Active Directory Overview Training

  1. Welcome!
     - Welcome
  2. Introduction
     - Presenter: Jon Zelle
       - [email_address]
       - HTTP://WWW.Trainingchannel.com
       - Certifications and experience
  3. Today’s Agenda
     - Morning session breakdown
       - Resource Review
       - Active Directory Overview
       - Active Directory Replication Process
       - Securing and Delegating Control to AD Objects
       - Questions and Answers
  4. Today’s Agenda (cont.)
     - Afternoon session breakdown
       - Managing Network Resources
       - Managing Resource Access Using Security Groups
       - Group Policy Implementation
       - Desktop Management Using Policy-Based Administration
       - Questions and Answers
  5. Breaks and Questions
     - Session breaks
       - One in the morning and one in the afternoon
       - Lunch: around 12pm; lunch is provided to attendees
       - Questions and Answers: time for this before each break and at the end of the day
  6. Overview of your new Book!
     - Managing a Windows 2000 Network Environment
     - CD Resources
     - Online Resources
  7. Managing a Windows 2000 Network Environment
     - Your book contains TONS of good information
       - Chapter 1, "Networking with Windows 2000," describes the Windows 2000 networking architecture and introduces the primary Windows 2000 network administration tool, Microsoft Management Console.
       - Chapter 2, "Managing Client and Server Computers," examines the procedures for installing new hardware on a Windows 2000 computer, updating the operating system, obtaining and managing client access licenses, and troubleshooting problems that prevent the system from booting.
       - Chapter 3, "Managing Storage Resources," describes how to use the Windows 2000 storage subsystem, including basic and dynamic disks, and the various types of data storage techniques the operating system provides. You also learn how to manage your server disk space by imposing storage quotas on your network users and managing the compression and encryption of files and folders.
       - Chapter 4, "Managing NTFS Permissions," examines how to protect the files stored on your server drives using the permissions provided by the NTFS file system.
  8. Managing a Windows 2000 Network Environment
     - Chapter 5, "Sharing Drives and Printers," contains procedures for sharing drives and printers with network users and describes how to use permissions to control access to those shared resources.
     - Chapter 6, "Monitoring Server Health and Security," describes how to use Windows 2000 tools such as the Performance console and Event Viewer to monitor the continued operation of your servers and your users' activities.
     - Chapter 7, "Managing Active Directory User and Computer Objects," contains procedures describing how to create and maintain user objects in Active Directory, as well as create the various types of user profiles.
     - Chapter 8, "Managing Active Directory Group Objects," examines the theory and practice behind the use of group objects to organize your users and simplify the process of assigning access permissions.
  9. Managing a Windows 2000 Network Environment
     - Chapter 9, "Using Group Policies," describes how to use group policies to control the users and computers on your network.
     - Chapter 10, "Managing Resources with Active Directory Service," examines the process of publishing shared folders and printers in Active Directory, redirecting special folders, and using group policies to deploy software on your network.
     - Chapter 11, "Replicating Active Directory," contains information about the Active Directory replication process and how to create and configure site objects and their replication policies.
     - Chapter 12, "Active Directory Service Administration," teaches how to work with Active Directory objects by searching for them, moving them around the directory tree, and delegating control of specific objects to other administrators.
  10. Managing a Windows 2000 Network Environment
     - Chapter 13, "TCP/IP Administration," introduces the basics of TCP/IP communications and describes how to configure a Microsoft TCP/IP client and use the utilities included with it.
     - Chapter 14, "Dynamic Host Configuration Protocol," explores the theory and practice of using DHCP to automatically assign TCP/IP configuration parameters to the computers on your network.
     - Chapter 15, "Windows Name Resolution," describes the various mechanisms that Windows systems use to resolve computer names into IP addresses, including the Windows Internet Naming System (WINS).
     - Chapter 16, "Domain Name System," introduces the underlying principles of the Domain Name System (DNS) and describes the procedures for deploying Microsoft DNS Server on your network.
  11. Managing a Windows 2000 Network Environment
     - Chapter 17, "Managing Internet Information Services," describes how to create Web and FTP sites for your intranet or the Internet using Internet Information Services.
     - Chapter 18, "Remote Client Access," examines various alternative methods for connecting users to your network from long distances and with additional security.
     - Chapter 19, "Disaster Recovery and Prevention," describes backing up your network to prevent data loss due to natural disasters, drive failures, viruses, and so on.
     - The Appendix, "Questions and Answers," lists all of the exercise questions and review questions from the book, showing the page number where the question appears and the suggested answer.
     - The Glossary provides definitions for many of the terms and concepts presented in this training kit.
  12. CD Resources
     - Your book contains 2 CDs
       - Windows 2000 Server 120-Day Evaluation
       - E-Book version of the book
         - The E-Book is searchable
         - Online Glossary
  13. Additional Resources
     - Some of my favorite Internet spots
       - Technet.microsoft.com
       - Msdn.microsoft.com
       - www.labmice.com
       - www.ntfaq.com
       - www.sysinternals.com
  14. More resources
     - Here are two great papers around designing and implementing sound group policy within an organization:
       - http://www.microsoft.com/technet/ittasks/maintain/s1impgp.asp
       - http://www.microsoft.com/technet/ittasks/maintain/s2impgp.asp
     - The Group Policy Management Console is available for download! GPMC is the tool we’ve all been asking and waiting for, bringing all the information and tools for creating, deploying, and managing group policy into one management console. Remember, it works in both Windows 2000 AD and Windows Server 2003 AD environments. Get it here: http://www.microsoft.com/downloads/details.aspx?FamilyID=f39e9d60-7e41-4947-82f5-3330f37adfeb&DisplayLang=en
  15. More Resources
     - Group Policy “Portals” (Microsoft.com and TechNet)
       - http://www.microsoft.com/technet/grouppolicy
       - http://www.microsoft.com/grouppolicy
     - Group Policy Settings Spreadsheet
       - http://go.microsoft.com/fwlink/?LinkId=15165
  16. Active Directory Overview
  17. Using Active Directory for Centralized Management
     - Active Directory:
       - Enables a single administrator to manage resources centrally
       - Allows administrators to locate information easily
       - Allows administrators to group objects into organizational units
       - Uses Group Policy to specify policy-based settings
     (Diagram: a domain containing OU1 and OU2, which hold Users, Computers and Printers such as User1, User2, Computer1 and Printer1; a search locates these objects across the OUs)
  18. Delegating Administrative Control
     - Assign permissions:
       - For specific organizational units to other administrators
       - To modify specific attributes of an object in a single organizational unit
       - To perform the same task in all organizational units
     - Customize administrative tools to:
       - Map to delegated administrative tasks
       - Simplify interface design
     (Diagram: in one domain, Admin1, Admin2 and Admin3 are each delegated control over one of OU1, OU2 and OU3)
  19. Overview
     - Overview of Active Directory
     - Active Directory Logical Structure
     - Active Directory Physical Structure
  20. Overview of Active Directory
     - What Is Active Directory?
     - Active Directory Objects
     - Active Directory Schema
     - Lightweight Directory Access Protocol (LDAP)
     - Groups in Active Directory
     - Active Directory Support for Client Computers
  21. What Is Active Directory?
     - Directory service functionality: organize, manage and control resources
     - Centralized management:
       - Single point of administration
       - Full user access to directory resources by logging on once
  22. Active Directory Objects
     - Objects represent network resources
     - Attributes define information about an object
     (Diagram: the Users objects Suzan Fine and Don Hall carry attributes such as First Name, Last Name and Logon Name; the Printers objects Printer1, Printer2 and Printer3 carry attributes such as Printer Name and Printer Location; each attribute holds a value)
  23. Active Directory Schema
     (Diagram: example object classes are Computers, Users and Printers; the class and property definitions live in the schema naming context of Active Directory, while the objects themselves are stored in the domain naming context; example attributes of Users are accountExpires, department, distinguishedName and middleName, with example values such as 10/02/03 and Sales)
  24. Lightweight Directory Access Protocol
     - LDAP provides a way to communicate with Active Directory by specifying unique naming paths for each object in the directory
     - LDAP naming paths include:
       - Distinguished names
       - Relative distinguished names
     (Example: the distinguished name CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft; its relative distinguished name is the leading component, CN=Suzan Fine)
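The naming paths above, as an added worked example (not code from the deck or its presenter): a small parser that splits a distinguished name into its relative distinguished names, keeping backslash-escaped commas inside a value intact as RFC 4514 allows, and derives the parent container and the DNS domain name. The DN with the escaped comma is constructed.

```python
# Added example, not from the slide deck: split an LDAP distinguished name
# into its relative distinguished names (RDNs). A comma separates RDNs unless
# it is escaped with a backslash, which RFC 4514 allows inside a value such as
# "CN=Fine\, Suzan".

def split_dn(dn):
    """Return the RDNs of dn, most specific first, with escapes preserved."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def rdn(dn):
    """The relative distinguished name: the leading RDN, type included."""
    return split_dn(dn)[0]


def parent_dn(dn):
    """The container the object lives in, e.g. the OU of a user."""
    return ",".join(split_dn(dn)[1:])


def domain_from_dn(dn):
    """Join the DC= components into a DNS-style domain name."""
    labels = [r.split("=", 1)[1] for r in split_dn(dn)
              if r.upper().startswith("DC=")]
    return ".".join(labels)


if __name__ == "__main__":
    dn = "CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft"   # example from the deck
    print(rdn(dn), "|", parent_dn(dn), "|", domain_from_dn(dn))
    # constructed DN whose value contains an escaped comma
    print(split_dn("CN=Fine\\, Suzan,OU=Sales,DC=contoso,DC=msft"))
```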
  25. Groups in Active Directory
     - Global group
       - Members from own domain only
       - Use for access to resources in any domain
     - Domain local group
       - Members from any domain in the forest
       - Use for access to resources in own domain
     - Universal group
       - Members from any domain in the forest
       - Use for access to resources in any domain
  26. Active Directory Logical Structure
     - Domains
     - Organizational Units
     - Trees and Forests
     - Global Catalog
  27. Domains
     - A domain is a security boundary
       - A domain administrator can administer only within the domain, unless explicitly granted administration rights in other domains
     - A domain is a unit of replication
       - Domain controllers in a domain participate in replication and contain a complete copy of the directory information for their domain
     (Diagram: two domain controllers of one Windows 2000 domain replicating User1 and User2 to each other)
  28. Organizational Units
     - Use organizational units to group objects into a logical hierarchy that best suits the needs of your organization
     - Delegate administrative control over the objects within an organizational unit by assigning specific permissions to users and groups
     (Diagram: OUs can mirror the organizational structure, e.g. Sales, Vancouver, Repair, or the network administrative model, e.g. Users, Sales Computers)
  29. Trees, Forests, and Two-Way Transitive Trusts
     (Diagram: the tree contoso.msft (root) with child domains au.contoso.msft and asia.contoso.msft, and the tree nwtraders.msft with au.nwtraders.msft and asia.nwtraders.msft; the domains within a tree and the two trees of the forest are joined by two-way, transitive trusts)
  30. Global Catalog
     (Diagram: the global catalog server holds a subset of the attributes of all objects in every domain of the forest; global catalog queries resolve group membership when a user logs on)
  31. Active Directory Physical Structure
     - The Active Directory physical structure is made up of:
       - Domain Controllers
       - Sites
  32. Domain Controllers
     - Domain controllers:
       - Host the SYSVOL folder
       - Participate in Active Directory replication
       - Perform single master operations roles in a domain
     (Diagram: each domain controller holds a writeable copy of the Active Directory database and replicates User1 and User2 to the other domain controller of the domain)
  33. Sites
     - Sites:
       - Optimize replication traffic
       - Enable users to log on to a domain controller by using a reliable, well-connected network connection
     (Diagram: a site consists of one or more IP subnets; example sites are Los Angeles, Seattle, Chicago and New York)
  34. Active Directory Replication
  35. Overview
     - Introduction to Active Directory Replication
     - Replication Components and Processes
  36. Introduction to Active Directory Replication
     - Multi-master replication with loose convergence
     (Diagram: Domain Controller A, Domain Controller B and Domain Controller C replicating with one another)
  37. Replication Components and Processes
     - How Replication Works
     - Replication Latency
     - Resolving Replication Conflicts
     - Single Master Operations
  38. How Replication Works
     - Active Directory update types: Add, Modify, Move, Delete
     (Diagram: an originating update on Domain Controller A is sent to Domain Controller B and Domain Controller C as replicated updates)
  39. Replication Latency
     - Default replication latency (change notification) = five minutes
     - When there are no changes, scheduled replication = one hour
     - Urgent replication = immediate change notification
     (Diagram: after an originating update, Domain Controller A sends change notifications to Domain Controllers B and C, which then pull the replicated update)
  40. Resolving Replication Conflicts
     - Conflicts may arise because of:
       - Attribute value
       - Adding/moving under a deleted container object, or the deletion of a container object
       - Sibling name
     (Diagram: originating updates on Domain Controller A and Domain Controller B conflict; each update carries a stamp made up of a version number, a timestamp and the server GUID, and the stamps decide the conflict)
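Attribute-value conflicts, the first kind listed above, as an added example (not code from the deck): a model of the stamp comparison in which the higher version number wins, a tie goes to the later originating timestamp, and a remaining tie goes to the higher originating server GUID. The DC GUIDs, times and attribute values are constructed, and the deck's other two conflict kinds are not modelled.

```python
# Added example, not from the slide deck: how two originating updates to the
# same attribute are reconciled. Every attribute write carries a stamp of
# (version number, originating timestamp, originating server GUID); the
# higher stamp wins, compared in that order. GUIDs, times and values here
# are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
import uuid


@dataclass(frozen=True)
class Stamp:
    version: int
    timestamp: datetime      # originating write time, UTC
    server_guid: uuid.UUID   # DC that made the originating write

    def key(self):
        return (self.version, self.timestamp, self.server_guid.int)


@dataclass(frozen=True)
class Write:
    attribute: str
    value: str
    stamp: Stamp


def resolve_conflict(local, incoming):
    """Return the write that survives when both DCs changed the attribute."""
    if local.attribute != incoming.attribute:
        raise ValueError("conflicts are resolved per attribute")
    return incoming if incoming.stamp.key() > local.stamp.key() else local


def originating_update(replica, attribute, value, server_guid, when):
    """A local change: bump the version and stamp it with this DC's GUID."""
    prev = replica.get(attribute)
    version = 1 if prev is None else prev.stamp.version + 1
    replica[attribute] = Write(attribute, value, Stamp(version, when, server_guid))
    return replica[attribute]


def apply_replicated_update(replica, incoming):
    """Merge a write received from a partner; True if the replica changed."""
    current = replica.get(incoming.attribute)
    winner = incoming if current is None else resolve_conflict(current, incoming)
    replica[incoming.attribute] = winner
    return winner is not current


def converge_example():
    """DC A and DC B both edit telephoneNumber before replicating."""
    guid_a = uuid.UUID("11111111-1111-1111-1111-111111111111")  # constructed
    guid_b = uuid.UUID("22222222-2222-2222-2222-222222222222")  # constructed
    t0 = datetime(2003, 10, 2, 9, 0, tzinfo=timezone.utc)
    dc_a, dc_b = {}, {}
    first = originating_update(dc_a, "telephoneNumber", "555-0100", guid_a, t0)
    apply_replicated_update(dc_b, first)
    # Both DCs now bump the attribute to version 2: a genuine conflict.
    wa = originating_update(dc_a, "telephoneNumber", "555-0111", guid_a, t0.replace(minute=5))
    wb = originating_update(dc_b, "telephoneNumber", "555-0122", guid_b, t0.replace(minute=7))
    apply_replicated_update(dc_a, wb)
    apply_replicated_update(dc_b, wa)
    # Same version, so the later timestamp (DC B's write) wins on both DCs.
    return dc_a["telephoneNumber"].value, dc_b["telephoneNumber"].value


def guid_tiebreak_example():
    """Same version and timestamp: the higher server GUID wins either way round."""
    t = datetime(2003, 10, 2, 9, 0, tzinfo=timezone.utc)
    low = Write("department", "Sales", Stamp(3, t, uuid.UUID(int=1)))
    high = Write("department", "Repair", Stamp(3, t, uuid.UUID(int=2)))
    return resolve_conflict(low, high).value, resolve_conflict(high, low).value


if __name__ == "__main__":
    print(converge_example())
    print(guid_tiebreak_example())
```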
  41. Single Master Operations
     - Only a domain controller that holds a specific operations master role can perform the associated Active Directory changes
     - Changes made by an operations master are replicated to other domain controllers
     - Any domain controller can hold an operations master role
     - Operations master roles can be transferred to other domain controllers
     (Diagram: the operations master replicates its changes to the other domain controllers)
  42. Using Sites to Optimize Active Directory Replication
     - What Are Sites?
     - Replication Within Sites
     - Replication Between Sites
  43. What Are Sites?
     - The first site is set up automatically, and is called Default-First-Site-Name
     - Sites can consist of zero, one, or more subnets
     - Sites are used to control replication traffic, logon traffic, and application traffic
     (Screenshot: the Active Directory Sites and Services console, with the Sites container holding Default-First-Site-Name and Redmond-Site, each with a Servers container (e.g. the server DENVER and its NTDS Settings), plus the Inter-Site Transports and Subnets containers)
  44. Replication Within Sites
     - Replication within sites:
       - Assumes fast and highly reliable network links
       - Does not compress replication traffic
       - Uses a change notification mechanism
     (Diagram: Domain Controller A and Domain Controller B on IP subnets within one site replicating with each other)
  45. Replication Between Sites
     - Replication between sites:
       - Occurs on a manually defined schedule
       - Is designed to optimize bandwidth
       - Contains one or more replicas in each site that act as bridgeheads
     (Diagram: two sites, each with its own IP subnets and a bridgehead server; replication between the sites flows between the bridgehead servers)
  46. Question Time!
  47. Break Time
  48. Securing and Delegating to AD Objects
  49. Overview
     - Introduction to Delegating Administrative Control
     - Controlling Access to Active Directory Objects
     - Delegating Administrative Control of Active Directory Objects
     - Examining Computer Accounts
     - Customizing MMC Consoles
     - Setting Up Taskpads
     - Best Practices
  50. Introduction to Delegating Administrative Control
     - Decentralize administration
     - Assign permissions to an organizational unit
     - Delegate the following types of control:
       - Assign all permissions for an organizational unit
       - Assign permissions to modify specific attributes
     (Diagram: in one domain, Admin1, Admin2 and Admin3 are each delegated one of OU1, OU2 and OU3)
  51. Controlling Access to Active Directory Objects
     - Active Directory Permissions
     - Controlling Inheritance of Permissions
     - Setting Active Directory Permissions
  52. Active Directory Permissions
     - Permissions:
       - Can be allowed or denied
       - Can be implicitly or explicitly denied
       - Can be set as standard or special permissions
     (Screenshot: the Access Control Settings dialog for the Domain Controllers container lists permission entries for Authenticated Users, Domain Admins, SYSTEM, Administrators and Enterprise Admins, each Allow with either Special or Full Control, applied to "This object only" or "This object and all child objects"; the check box "Allow inheritable permissions from parent to propagate to this object" controls inheritance, and the note explains that a permission defined directly on the object is not inherited by child objects)
  53. Controlling Inheritance of Permissions
     - Objects inherit the permissions that exist at the time of creation
     - Inheritance of permissions can be blocked
       - Copy previously inherited permissions to the object
       - Remove previously inherited permissions from the object
     (Diagram: Full Control granted on a parent OU flows down to its child OUs; once inheritance is blocked, a child OU can be left with only Read)
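The permission and inheritance rules on the two slides above, as an added model (not code from the deck): access control entries are evaluated in Windows' canonical order (explicit deny, explicit allow, inherited deny, inherited allow), which the slides do not spell out, new child objects receive the parent's inheritable entries, and blocking inheritance either keeps those entries as explicit ones or drops them. The OU and group names are constructed.

```python
# Added example, not from the slide deck: a model of how Active Directory
# permissions on an OU combine. Access control entries (ACEs) are evaluated
# in canonical order (explicit deny, explicit allow, inherited deny,
# inherited allow); a child created under a container receives the parent's
# inheritable ACEs; blocking inheritance either copies those ACEs as explicit
# ones or removes them. Group and OU names are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Ace:
    trustee: str
    access: str         # "allow" or "deny"
    rights: frozenset   # e.g. {"read", "write"}
    inherited: bool = False


@dataclass
class AdObject:
    name: str
    explicit: list = field(default_factory=list)
    inherited: list = field(default_factory=list)

    def acl(self):
        """ACEs in canonical order; the sort key is (inherited?, allow?)."""
        return sorted(self.explicit + self.inherited,
                      key=lambda a: (a.inherited, a.access == "allow"))


def create_child(parent, name):
    """New objects inherit the permissions that exist at creation time."""
    child = AdObject(name)
    child.inherited = [Ace(a.trustee, a.access, a.rights, True) for a in parent.acl()]
    return child


def block_inheritance(obj, copy):
    """Stop inheriting: keep the inherited ACEs as explicit ones, or drop them."""
    if copy:
        obj.explicit += [Ace(a.trustee, a.access, a.rights, False) for a in obj.inherited]
    obj.inherited = []


def access_check(obj, principal_groups, requested):
    """True if every requested right is allowed before any matching deny."""
    remaining = set(requested)
    for ace in obj.acl():
        if ace.trustee not in principal_groups:
            continue
        if ace.access == "deny" and ace.rights & remaining:
            return False                   # a deny on a still-needed right wins
        if ace.access == "allow":
            remaining -= ace.rights
            if not remaining:
                return True
    return False                           # implicit deny: nothing granted the rest


FULL = frozenset({"read", "write", "create", "delete"})


def scenario():
    domain = AdObject("DC=contoso,DC=msft",
                      explicit=[Ace("Domain Admins", "allow", FULL)])
    sales = create_child(domain, "OU=Sales")
    sales.explicit.append(Ace("Helpdesk", "allow", frozenset({"read", "write"})))
    sales.explicit.append(Ace("Contractors", "deny", frozenset({"write"})))
    hr = create_child(domain, "OU=HR")
    block_inheritance(hr, copy=False)      # drops Domain Admins' inherited access
    hr.explicit.append(Ace("HR Admins", "allow", frozenset({"read"})))
    it = create_child(domain, "OU=IT")
    block_inheritance(it, copy=True)       # keeps a copy as explicit ACEs
    return {
        "admins_delete_in_sales": access_check(sales, {"Domain Admins"}, {"delete"}),
        "helpdesk_write_in_sales": access_check(sales, {"Helpdesk"}, {"write"}),
        "contractor_in_helpdesk_write": access_check(sales, {"Helpdesk", "Contractors"}, {"write"}),
        "admins_read_in_hr": access_check(hr, {"Domain Admins"}, {"read"}),
        "hr_admins_read_in_hr": access_check(hr, {"HR Admins"}, {"read"}),
        "admins_read_in_it": access_check(it, {"Domain Admins"}, {"read"}),
    }


if __name__ == "__main__":
    for check, allowed in scenario().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

The OU=HR case is the one to watch for in audits: removing inherited entries when blocking inheritance silently cuts off the domain-level administrators' access to that subtree.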
  54. Setting Active Directory Permissions
     (Screenshot: the Security tab of the Users container's Properties dialog; the standard permissions Full Control, Read, Write, Create all child objects and Delete all child objects can be allowed or denied for names such as Everyone, Authenticated Users and Administrators (domain_name\Acct...); the Advanced... button leads to the special permissions, and the check box "Allow inheritable permissions from parent to propagate to this object" controls inheritance)
  55. Delegating Administrative Control of Active Directory Objects
     - Overview of Delegating Administrative Control
     - Using the Delegation of Control Wizard
     - Guidelines for Delegating Administrative Control
  56. Overview of Delegating Administrative Control
     - Delegation of administration means:
       - Changing properties on a particular container
       - Creating and deleting objects of a specific type under an organizational unit
       - Updating specific properties on objects of a specific type under an organizational unit
     (Diagram: in one domain, Admin1, Admin2 and Admin3 are each delegated one of OU1, OU2 and OU3)
  57. Using the Delegation of Control Wizard
     - Tasks for delegating control to users or groups:
       1. Start the Delegation of Control Wizard
       2. Select the groups to which to delegate control
       3. Assign the tasks to delegate
       4. Select the Active Directory object type
       5. Assign permissions to the users or groups
  58. Guidelines for Delegating Administrative Control
     - Assign control at the organizational unit level
     - Use the Delegation of Control Wizard
     - Track the delegation of permission assignments
     - Delegate control to groups
  59. Examining Computer Accounts
     - Overview of Computer Accounts
     - Managing Computer Accounts
  60. Overview of Computer Accounts
     - Functions of computer accounts
     - Computer account passwords
     (Screenshot: Active Directory Users and Computers showing the domain contoso.msft with the containers Accounting, Builtin, Computers, Domain Controllers, Sales, Human Resources and Information Security)
  61. Managing Computer Accounts
     - Resetting computer accounts
     - Pre-creating computer accounts
     - User ability/rights for creating computer accounts
  62. Customizing MMC Consoles
     - Creating Customized MMC Consoles
     - Distributing Customized MMC Consoles
     - Installing Windows 2000 Snap-ins
  63. Creating Customized MMC Consoles
     - Tasks for customizing MMC consoles:
       1. Open MMC
       2. Add and configure the required snap-ins in the MMC console
       3. Configure the MMC console mode
       4. Configure the MMC console view
       5. Save the MMC console
     - To prevent a console from being changed, do not assign the NTFS Write permission to the file
  64. Distributing Customized MMC Consoles
     - To use a distributed MMC console:
       - The administrator must have the Read permission for the console
       - Snap-ins must be installed on all computers where the administrator uses the console
     (Diagram: a console can be distributed through Group Policy, a shared folder or e-mail)
  65. Installing Windows 2000 Snap-ins
     - Snap-ins:
       - Are contained in Windows 2000 Administrative Tools
       - Are required for remote administration from a client computer running Windows 2000 Professional
     (Diagram: install the Windows 2000 Administration Tools (Adminpak.msi) on Windows 2000 Professional to administer servers from it)
  66. Setting Up Taskpads
     - What Is a Taskpad?
     - Creating and Configuring a Taskpad
     - Adding Tasks in a Taskpad
  67. What Is a Taskpad?
     - A taskpad:
       - Is a customized administrative tool
       - Contains tasks that are shortcuts to specific commands in an MMC console
       - Provides advantages:
         - Makes it easier for novice users to perform their jobs
         - Makes complex tasks easier
  68. Creating and Configuring a Taskpad
     - To create a taskpad:
       1. Create a customized MMC console
       2. Create a taskpad
       3. Configure a task in the taskpad
       4. Customize the taskpad view
  69. Adding Tasks in a Taskpad
     - Each task is a shortcut to a command in the MMC console
     (Screenshot: the console tree of contoso.msft with Accounting, Builtin, Computers, Domain Controllers, Sales, Human Resources and Manila, the last holding the users Kim Yoshida and Luis Bonifaz; a task can be associated with an item in the console tree, associated with an item in the details pane (e.g. New user, Disable account), or start a shortcut menu command)
  70. Best Practices
     - Delegate administration at the container level
     - Delegate control as high in the hierarchy as practical
     - Delegate control to a group
     - Provide training for users
  71. Question Time!
  72. Lunch Time!
     - Break Time
  73. Managing Shared Network Resources
  74. Overview
     - Introduction to Publishing Resources
     - Setting Up and Managing Published Printers
     - Implementing Printer Locations
     - Maintaining Printer Resources
     - Setting Up and Managing Published Shared Folders
     - Monitoring Access to Shared Folders
     - Troubleshooting User Access to Network File Resources
     - Troubleshooting Published Resources
     - Best Practices
  75. Introduction to Publishing Resources
     - What Are Published Resources?
     - Comparing Published Objects with Shared Resources
     - Using Groups for Object and Resource Access
  76. What Are Published Resources?
     - Publish resources:
       - That do not already exist in Active Directory
       - That are relatively static and change infrequently
       - To enable administrators and users to locate resources even if the physical location of the resources changes
     (Diagram: a resource on Server1 is published to Active Directory as a published resource)
  77. Comparing Published Objects with Shared Resources
     (Screenshot: the Security tab of the published Accounting object in Active Directory offers Full Control, Read and Write for principals such as Administrators, Authenticated Users, Domain Admins, Enterprise Admins and Pre-Windows 2000 Compatible Access (all of NWTRADERS), while the Security tab of the Accounting shared folder offers Full Control, Modify, Read & Execute, List Folder Contents, Read and Write for Administrators, CREATOR OWNER and Everyone; the published objects Printer1 and Accounting sit in OUs such as Namerica, Accounting and Sales)
  78. Using Groups for Object and Resource Access
     - Group planning strategy (A G DL P): assign users (A) to global groups (G), assign the global groups to domain local groups (DL), and then grant permissions (P)
     - Expanding the group planning strategy (A G U DL P): assign users to global groups, assign the global groups to universal groups (U), assign the universal groups to domain local groups, and then grant permissions
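The group scopes of slide 25 and the A G DL P pattern above, as an added audit script (not code from the deck): it goes beyond the membership-domain rules the slides state by also applying the Windows 2000 native-mode nesting rules between group scopes, and it flags permissions granted to anything other than a domain local group. The domains, groups and users are constructed.

```python
# Added example, not from the slide deck: an audit of group nesting against
# the scope rules and the AGDLP pattern. Beyond the membership-domain rules
# the slides state, it applies the Windows 2000 native-mode nesting rules:
# global groups hold only users and global groups from their own domain;
# universal groups hold users, global and universal groups from any domain;
# domain local groups additionally hold domain local groups from their own
# domain. Domains, groups and users are constructed.
from dataclasses import dataclass, field


@dataclass
class Principal:
    name: str
    domain: str
    kind: str               # "user" or "group"
    scope: str = ""         # "global", "universal" or "domainlocal" for groups
    members: list = field(default_factory=list)


# member kind -> "same" (own domain only) or "any" (any domain in the forest)
NESTING_RULES = {
    "global":      {"user": "same", "global": "same"},
    "universal":   {"user": "any", "global": "any", "universal": "any"},
    "domainlocal": {"user": "any", "global": "any", "universal": "any",
                    "domainlocal": "same"},
}


def membership_violations(group):
    problems = []
    for m in group.members:
        member_kind = "user" if m.kind == "user" else m.scope
        rule = NESTING_RULES[group.scope].get(member_kind)
        if rule is None:
            problems.append(f"{group.name} ({group.scope}) cannot contain "
                            f"{member_kind} group {m.name}")
        elif rule == "same" and m.domain != group.domain:
            problems.append(f"{group.name} ({group.scope}) cannot contain "
                            f"{m.name} from {m.domain}")
    return problems


def permission_violations(resource, grantees):
    """AGDLP: permissions on a resource go to domain local groups only."""
    return [f"{resource}: {g.name} ({g.kind} {g.scope}) granted directly"
            for g in grantees
            if not (g.kind == "group" and g.scope == "domainlocal")]


def audit(groups, resource, grantees):
    problems = []
    for g in groups:
        problems += membership_violations(g)
    return problems + permission_violations(resource, grantees)


def example_forest():
    """Two domains in one forest; three deliberate mistakes are planted."""
    alice = Principal("Alice", "contoso.msft", "user")
    bob = Principal("Bob", "nwtraders.msft", "user")
    # Mistake 1: Bob is from another domain but sits in a global group
    sales = Principal("Sales", "contoso.msft", "group", "global", [alice, bob])
    all_sales = Principal("AllSales", "contoso.msft", "group", "universal", [sales])
    acct_modify = Principal("Acct-Modify", "contoso.msft", "group", "domainlocal",
                            [all_sales])
    # Mistake 2: a universal group nested inside a global group
    managers = Principal("Managers", "contoso.msft", "group", "global", [all_sales])
    # Mistake 3: the global group Sales is granted on the share directly
    return audit([sales, all_sales, acct_modify, managers],
                 r"\\server1\Accounting", [acct_modify, sales])


if __name__ == "__main__":
    for line in example_forest():
        print(line)
```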
  79. 79. <ul><li>Setting Up and Managing Published Printers </li></ul><ul><li>Introduction to Printer Publishing </li></ul><ul><li>Managing Printer Publishing </li></ul><ul><li>Publishing Printers on Computers Not Running Windows 2000 </li></ul><ul><li>Managing Published Printers </li></ul>
  80. 80. Introduction to Printer Publishing <ul><li>Default behavior of printers </li></ul><ul><li>Any printer shared by a Windows 2000-based print server is automatically published in Active Directory </li></ul><ul><li>A printer is automatically removed from Active Directory when a Windows 2000 print server is removed from the network </li></ul><ul><li>Each print server is responsible for its printers being published in Active Directory </li></ul><ul><li>Windows 2000 automatically updates the printer object’s attributes in Active Directory </li></ul>Published Printer
  81. 81. Managing Printer Publishing <ul><li>Viewing Printer Objects in Active Directory </li></ul><ul><ul><li>On the View Menu, click Users, Groups, and Computers as containers </li></ul></ul><ul><li>Controlling Printer Publishing </li></ul><ul><ul><li>Select or clear the List in the Directory check box </li></ul></ul><ul><ul><li>Configure the Automatically publish new printers in Active Directory Group Policy setting </li></ul></ul><ul><li>Managing Orphaned Printers </li></ul><ul><ul><li>Active Directory removes orphaned printer objects through the orphan pruner process </li></ul></ul><ul><ul><li>Orphan pruner deletes printer objects for nonexistent printers at frequent intervals </li></ul></ul>
  82. 82. Publishing Printers on Computers Not Running Windows 2000 Install and share a printer 1 Publish the printer in Active Directory, by using Active Directory Users and Computers 2 To publish a printer on a computer that is not running Windows 2000: Active Directory Published Printer Printer Install and Share Publish
  83. 83. Managing Published Printers <ul><li>Move related printers that are installed on multiple computers into a single organizational unit </li></ul><ul><li>Perform other administrative tasks on the published printers </li></ul>Active Directory Users and Computers Printer C onsole W indow H elp A ctive V iew Tree LONDON 1 objects nwtraders.msft Active Directory Users and Accounting Builtin Computers Domain Controllers LONDON Users Name Type Moves the current selection to another Open and manage the print queue Move printers within a domain Change print queue properties Install the printer on a computer Move Connect Open All Tasks Delete Rename Refresh Help Properties
  84. 84. <ul><li>Implementing Printer Locations </li></ul><ul><li>What Are Printer Locations? </li></ul><ul><li>Requirements for Printer Locations </li></ul><ul><li>Defining Location Names </li></ul><ul><li>Configuring Printer Locations </li></ul>
  85. 85. What Are Printer Locations? When a user searches for printers: Subnet Location Object Security L ocation: USA/Seattle/Building 1 B rowse… 192.168.30.0/20 Properties 1 1. Active Directory finds the subnet object that corresponds to the IP subnet in which the user’s computer is located PRIV0118 Properties Device Settings Printer Commands Font Selection General Sharing Ports Advanced Security PRIV0118 USA/Seattle/Building 1/Near 1134 L ocation: 2. Active Directory uses the value in the Location attribute of the subnet object to search for printers with the same value 2 3. Active Directory displays a list of printers whose Location value matches the Location value of the subnet object Name Location Model PRIV0080 PRIV0039 PRIV0118 CORP0071 CORP0032 CORP0099 CORP0026 CORP0051 USA/Seattle/Building 1/Near 1119 USA/Seattle/Building 1/Near 2005 USA/Seattle/Building 1/Near 1134 USA/Seattle/Building 1/Near COPY ROOM USA/Seattle/Building 1/Near 1280 USA/Seattle/Building 1/Near 1218 USA/Seattle/Building 1/Near 1218 USA/Seattle/Building 1/Near 1182 HP Color HP Laser HP Laser HP Laser HP Laser HP Color HP Laser HP Laser 3
  86. 86. Requirements for Printer Locations <ul><li>An Active Directory network with IP subnets </li></ul><ul><li>An IP addressing scheme that corresponds to the physical topology of the network </li></ul><ul><li>A subnet object for each site </li></ul><ul><ul><li>Represents an IP subnet in Active Directory </li></ul></ul><ul><ul><li>Contains a Location attribute that Active Directory uses to find printers in the same physical location as a client computer </li></ul></ul><ul><li>Client computers that can search Active Directory </li></ul>
87. 87. Defining Location Names <ul><li>Each location name corresponds to an IP subnet </li></ul><ul><li>The values for the Location attribute for subnet objects and printers must use the same naming convention </li></ul><ul><li>Add more levels to the Location attribute for the printer to better define the physical location </li></ul>[Diagram: location hierarchy and matching subnets. USA/Seattle/Building 1 = 192.168.30.*; USA/Seattle/Building 2 = 192.168.32.*; USA/Denver/Floor 2 = 192.168.10.*; USA/Denver/Floor 3 = 192.168.11.*. The search scope can be Entire Directory, USA, Seattle, Denver, Building 1 or Building 2]
88. 88. Configuring Printer Locations Tasks <ul><li>1. Enable location tracking by using Group Policy </li></ul><ul><li>2. Create a subnet object in Active Directory </li></ul><ul><li>3. Set the Location attribute for the subnet object </li></ul><ul><li>4. Set the Location attribute for printers </li></ul>
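The three-step lookup described on the "What Are Printer Locations?" slide (subnet object from the client's IP, Location value from the subnet, printers whose Location matches) can be modelled in a few lines. The following is an added example written for this page, not code from the deck or from Windows; the subnet and printer data are constructed (the /24 masks follow the 192.168.30.* diagram rather than the /20 shown in the dialog screenshot), and the function names are my own. It also shows one detail the slides do not: matching must be done on whole path components, otherwise a search for "Building 1" would also return printers in "Building 10".

```python
import ipaddress

# Constructed sample data (not from the deck): subnet objects with their
# Location attribute, and published printers with their Location attribute.
SUBNETS = {
    "192.168.30.0/24": "USA/Seattle/Building 1",
    "192.168.32.0/24": "USA/Seattle/Building 2",
    "192.168.10.0/24": "USA/Denver/Floor 2",
    "192.168.11.0/24": "USA/Denver/Floor 3",
}

PRINTERS = [
    # (name, Location attribute, model)
    ("PRIV0080", "USA/Seattle/Building 1/Near 1119", "HP Color"),
    ("PRIV0039", "USA/Seattle/Building 1/Near 2005", "HP Laser"),
    ("PRIV0118", "USA/Seattle/Building 1/Near 1134", "HP Laser"),
    ("CORP0071", "USA/Seattle/Building 2/Near 2201", "HP Laser"),
    ("CORP0099", "USA/Seattle/Building 10/Near 1001", "HP Laser"),  # must NOT match Building 1
    ("DEN0012", "USA/Denver/Floor 2/Near 210", "HP Laser"),
    ("DEN0034", "USA/Denver/Floor 3/Near 305", "HP Color"),
]


def subnet_location(client_ip, subnets=SUBNETS):
    """Step 1: find the subnet object whose range contains the client's IP.
    The most specific (longest prefix) subnet wins if ranges overlap;
    returns None when the client is in no defined subnet."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for cidr, location in subnets.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, location)
    return best[1] if best else None


def location_matches(printer_location, search_location):
    """Step 2: a printer matches when its Location equals the search value or
    sits below it in the slash-separated hierarchy. Compare path components,
    not string prefixes, so 'Building 1' does not match 'Building 10'."""
    printer_parts = printer_location.split("/")
    search_parts = search_location.split("/")
    return printer_parts[:len(search_parts)] == search_parts


def nearby_printers(client_ip, subnets=SUBNETS, printers=PRINTERS):
    """Steps 1 to 3: printers (name, location, model) in the client's location."""
    location = subnet_location(client_ip, subnets)
    if location is None:
        return []
    return [p for p in printers if location_matches(p[1], location)]


if __name__ == "__main__":
    for name, location, model in nearby_printers("192.168.30.77"):
        print(name, location, model)
```

A client at 192.168.30.77 therefore sees only the three PRIV printers in Building 1; CORP0099 in Building 10 is excluded, and a client whose address falls in no subnet object gets an empty list, which is the symptom to look for when location tracking returns nothing.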
  89. 89. <ul><li>Maintaining Printer Resources </li></ul><ul><li>Installing Printer Drivers </li></ul><ul><li>Troubleshooting Printers </li></ul>
  90. 90. Installing Printer Drivers <ul><li>The client computers running the following operating systems automatically download the printer driver </li></ul><ul><ul><li>Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP </li></ul></ul><ul><li>Other operating systems will require the printer driver to be updated manually </li></ul>
91. 91. Troubleshooting Printers <ul><li>How to fix a print job that is stuck in the queue </li></ul><ul><li>How to relocate a print queue to a new print device </li></ul>
92. 92. Setting Up and Managing Published Shared Folders <ul><li>Publish a shared folder </li></ul><ul><ul><li>1. Share the folder </li></ul></ul><ul><ul><li>2. Publish the shared folder in Active Directory </li></ul></ul><ul><li>Add description and keywords to the shared folder object to facilitate search operations </li></ul><ul><li>Move the published shared folder object to another container or organizational unit whenever required </li></ul>[Diagram: a shared folder on Server1 is published to Active Directory and appears there as a published resource]
  93. 93. <ul><li>Monitoring Access to Shared Folders </li></ul><ul><li>Introduction to Monitoring User Access to Shared Folders </li></ul><ul><li>Monitoring Shared Folders </li></ul><ul><li>Monitoring User Sessions </li></ul><ul><li>Monitoring Open Files </li></ul>
  94. 94. Introduction to Monitoring User Access to Shared Folders <ul><li>Monitor access to shared folders for </li></ul><ul><ul><li>Maintenance </li></ul></ul><ul><ul><li>Security </li></ul></ul><ul><li>Group membership required to monitor shared folders </li></ul><ul><ul><li>Administrators or System Operators for a domain </li></ul></ul><ul><ul><li>Administrators or Power Users for a member server, stand-alone server, or computer running Windows 2000 Professional </li></ul></ul>
  95. 95. Monitoring Shared Folders
96. 96. Monitoring User Sessions [Screenshot: Computer Management (Local) > System Tools > File Service Man... > Sessions (alongside the Shares and Open Files nodes). Columns: User, Computer, Type, Open Files, Connected Time, Idle Time, Guest. Example rows: ADMIN from Admin1 (Windows), 2 open files, connected 00h07m42s, idle 00h00m37s, Guest: No; User1 from Client50 (Windows), 0 open files, connected 00h00m12s, idle 00h00m11s, Guest: No]
  97. 97. Monitoring Open Files
  98. 98. <ul><li>Troubleshooting User Access to Network File Resources </li></ul><ul><li>Troubleshooting Combined NTFS and Shared Folder Permissions </li></ul><ul><li>Troubleshooting User Access to File Resources by Tracing Group Membership </li></ul>
99. 99. Troubleshooting Combined NTFS and Shared Folder Permissions [Diagram: the users Engineer and Accountant reach the Applications share on NTFS partition C:. Share permissions: Users group, Full Control (FC). NTFS permissions: Applications folder, Users, Read Only (RO); ACCTPKG subfolder, Accounting Full Control, Engineering No Access; ENGPKG subfolder, Engineering Full Control, Accounting No Access]
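The diagram on this slide is the classic effective-permissions puzzle: share permissions and NTFS permissions are each cumulative across a user's groups (with an explicit deny overriding any allow), and the access a user actually gets through the share is the more restrictive of the two results. The following is an added worked example written for this page, not code from the deck; it models permission levels as sets of rights, reconstructs the slide's ACLs as sample data, and treats the deck's "No Access" as an explicit deny of all rights. Folder names, group names and function names are my own assumptions.

```python
# Permission levels modelled as sets of rights (a constructed simplification
# of the real share and NTFS permission bits).
READ = frozenset({"read"})
CHANGE = frozenset({"read", "write", "delete"})
FULL = frozenset({"read", "write", "delete", "change_permissions"})

# Reconstructed from the slide diagram: the Applications share grants the Users
# group Full Control; NTFS on C:\Applications grants Users Read Only, and each
# package subfolder grants its own department Full Control and the other
# department No Access (modelled here as an explicit deny of every right).
SHARE_ACL = [("Users", "allow", FULL)]
NTFS_ACLS = {
    "Applications": [("Users", "allow", READ)],
    "Applications/ACCTPKG": [("Accounting", "allow", FULL), ("Engineering", "deny", FULL)],
    "Applications/ENGPKG": [("Engineering", "allow", FULL), ("Accounting", "deny", FULL)],
}


def acl_effective(acl, principals):
    """Rights one ACL yields for a user holding the given groups.
    Allows from every matching entry accumulate; any matching deny then
    removes those rights, so an explicit deny always wins over an allow."""
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal in principals:
            (allowed if kind == "allow" else denied).update(rights)
    return frozenset(allowed - denied)


def ntfs_acl_for(path, acls=NTFS_ACLS):
    """NTFS entries set on the folder itself plus those inherited from each
    ancestor folder (blocking of inheritance is not modelled)."""
    parts = path.split("/")
    return [entry
            for depth in range(1, len(parts) + 1)
            for entry in acls.get("/".join(parts[:depth]), [])]


def effective_access(groups, path, share_acl=SHARE_ACL):
    """Access through the share is the intersection of what the share
    permissions grant and what the NTFS permissions grant: the more
    restrictive of the two applies."""
    groups = frozenset(groups)
    return acl_effective(share_acl, groups) & acl_effective(ntfs_acl_for(path), groups)


def describe(rights):
    """Map a rights set back to the permission level name used on the slide."""
    names = {FULL: "Full Control", CHANGE: "Change", READ: "Read", frozenset(): "No Access"}
    return names.get(rights, "custom: " + ",".join(sorted(rights)))


if __name__ == "__main__":
    users = {"Engineer": {"Users", "Engineering"}, "Accountant": {"Users", "Accounting"}}
    for who, groups in users.items():
        for folder in NTFS_ACLS:
            print(f"{who:10} {folder:24} {describe(effective_access(groups, folder))}")
```

Running it shows the Engineer getting Read on the Applications root (share Full Control cut down to NTFS Read Only), Full Control on ENGPKG and No Access on ACCTPKG, and the mirror image for the Accountant. Passing a share ACL of only Read as the third argument shows the other half of the rule: the Accountant's NTFS Full Control on ACCTPKG collapses to Read, which is the usual cause of a "but I gave them Full Control" ticket.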
  100. 100. Troubleshooting User Access to File Resources by Tracing Group Membership
101. 101. Best Practices <ul><li>Publish frequently used shared folders and printers </li></ul><ul><li>Define simple and easily recognizable printer location names </li></ul><ul><li>Use easily recognizable descriptions and keywords </li></ul><ul><li>Place published printers and folders in the organizational units that contain the user accounts </li></ul><ul><li>Use DACLs on published resources to limit access </li></ul><ul><li>Assign Read permissions on published objects to limited groups </li></ul>
  102. 102. Questions
  103. 103. Implementing Group Policy
  104. 104. Overview <ul><li>Group Policy Structure </li></ul><ul><li>Working with Group Policy Objects </li></ul><ul><li>How Group Policy Settings Are Applied in Active Directory </li></ul><ul><li>Modifying Group Policy Inheritance </li></ul><ul><li>Troubleshooting Group Policy </li></ul><ul><li>Best Practices </li></ul>
  105. 105. <ul><li>Group Policy Structure </li></ul><ul><li>Introduction to Group Policy </li></ul><ul><li>Group Policy Objects </li></ul><ul><li>Types of Group Policy Settings </li></ul><ul><li>Group Policy Settings for Computers and Users </li></ul><ul><li>How Group Policy Is Applied </li></ul><ul><li>Examining Group Policy Object Links </li></ul>
106. 106. Introduction to Group Policy <ul><li>You can use Group Policy to: </li></ul><ul><ul><li>Set centralized and decentralized policies </li></ul></ul><ul><ul><li>Ensure that users have their required environments </li></ul></ul><ul><ul><li>Control user and computer environments </li></ul></ul><ul><ul><li>Enforce corporate policies </li></ul></ul>[Diagram: the administrator sets Group Policy initially on a site, domain or organizational unit; Windows 2000 applies it continually to the users and computers in that container]
107. 107. Group Policy Objects <ul><li>A Group Policy object contains Group Policy settings </li></ul><ul><li>Its content is stored in two locations </li></ul><ul><ul><li>Group Policy Template: stored in the domain controller’s shared SYSVOL folder; provides the Group Policy settings </li></ul></ul><ul><ul><li>Group Policy Container: stored in Active Directory; provides version information </li></ul></ul>
108. 108. Types of Group Policy Settings <ul><li>Administrative Templates: registry-based Group Policy settings </li></ul><ul><li>Security: settings for local, domain, and network security </li></ul><ul><li>Software Installation: settings for central management of software installation </li></ul><ul><li>Scripts: startup, shutdown, logon, and logoff scripts </li></ul><ul><li>Remote Installation Services: settings that control the options available to users when running the Client Installation Wizard used by RIS </li></ul><ul><li>Internet Explorer Maintenance: settings to administer and customize Microsoft Internet Explorer on Windows-based computers </li></ul><ul><li>Folder Redirection: settings for storing users’ folders on a network server </li></ul>
  109. 109. Group Policy Settings for Computers and Users <ul><li>Group Policy Settings for Computers </li></ul><ul><ul><li>Processed when the operating system initializes and during the periodic refresh cycle </li></ul></ul><ul><ul><li>Use Computer Configuration node </li></ul></ul><ul><li>Group Policy Settings for Users </li></ul><ul><ul><li>Processed when users log on to the computer and during the periodic refresh cycle </li></ul></ul><ul><ul><li>Use User Configuration node </li></ul></ul>
110. 110. How Group Policy Is Applied <ul><li>1. Client computer starts, or user logs on, and the computer retrieves a list of GPOs that apply </li></ul><ul><li>2. Client computer connects to SYSVOL and locates the Registry.pol files </li></ul><ul><li>3. Client computer writes to the registry subtrees </li></ul><ul><li>4. Logon dialog box (for computer) or the desktop (for user) appears </li></ul>[Diagram: the GPO list; Registry.pol files in the GPT under SYSVOL; computer settings written to HKEY_LOCAL_MACHINE and user settings to HKEY_CURRENT_USER]
111. 111. Examining Group Policy Object Links <ul><li>Link one GPO to multiple sites, domains, or organizational units </li></ul><ul><li>Link multiple GPOs to one site, domain, or organizational unit </li></ul>[Diagram: a site GPO, a domain GPO and an organizational unit GPO linked to a site, a domain and an organizational unit]
  112. 112. <ul><li>Working with Group Policy Objects </li></ul><ul><li>Creating Linked and Unlinked Group Policy Objects </li></ul><ul><li>Linking an Existing Group Policy Object </li></ul><ul><li>Specifying a Domain Controller for Managing Group Policy Objects </li></ul>
  113. 113. Creating Linked and Unlinked Group Policy Objects <ul><li>Creating Linked Group Policy Objects </li></ul><ul><ul><li>For sites, use Active Directory Sites and Services </li></ul></ul><ul><ul><li>For domains and organizational units, use Active Directory Users and Computers </li></ul></ul><ul><li>Creating Unlinked Group Policy Objects </li></ul><ul><ul><li>Add a Group Policy snap-in to the MMC console </li></ul></ul>
114. 114. Linking an Existing Group Policy Object To link an existing GPO: <ul><li>Select the container in which the GPO resides </li></ul><ul><li>Select the GPO to link </li></ul><ul><li>Select the appropriate tab </li></ul>[Screenshots: contoso.msft Properties, Group Policy tab, showing the current Group Policy Object Links (Default Domain Policy, Account Lockout Policy, Passwords Policy) with No Override and Disabled columns, the note that Group Policy Objects higher in the list have the highest priority, and the list obtained from London.contoso.msft; buttons New, Add..., Edit, Options..., Delete..., Properties, Up, Down. The Add a Group Policy Object Link dialog has Domains/OUs, Sites and All tabs, a Look in box (containers such as Domain Controllers.nwtraders.msft, Accounting.nwtraders.msft, Human Resources.nwtraders.msft) and lists GPOs linked to the selected container, for example Default Domain Policy, Redirect My Document Policy, Logon Attempts Policy, Passwords Policy and Start Menu Policy]
  115. 115. Specifying a Domain Controller for Managing Group Policy Objects <ul><li>Options for Selecting a Domain Controller </li></ul><ul><ul><li>The one with the Operations Master token for the PDC emulator </li></ul></ul><ul><ul><li>The one used by the Active Directory snap-ins </li></ul></ul><ul><ul><li>Any available domain controller </li></ul></ul><ul><li>Methods for Specifying a Domain Controller </li></ul><ul><ul><li>Use the DC Options command on the View menu in the Group Policy snap-in </li></ul></ul><ul><ul><li>Enable a Group Policy setting </li></ul></ul>
  116. 116. <ul><li>How Group Policy Settings Are Applied in Active Directory </li></ul><ul><li>Group Policy Inheritance </li></ul><ul><li>Controlling the Processing of Group Policy </li></ul><ul><li>Group Policy and Slow Network Connections </li></ul><ul><li>Resolving Conflicts Between Group Policy Settings </li></ul><ul><li>Discussion: How Group Policy Is Applied </li></ul>
117. 117. Group Policy Inheritance Windows 2000 applies GPO settings in a specific order: <ul><li>1. Site </li></ul><ul><li>2. Domain </li></ul><ul><li>3. Organizational unit (for example Sales, and then its child organizational units Inside Sales and Outside Sales) </li></ul>
  118. 118. Controlling the Processing of Group Policy <ul><li>Refreshing Group Policy at Established Intervals </li></ul><ul><ul><li>Five minutes for domain controllers </li></ul></ul><ul><ul><li>90 minutes for computers running Windows 2000 Professional, Windows XP Professional or for member servers running Windows 2000 Server </li></ul></ul><ul><li>Processing Unchanged Group Policy Settings </li></ul><ul><ul><li>You can configure each client-side extension to process unchanged Group Policy settings </li></ul></ul>
  119. 119. Group Policy and Slow Network Connections <ul><li>Group Policy </li></ul><ul><ul><li>Can detect a slow network connection </li></ul></ul><ul><ul><li>Uses an algorithm to determine whether a link should be considered slow </li></ul></ul><ul><ul><li>Sets a flag to indicate a slow link to the client-side extensions </li></ul></ul>
  120. 120. Resolving Conflicts Between Group Policy Settings <ul><li>All Group Policy settings take effect unless there are conflicts </li></ul><ul><li>The last setting processed applies </li></ul><ul><ul><li>When settings from different GPOs in the Active Directory hierarchy conflict, the child container GPO settings apply </li></ul></ul><ul><ul><li>When settings from GPOs linked to the same container conflict, the settings for the GPO highest in the GPO list apply </li></ul></ul>
121. 121. Discussion: How Group Policy Is Applied What are the resultant Group Policy settings for the organizational unit? [Diagram: GPOs linked at the site, domain and organizational unit levels] <ul><li>GPO1 ensures that Favorites appears on the Start menu </li></ul><ul><li>GPO2 requires a password of 11 characters </li></ul><ul><li>GPO3 removes the Windows Update icon </li></ul><ul><li>GPO4 removes Favorites from the Start menu and adds the Windows Update icon </li></ul>
  122. 122. <ul><li>Modifying Group Policy Inheritance </li></ul><ul><li>Enabling Block Inheritance </li></ul><ul><li>Enabling the No Override Option </li></ul><ul><li>Filtering Group Policy Settings </li></ul><ul><li>Discussion: Changing Group Policy Inheritance </li></ul>
123. 123. Enabling Block Inheritance <ul><li>Block Inheritance: </li></ul><ul><ul><li>Stops inheritance of all GPOs from all parent containers </li></ul></ul><ul><ul><li>Cannot selectively choose which GPOs are blocked </li></ul></ul>[Diagram: domain GPOs above the Sales and Production organizational units; on the organizational unit where Block Inheritance is set, no domain GPO settings apply]
124. 124. Enabling the No Override Option <ul><li>No Override: </li></ul><ul><ul><li>Overrides Block Policy Inheritance </li></ul></ul><ul><ul><li>Is applicable to links and not to GPOs </li></ul></ul><ul><ul><li>Cannot stop No Override </li></ul></ul>[Diagram: a domain GPO link marked No Override; its settings apply to the Sales and Production organizational units even where those units have conflicting GPO settings]
125. 125. Filtering Group Policy Settings [Diagram: a domain GPO applied to the Sales and Production organizational units. On the GPO’s access control list a group is allowed Read and Apply Group Policy, while the users Mengph and Kimyo are denied Apply Group Policy, so the GPO is filtered out for them]
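The rules spread over the last few slides (site, domain, organizational unit order; the last setting processed wins; the GPO highest in a container's list has priority; Block Inheritance; No Override; filtering through Read and Apply Group Policy) interact, and the only reliable way to predict a resultant set is to run them in order. The following is an added model written for this page, not code from the deck or from Windows; it implements those rules over a constructed hierarchy (Seattle site, contoso.msft domain, Sales and Inside Sales organizational units) with made-up GPO names and setting names. It goes slightly beyond the slides in one respect that Windows also honours: when several No Override links exist, the parent container's link wins over the child's, so No Override links are processed last, deepest first.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                        # setting name -> value
    apply_to: frozenset                   # groups granted Read + Apply Group Policy
    deny_apply: frozenset = frozenset()   # groups explicitly denied Apply Group Policy


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False  # "No Override" is set on the link, not the GPO
    disabled: bool = False


@dataclass
class Container:
    name: str                                  # site, domain or organizational unit
    links: list = field(default_factory=list)  # top of the GPO list first (highest priority)
    block_inheritance: bool = False


def gpo_applies(gpo, groups):
    """Security filtering: an explicit Deny of Apply Group Policy wins over any Allow."""
    return not (gpo.deny_apply & groups) and bool(gpo.apply_to & groups)


def processing_order(chain):
    """chain: containers ordered site, domain, OU, child OU, ...
    Returns the links in processing order; the last link processed wins a conflict."""
    # Block Inheritance discards every non-No Override link from the containers
    # above the blocking container; the deepest blocking container decides.
    start = max([i for i, c in enumerate(chain) if c.block_inheritance], default=0)
    normal, enforced = [], []
    for depth, container in enumerate(chain):
        # Within one container the bottom of the list is processed first, so the
        # GPO highest in the list is applied last and takes precedence.
        for link in reversed([l for l in container.links if not l.disabled]):
            if link.no_override:
                enforced.append((depth, link))
            elif depth >= start:
                normal.append(link)
    # No Override links cannot be blocked and are processed after all others;
    # a parent's No Override link beats a child's, so deeper ones go first.
    enforced.sort(key=lambda item: -item[0])  # stable sort keeps within-container order
    return normal + [link for _, link in enforced]


def resultant_settings(chain, groups):
    """Apply the GPOs in order; a later value for a setting replaces an earlier one."""
    groups = frozenset(groups)
    result, applied = {}, []
    for link in processing_order(chain):
        if gpo_applies(link.gpo, groups):
            applied.append(link.gpo.name)
            result.update(link.gpo.settings)
    return result, applied


AUTH = frozenset({"Authenticated Users"})


def demo_chain(block_sales=True):
    """Constructed hierarchy: Seattle site -> contoso.msft domain -> Sales OU -> Inside Sales OU."""
    site = Container("Seattle", [Link(GPO("SiteFavorites", {"favorites_on_start": True}, AUTH))])
    domain = Container("contoso.msft", [
        Link(GPO("DomainBanner", {"logon_banner": "Contoso policy"}, AUTH), no_override=True),
        Link(GPO("DomainDesktop", {"windows_update_icon": True}, AUTH)),
    ])
    sales = Container("Sales", [Link(GPO(
        "SalesDesktop",
        {"favorites_on_start": False, "windows_update_icon": False, "logon_banner": "Sales"},
        AUTH, deny_apply=frozenset({"Sales Managers"})))], block_inheritance=block_sales)
    inside = Container("Inside Sales", [
        Link(GPO("InsideTop", {"screensaver": "locked"}, AUTH)),                      # higher in the list
        Link(GPO("InsideBottom", {"screensaver": "none", "wallpaper": "blue"}, AUTH)),
    ])
    return [site, domain, sales, inside]


if __name__ == "__main__":
    settings, applied = resultant_settings(demo_chain(), {"Authenticated Users"})
    print("applied:", applied)
    print("resultant:", settings)
```

For an ordinary user in Inside Sales the site and DomainDesktop GPOs are blocked, SalesDesktop applies, InsideTop beats InsideBottom on the screensaver because it sits higher in the list, and DomainBanner is processed last and overrides the Sales banner despite Block Inheritance. A member of Sales Managers is filtered out of SalesDesktop by the Deny, so the desktop settings simply never appear in their resultant set; calling demo_chain(block_sales=False) shows the site and domain GPOs coming back into the order.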
126. 126. Discussion: Changing Group Policy Inheritance How do you set up your GPOs? <ul><li>Required Settings </li></ul><ul><li>Anti-virus application on all computers </li></ul><ul><li>Office XP on all computers except for Payroll </li></ul><ul><li>Accounting application on all computers in Payroll, except for those used by Payroll administrators </li></ul>[Diagram: domain Contoso.com with the Payroll and Sales organizational units]
127. 127. Troubleshooting Group Policy <ul><li>Cannot access or open the Group Policy Object </li></ul><ul><li>Group Policy settings not taking effect as expected </li></ul><ul><li>Tools for troubleshooting </li></ul>
128. 128. Best Practices <ul><li>Disable unused portions of a Group Policy object </li></ul><ul><li>Use the Block Inheritance and No Override features sparingly </li></ul><ul><li>Use common sense naming conventions </li></ul><ul><li>Minimize the number of Group Policy objects </li></ul><ul><li>Filter policies based on security group membership </li></ul><ul><li>Avoid cross-domain Group Policy assignments </li></ul>
  129. 130. Question Time! <ul><li>? </li></ul>
  130. 131. <ul><li>Take a Break </li></ul>
  131. 132. Using Group Policy to Manage the Desktop Environment
  132. 133. Overview <ul><li>Introduction to Managing User Environments </li></ul><ul><li>Using Administrative Templates in Group Policy </li></ul><ul><li>Assigning Scripts by Using Group Policy </li></ul><ul><li>Using Group Policy to Redirect Folders </li></ul><ul><li>Troubleshooting User Environment Management </li></ul><ul><li>Introduction to Managing Software Deployment </li></ul><ul><li>Deploying Software </li></ul><ul><li>Managing Software </li></ul><ul><li>Identifying Solutions to Software Deployment Problems </li></ul><ul><li>Best Practices </li></ul>
  133. 134. Introduction to Managing User Environments <ul><li>Control user desktops, user interfaces, and network access </li></ul><ul><li>Use Group Policy settings </li></ul><ul><li>Apply Group Policy to a site, domain, or organizational unit </li></ul><ul><ul><li>User environment settings automatically apply to a new user or computer </li></ul></ul>Manage User Environments Administrative Templates Settings Script Settings Redirecting User Folders Security Settings HKEY_LOCAL_MACHINE HKEY_CURRENT_USER Registry My Documents
  134. 135. <ul><li>Using Administrative Templates in Group Policy </li></ul><ul><li>Types of Administrative Template Settings </li></ul><ul><li>Settings for Securing the Desktop </li></ul><ul><li>Settings for Securing User Access to Network Resources </li></ul><ul><li>Settings for Securing User Access to Administrative Tools and Applications </li></ul><ul><li>Implementing Administrative Templates </li></ul>
135. 136. Types of Administrative Template Settings Setting type and the controls available for it: <ul><li>Windows Components: the parts of Windows 2000 and its tools and components to which users can gain access, including MMC </li></ul><ul><li>System: logon and logoff, Group Policy, refresh intervals, disk quotas, and loopback policy </li></ul><ul><li>Network: the properties of network connections and dial-in connections </li></ul><ul><li>Printers: printer settings that can force printers to be published in Active Directory and disable Web-based printing </li></ul><ul><li>Start Menu &amp; Taskbar: settings that control the appearance of and access to the Start menu and the taskbar </li></ul><ul><li>Desktop: the Active Desktop, including what appears on desktops, and what users can do with the My Documents folder </li></ul><ul><li>Control Panel: the use of Add/Remove Programs, Display, and Printers </li></ul>
136. 137. Settings for Securing the Desktop Common Group Policy Settings for Securing the Desktop <ul><li>Hide all icons on desktop </li></ul><ul><li>Don’t save settings at exit </li></ul><ul><li>Hide these specified drives in My Computer </li></ul><ul><li>Remove Run menu from Start menu </li></ul><ul><li>Prohibit access to Display in Control Panel </li></ul><ul><li>Disable and remove links to Windows Update </li></ul><ul><li>Disable changes to Taskbar and Start Menu settings </li></ul><ul><li>Disable/Remove the Shut Down command </li></ul>
137. 138. Settings for Securing User Access to Network Resources Common Group Policy Settings for Securing User Access to Network Resources <ul><li>Hide My Network Places icon on desktop </li></ul><ul><li>Remove the Map Network Drive and Disconnect Network Drive options </li></ul><ul><li>Tools menu: Disable Internet Options… menu option </li></ul>
138. 139. Settings for Securing User Access to Administrative Tools and Applications Common Group Policy Settings for Securing the Desktop <ul><li>Remove Search menu from Start menu </li></ul><ul><li>Remove Run command from Start menu </li></ul><ul><li>Disable Task Manager </li></ul><ul><li>Run only allowed Windows applications </li></ul><ul><li>Remove the Documents menu from the Start menu </li></ul><ul><li>Disable changes to Taskbar and Start Menu settings </li></ul><ul><li>Hide common program groups in Start menu </li></ul>
139. 140. Implementing Administrative Templates <ul><li>Selecting the State to Configure a Setting </li></ul><ul><li>Accessing an Administrative Template Setting </li></ul>[Screenshot: Hide My Network Places icon on desktop Properties, with Policy and Explain tabs. The three states: Not Configured ignores the setting (default); Enabled applies the setting; Disabled prevents the setting. The Explain tab contains information about what this policy can do]
  140. 141. <ul><li>Introduction to Group Policy Script Settings </li></ul><ul><li>Applying Script Settings in Group Policy </li></ul><ul><li>Assigning Group Policy Script Settings </li></ul><ul><li>Assigning Scripts by Using Group Policy </li></ul>
141. 142. Introduction to Group Policy Script Settings <ul><li>You can use Group Policy script settings to: </li></ul><ul><ul><li>Run pre-existing scripts </li></ul></ul><ul><ul><li>Run scripts that perform tasks you cannot configure by using other Group Policy settings </li></ul></ul><ul><ul><li>Use scripts to clean up desktops when users log off and shut down computers </li></ul></ul>[Diagram: Computer Configuration holds the Startup/Shutdown scripts that apply to computers; User Configuration holds the Logon/Logoff scripts that apply to users]
142. 143. Applying Script Settings in Group Policy Processing Order <ul><li>1. When a user starts a computer and logs on: </li></ul><ul><ul><li>a. Startup scripts run </li></ul></ul><ul><ul><li>b. Logon scripts run </li></ul></ul><ul><li>2. When a user logs off and shuts down a computer: </li></ul><ul><ul><li>a. Logoff scripts run </li></ul></ul><ul><ul><li>b. Shutdown scripts run </li></ul></ul>Windows processes multiple scripts from top to bottom
143. 144. Assigning Group Policy Script Settings <ul><li>Copy the script to the appropriate GPT </li></ul><ul><li>Add the script to the appropriate GPO </li></ul>[Screenshot: Logon Properties, Scripts tab, Logon Scripts for Log On Script [AUCKLAND.contoso.msft]; the list has Name and Parameters columns and contains Development.vbs and Information Services.vbs; buttons Up, Down, Add..., Edit..., Remove, Show Files..., OK, Cancel, Apply; note: To view the script files stored in this Group Policy Object, press the button below]
  144. 145. <ul><li>Folder Redirection Overview </li></ul><ul><li>Selecting the Folders to Redirect </li></ul><ul><li>Redirecting Folders to a Server Location </li></ul><ul><li>Using Group Policy to Redirect Folders </li></ul>
145. 146. Folder Redirection Overview <ul><li>Advantages of folder redirection: </li></ul><ul><ul><li>Data is always available </li></ul></ul><ul><ul><li>Data is centrally stored </li></ul></ul><ul><ul><li>Files are not saved on the client computer </li></ul></ul>[Diagram: redirected personal folders; My Documents is stored on the server but appears to be stored locally]
146. 147. Selecting the Folders to Redirect <ul><li>My Documents contains users’ personal work data. Reason to redirect: users can access their data from any computer, and this data can be backed up and managed centrally </li></ul><ul><li>Start Menu contains the folders and shortcuts on the Start menu. Reason to redirect: users’ Start menus are standardized </li></ul><ul><li>Desktop contains all files and folders that users place on the desktop. Reason to redirect: users have the same desktop regardless of the computer to which they log on </li></ul><ul><li>Application Data contains user-specific data stored by applications. Reason to redirect: applications use the same user-specific data for users regardless of the computer to which the user logs on </li></ul>
147. 148. Redirecting Folders to a Server Location Use the %username% variable [Screenshots: Desktop Properties, Target tab, with three Setting choices. No administrative policy specified: the Group Policy Object will have no effect on the location of this folder. Basic – Redirect everyone’s folder to the same location: this folder will be redirected to the specified location; an example target path is \\server\share\%username%, entered here as \\london\desktops\%username%. Advanced – Specify locations for various user groups: this folder will be redirected to different locations based on the security group membership of the users, with an example target path of \\server\share\%username%; the Security Group Membership list maps NWTRADERS\acct to \\london\acct\%username% and NWTRADERS\sales to \\london\sales\%username%, with Add, Edit and Remove buttons]
  148. 149. Troubleshooting User Environment Management <ul><li>Registry Settings Are Not Applied </li></ul><ul><li>Scripts Do Not Execute </li></ul><ul><li>Folders Are Not Being Redirected </li></ul>
  149. 150. <ul><li>Introduction to Managing Software Deployment </li></ul><ul><li>Software Management Technologies </li></ul><ul><li>The Software Life Cycle </li></ul>
150. 151. Software Management Technologies <ul><li>Windows Installer service allows for: </li></ul><ul><ul><li>Custom installations </li></ul></ul><ul><ul><li>Resilient applications </li></ul></ul><ul><ul><li>Clean removal </li></ul></ul><ul><ul><li>Users to only need read access to installation folders </li></ul></ul><ul><li>Software Installation and Maintenance: Group Policy objects can: </li></ul><ul><ul><li>Install applications on user computers </li></ul></ul><ul><ul><li>Upgrade the application or automatically apply software patches or service packs </li></ul></ul><ul><ul><li>Remove applications </li></ul></ul>
151. 152. The Software Life Cycle <ul><li>1. Preparation: packages are acquired </li></ul><ul><li>2. Deployment: packages are installed </li></ul><ul><li>3. Maintenance: packages are upgraded </li></ul><ul><li>4. Removal: packages are removed </li></ul>
  152. 153. <ul><li>Deploying Software </li></ul><ul><li>Deploying a New Application </li></ul><ul><li>Assigning Software Packages </li></ul><ul><li>Publishing Software Packages </li></ul>
153. 154. Deploying a New Application Steps <ul><li>1. Acquire a Windows Installer package file </li></ul><ul><li>2. Place the package on a software distribution point </li></ul><ul><li>3-7. Create or modify a GPO </li></ul><ul><li>8. Select a deployment option </li></ul>
154. 155. Assigning Software Packages <ul><li>Assigning to a User: the application is installed the first time the user starts the application </li></ul><ul><li>Assigning to a Computer: the application is installed the next time the computer is started </li></ul>
155. 156. Publishing Software Packages <ul><li>Add/Remove Programs: the application is installed when the user selects it from Add/Remove Programs in Control Panel </li></ul><ul><li>Document Invocation: the application is installed when the user double-clicks an unknown file type </li></ul>
  156. 157. <ul><li>Managing Software </li></ul><ul><li>Deploying a Mandatory Upgrade </li></ul><ul><li>Deploying an Optional Upgrade </li></ul><ul><li>Redeploying Software </li></ul><ul><li>Removing Software </li></ul>
157. 158. Deploying a Mandatory Upgrade Example: <ul><li>Users are running version 1.0 of a program </li></ul><ul><li>Version 2.0 of the program is deployed as a mandatory upgrade </li></ul><ul><li>Users are able to use only version 2.0 of the program </li></ul>
158. 159. Deploying an Optional Upgrade Example: <ul><li>Users are running version 1.0 of a program </li></ul><ul><li>Version 2.0 of the program is deployed as an optional upgrade </li></ul><ul><li>Users may now use either version of the program </li></ul>
159. 160. Redeploying Software Example: <ul><li>1. The software patch is on the server </li></ul><ul><li>2. The Group Policy object is redeployed </li></ul><ul><li>3. The user logs on and invokes the application </li></ul><ul><li>4. The software patch is applied </li></ul>
160. 161. Removing Software <ul><li>Removal Process: only software that was installed from a Windows Installer package file can be removed through Group Policy </li></ul><ul><li>Forced Removal: software is automatically deleted from a computer, and cannot be reinstalled </li></ul><ul><li>Optional Removal: software is not deleted from a computer, but can no longer be installed </li></ul>
161. 162. Identifying Solutions to Software Deployment Problems <ul><li>Verify that the application appears in Add/Remove Programs </li></ul><ul><li>Verify user access to the network distribution point </li></ul><ul><li>Look for Group Policy conflicts </li></ul>
  162. 163. <ul><li>Best Practices </li></ul><ul><li>Best Practices for Managing Group Policy </li></ul><ul><li>Best Practices for Folder Redirection </li></ul><ul><li>Best Practices for Software Installation and Management </li></ul>
163. 164. Best Practices for Managing Group Policy <ul><li>Use Windows XP .adm files to manage a mixed environment </li></ul><ul><li>Apply the same policies to Windows XP and Windows 2000 </li></ul><ul><li>Test settings before deployment </li></ul><ul><li>Only use GPOs for editing the registry </li></ul>
164. 165. Best Practices for Folder Redirection <ul><li>Enable client-side caching </li></ul><ul><li>Incorporate the %Username% variable </li></ul><ul><li>Have My Pictures follow the My Documents policy </li></ul><ul><li>Removal considerations </li></ul>
165. 166. Best Practices for Software Installation and Management <ul><li>Use application categories </li></ul><ul><li>Use transform files for packages </li></ul><ul><li>Use only one deployment option per Group Policy </li></ul><ul><li>Repackage existing software </li></ul><ul><li>Deploy software as high in the hierarchy as possible </li></ul>
  166. 168. Question Time! <ul><li>? </li></ul>
  167. 169. <ul><li>Time to go home! </li></ul>