy configured for a parent OU is incompatible with the same policy configured for a child OU,
the child does not inherit the policy settings from the parent. The setting in the child is applied.
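The processing order, No Override, Block Policy Inheritance, loopback and inheritance rules described above, worked through in a small Python model. This is an added example written for these notes, not code from the original text or from Windows; the containers, GPO names and setting names (for example interactive_logon_everyone) are constructed for illustration, and the ordering among several No Override GPOs is an assumption the notes do not state.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# A configured setting is True (Enabled) or False (Disabled). A setting a GPO
# does not list is Not Configured: it leaves whatever an earlier GPO set.
Settings = Dict[str, bool]


@dataclass
class GPO:
    name: str
    computer: Settings = field(default_factory=dict)  # Computer Configuration
    user: Settings = field(default_factory=dict)      # User Configuration


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False   # "No Override": always applied, cannot be blocked


@dataclass
class Container:
    """A site, domain or OU. `links` is in processing order, so the last
    link of a container has the highest precedence within it (simplification)."""
    name: str
    parent: Optional["Container"] = None
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False   # "Block Policy Inheritance"


def gpo_list(local: GPO, container: Optional[Container]) -> List[GPO]:
    """Ordered GPO list for a computer or user located in `container`:
    local GPO, then site, domain, OU, child OU ... (L S D OU).
    A workgroup member (container None) gets only the local GPO."""
    chain: List[Container] = []
    node = container
    while node is not None:
        chain.append(node)
        node = node.parent
    chain.reverse()                       # site -> domain -> OU -> ... -> container

    ordinary: List[GPO] = []
    enforced: List[GPO] = []              # No Override links, collected top-down
    for c in chain:
        if c.block_inheritance:
            ordinary = []                 # drop ordinary GPOs linked above c
        for link in c.links:
            (enforced if link.no_override else ordinary).append(link.gpo)
    # No Override GPOs go last so nothing below can override them. Among them the
    # higher container wins (assumption matching Windows; the notes do not say).
    return [local] + ordinary + list(reversed(enforced))


def resolve(gpos: List[GPO], scope: str) -> Settings:
    """Apply the list in order: a later configured value overwrites an earlier
    one, Disabled is inherited as Disabled, Not Configured changes nothing."""
    effective: Settings = {}
    for gpo in gpos:
        effective.update(getattr(gpo, scope))
    return effective


def user_gpo_list(local: GPO, user_ou: Optional[Container],
                  computer_ou: Optional[Container],
                  loopback: Optional[str] = None) -> List[GPO]:
    """GPO list for the user's settings. loopback is None (Not Configured or
    Disabled), "replace" or "merge", as described in the notes."""
    user_list = gpo_list(local, user_ou)
    if loopback is None:
        return user_list
    computer_list = gpo_list(local, computer_ou)
    if loopback == "replace":
        return computer_list
    if loopback == "merge":
        # computer list appended after the user's, so it takes precedence;
        # [1:] avoids re-applying the local GPO after the nonlocal ones
        return user_list + computer_list[1:]
    raise ValueError(f"unknown loopback mode {loopback!r}")


def build_scenario():
    """Constructed forest: container, GPO and setting names are illustrative only."""
    local = GPO("Local GPO", computer={"audit_logon_events": False})
    site = Container("Site: HQ")
    domain = Container("Domain: example.test", parent=site)
    domain.links = [
        Link(GPO("Default Domain Policy",
                 computer={"interactive_logon_everyone": True, "audit_logon_events": True},
                 user={"run_on_start_menu": True})),
        Link(GPO("Password Policy", computer={"min_password_length_8": True}),
             no_override=True),
    ]
    dc_ou = Container("OU: Domain Controllers", parent=domain, links=[
        Link(GPO("Default Domain Controllers Policy",
                 computer={"interactive_logon_everyone": False}))])
    kiosk_ou = Container("OU: Kiosks", parent=domain, block_inheritance=True, links=[
        Link(GPO("Kiosk Lockdown", user={"run_on_start_menu": False}))])
    staff_ou = Container("OU: Staff", parent=domain)
    return local, {"dc": dc_ou, "kiosk": kiosk_ou, "staff": staff_ou}


def demo() -> Dict[str, Settings]:
    local, ous = build_scenario()
    return {
        "dc_computer": resolve(gpo_list(local, ous["dc"]), "computer"),
        "kiosk_computer": resolve(gpo_list(local, ous["kiosk"]), "computer"),
        "staff_user_normal": resolve(user_gpo_list(local, ous["staff"], ous["staff"]), "user"),
        "staff_user_on_kiosk_replace": resolve(
            user_gpo_list(local, ous["staff"], ous["kiosk"], "replace"), "user"),
        "staff_user_on_kiosk_merge": resolve(
            user_gpo_list(local, ous["staff"], ous["kiosk"], "merge"), "user"),
    }


if __name__ == "__main__":
    for label, settings in demo().items():
        print(f"{label}: {settings}")
```

Running the block prints the effective settings for each case: the domain controller ends up with interactive logon disabled because the OU GPO is applied after the domain GPO; the kiosk OU's Block Policy Inheritance drops the Default Domain Policy but not the No Override password GPO; and a staff user logging on at a kiosk gets the kiosk's user settings under either loopback mode.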
Using Security Groups to Filter Group Policy
Because you can link more than one GPO to a site, domain, or OU, you may need to link GPOs
associated with other directory objects. By setting the appropriate permissions for security groups,
you can filter group policy to influence only the computers and users you specify.
Lesson Summary:
Group policies are collections of user and computer configuration settings that can be linked to
computers, sites, domains, and OUs to define settings of various components that make up the
users’ desktop environment.
To create a specific desktop configuration for a particular group of users, you create GPOs,
which are collections of group policy settings.
There are two types of group policy settings: computer configuration settings and user
configuration settings. Both computer and user settings include Software Settings, Windows
Settings and Administrative Templates.
Group policy settings are processed in the following order: local GPO, site
GPOs, domain GPOs, and OU GPOs.
Lesson 2:
Group Policy Implementation Planning
Before implementing group policies, you should create a plan to manage them. You can plan your
GPO settings and GPO implementation methods to provide the most efficient group policy
management for your organization.
Designing GPOs by Setting Type
You can create GPOs based on the type of settings they contain. There are three main GPO setting
designs:
Single Policy Type. Includes GPOs that deliver a single type of group policy setting, for
example, a GPO that includes only security settings.
Multiple Policy Type. Includes GPOs that deliver multiple types of group policy settings.
Dedicated Policy Type. Includes GPOs dedicated to either computer configuration or user
configuration group policies.
Single Policy Type
The goal is to separate each type of group policy settings into a separate GPO. To do this, create a
GPO for software management settings, a GPO for user documents and settings, a GPO for software
policies, etc.
Multiple Policy Type
With this approach, the goal is to include multiple types of group policy settings in a single GPO.
Dedicated Policy Type
With this approach, the goal is to include all user configuration group policy settings in one GPO
and all computer configuration group policy settings in a separate GPO. This model increases the
number of GPOs that must be processed at logon, thereby lengthening logon time, but it can aid
in troubleshooting.
GPO Implementation Strategies
When planning an Active Directory structure, consider how group policy will be implemented for
the organization. Delegation of authority, separation of administrative duties, central versus
decentralized administration, and design flexibility are important factors to be considered when
designing group policy and selecting which scenarios to adapt for an organization.
Layered Vs. Monolithic GPO Design
These design strategies provide decentralized (layered) and centralized (monolithic) locations for
policy settings within GPOs.
Layered GPO Design
With a layered GPO approach, the goal is to include a specific policy setting in as few GPOs as
possible.
To achieve this goal, create a base GPO to be applied to the domain that contains policy settings
for as many users and computers in the domain as possible.
Next, create additional GPOs tailored to the common requirements of each corporate group,
such as engineering, sales, marketing, executives, and administrative assistants, and apply them
to the appropriate OUs.
Monolithic GPO Design
With a monolithic GPO approach, the goal is to use very few GPOs (ideally only one) for any given
user or computer. All the policy settings required for a given site, domain, or OU should be
implemented within a single GPO. If the site, domain, or OU has groups of users or computers
with different policy requirements, consider subdividing the container into OUs and applying
separate GPOs to each OU rather than to the parent.
A change in the monolithic design involves more administration than the layered approach because
the settings may need to be changed in multiple GPOs, but logon time will be shorter.
Functional Roles Vs. Team Design
Active Directory’s OU structure was designed to facilitate ease of administration and delegation
of authority. The OU structure may or may not represent the functional roles within the
organization. When it does, design group policy by delegating control at the OU level. If the OU
architecture does not represent group organization, then use OU delegation of control, but also
choose to use groups as a filtering mechanism for applying group policy.
Functional Roles Design
With this approach, the goal is to use an OU structure that reflects the functional roles within the
organization for applying group policy. A minimum number of GPOs is used, with each tailored
to a group’s specific needs.
This model is best suited for organizations designed according to functional roles, groups of users
organized according to users’ occupations such as engineering, sales, marketing, and so on.
Team Design
With this approach, the goal is to use groups as a filtering mechanism in applying group policy
in an organization that uses the virtual team concept.
To do this, create GPOs for each virtual team. As users can exist in only one OU at a time, it is
best to create a single GPO at the top of the hierarchy that filters down to each OU. Then, create
GPOs for each team as necessary. This approach eliminates complexity by strategically applying
the GPOs at only one location, allowing administrators to centrally administer the GPOs and
minimizing the GPO-to-OU assignments.
OU Delegation with Central or Distributed Control
The administration of OUs can be delegated, and OU administrators may need to be allowed to
block group policies that have been assigned to their OUs at a higher organizational level. This
can be accomplished using a central or distributed control design.
Central Control Design
To do this, use the No Override option on OUs. For example, create a GPO including only
security settings for a domain, and then set the No Override option so that all child OUs are
affected by the security options specified at the domain level.
This model is best suited for organizations that choose to delegate administration of OUs, but
would like to enforce certain group policies throughout the domain.
Distributed Control Design
With this approach, administrators of OUs are allowed to block group policies from being
applied to their OU.
To do this, create GPOs for each OU. Set ACL permissions allowing OU administrator full
control over GPOs.
This model is best suited for organizations that choose to minimize the number of domains but
do not want to sacrifice autonomous administration of OUs. It allows administrators to enforce
certain group policies throughout the domain.
Lesson Summary:
group policies.
in the organization have common security concerns and changes to group policy are frequent.
computers can be classified into a small number of groups for policy assignment.
The team design is a method of managing group policy in a dynamic environment with an OU
architecture that does not reflect the team structure.
The central control design is best suited for organizations that choose to delegate
administration of OUs, but would like to enforce certain group policies throughout the domain.
Lesson 3:
Implementing Group Policy
Group policies are implemented by using the Group Policy snap-in.
Implementing Group Policy
The tasks for implementing group policy are: creating a GPO, delegating administrative control of
the GPO, specifying group policy settings, disabling unused group policy settings, indicating GPO
processing exceptions, filtering GPO scope, and linking the GPO to a site, domain, or OU.
Delegating Administrative Control of a GPO
After you create a GPO, it is important to determine which groups of administrators have
access permissions to the GPO. The default permissions on GPOs are shown below:
======================================================================
Security Group            Default Settings
======================================================================
Authenticated Users       Read, Apply Group Policy, Special Permissions
CREATOR OWNER             Special Permissions
Domain Administrators     Read, Write, Create All Child Objects, Delete All
                          Child Objects, Special Permissions
SYSTEM                    Read, Write, Create All Child Objects, Delete All
                          Child Objects, Special Permissions
======================================================================
By default, the Default Domain Policy GPO cannot be deleted by any administrator. This prevents
the accidental deletion of this GPO, which contains important required settings for the domain.
Disabling Unused Group Policy Settings
If a GPO has, under the Computer Configuration or User Configuration node of the console, only settings
that are Not Configured, then you can avoid processing those settings by disabling the node.
Indicating GPO Processing Exceptions
GPOs are processed according to the Active Directory hierarchy: local GPO, site GPOs, domain GPOs,
and OU GPOs. However, the default order for processing GPO group policy settings may be changed by
modifying the order of GPOs for an object, specifying the Block Policy Inheritance option, specifying the
No Override option, or by enabling the Loopback setting.
Filtering GPO Scope
The policies in a GPO apply only to users who have Read permission for that GPO. You can filter
the scope of a GPO by creating security groups and then assigning Read permission to the selected
groups. Thus, you can prevent a policy from applying to a specific group by denying the group Read
permission to the GPO. Linking a GPO
By default, a new GPO is linked to the site, domain, or OU that was selected in the MMC when it was
created. Therefore, its settings apply to that site, domain, or OU. Use the Group Policy tab for the
site, domain, or OU properties to link a GPO to additional sites, domains, or OUs.
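The security-group filtering and delegation rules from this lesson (Read plus Apply Group Policy to receive a GPO, a Deny Read entry to exclude a group, Read plus Write to administer it) as a small access-check model in Python. This is an added example, not code from the original notes or from Windows; the group names (Helpdesk, Sales, Sales OU Admins) and GPO names are constructed, and the Special Permissions column of the default permissions table is left out of the model.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set

READ, WRITE, APPLY = "Read", "Write", "Apply Group Policy"


@dataclass(frozen=True)
class ACE:
    """One access-control entry on a GPO: a trustee (security group or
    well-known principal) and the rights allowed, or denied, to it."""
    trustee: str
    rights: FrozenSet[str]
    deny: bool = False


@dataclass
class GPO:
    name: str
    acl: List[ACE] = field(default_factory=list)


def default_acl() -> List[ACE]:
    """The default GPO permissions from the table in Lesson 3
    (the 'Special Permissions' entries are left out of this model)."""
    admin = frozenset({READ, WRITE, "Create All Child Objects", "Delete All Child Objects"})
    return [
        ACE("Authenticated Users", frozenset({READ, APPLY})),
        ACE("Domain Admins", admin),
        ACE("SYSTEM", admin),
    ]


def effective_rights(gpo: GPO, memberships: Set[str]) -> Set[str]:
    """Rights a principal gets on the GPO given every group it belongs to.
    A Deny entry on any of its groups removes the right even if another
    entry allows it, which is how 'deny the group Read' filters a GPO out."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in gpo.acl:
        if ace.trustee in memberships:
            (denied if ace.deny else allowed).update(ace.rights)
    return allowed - denied


def applies_to(gpo: GPO, memberships: Set[str]) -> bool:
    """A GPO's policies apply only to principals that can Read it and hold
    Apply Group Policy (the two rights Authenticated Users get by default)."""
    return {READ, APPLY} <= effective_rights(gpo, memberships)


def can_administer(gpo: GPO, memberships: Set[str]) -> bool:
    """Delegated control: Read plus Write lets a group modify the GPO."""
    return {READ, WRITE} <= effective_rights(gpo, memberships)


def applied_gpos(gpos: List[GPO], memberships: Set[str]) -> List[str]:
    """Names of the linked GPOs that survive security-group filtering."""
    return [g.name for g in gpos if applies_to(g, memberships)]


def build_gpos() -> List[GPO]:
    """Constructed example GPOs; group and GPO names are illustrative."""
    # Applies to everyone except Helpdesk, which is denied Read.
    lockdown = GPO("Desktop Lockdown", default_acl() +
                   [ACE("Helpdesk", frozenset({READ}), deny=True)])
    # Scoped to Sales only: Authenticated Users loses Read/Apply, Sales gets it,
    # and the Sales OU administrators are delegated Read + Write.
    sales = GPO("Sales Software", [
        ace for ace in default_acl() if ace.trustee != "Authenticated Users"
    ] + [ACE("Sales", frozenset({READ, APPLY})),
         ACE("Sales OU Admins", frozenset({READ, WRITE}))])
    return [lockdown, sales]


if __name__ == "__main__":
    gpos = build_gpos()
    for who in ({"Authenticated Users", "Sales"},
                {"Authenticated Users", "Helpdesk"},
                {"Authenticated Users", "Sales", "Helpdesk"}):
        print(sorted(who), "->", applied_gpos(gpos, who))
```

Note that Domain Admins can edit the Sales Software GPO (Read and Write) but do not receive it, because the default Domain Admins entry carries no Apply Group Policy right; that is the distinction between delegating control of a GPO and being in its scope.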
Modifying Group Policy
The tasks for modifying group policy are: removing a GPO link, deleting a GPO, and editing a GPO
and its settings.
Removing a GPO Link
Removing a GPO link simply unlinks the GPO from the specified site, domain, or OU. The GPO
remains in Active Directory until it is deleted.
Deleting a GPO
If you delete a GPO, it is removed from Active Directory, and any sites, domains, or OUs, to which
it is linked will no longer be affected by it. You may wish to take the less drastic step of removing
the GPO link, which disassociates the GPO from its OU but leaves the GPO intact in Active
Directory.
Editing a GPO and GPO Settings
To edit a GPO or its settings, follow the procedures outlined earlier in this lesson for creating a
GPO and for specifying group policy settings.
Lesson Summary:
To implement group policy, you create a GPO, delegate administrative control of the GPO, specify
group policy settings for the GPO, disable unused group policy settings, indicate GPO processing
exceptions, filter the scope of the GPO, and link the GPO to a site, domain, or OU.
Lesson 4:
Managing Software Using Group Policy
The Software Installation extension, a software management feature of Windows 2000, is the
administrator’s primary tool for managing software within an organization. Managing software
using Software Installation provides your users with immediate access to the software they need
to perform their jobs and ensures that users have an easy and consistent experience when
working with software throughout its life cycle.
C:\WINNT\System32 (admin.pkg).
Software Management Tools
Three tools are provided with Windows 2000 Server for software installation and maintenance.
====================================================================
Tool                                   Role
====================================================================
The Software Installation extension    Used by administrators to manage
of the Group Policy snap-in            software
Windows Installer                      Installs software packaged in
                                       Windows Installer files
Add/Remove Programs in Control Panel   Used by users to manage software
                                       on their own computers
====================================================================
The Software Installation Extension
The Software Installation extension is the administrator’s primary tool for managing software within
an organization. Software Installation works in conjunction with Group policy and Active Directory,
establishing a group policy-based software management system that allows you to centrally manage.
for software. You can update a version of the software or replace it. You can even upgrade
the operating system using service packs.
Using Software Installation, you can centrally manage the installation of software on a client computer
by assigning applications to users or computers or by publishing applications for users. Assign
required or mandatory software to users or to computers. Publish software that users might find
useful to perform their jobs.
Assigning Applications
When you assign an application to a user, the application is advertised to the user the next time he
or she logs on to a workstation. The application advertisement follows the user regardless of which
physical computer he or she actually uses. The application can be activated when the user selects it
from the Start menu, or when the user logs on.
When you assign an application to the computer, the application is advertised, and the installation is
performed when it is safe to do so.
Publishing Applications
When you publish the application to users, the application does not appear installed on the users’
computers. No shortcuts are visible on the desktop or Start Menu, and no changes are made to
the local registry on the users’ computers. Instead, published applications store their advertisement
attributes in Active Directory. The application is then available for the user to install using
Add/Remove Programs in Control Panel or by clicking a file associated with the application
(such as an .xls file for Microsoft Excel).
How Software Installation Works
The Software Installation extension uses Windows Installer technology to systematically maintain
software. Windows Installer is a service that allows the operating system to manage the installation
process. Windows Installer is composed of three key parts:
- The Windows Installer service, which manages the installation and removal of the software in
accordance with the information in the Windows Installer package.
- The Windows Installer package, an .msi file that contains all of the information about the
installed state of the application.
- An application programming interface (API), which allows applications to interact with
Windows Installer to install or remove additional features of the application after the
initial installation is complete.
Because Software Installation leverages Windows Installer, users can take advantage of self-repairing
applications. Windows Installer notes when a program file is missing and immediately reinstalls the
damaged or missing files, thereby fixing the application. The package file has an .msi extension.
You can only deploy software using the Software Installation extension if the file type fits one of the
following categories:
- Native Windows Installer package (.msi) files are developed as a part of the application and take
full advantage of the Windows Installer.
- Repackaged application (.msi) files allow you to repackage applications that do not have a native
Windows Installer package, in much the same way that you repackage software today to customize
installations.
- Existing setup program: an application (.zap) file installs an application by using its
original SETUP.EXE program.
In addition, you can make modifications to customize the installation of a Windows Installer package
at the time of assignment or publication. Modifications are saved with the .mst file extension.
Other files you may encounter during Software Installation are application assignment script (.aas)
files, which contain instructions associated with the assignment or publication of a package.
Customizing Windows Installer Packages
You can customize Windows Installer applications by using modifications, also called transforms.
The Windows Installer package format provides for customization by allowing you to “transform”
the original package using authoring and repackaging tools. Some applications also provide wizards
or templates that permit a user to create modifications.
Implementing Software Installation
The tasks for implementing software installation are:
Planning and Preparing a Software Installation
When planning a software installation:
- Review your organization’s software requirements on the basis of your overall organizational
structure within Active Directory and your available GPOs.
- Determine how you want to deploy your applications.
- Create a pilot to test how you want to assign or publish software to users or computers.
- Prepare your software using a format that allows you to manage it based on what your
organization requires, and test all of the Windows Installer packages or repackaged software.
======================================================================
Strategy                         Considerations
======================================================================
Create OUs based on software     Allows you to target applications to the
management needs.                appropriate set of users. Group policy
                                 security settings are not required to
                                 target the appropriate set of users.
Deploy software close to the     This reduces administration because you
root in the Active Directory     can deploy a single GPO rather than
tree.                            having to re-create that object in
                                 multiple containers deep in the Active
                                 Directory tree.
Deploy multiple applications     The logon process is faster because a
with a single GPO.               single GPO deploying 10 applications
                                 processes faster than 10 GPOs each
                                 deploying one application.
Publish or assign one            Makes it easier to determine which
application.                     instance of the application applies to
                                 the user or computer.
======================================================================
Software licenses are required for software written by independent software vendors and distributed
using software distribution points (SDPs). It is your responsibility to match the number of users who
can access software to the number of licenses you have on hand.
NOTE: Some software supports special commands to facilitate the creation of an SDP. For example,
Microsoft Office 2000 should be prepared by running SETUP /A from a command prompt. This allows
you to enter the software key once for all users, and the network share (SDP) location to copy the files to.
Other software might have other ways to expand any compressed files from the distribution media and
transfer the files to the appropriate location.
Specifying Software Installation Defaults
A GPO can contain several settings that affect how an application is installed, managed, and removed.
You can globally define the default settings for the new packages within the GPO in the General tab
of the Software Installation Properties dialog box.
Deploying Software Applications
Given that software can be either assigned or published, and targeted to users or computers, you can
establish a workable combination to meet your software management goals.
Software Deployment Approaches
======================================================================
                          Publish (User only)     Assign (User)          Assign (Computer)
======================================================================
After deployment the      The next logon.         The next logon.        The next time the
software is available                                                    computer starts.
for installation after:

Typically the user        Add/Remove Programs     Start menu or          The software is
installs the software     in Control Panel.       Desktop shortcut.      already installed (it
from:                                                                    installs automatically
                                                                         when the computer
                                                                         reboots).

If the software is not    Yes, if Auto-install    Yes.                   Does not apply; the
installed, and the user   is turned on.                                  software is already
opens a file associated                                                  installed.
with the software, does
the software install?

Can the user remove the   Yes, and the user can   Yes, and the software  No; only the local
software using Add/       choose to install it    is available for       administrator can
Remove Programs in        again from Add/Remove   installation again     remove the software.
Control Panel?            Programs in Control     from the typical       A user can run a
                          Panel.                  install points.        repair on the software.

Supported installation    Windows Installer       Windows Installer      Windows Installer
files:                    packages, .zap files.   packages.              packages.
======================================================================
Modifications, or .mst files, are customizations applied to Windows Installer packages. A modification
must be applied at the time of assignment or publication, not at the time of installation.
Assigning Applications
Assign an application when you want everyone to have the application on his or her computer. An
application can be assigned to both computers and users.
Publishing Applications
Publish an application when you want the application to be available to people managed by the GPO,
should they want the application. With published applications it is up to each person to decide whether
or not to install the published application. An application can only be published to users.
Deploying Applications with Modifications
Modifications are associated with the Windows Installer package at deployment time rather than
when the Windows Installer is actually using the package to install or modify the application.
Modifications (.mst files) are applied to Windows Installer packages (which have the .msi extension)
in an order specified by the administrator. This order must be determined before the application
is assigned or published.
IMPORTANT: Do not click OK until you have finished configuring the modifications. When
you click OK, the package is assigned or published immediately. If the modifications are not
properly configured you will have to uninstall the package or upgrade the package with a correctly
configured version.
Setting Automatic Installation Options
To determine which application users install when they select a file, you can select a file extension
and configure a priority for installing applications associated with the file extension using the File
Extensions tab in the Software Installation Properties dialog box.
File extensions associations are managed on a per-GPO basis. Changing the priority order in a
GPO affects only those users who have the GPO applied to them.
Setting Up Application Categories
You can organize assigned and published applications into logical categories to make it easier for
users to locate the appropriate application from within Add/Remove Programs in Control Panel.
Windows 2000 does not ship with any predefined categories.
Removing Applications
At some point, users may no longer require an application, so you may need to remove it. The
following two scenarios are addressed through the removal choices set within the Software
Installation extension:
the software version from Software Installation without forcing the (physical) removal
of the software from the computers of users who are still using the software.
on or the next time the user logs on. Users cannot install or run the software.
Lesson Summary:
assigning applications to users or computers or by publishing applications for users.
Assign required or mandatory software to users or to computers. Publish software
that users might find useful to perform their jobs.
maintain software.
SDP, specifying software installation defaults, deploying software applications, setting
automatic installation options, setting up application categories, setting software
application properties, and maintaining software applications.
Lesson 5:
Managing Special Folders Using Group Policy
Folder Redirection
You use the Folder Redirection extension to the Group Policy snap-in to redirect certain Windows 2000
Special Folders to network locations. Special folders such as My Documents and My Pictures are
located in C:\Documents and Settings (where C:\ is the name of your system drive).
Windows 2000 allows the following special folders to be redirected:
Advantages of Redirecting the My Documents Folder
The following benefits pertain to redirecting any folder, but redirecting My Documents can be
particularly advantageous because this folder tends to become large over time.
always available. When roaming user profiles are used, only the network path to the
My Documents folder is part of the roaming user profile, not the My Documents folder
itself.
group policy to set disk quotas, limiting the amount of space taken up by users' special folders.
from the hard disk holding the operating system files. This makes the user’s data safer if the
operating system needs to be reinstalled.
Default Special Folder Locations
The default locations for special folders that have not been redirected depend on the operating
system that was in place previously.
C:\Documents and Settings
Systemroot\Profiles
Systemroot\System\Profiles
Setting Up Folder Redirection
There are two ways to set up folder redirection:
Redirect special folders to a location according to security group membership.
Redirect special folders to one location for everyone in the site, domain, or OU.
NOTE: The default (My Pictures following My Documents) is recommended unless you have a
specific reason (such as file share scalability) for separating My Pictures from My Documents.
If they are separated, a shortcut takes the place of the My Pictures folder in My Documents.
Lesson Summary:
special folders to a location according to security group membership, or redirect special
folders to one location for everyone in the site, domain, or OU.
Lesson 6:
Troubleshooting Group Policy
**** See the tables page 444-458 ****
Group Policy Best Practices
Configuration node of the console, only settings that are Not Configured, you can avoid
processing those settings by disabling the node. This expedites startup and logon for
those users and computers subject to the GPO.
these features makes it difficult to troubleshoot group policy.
The more GPOs applied to a user, the longer it takes to start up and log on.
directing that a particular GPO be applied to them can avoid the associated logon delay,
because the GPO will not be processed for those users.
configuration to be the same regardless of who logs on.
policy is obtained from another domain.
Software Installation Practices
Specify application categories for your organization. Using categories makes it easier for users to
find an application in Add/Remove Programs in Control Panel. Make sure Windows Installer
packages include modifications before they are published or assigned. Remember that modifications
are applied to packages at the time of assignment or publication.
Assign or publish just once per GPO. A Windows Installer package should be assigned or published
no more than once in the same GPO.
Take advantage of authoring tools. Developers familiar with the files, registry entries, and other
requirements for an application to work properly can author native Windows Installer packages
using tools available from various software vendors.
Repackage existing software. You can use commercially available tools to create Windows Installer
packages for software that does not include natively authored .msi files.
Use SMS and Dfs. SMS and the Windows 2000 Distributed File System (Dfs) are helpful in managing
the SDPs (the network shares from which users install their managed software).
Assign or publish close to the root in the Active Directory hierarchy. Because group policy settings
apply by default to child Active Directory containers, it is efficient to assign or publish by linking
a GPO to a parent OU or domain. Use security descriptors (ACEs) on the GPO for finer control over
who receives the software.
Use Software Installation properties for widely scoped control. This spares administrative
keystrokes when assigning or publishing a large number of packages with similar properties in a
single GPO, for example when all the software is published and it all comes from the same SDP.
Use Windows Installer package properties for fine control. Use the package properties for assigning
or publishing a single package.
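The rules above and in the Software Deployment Approaches table (a GPO linked to a parent container reaches its child OUs, ACEs on the GPO filter who receives the software, publishing is user-only, and a package is deployed once per GPO) can be exercised in a small model. This is an added example, not code from the training notes: the domain, OU, group and package names are constructed, and the ACE check is simplified to Allow/Deny group sets on the Apply Group Policy permission.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# mode is "publish" or "assign"; target is "user" or "computer".
Package = namedtuple("Package", "name mode target")

@dataclass
class GPO:
    name: str
    link: tuple    # container the GPO is linked to, root first, e.g. ("corp.example", "Sales")
    packages: list
    # Groups with Allow / Deny on the Apply Group Policy permission (the ACEs the notes mention).
    apply_allow: set = field(default_factory=lambda: {"Authenticated Users"})
    apply_deny: set = field(default_factory=set)

def validate(gpo):
    """Flag deployments in one GPO that break the rules in the notes."""
    errors, seen = [], set()
    for p in gpo.packages:
        if p.mode == "publish" and p.target != "user":
            errors.append(f"{gpo.name}: {p.name} can only be published to users")
        if p.name in seen:
            errors.append(f"{gpo.name}: {p.name} deployed more than once")
        seen.add(p.name)
    return errors

def applies(gpo, container, groups):
    """A GPO linked at or above `container` applies unless its ACEs filter the principal out."""
    linked_above = container[:len(gpo.link)] == gpo.link
    permitted = bool(gpo.apply_allow & groups) and not (gpo.apply_deny & groups)
    return linked_above and permitted

def software_for(gpos, container, groups, target):
    """(package, mode, GPO) triples that a user or computer in `container` receives."""
    return [(p.name, p.mode, g.name)
            for g in gpos if applies(g, container, groups)
            for p in g.packages if p.target == target]

# Constructed sample: one GPO linked at the domain, one at the Sales OU beneath it.
DOMAIN = ("corp.example",)
SALES = DOMAIN + ("Sales",)
GPOS = [
    # Assigned domain-wide; kiosk accounts are denied so the GPO is not processed at their logon.
    GPO("Office GPO", DOMAIN, [Package("Office 2000", "assign", "user")],
        apply_deny={"Kiosk Users"}),
    GPO("Sales Tools GPO", SALES, [Package("CRM Client", "publish", "user"),
                                  Package("Fax Driver", "assign", "computer")]),
]
```

A Sales user receives the domain-wide assignment plus the OU's published package, while a kiosk account in the same OU sees only the latter.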
Folder Redirection Practices
Incorporating %username% into fully qualified UNC paths. This allows users to have their own
folders. For example, \\server\share\%username%\My Documents.
Having My Pictures follow My Documents. This is advisable unless there is a compelling reason
not to.
Policy removal considerations.
Accepting defaults. In general, accept the default Folder Redirection settings.