Module 7 - Managing User Desktop With Group Policy

07/06/13
Module 7: Managing User Desktop with Group Policy
Module7:ManagingUserDesktopwithGroupPolicy
Contents: Lesson1: LabA: Lesson2: LabB: Lesson3: LabC: ImplementAdministrativeTemplates ManageAdministrativeTemplatesandCentralStore ConfigureGroupPolicyPreferences ManageGroupPolicyPreferences ManageSoftwarewithGPSI ManageSoftwarewithGPSI
Module Overview
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=9&FontSize=3&FontType=segoe
1/83
07/06/13
InanenvironmentmanagedbyawellimplementedGroupPolicyinfrastructure,little ornoconfigurationneedstobemadebydirectlytouchingadesktop.Theentire configurationisdefined,enforced,andupdatedbyusingthesettingsinGroupPolicy objects(GPOs)thataffectaportionoftheenterpriseasbroadasanentiresiteora domain,orasnarrowasasingleorganizationalunit(OU)oragroup.Inthismodule, youwilllearnwhatGroupPolicyis,howitworks,andhowbesttoimplementitin yourorganization.Inthismodule,youwilllearnhowtoconfiguredesktop environmentsbyusingAdministrativetemplatesandGroupPolicyPreferences.You willalsoseehowtoproperlyscopeGroupPolicy.Inaddition,youwilllearnhowto deploysoftwarebyusingGroupPolicy.
Objectives
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=9&FontSize=3&FontType=segoe 2/83
07/06/13
Aftercompletingthismodule,youwillbeableto: DescribeAdministrativetemplates. UnderstandandconfigureGroupPolicypreferences. DeploysoftwarebyusingGroupPolicy.
Lesson 1: Implement Administrative Templates
AdministrativeTemplatesallowyoutocontroltheenvironmentoftheoperating
07/06/13
systemanduserexperience.TherearetwosetsofAdministrativeTemplates:onefor usersandoneforcomputers.UsingtheadministrativetemplatesectionsoftheGPO, youcandeployhundredsofmodificationstotheregistry.
Objectives
Aftercompletingthislesson,youwillbeableto: DescribeAdministrativeTemplatesandhowtheywork. Describemanagedsettings,unmanagedsettings,andpreferences. DescribeCentralStore.
What Are Administrative Templates?
4/83
07/06/13
Anadministrativetemplateisatextfilethatspecifiestheregistrychangetobemade andthatgeneratestheuserinterfacetoconfiguretheAdministrativeTemplatespolicy settingsintheGPME.Thescreenshothereshowsthepropertiesdialogboxforthe PreventAccessToRegistryEditingToolspolicysetting.
5/83
07/06/13
Thefactthatthesettingexistsandthatitprovidesadropdownlistwithwhichto disableRegedit.exefromrunningsilentlyisdeterminedinanadministrativetemplate. Theregistrysettingthatismadebasedonhowyouconfigurethepolicyisalso definedintheadministrativetemplate. Somesoftwarevendorsprovideadministrativetemplatesasamechanismtomanage theconfigurationoftheirapplicationcentrally.Forexample,youcanobtain administrativetemplatesforallrecentversionsofMicrosoft Officefromthe MicrosoftDownloadsCenter.Youcanalsocreateyourowncustomadministrative templates.Atutorialoncreatingcustomadministrativetemplatesisbeyondthescope ofthiscourse.
6/83
07/06/13
AdministrativeTemplateshavethefollowingcharacteristics: Theyareorganizedintosubfoldersthatdealwithspecificareasoftheenvironment, suchasnetwork,system,andWindows components. ThesettingsinthecomputersectionedittheHKEY_LOCAL_MACHINEhiveinthe registry,andsettingsintheusersectionedittheHKEY_CURRENT_USERhiveinthe registry. Somesettingsexistforbothuserandcomputer.Forexample,thereisasettingto preventWindowsMessengerfromrunninginboththeuserandthecomputer templates.Incaseofconflictingsettings,thecomputersettingprevails. SomesettingsareavailableonlytocertainversionsofWindowsoperatingsystems, suchasanumberofnewsettingscanbeappliedonlytotheWindows7family ofoperatingsystems.Doubleclickingthesettingswilldisplaythesupported versionsforthatsetting.
.ADM Files
InversionsofWindowspriortoWindowsVista ,anadministrativetemplatehadan .ADMextension..ADMfileshaveseveraldrawbacks.First,alllocalizationmustbe performedwithinthe.ADMfile.Thatis,ifyouwanttocreatean.ADMfiletohelp deployconfigurationinamultilingualorganization,youwouldneedseparate.ADM filesforeachlanguagetoprovideauserinterfaceforadministratorswhospeakthat
07/06/13
language.Ifyouweretodecidelatertomakeamodificationrelatedtotheregistry settingsmanagedbythetemplates,youwouldneedtomakethechangetoeach .ADMfile. Thesecondproblemwith.ADMfilesisthewaytheyarestored.An.ADMfileisstored aspartoftheGPTintheSYSVOL.Ifan.ADMfileisusedinmultipleGPOs,itis storedmultipletimes,contributingtoSYSVOLbloat.Therewerealsochallengesin maintainingversioncontrolover.ADMfiles. ToaddclassicadministrativetemplatestotheGPME,rightclicktheAdministrative TemplatesnodeandthenclickAdd/RemoveTemplates.
.ADMX/.ADML Files
InWindowsVista,Windows7,WindowsServer2008,andWindowsServer2008 R2,anadministrativetemplateisapairofXMLfiles,onewithan.ADMXextension thatspecifieschangestobemadetotheregistryandtheotherwithan.ADML extensionthatprovidesalanguagespecificuserinterfaceintheGPME.Whenchanges needtobemadetosettingsmanagedbytheadministrativetemplate,theycanbe madetothesingle.ADMXfile.AnyadministratorwhomodifiesaGPOthatusesthe templateaccessesthesame.ADMXfileandcallstheappropriate.ADMLfileto populatetheuserinterface. Toadd.ADMX/.ADMLadministrativetemplatestotheGPME,copythe.ADMXfileinto the%SystemRoot%\PolicyDefinitionsfolderonyourclientorinthecentralstore.
07/06/13
Copythe.ADMLfileintothelanguageandregionspecificsubfolder,suchasenus, of%SystemRoot%\PolicyDefinitionsonyourclientorinthecentralstore.Thecentral storewillbediscussedinthenexttopic.
No Need to Take Sides

.ADMand.ADMX/.ADMLadministrativetemplatescancoexist.Settingsgeneratedby .ADMfileswillappearundertheAdministrativeTemplatesnodeinanodelabeled ClassicAdministrativeTemplates(ADM).
Migrate Classic Administrative Templates to .ADMX

TheADMXMigratorenablesyoutoconvertADMfilestotheADMXformat.Formore information,see: ADMXMigrator http://go.microsoft.com/fwlink/?LinkId=99466 ADMXMigratordownload(Blog) http://go.microsoft.com/fwlink/?LinkId=113124
How Administrative Templates Work
9/83
07/06/13
IntheAdministrativeTemplatesnode,youwillfindseveralsettingsthatallowyouto controlmanyaspectsofWindows. Ontheslide,youcanseethePropertiesdialogboxforthePreventAccessTo RegistryEditingToolspolicysetting. Ifthissettingisenabledandtheusertriestostartaregistryeditor,amessage appears,explainingthatasettingpreventstheaction. NoteTopreventusersfromusingotheradministrativetools,usetheRun OnlySpecifiedWindowsApplicationssettingoruseSoftwareRestriction Policies,whicharebeyondthescopeofthiscourse.

07/06/13
PoliciesintheAdministrativeTemplatesnodemakechangestotheregistry.Settings providedintheComputerConfigurationnodewillmodifyregistryvaluesinthe HKEY_LOCAL_MACHINE(HKLM)keyonthemachinewhereGroupPolicyisapplied. SettingsintheAdministrativeTemplatesnodeintheUserConfigurationnodemodify registryvaluesintheHKEY_CURRENT_USER(HKCU)key. Inthecaseofthispolicysetting,thefollowingregistryvalueismodified:
H K C U \ S o f t w a r e \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \ P o l i c i e s \ S y s t e m \ D i s a b l e R e g e d i t M o d e
IfyouchoosetorestrictRegeditfromrunningsilently,thatvalueissetto2.Ifyou choosetorestrictonlytheRegistryEditorUItool,thevalueissetto1.
Managed Settings, Unmanaged Settings, and Preferences
11/83
07/06/13
ThereisanuancetotheregistrypolicysettingsconfiguredbytheAdministrative Templatesnodethatisimportanttounderstandthedifferencebetweenmanaged andunmanagedpolicysettings. Amanagedpolicysettinghasthefollowingcharacteristics: Theuserinterface(UI)islocked,soausercannotchangethesetting.Managed policysettingsresultintheappropriateUIbeingdisabled.Forexample,ifyou configuretheScreensaverTimeoutpolicysetting,ausercannotchangethetimeout delay. Changesaremadeinoneoffourkeysintheregistryreservedformanagedpolicy

07/06/13
settings: HKLM\Software\Policies(computersettings) HKCU\Software\Policies(usersettings) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies(computersettings) HKCU\Software\Microsoft\Windows\CurrentVersion\Policies(usersettings) Thesekeysaresecuredsothatonlyadministratorscanmakeachange.Together withUIlockout,thismeansthatnonadministrativeuserswillreceivethechange specifiedbythepolicysettingandcannotmodifythesettingontheircomputer. ChangesmadebyaGroupPolicysettingandtheUIlockoutarereleasediftheuser orcomputerfallsoutofscopeoftheGPO.Forexample,ifyoudeleteaGPO, managedpolicysettingsthathadappliedtoauserwillbereleased.Thismeans that,generally,thesettingresetstoitspreviousstate. Additionally,theUIinterfaceforthesettingisenabled.
Theregistrypolicysettingsthathavebeendiscussedsofarandthatareencountered inthepracticesofthistopicareexamplesofmanagedpolicysettings.Amanaged policysettingeffectsaconfigurationchangewhenthesettingisappliedbyaGPO. WhentheuserorcomputerisnolongerwithinthescopeoftheGPO,the configurationisreleasedautomatically.

07/06/13
Incontrast,anunmanagedpolicysettingmakesachangethatispersistentinthe registry.IftheGPOnolongerapplies,thesettingremains.Thisisoftencalled "tattooing"theregistry,inotherwords,makingapermanentchange.Toreversethe effectofthepolicysetting,youmustdeployachangethatrevertstheconfiguration tothedesiredstate.Additionally,anunmanagedpolicysettingdoesnotlocktheUI forthatsetting. Bydefault,theGPMEhidesunmanagedpolicysettingstodiscourageyoufrom implementingaconfigurationthatisdifficulttorevert.However,youcanmakemany usefulchangeswithunmanagedpolicysettings,particularlyforcustomadministrative templatestomanageconfigurationforapplications. Tocontrolwhichpolicysettingsarevisible,rightclickAdministrativeTemplates andclickFilterOptions,andthenselectfromtheManageddropdownlist. Laterinthismodule,youwillworkwithGroupPolicyPreferences.Whenachangeis madebyapreference,thechangeisnotforced,butratherrecommended.
Central Store
14/83
07/06/13
Aswaspreviouslystated,.ADMfilesarestoredaspartoftheGPOitselfintheGPT. WhenyoueditaGPOthatusesadministrativetemplatesinthe.ADMformat,the GPMEloadsthe.ADMfromtheGPTtoproducetheuserinterface.When .ADMX/.ADMLfilesareusedasadministrativetemplates,theGPOcontainsonlythe datathattheclientneedsforprocessingGroupPolicy,andwhenyouedittheGPO, theGPMEpullsthe.ADMXand.ADMLfilesfromthelocalworkstation. Thisworkswellforsmallerorganizations,butforcomplexenvironmentsthatinclude customadministrativetemplatesorthatrequiremorecentralizedcontrol,Windows Server2008introducesCentralStore.CentralStoreisasinglefolderinSYSVOLthat holdsallthe.ADMXand.ADMLfilesthatarerequired.AfteryouhavesetupCentral Store,theGPMErecognizesitandloadsalladministrativetemplatesfromCentral
07/06/13
Storeinsteadoffromthelocalmachine. Tocreateacentralstore: 1. CreateafoldercalledPolicyDefinitionsinthe\\FQDN\SYSVOL\FQDN\Policies path. Forexample,thecentralstoreforthecontoso.comdomainwouldbe.
\ \ c o n t o s o . c o m \ S Y S V O L \ c o n t o s o . c o m \ P o l i c i e s \ P o l i c y D e f i n i t i o n s
Ifyoulogontoadomaincontroller,locallyorbyusingRemoteDesktop,thelocal pathtothePolicyDefinitionsfolderis.
% S y s t e m R o o t % \ S Y S V O L \ d o m a i n \ P o l i c i e s \ P o l i c y D e f i n i t i o n s
2.
Copyall.ADMXfilesfromthe%SystemRoot%\PolicyDefinitionsfolderofa WindowsServer2008systemtothenewSYSVOLPolicyDefinitionsfolder.
3.
Copythe.ADMLfilesfromtheappropriatelanguagespecificsubfolderof %SystemRoot%\PolicyDefinitionsintothelanguagespecificsubfolderofthe
16/83
07/06/13
newSYSVOLPolicyDefinitionsfolder. Forexample,English(UnitedStates).ADMLfilesarelocatedin %SystemRoot%\PolicyDefinitions\enus.Copytheminto \\FQDN\SYSVOL\FQDN\Policies\PolicyDefinitions\enus. 4. Ifadditionallanguagesarerequired,copythefolderthatcontainsthe.ADML filestoCentralStore.
Whenyouhavecopiedall.ADMXand.ADMLfiles,thePolicyDefinitionsfolderonthe domaincontrollershouldcontainthe.ADMXfilesandoneormorefolderscontaining languagespecific.ADMLfiles. NoteYoucanusetheCentralStoreinamixedenvironmentwithclientsand serversrunningoperatingsystemsearlierthanWindowsVistaandWindows Server2008.However,youmustuseaWindowsVista,WindowsServer2008, orlatertomanageGroupPolicy.Thatis,youradministrativeworkstationmust berunningaversionofWindowsthatisableto
workwiththeCentralStore.TheGPOsyoucreatecanbeappliedtopreviousversions ofWindows.
Demonstration: Work with Settings and GPOs

07/06/13
GroupPolicyeditingtoolsinWindowsServer2008R2provideseveralnew functionalitiesthateaseconfigurationandmanagementofGPOs.Inthis demonstration,wewillreviewtheseoptions.
Filter Administrative Template Policy Settings

AweaknessoftheGroupPolicyeditingtoolsinpreviousversionsofWindowsisthe inabilitytosearchforaspecificpolicysetting.Withthousandsofpoliciestochoose from,itcanbedifficulttolocateexactlythesettingyouwanttoconfigure.Thenew GPMEinWindowsServer2008solvesthisproblemforAdministrativeTemplate settingsyoucannowcreatefilterstolocatespecificpolicysettings.
18/83
07/06/13
Tocreateafilter: 1. 2. RightclickAdministrativeTemplatesandclickFilterOptions. Tolocateaspecificpolicy,selecttheEnablekeywordfilterscheckbox,enter thewordswithwhichtofilterandselectthefieldswithinwhichtosearch.The screenshothereshowsanexampleofasearchforpolicysettingsrelatedtothe screensaver.
19/83
07/06/13
InthetopsectionoftheFilterOptionsdialogboxshown,youcanfiltertheviewto showonlypolicysettingsthatareconfigured.Thiscanhelpyoulocateandmodify settingsthatarealreadyspecifiedintheGPO. YoucanalsofilterforGroupPolicysettingsthatapplytospecificversionsof

07/06/13
Windows,InternetExplorer,andotherWindowscomponents. Unfortunately,thefilteronlyappliestosettingsintheAdministrativeTemplates nodes.
Comments
Youcanalsosearchandfilterbasedonpolicysettingcomments.WindowsServer 2008enablesyoutoaddcommentstopolicysettingsintheAdministrativeTemplates node.Todoso,doubleclickapolicysettingandclicktheCommenttab. Itisabestpracticetoaddcommentstoconfiguredpolicysettingstodocumentthe justificationforasettinganditsintendedeffect.Youshouldalsoaddcommentsto theGPOitself.WindowsServer2008enablesyoutoattachcommentstoaGPO.In theGPME,rightclicktherootnodeintheconsoletree,clickProperties,andthen clicktheCommenttab.
Starter GPOs
AnothernewGroupPolicyfeatureinWindowsServer2008isstarterGPOs.Astarter GPOcontainsAdministrativeTemplatesettings.YoucancreateanewGPOfroma starterGPO,inwhichcasethenewGPOisprepopulatedwithacopyofthesettingsin thestarterGPO.AstarterGPOis,ineffect,atemplate.WhenyoucreateanewGPO, youcanstillchoosetobeginwithablankGPO,oryoucanselectoneofthe preexistingstarterGPOsoracustomstarterGPO.
07/06/13
AfteryouhavecreatedaGPOfromastarterGPO,thereisnolinktothestarterGPO. ChangestothestarterGPOdonotaffecttheGPOsthatwerepreviouslycreatedfrom thestarterGPO.
Other Ways to Copy GPO Settings

StarterGPOscancontainonlyAdministrativeTemplatespolicysettings.Therearetwo otherwaystocopysettingsfromoneGPOintoanothernewGPO. YoucancopyandpasteentireGPOsintheGroupPolicyObjectscontainerofthe GPMCsothatyouhaveanewGPOwithallsettingsofthesourceGPO. TotransfersettingsbetweenGPOsindifferentdomainsorforests,rightclicka GPOandclickBackUp.Inthetargetdomain,createanewGPO,rightclickit,and clickImportSettings.Youwillbeabletoimportthesettingsofthebackedup GPO.
Lab A: Manage Administrative Templates and Central Store
22/83
07/06/13
Lab Setup
Forthislab,youwillusetheavailablevirtualmachineenvironment.Beforeyoubegin thelab,youmustcompletethefollowingsteps: 1. Onthehostcomputer,clickStart,pointtoAdministrativeTools,andthen clickHyperVManager. 2. InHyperVManager,click6425CNYCDC1,andintheActionspane,click Start. 3. IntheActionspane,clickConnect.Waituntilthevirtualmachinestarts.
23/83
07/06/13
4.
Logonbyusingthefollowingcredentials: Username:Pat.Coleman Password:Pa$$w0rd Domain:Contoso
Lab Scenario
YouwererecentlyhiredasthedomainadministratorforContoso,Ltd,replacingthe previousadministrator,whoretired.Youarenotcertainwhatpolicysettingshave beenconfigured,soyoudecidetolocateanddocumentGPOsandpolicysettings. Youalsodiscoverthatthecompanyhasnotleveragedeitherthefunctionalityorthe manageabilityofadministrativetemplates.
Exercise 1: Manage Administrative Templates

AdministrativetemplatesprovidetheinstructionswithwhichtheGPME createsauserinterfacetoconfigureAdministrativeTemplatespolicy settingsandspecifytheregistrychangesthatmustbemadebasedonthose policysettings.Inthisexercise,youwillexamineandmanage administrativetemplates.Youwillalsocreateacentralstoreof administrativetemplatestocentralizethemanagementoftemplates.
07/06/13
Themaintasksforthisexerciseareasfollows: 1. 2. 3. 4. Explorethesyntaxofanadministrativetemplate. Manageclassicadministrativetemplates(.ADMfiles). Manage.ADMXand.ADMLfiles. Createthecentralstore.
Task 1: Explore the syntax of an administrative template.
1.
OnNYCDC1,clickStart,clickRun,type %SystemRoot%\PolicyDefinitions,andpressEnter.The PolicyDefinitionsfolderopens.
2. 3. 4.
OpentheenUSfolderorthefolderforyourregionandlanguage. DoubleclickControlPanelDisplay.adml. SelecttheSelectaprogramfromalistofinstalledprogramsoptionand clickOK.
5. 6.
SelectNotepadandclickOK. ClicktheFormatmenuandselectWordwrap.
25/83
07/06/13
7.
SearchforthetextScreenSaverIsSecure. ThisisadefinitionofastringvariablecalledScreenSaverIsSecure.
8. 9.
Notethetextbetweenthe<string>and</string>tags. Notethenameofthevariableonthefollowingline, ScreenSaverIsSecure_Help,andthetextbetweenthe<string>and </string>tags.
10. Closethefile. 11. GotothePolicyDefinitionsfolder. 12. DoubleclickControlPanelDisplay.admx. 13. ChoosetheSelectaprogramfromalistofinstalledprogramsoptionand clickOK. 14. SelectNotepadandclickOK. 15. Searchforthetext,ScreenSaverIsSecure. 16. Examinethecodeinthefile,alsoshownbelow:
< p o l i c yn a m e = " S c r e e n S a v e r I s S e c u r e "c l a s s = " U s e r " d i s p l a y N a m e = " $ ( s t r i n g . S c r e e n S a v e r I s S e c u r e ) " e x p l a i n T e x t = " $ ( s t r i n g . S c r e e n S a v e r I s S e c u r e _ H e l p ) " k e y = " S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ W i n d o w s \ C o n t r o l
07/06/13
P a n e l \ D e s k t o p "v a l u e N a m e = " S c r e e n S a v e r I s S e c u r e " > < p a r e n t C a t e g o r yr e f = " P e r s o n a l i z a t i o n "/ >< s u p p o r t e d O n r e f = " w i n d o w s : S U P P O R T E D _ W i n 2 k S P 1 "/ >< e n a b l e d V a l u e > < s t r i n g > 1 < / s t r i n g >< / e n a b l e d V a l u e >< d i s a b l e d V a l u e > < s t r i n g > 0 < / s t r i n g >< / d i s a b l e d V a l u e >< / p o l i c y >
17. Identifythepartsofthetemplatethatdefinethefollowing: ThenameofthepolicysettingthatappearsintheGPME Theexplanatorytextforthepolicysetting Theregistrykeyandvalueaffectedbythepolicysetting Thedataputintotheregistryifthepolicyisenabled Thedataputintotheregistryifthepolicyisdisabled 18. Closethefile,andthencloseWindowsExplorer.
Task 2: Manage classic administrative templates (.ADM files).
1.
OnNYCDC1,openGroupPolicyManagementconsoleas Pat.Coleman_Admin
27/83
07/06/13
2. 3. 4.
RightclickDefaultDomainPolicyobjectandselectEdit ExpandUserConfiguration\Policies\AdministrativeTemplatesfolder, Addtheoffice12.admtemplatefromD:\Labfiles\Lab07b\Office2007 AdministrativeTemplates. Classicadministrativetemplates(.ADMfiles)areprovidedprimarilyfor enterprisesthatdonotmanageGroupPolicywithWindowsVistaorWindows Server2008orneweroperatingsystems. YoushoulduseacomputerrunningthemostrecentversionofWindowsto manageGroupPolicy.Bydoingso,youwillbeabletoviewandmodifyall availablepolicysettings,includingthosethatapplytopreviousversionsof Windows.IfyouhaveatleastonecomputerrunningWindowsVista,Windows Server2008,orlater,youshouldusethatcomputertomanageGroupPolicy, andthenyouwillnotneedclassicadministrativetemplates(.ADMfiles)when .ADMX/.ADMLfilesareavailable. NotethatthetemplateformataffectsonlythemanagementofGroupPolicy. SettingswillapplytoversionsofWindowsasdescribedintheSupportedonor Requirementssectionofthepolicysettingproperties.
5. 6.
Examinethesettingsinthisadministrativetemplate. Removethetemplate.
28/83
07/06/13
Task 3: Manage .ADMX and .ADML files.
1.
Copyall.ADMXfilesandtheenussubfolder(ortheappropriatesubfolderfor yourlanguageandregion)fromD:\Labfiles\Lab07b\Office2007 AdministrativeTemplatesto%SystemRoot%\PolicyDefinitions.When youpastethefiles,youwillbepromptedforadministrativecredentials.Usethe usernamePat.Coleman_AdminandthepasswordPa$$w0rd.
2.
CloseandthenreopentheGPMEfor6425C.Intheconsoletree,expandUser Configuration\Policies\AdministrativeTemplates.Notetheadditionof MicrosoftOffice2007policysettingfolders.
Task 4: Create the central store.
1.
IntheGPME,selecttheAdministrativeTemplatesnodeunderUser Configuration\Policiesandnotetheheadinginthedetailspanereports: Policydefinitions(ADMXfiles)retrievedfromthelocalmachine.
2. 3.
ClosetheGPME. Copyall.ADMXfilesfrom%systemroot%\PolicyDefinitionsto \\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions.
4.
Copyall.ADMLfilesfrom%systemroot%\PolicyDefinitions\enus(orthe appropriatefolderforyourlanguageandregion)to
29/83
07/06/13
\\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions\enus (ortheappropriatefolderforyourlanguageandregion). 5. Editthe6425CGPOand,intheGPME,selecttheAdministrativeTemplates nodeunderUserConfiguration\Policies,andnotetheheadinginthedetails panereports:Policydefinitions(ADMXfiles)retrievedfromthecentral store.
Results:Inthisexercise,youcreatedacentralstoreofadministrativetemplates andaddedtheMicrosoftOffice2007templates.
NoteDonotshutdownthevirtualmachinesafteryoufinishthislabbecause thesettingsyouhaveconfiguredherewillbeusedinsubsequentlabs.
Lab Review Questions Question:Describetherelationshipbetweenadministrativetemplatefiles(both .ADMXand.ADMLfiles)andtheGPME. Question:Whendoesanenterprisegetacentralstore?Whatbenefitsdoesit provide? Question:WhataretheadvantagesofmanagingGroupPolicyfromaclient

07/06/13
runningthe latestversionofWindows?Dothesettingsyoumanageapplytotheprevious versionsofWindows?
Lesson 2: Configure Group Policy Preferences
InthepreviousversionsofWindowsServer,manycommonsettings,suchasmapped drives,thataffecttheuserandcomputerenvironmentcouldnotbedeliveredthrough ordinaryGroupPolicysettings.Thesesettingswereusuallydeliveredthroughlogon

07/06/13
scriptsorimagingsolutions.WindowsServer2008andWindowsServer2008R2 includethenewbuiltinfeaturecalledGroupPolicyPreferencesintheGPMC.Group PolicyPreferencesenableITprofessionalstoconfigure,deploy,andmanagemany commonoperatingsystemandapplicationsettingsthattheywerenotabletomanage byusingGroupPolicy.
Objectives
Aftercompletingthislesson,youwillbeableto: DescribeGroupPolicyPreferences. DescribethedifferencesbetweenGroupPolicysettingsandGroupPolicy Preferences. ConfigureanddeployGroupPolicyPreferences.
What Are Group Policy Preferences?
32/83
07/06/13
GroupPolicyPreferencesareanewfeatureintheWindowsServer2008andWindows Server2008R2operatingsystems,andtheyincludemorethan20newGroupPolicy extensionsthatexpandtherangeofconfigurablesettingswithinaGPO.Incontrast topolicysettings,youallowtheuserstochangepreferencesafteryouvedeployed theGroupPolicyPreferences.
Benefits of Group Policy Preferences

GroupPolicypreferencesprovidethefollowingbenefits: Reducestheneedforlogonscripts.Althoughpreferencesmightnoteliminatethe needforlogonscripts,itsignificantlyreducestheirneed.Themostcommontasks
07/06/13
performedbylogonscriptsareinstallingprinters,mappingnetworkdrives, configuringregistrysettings,andcopyingfilesandfolders.Youcanaccomplish thesetasksbyusingpreferences. Limitsconfigurationerrors.Configurationerrorsduringandafterdeploymentare oftenthereasonforsupportcallsandescalationsthatleadtohigherdeployment costs.GroupPolicypreferencessignificantlyhelpreducethesecosts. Minimizesimagemaintenance.UsingGroupPolicypreferences,youcansignificantly reducethetimeandcostofmaintainingdiskimages.Insteadofupdatingimages toreflectconfigurationchanges,youcandeployagenericimageandupdateGroup Policypreferences.
Deploying Group Policy Preferences

GroupPolicypreferencesdonotrequireyoutoinstallanyservicesonservers.By default,WindowsServer2008includesGroupPolicyPreferencesaspartoftheGPME. GroupPolicyPreferencescanbedeployedinaWindowsServer2003environmentby installingRemoteServerAdministrationTools(RSAT)onacomputerrunning WindowsVistaSP1orWindows7. AlthoughyoudonothavetoinstallanyservicestocreateGPOsthatcontainGroup PolicyPreferences,youmustdeploytheGroupPolicyPreferencesCSEtoanyclient computertowhichyouwanttodeploypreferences.TheCSEisavailableasaseparate downloadfromMicrosoft.ItsupportsthefollowingWindowsversions:
07/06/13
WindowsXPSP2 WindowsVista WindowsServer2003SP1 WindowsServer2008andWindowsServer2008R2alreadyincludestheCSE. Windows7
YoumustusethenewversionoftheGPMEtoconfigurepreferences.Thisnew versionispartoftheRSATthatcanbeinstalledonWindowsServer2008,Windows Vista,andneweroperatingsystems.
Features of Group Policy Preferences

Preferencessupportanumberoffeaturesthatsettingsdonot.MostGroupPolicy Preferencesextensionssupportthefollowingactionsforeachpreferenceitem: Create.Createanewitemonthetargetedcomputer. Delete.Removeanexistingitemfromthetargetedcomputer. Replace.Deleteandrecreateanitemonthetargetedcomputer.Theresultisthat GroupPolicypreferencesreplaceallexistingsettingsandfilesassociatedwiththe preferenceitem.
07/06/13
Update.Modifyanexistingitemonthetargetedcomputer.
EveryGroupPolicyPreferenceitemhasaCommontabthatyoucanusetoconfigure additionaloptionsthatcontrolthebehavioroftheitem.Thefollowingtabledescribes thesettings.
Option
Stopprocessing itemsinthis extensionifan erroroccurs Runinloggedon user'ssecurity context
Description
Bydefault,errorsdonotpreventGroupPolicyPreferencesfromprocessingthe remainingpreferenceitemsinthesameextension.Ifyouwantpreferencestostop processingadditionalitemsifanerroroccurs,enablethisoption.
Bydefault,GroupPolicypreferencesprocesspreferenceitemsbyusingthelocalSystem account.Asaresult,theseitemscanonlyaccesssystemenvironmentvariablesand localresources.Toaccessuserenvironmentvariablesandnetworkresources,including networkdrives,youmustenablethisoptiontoprocesstheitembyusingthelogged onusersaccount.
Removethisitem whenitisno longerapplied Applyonceanddo notreapply
Unlikepolicysettings,GroupPolicydoesnotremovepreferenceswhentheGPOis removedfromtheuserorthecomputer.Choosingthisoptionchangesthedefault behavior:whentheGPOisremovedfromtheuserorthecomputer. GroupPolicyrefreshespreferenceitemsduringtheregularrefreshinterval,bydefault. Asaresult,GroupPolicyrestorespreferenceitems,eventhoughuserscanchangethe settingstheycreate.
Itemlevel
Targetingdeterminestowhichusersandcomputersapreferenceitemapplies.Enable
36/83
07/06/13
targeting
thisoption,andthenclicktheTargetingbuttontoconfiguretargetingitems forthepreferenceitem.
Targeting Control
ItemleveltargetingdeterminestheusersandcomputerstowhichGroupPolicy appliesindividualpreferenceitemswithinaGPO.Youcantargetdifferentpreference itemswithinasingleGPOatcomputersbasedondifferentcriteria.Youcanuselogical operatorstojoincriteria.Forexample,youcanapplyapreferenceifthecomputer matchesaspecificIPAddressrangeandoperatingsystemversion.
Differences Between Group Policy Preferences and Settings
37/83
07/06/13
Thekeydifferencebetweenpreferencesandpolicysettingsisenforcement.Group Policystrictlyenforcespolicysettings.Organizationstypicallydeploytwotypesof settings,managedandunmanaged.Managedsettingsarepolicysettingsthatyou enforce.Unmanagedsettingsarepreferences.Incontrasttopolicysettings,youallow userstochangepreferencesafteryouhavedeployedthem. Thefollowingtabledescribesthedifferencesbetweenpoliciesandpreferences.
Preferences
Preferencesarenotenforced.
Policies
Settingsareenforced.
38/83
07/06/13
Userinterfaceisnotdisabled. Importindividualregistrysettingsor entireregistrybranchesfromalocalora remotecomputer. NotavailableinlocalGroupPolicy. SupportsnonGroupPolicyaware applications. Originalsettingsareoverwritten. Removingthepreferenceitemdoesnot restoretheoriginalsetting. Targetingisgranularwithauser interfaceforeachtypeoftargetingitem. Supportstargetingattheindividual preferenceitemlevel.
Userinterfaceisdisabled. Cannotcreatepolicysettingstomanagefiles,folders,andsoon.
AvailableinlocalGroupPolicy. RequiresGroupPolicyawareapplications.
Originalsettingsarenotchanged. Removingthepolicysettingrestorestheoriginalsettings.
FilteringisbasedonWindowsManagementInstrumentation (WMI)andrequireswritingWMIqueries. SupportsfilteringataGPOlevel.
WhenchoosingwhethertodeployanitembyusingGroupPolicysettingsor preferences,themostimportantfactoryoumustconsideriswhetheryouwantto enforcethesetting.Toconfigureasettingwithoutenforcingit,usepreferences.The nextfactortoconsideriswhethertheapplicationorfeatureisGroupPolicyaware.To enforceitemsforwhichnopolicysettingisavailable,youcandeploythemas preferenceitemsandthendisabletheApplyOnceAndDoNotReapplyoptionin theconfigurationofthesetting.
39/83
07/06/13
Demonstration: Configure Group Policy Preferences
Inthisdemonstration,yourinstructorwillshowyouhowtoconfiguresomeGroup PolicyPreferences.
Demonstration Steps
AddashortcuttoNotepadforNYCCL1. AddafoldernamedReportstoallcomputersrunningWindowsServer2008R2.
40/83
07/06/13
Lab B: Manage Group Policy Preferences
Lab Setup
Forthislab,youwillusetheavailablevirtualmachineenvironment.Beforeyoubegin thelab,youmustcompletethefollowingsteps: 1. Onthehostcomputer,clickStart,pointtoAdministrativeTools,andthen clickHyperVManager. 2. InHyperVManager,click6425CNYCDC1,andintheActionspane,click Start.
07/06/13
3. 4.
IntheActionspane,clickConnect.Waituntilthevirtualmachinestarts. Logonbyusingthefollowingcredentials: Username:Pat.Coleman Password:Pa$$w0rd Domain:Contoso
Lab Scenario
YouwererecentlyhiredasthedomainadministratorforContoso,Ltd.Tosimplify GroupPolicymanagement,whichincludeseliminatingtheneedforlogonscriptsto mapdrives,youneedtodeployseveralGroupPolicyPreferencessettingsthatwill allowformoreflexibilityforcorporateusers.
Exercise 1: Configure Group Policy Preferences

Themaintasksforthisexerciseare: 1. 2. AddashortcuttoNotepadonthedesktopofNYCDC1. CreateanewfoldernamedReportsontheC:driveofallcomputersrunning WindowsServer2008.
07/06/13
3.
Configuredrivemapping.
Task 1: Add a shortcut to Notepad on the desktop of NYC-DC1.
1.
On6425CNYCDC1,intheGroupPolicyManagementwindow,configurethe DefaultDomainPolicyGPOwiththefollowingsettings: UnderComputerConfiguration,Preferences,WindowsSettings,right clickShortcuts,pointtoNew,andthenclickShortcut. IntheNewShortcutPropertiesdialogbox,createashortcutfor Notepad.exeintheAllUsersDesktoplocation. OntheCommontab,configureitemleveltargetingforthecomputerNYC DC1.
2.
LeavetheGroupPolicyManagementEditorwindowopenforthenexttask.
Task 2: Create a new folder named Reports on drive C of all computers running Windows Server 2008. 1. IntheGroupPolicyManagementEditorwindow,underWindowsSettings, rightclickFolders,pointtoNew,andthenclickFolder.
43/83
07/06/13
2. 3.
IntheNewFolderPropertiesdialogbox,createtheC:\Reportsfolder. OntheCommontab,configureitemleveltargetingfortheWindowsServer 2008R2operatingsystem.
4.
LeavetheGroupPolicyManagementEditorwindowopenforthenexttask.
Task 3: Configure drive mapping.
1.
IntheGroupPolicyManagementEditorwindow,underUserConfiguration, Preferences,WindowsSettings,DriveMaps,rightclickDriveMaps,point toNew,andthenclickMappedDrive.
2.
CreateanewmappeddrivelabeledDatafor\\NYCDC1\Databyusingthe driveletterPandselecttheReconnectoption.
Exercise 2: Verify Group Policy Preferences Application

Themaintasksforthisexerciseare: 1. Verifythatthepreferenceshavebeenapplied.
Task 1: Verify that the preferences have been applied

07/06/13
1. 2. 3.
OnNYCDC1,logoff,andthenlogonagainasContoso\Pat.Coleman. VerifythatdrivePismappedtotheDatashareonNYCDC1. VerifythattheC:\Reportsfolderexists.
NoteItmaytakeafewmomentsforthisfoldertoappear.
NoteDonotshutdownthevirtualmachinesafteryouarefinishwiththis labbecausethesettingsyouhaveconfiguredherewillbeusedinthe subsequentlabs.
Result:Inthisexercise,youconfiguredandtestedGroupPolicyPreferencesand verifiedtheirapplication.
Lab Review Questions Question:Whatisthealternatemethodofprovidingdrivemappingtousers, insteadof
45/83
07/06/13
usingPreferences? Question:IfyouapplyaGroupPolicypreferencessetting,canyouchangethis settingon theclientside?
Lesson 3: Manage Software with GPSI
Youmightbeawareofseveraltoolsthatcanbeusedtodeploysoftwarewithinan
07/06/13
organization,includingMicrosoftSystemCenterConfigurationManagerandits predecessorMicrosoftSystemsManagementServer(SMS).Althoughthesetools providegreatbenefits,includingfeaturestometersoftwareuseandinventory systems,youcaneffectivelydeploymostsoftwarewithoutthesetoolsbyusingonly GroupPolicysoftwareinstallation(GPSI).
Objectives
Aftercompletingthislesson,youwillbeableto: DeploysoftwarebyusingGPSI. Describesoftwaredeploymentoptions. RemovesoftwareoriginallyinstalledwithGPSI.
Understand GPSI
47/83
07/06/13
GPSIisusedtocreateamanagedsoftwareenvironmentthathasthefollowing characteristics: 1. Usershaveaccesstotheapplicationstheyneedtodotheirjobs,nomatter whichcomputertheylogonto. 2. Computershavetherequiredapplications,withoutinterventionfromatechnical supportrepresentative. 3. Applicationscanbeupdated,maintained,orremovedtomeettheneedsofthe organization.
48/83
07/06/13
Thesoftwareinstallationextensionisoneofthemanyclientsideextensions(CSEs) thatsupportchangeandconfigurationmanagementbyusingGroupPolicy.CSEs werediscussedinModule6.Theextensionenablesyoutomanagecentrallytheinitial deployment,theupgrades,andtheremovalofsoftware.Allconfigurationofthe softwaredeploymentismanagedwithinaGPObyusingproceduresdetailedlaterin thislesson.
Windows Installer Packages

GPSIusestheWindowsInstallerservicetoinstall,maintain,andremovesoftware. TheWindowsInstallerservicemanagessoftwarebyusinginformationcontainedin theapplicationsWindowsInstallerpackage.TheWindowsInstallerpackageisina filewithan.msiextensionthatdescribestheinstalledstateoftheapplication.The packagecontainsexplicitinstructionsregardingtheinstallationandremovalofan application.YoucancustomizeWindowsInstallerpackagesbyusingoneofthe followingtypesoffiles: Transform(.mst)files.Thesefilesprovideameansforcustomizingtheinstallation ofanapplication.Someapplicationsprovidewizardsortemplatesthatpermita usertocreatetransforms.Forexample,Adobeprovidesanenterprisedeployment toolforAdobeAcrobatReaderthatgeneratesatransform.Manyenterprisesuse thetransformtoconfigureagreementwiththeenduserlicenseagreementandto disablecertainfeaturesoftheapplication,suchasautomaticupdatesthatinvolve accesstotheInternet.
07/06/13
Update(.msp)files.Thesefilesareusedtoupdateanexisting.msifileforsecurity updates,bugfixes,andservicepacks.An.mspfileprovidesinstructionsabout applyingtheupdatedfilesandregistrykeysinthesoftwarepatch,servicepack,or softwareupdate.Forexample,updatestoMicrosoftOffice2003andlaterare providedas.mspfiles.
NoteYoucannotdeploy.mstor.mspfilesalone.Theymustbeappliedto anexistingWindowsInstallerpackage.
GPSIcanmakelimiteduseofnonMSIapplicationfiles(.zapfile),alsoknownas downlevelapplicationpackages,thatspecifythelocationofthesoftware distributionpoint(SDP)andthesetupcommand.Seeknowledgebasearticle 231747athttp://go.microsoft.com/fwlink/?LinkID=214197fordetails. Mostorganizationsdonotuse.zapfiles,becausetheinstallationoftheapplication requirestheusertohaveadministrativeprivilegesonthesystem.WhenGPSI installsanapplicationbyusingaWindowsInstallerpackage,theuserdoesnot requireadministrativeprivileges,allowingforamoresecureenterprise.
NoteGPSIcanfullymanageapplicationsonlyiftheapplicationsare deployedbyusingWindowsInstallerpackages.Othertools,including ConfigurationManagerandSMS,canmanageapplicationsthatuseother deploymentmechanisms.
50/83
07/06/13
The.msifile,transforms,andotherfilesrequiredtoinstallanapplicationarestored inasharedsoftwaredistributionpoint(SDP).
Software Deployment Options
Youcandeploysoftwarebyassigningapplicationstousersorcomputersorby publishingapplicationsforusers.Youassignrequiredormandatorysoftwaretousers ortocomputers.Youpublishsoftwarethatusersmightfindusefulinperformingtheir jobs.
Assigning Applications
07/06/13
Whenyouassignanapplicationtoauser,theapplicationslocalregistrysettings, includingfilenameextensions,areupdatedanditsshortcutsarecreatedontheStart menuordesktop,advertisingtheavailabilityoftheapplication.Theapplication advertisementfollowstheuser,regardlessofwhichphysicalcomputertheuserlogs onto.Thisapplicationisinstalledthefirsttimetheuseractivatestheapplicationon thecomputer,eitherbyselectingtheapplicationontheStartmenuorbyopeninga documentassociatedwiththeapplication.Whenyouassignanapplicationtothe computer,theapplicationisinstalledduringthecomputersstartupprocess.
Publishing Applications
Whenyoupublishanapplicationtousers,theapplicationdoesnotappearasifitis installedontheuserscomputers.NoshortcutsarevisibleonthedesktoporStart menu.Instead,theapplicationappearsasanavailableapplicationfortheuserto installusingAddOrRemoveProgramsinControlPanelonaWindowsXPsystemor inprogramsandfeaturesonaWindowsServer2008,WindowsVista,orWindows7 system.Additionally,theapplicationcanbeinstalledwhenauseropensafiletype associatedwiththeapplication.Forexample,ifAcrobatReaderisadvertisedtousers, itwillbeinstalledifauseropensafilewitha.pdfextension. Giventhatapplicationscanbeeitherassignedorpublishedandtargetedtousersor computers,youcanestablishaworkablecombinationtomeetyoursoftware managementgoals.Thefollowingtabledetailsthedifferentsoftwaredeployment options.
07/06/13
Software Deployment Options

Publish (User Only)
Afterdeployment oftheGPO,the softwareis availablefor installation: Typically,the userinstallsthe softwarefrom: AddOrRemove Programsin ControlPanel (WindowsXP)or programsand features(Windows Server2008, WindowsVista, andWindows7). Ifthesoftwareis notinstalledand theuseropensa fileassociated withthe software,does thesoftware install? Yes(ifautoinstall isenabled). Yes. Doesnotapplythesoftwareisalready installed. Startmenuor desktopshortcut. Anapplicationcan alsobeconfigured toinstall automaticallyat logon. Thesoftwareisinstalledautomaticallywhen thecomputerstarts. Thenexttimea userlogson.
Assign (User)
Thenexttimea userlogson.
Assign(Computer)
Thenexttimethecomputerstarts.
53/83
07/06/13
Cantheuser removethe softwarebyusing ControlPanel?
Yes,andtheuser canchooseto installitagain fromControl Panel.
Yes,andthe softwareisavailable forinstallation againfromthe Startmenu shortcutsorfile associations.
No.Onlyalocaladministratorcanremove thesoftwareausercanrunarepaironthe software.
Supported installationfiles:
WindowsInstaller packages(.msi files),.zapfiles.
WindowsInstaller packages(.msi files).
WindowsInstallerpackages(.msifiles).
Demonstration: Create a Software Distribution Point
NowthatyouunderstandGPSIatahighlevel,youcanpreparetheSDP.TheSDPis
07/06/13
simplyasharedfolderfromwhichusersandcomputerscaninstallapplications.Create asharedfolderandaseparatefolderforeachapplication.Then,copythesoftware package,modifications,andallothernecessaryfilestotheapplicationfolders.Set appropriatepermissionsonthefoldersthatallowusersorcomputersRead&Execute permissiontheminimumpermissionrequiredtosuccessfullyinstallanapplication fromtheSDP.TheadministratorsoftheSDPmustbeabletochangeanddeletefiles tomaintaintheSDPovertime.
Demonstration Steps
1. Start6425CNYCDC1andlogonasPat.Colemanwiththepassword, Pa$$w0rd. 2. 3. 4. Start6425CNYCSVR1,butdonotlogon. SwitchtoNYCDC1. RunActiveDirectoryUsersandComputerswithadministrativecredentials. UsetheaccountPat.Coleman_AdminwiththepasswordPa$$w0rd. 5. Intheconsoletree,expandthecontoso.comdomainandtheGroupsOU,and thenclicktheApplicationOU. 6. 7. 8. RightclicktheApplicationOU,pointtoNew,andthenclickGroup. TypeAPP_XMLNotepad,andthenpressEnter. Intheconsoletree,expandthecontoso.comdomainandtheServersOU,and
55/83
07/06/13
thenclicktheFileOU. 9. Inthedetailspane,rightclickNYCSVR1,andthenclickManage. TheComputerManagementconsoleopens,focusedonNYCSVR1. 10. Intheconsoletree,expandSystemToolsandSharedFolders,andthenclick Shares. 11. RightclickShares,andthenclickNewShare.TheCreateaSharedFolder Wizardappears. 12. ClickNext. 13. IntheFolderPathbox,typeC:\Software,andthenclickNext. Amessageappearsaskingifyouwanttocreatethefolder. 14. ClickYes. 15. AcceptthedefaultSharename,Software,andthenclickNext. 16. ClickCustomizepermissions,andthenclickCustom. 17. ClickSecurity. 18. ClickAdvanced. TheAdvancedSecuritySettingsdialogboxappears. 19. ClickChangePermissions.
07/06/13
20. CleartheIncludeinheritablepermissionsfromthisobject'sparent option. AdialogboxappearsaskingifyouwanttoAddorRemoveinherited permissions. 21. ClickAdd. 22. SelectthefirstpermissionassignedtotheUsersgroup,andthenclickRemove. 23. SelecttheremainingpermissionassignedtotheUsersgroup,andthenclick Remove. 24. SelectthepermissionassignedtoCreatorOwner,andthenclickRemove. 25. ClickOKtwotimestoclosetheAdvancedSecuritySettingsdialogboxes. 26. IntheCustomizePermissionsdialogbox,clicktheSharePermissionstab. 27. SelecttheFullControlcheckbox. Thesecuritymanagementbestpracticeistoconfigureleastprivilegepermissions intheACLoftheresource,whichwillapplytousers,regardlessofhowusers connecttotheresource,atwhichpointyoucanusetheFullControlpermission ontheSMBsharedfolder.Theresultantaccesslevelwillbethemorerestrictive permissionsdefinedintheACLofthefolder. 28. ClickOK.
57/83
07/06/13
29. ClickFinish. 30. ClickFinishtoclosethewizard. 31. ClickStart,clickRun,type\\NYCSVR1\c$,andthenpressEnter. TheConnecttoNYCSVR1dialogboxappears. 32. IntheUsernamebox,typeCONTOSO\Pat.Coleman_Admin. 33. InthePasswordbox,typePa$$w0rd,andthenpressEnter. AWindowsExplorerwindowopens,focusedontherootofthedriveConNYC SVR1. 34. OpentheSoftwarefolder. 35. ClickNewfolder. Anewfolderiscreatedandisin"renamemode." 36. TypeXMLNotepad,andthenpressEnter. 37. RightclicktheXMLNotepadfolder,andthenclickProperties. 38. ClickSecurity. 39. ClickEdit. 40. ClickAdd.TheSelectUsers,Computers,ServiceAccounts,orGroups dialogboxappears.
07/06/13
41. TypeAPP_XMLNotepad,andthenpressEnter. Thegroupisgiventhedefault,Read&Executepermission. 42. ClickOKtwicetocloseallopendialogboxes. 43. OpentheXMLNotepadfolder. 44. OpentheD:\Labfiles\Lab07cfolderinanewwindow. 45. RightclickXMLNotepad.msi,andthenclickCopy. 46. SwitchtotheWindowsExplorerwindow,displaying\\NYC SVR1\c$\Software\XMLNotepad. 47. Rightclickintheemptydetailspane,andthenclickPaste. XMLNotepadiscopiedintothefolderonNYCSVR1. 48. CloseallopenWindowsExplorerwindows. 49. ClosetheComputerManagementconsole.
Create and Scope a Software Deployment GPO
59/83
07/06/13
TocreateasoftwaredeploymentGPO,youmustperformthefollowingsteps: 1. UsetheGroupPolicyManagementconsoletocreateanewGPOorselectan existingGPO. 2. 3. EdittheGPObyusingtheGroupPolicyManagementEditor. ExpandtheconsolenodesComputerConfiguration\Policies\Software Settings\SoftwareInstallation.Alternatively,selecttheSoftware InstallationnodeintheUserConfigurationbranch. 4. RightclickSoftwareInstallation,chooseNew,andthenselectPackage.
60/83
07/06/13
5.
Browsetolocatethe.msifilefortheapplication.ClickOpen. TheDeploySoftwaredialogboxappears,showninthefollowingscreenshot:
6.
SelectPublished,Assigned,orAdvanced. Youcannotpublishanapplicationtocomputers,sotheoptionwillnotbe availableifyouarecreatingthepackageintheSoftwareInstallationnodein ComputerConfiguration. TheAdvancedoptionenablesyoutospecifywhethertheapplicationispublished orassignedandgivesyoutheopportunitytoconfigureadvancedpropertiesof thesoftwarepackage.Therefore,selectAdvanced.Thepackagepropertiesdialog boxthenappears.Amongthemoreimportantpropertiesthatyoucanconfigure arethefollowingchoices: DeploymentType:OntheDeploymenttab,configurePublishedorAssigned.
61/83
07/06/13
DeploymentOptions:Basedontheselecteddeploymenttype,different choicesappearintheDeploymentOptionssection.Theseoptions,alongwith othersettingsontheDeploymenttab,managethebehavioroftheapplication installation. UninstallThisApplicationWhenItFallsOutOftheScopeOfManagement:If thisoptionisselected,theapplicationwillbeautomaticallyremovedwhenthe GPOnolongerappliestotheuserorcomputer. Upgrades:OntheUpgradestab,youcanspecifythesoftwarethatthis packagewillupgrade.UpgradesarediscussedintheMaintainSoftware DeployedwithGPSIsectionlaterinthislesson. Categories:TheCategoriestabenablesyoutoassociatethepackagewith oneormorecategories.Categoriesareusedwhenanapplicationispublished toauser.WhentheuseropenstheControlPaneltoinstallaprogram, applicationspublishedbyusingGPSIarepresentedingroupsbasedonthese categories. Tocreatecategoriesthatareavailabletoassociatewithpackages,rightclick SoftwareInstallationandclickProperties.Then,clicktheCategoriestab. Modifications:Ifyouhaveatransform(.mstfile)thatcustomizesthepackage, clicktheAddbuttontoassociatethetransformwiththepackage.Mosttabsin thepackagePropertiesdialogboxareavailableforyoutochangesettingsat anytime.However,theModificationstabisavailableonlywhenyoucreate thenewpackageandselecttheAdvancedoption.
07/06/13
Managing the Scope of a Software Deployment GPO

AfteryouhavecreatedasoftwaredeploymentGPO,youcanscopetheGPOto distributethesoftwaretoappropriatecomputersorusers.Inmanysoftware managementscenarios,applicationsshouldbeassignedtocomputersratherthanto users.Thisisbecausemostsoftwarelicensesallowanapplicationtobeinstalledon onecomputer,andiftheapplicationisassignedtoauser,theapplicationisinstalled oneachcomputertowhichtheuserlogson. YoucanscopeaGPObylinkingtheGPOtoanOUorbyfilteringtheGPOsothatit appliesonlytoaselectedglobalsecuritygroup.Manyorganizationshavefoundthatit iseasiesttomanagesoftwarebylinkinganapplicationsGPOtothedomainand filteringtheGPOwithaglobalsecuritygroupthatcontainstheusersandcomputers towhichtheapplicationshouldbedeployed.Forexample,aGPOthatdeploysthe XMLNotepadtool(availablefromtheMicrosoftdownloadssiteat http://go.microsoft.com/fwlink/?LinkID=214198)wouldbelinkedtothe domainandfilteredwithagroupcontainingdevelopersthatrequirethetool.The groupwouldhaveadescriptivenamethatindicatesitspurposetomanagethe deploymentofXMLNotepadsuchasAPP_XMLNotepad.
Maintain Software Deployed with GPSI
63/83
07/06/13
AfteracomputerhasinstalledanapplicationbyusingtheWindowsInstallerpackage specifiedbyaGPO,thecomputerwillnotattempttoreinstalltheapplicationateach GroupPolicyrefresh.Theremightbescenariosinwhichyouwanttoforcesystemsto reinstalltheapplication.Forexample,smallchangesmighthavebeenmadetothe originalWindowsInstallerpackage. ToredeployanapplicationdeployedwithGroupPolicy: RightclickthepackageintheGPO,clickAllTasks,andthenselectRedeploy Application.
64/83
07/06/13
YoucanalsoupgradeanapplicationthathasbeendeployedwithGPSI. 1. CreateapackageforthenewversionoftheapplicationintheSoftware InstallationnodeoftheGPO. ThepackagecanbeinthesameGPOasthepackageforthepreviousversionor inanydifferentGPO. 2. 3. RightclickthepackageandclickProperties. ClicktheUpgradestab,andthenclicktheAddbutton. TheAddUpgradePackagedialogboxappears.
4.
Selectwhetherthepackageforthepreviousversionoftheapplicationisinthe currentGPOorinanotherGPO.IfthepreviouspackageisinanotherGPO,click BrowsetoselectthatGPO.
65/83
07/06/13
5. 6.
Then,selectthepackagefromthePackagetoupgradelist. Basedonyourknowledgeoftheapplicationsupgradebehavior,chooseoneof theupgradeoptionsshownatthelowerpartofthedialogbox. Uninstalltheexistingpackage,andtheninstalltheupgradepackage Packagecanupgradeovertheexistingpackage
7.
ClickOK.
YoucanalsoremoveanapplicationthatwasdeployedwithGPSIbyperformingthe followingsteps: 1. 2. Rightclickthepackage,clickAllTasks,andthenselectRemove. IntheRemoveSoftwaredialogbox,chooseoneofthefollowingtwooptions: Immediatelyuninstallthesoftwarefromusersandcomputers.This option,knownasforcedremoval,causescomputerstoremovetheapplication. Thesoftwareinstallationextensionwillremoveanapplicationwhenthe computerrestartsiftheapplicationwasdeployedwithapackageinthe ComputerConfigurationportionoftheGPO.IfthepackageisintheUser Configurationportion,theapplicationisuninstalledthenexttimetheuserlogs on. AllowsUsersToContinueToUseTheSoftware,ButPreventsNew
07/06/13
Installations.Thissetting,knownasoptionalremoval,causesthesoftware installationextensiontoavoidaddingthepackagetosystemsthatdonotyet havethepackageinstalled.Computersthathadpreviouslyinstalledthe applicationdonotforciblyuninstalltheapplication,souserscancontinue usingit.
IfyouuseoneofthesetwooptionstoremovesoftwarebyusingGPSI,itis importantthatyouallowthesettingsintheGPOtopropagatetoallcomputerswithin thescopeoftheGPObeforeyoudelete,disable,orunlinktheGPO.Clientsneedto receivethissetting,whichspecifiesforcedoroptionalremoval.IftheGPOisdeleted ornolongerappliedbeforeallclientshavereceivedthissetting,thesoftwareisnot removedaccordingtoyourinstructions.Thisisparticularlyimportantinenvironments withmobileusersonlaptopcomputersthatmightnotconnecttothenetworkona regularbasis. If,whencreatingthesoftwarepackage,youchosetheUninstallthisapplication whenitfallsoutofthescopeofmanagementoption,youcansimplydelete, disable,orunlinktheGPO,andtheapplicationwillbeforciblyremovedbyallclients thathaveinstalledthepackagewiththatsetting.
GPSI and Slow Links
67/83
07/06/13
WhenaclientperformsaGroupPolicyrefresh,itteststheperformanceofthe networktodeterminewhetheritisconnectedbyusingaslowlinkdefinedbydefault as500kilobitspersecond(kbps).Eachclientsideextensionisconfiguredtoprocess GroupPolicyortoskiptheapplicationofsettingsonaslowlink.Bydefault,GPSI doesnotprocessGroupPolicysettingsoveraslowlinkbecausetheinstallationof softwareoveraslowlinkcouldcausesignificantdelays. Youcanchangetheslowlinkpolicyprocessingbehaviorofeachclientsideextension byusingpolicysettingslocatedinComputerConfiguration\Policies \AdministrativeTemplates\System\GroupPolicy.Forexample,youcouldmodifythe

07/06/13
behaviorofthesoftwareinstallationextensionsothatitdoesprocesspoliciesovera slowlink. Youcanalsochangetheconnectionspeedthresholdthatconstitutesaslowlink.By configuringalowthresholdfortheconnectionspeed,youcanconvincetheclientside extensionsthataconnectionisnotaslowlink,evenifitactuallyis.Thereare separateGroupPolicySlowLinkDetectionpolicysettingsforcomputerpolicy processinganduserpolicyprocessing.ThepoliciesareintheAdministrative Templates\System\GroupPolicyfoldersinComputerConfigurationandUser Configuration.
Lab C: Manage Software with GPSI
69/83
07/06/13
Lab Setup
Forthislab,youwillusethesamevirtualmachineenvironmentusedinpreviouslabs. Ifrequired,youmustcompletethefollowingsteps: 1. Onthehostcomputer,clickStart,pointtoAdministrativeTools,andthen clickHyperVManager. 2. InHyperVManager,click6425CNYCDC1,andintheActionspane,click Start. 3. IntheActionspane,clickConnect.Waituntilthevirtualmachinestarts.
70/83
07/06/13
4.
Logonbyusingthefollowingcredentials: Username:Pat.Coleman Password:Pa$$w0rd Domain:Contoso
5.
Repeatsteps2and3for6425CNYCSVR1.Donotlogontothemachineuntil directedtodoso.
Lab Scenario
YouareanadministratoratContoso,Ltd.YourdevelopersrequireXMLNotepadto editXMLfiles,andyouwanttoautomatethedeploymentandlifecyclemanagement oftheapplication.YoudecidetouseGroupPolicySoftwareInstallation.Most applicationsarelicensedpercomputer,soyouwilldeployXMLNotepadtothe developers'computers,ratherthanassociatingtheapplicationwiththeiruser accounts.
Exercise 1: Deploy Software with GPSI

Inthisexercise,youwilluseGPSItodeployXMLNotepadtocomputers, includingNYCCL1. Themaintasksforthisexerciseareasfollows:
07/06/13
1. 2. 3. 4.
Createasoftwaredistributionfolder. CreateasoftwaredeploymentGPO. Deploysoftwaretocomputers. Confirmthesuccessfuldeploymentofsoftware.
Task 1: Create a software distribution folder.
1.
OnNYCDC1,runActiveDirectoryUsersandComputersasan administrator,withtheusernamePat.Coleman_Adminandthepassword Pa$$w0rd.
2.
IntheGroups\ApplicationOU,createanewglobalsecuritygroupnamed APP_XMLNotepad.
3. 4.
IntheServers\FileOU,rightclickNYCSVR1,andthenclickManage. UsetheSharedFolderssnapintocreateanewsharedfolder,C:\Software, withasharenameofSoftware.ConfiguretheNTFSpermissionsasdescribed below: System:Allow:FullControl Administrators:Allow:FullControl
72/83
07/06/13
Then,configuretheSharepermissionsuchthattheEveryonegroupisallowedFull Control.
Securitymanagementbestpracticeistoconfigureleastprivilegepermissionsinthe ACLoftheresource,whichwillapplytousers,regardlessofhowusersconnecttothe resource,atwhichpointyoucanusetheFullControlpermissionontheSMBshared folder.Theresultantaccesslevelwillbethemorerestrictivepermissionsdefinedin theACLofthefolder.
5.
OpentheadministrativesharefordriveConNYCSVR1(\\NYCSVR1\c$)as Pat.Coleman_AdminwiththepasswordPa$$w0rd.
6.
InsidetheSoftwarefolderonNYCSVR1,createafoldercalledXML Notepad.
7.
AddpermissiontotheXMLNotepadfoldersothattheAPP_XMLNotepad groupisallowedRead&Executepermission.
8.
CopyXMLNotepad.msifromD:\Labfiles\Lab07cto\\NYC SVR1\c$\Software\XMLNotepad.
9.
CloseanyopenWindowsExplorerwindows.
10. ClosetheComputerManagementconsole.
73/83
07/06/13
Task 2: Create a software deployment GPO.
1.
RunGroupPolicyManagementasanadministrator,withtheusername Pat.Coleman_AdminandthepasswordPa$$w0rd.
2.
IntheGroupPolicyObjectscontainer,createanewGPOcalledXML Notepad.EditthatGPO.
3.
ExpandComputerConfiguration,Policies,SoftwareSettings,andthen clickSoftwareInstallation.
4. 5.
RightclickSoftwareInstallation,pointtoNew,andthenclickPackage. IntheFilenametextbox,typethenetworkpathtothesoftwaredistribution folder,\\NYCSVR1\software\XMLNotepad,andthenpressEnter.
6.
SelecttheWindowsInstallerpackage,XmlNotepad.msiandthenclickOpen. Afterafewmoments,theDeploySoftwaredialogboxappears.
7. 8.
ClickAdvanced,andthenclickOK. OntheGeneraltab,notethatthenameofthepackageincludestheversion, XMLNotepad2007.
9.
ClicktheDeploymenttab. Notethatwhendeployingsoftwaretocomputers,Assignedistheonlyoption. Examinetheoptionsthatwouldbeavailableifyouwereassigningorpublishing
74/83
07/06/13
theapplicationtousers. 10. SelectUninstallThisApplicationWhenItFallsOutOfTheScopeOf Management. 11. ClickOK. 12. ClosetheGroupPolicyManagementEditor. 13. ScopetheGPOtoapplyonlytomembersofAPP_XMLNotepad,andnotto AuthenticatedUsers. 14. LinktheGPOtotheClientComputersOU.
Task 3: Deploy software to computers.
1. 2.
AddNYCCL1totheAPP_XMLNotepadgroup. Start6425CNYCCL1,butdonotlogon.
Task 4: Confirm the successful deployment of software.
1. 2.
LogontoNYCCL1asPat.ColemanwiththepasswordPa$$w0rd. ConfirmthatXMLNotepadinstalledsuccessfully.
75/83
07/06/13
NoteWhenverifyingthedeploymentofthexmlnotepad,anditmay taketwostartupstobesuccessful,ifyoudonotseeNotepadinstalled, restartthevirtualmachine.Youmayneedtodothisacoupleoftimes.
Results:Inthisexercise,youdeployedXMLNotepadtoNYCCL1.
Exercise 2: Upgrade Applications with GPSI

Inthisexercise,youwillsimulatedeployinganupgradedversionofXML Notepad. Themaintaskforthisexerciseisasfollows: CreateanupgradepackagebyusingGPSI.
Task 1: Create an upgrade package by using GPSI.
1. 2.
SwitchtoNYCDC1. IntheGroupPolicyManagementconsoletree,rightclicktheXMLNotepad
76/83
07/06/13
GPOintheGroupPolicyObjectscontainer,andthenclickEdit. TheGroupPolicyManagementEditoropens. 3. Intheconsoletree,expandComputerConfiguration,Policies,Software Settings,andthenclickSoftwareInstallation. 4. 5. RightclickSoftwareInstallation,pointtoNew,andthenclickPackage. IntheFilenametextbox,typethenetworkpathtothesoftwaredistribution folder,\\NYCSVR1\software\XMLNotepad,andthenpressEnter. ThisexercisewillusetheexistingXmlNotepad.msifileasifitisanupdated versionofXMLNotepad. 6. SelecttheWindowsInstallerpackage,XmlNotepad.msi,andthenclickOpen. TheDeploySoftwaredialogboxappears. 7. 8. ClickAdvanced,andthenclickOK. OntheGeneraltab,changethenameofthepackagetosuggestthatitisthe nextversionoftheapplication.TypeXMLNotepad2011. 9. ClicktheDeploymenttab.Becauseyouaredeployingtheapplicationto computers,Assignedistheonlydeploymenttypeoption. 10. ClickUpgrades. 11. ClickAdd.
07/06/13
12. ClicktheCurrentGroupPolicyObject(GPO)option. 13. InthePackagetoupgradelist,selectthepackageforthesimulatedearlier version,XMLNotepad2007. 14. SelecttheUninstalltheexistingpackageandthenselecttheninstallthe upgradepackageoption. 15. ClickOK. 16. ClickOK. Ifthiswereanactualupgrade,thenewpackagewouldupgradetheprevious versionoftheapplicationasclientsappliedtheXMLNotepadGPO.Becausethis isonlyasimulationofanupgrade,youcanremovethesimulatedupgrade package. 17. RightclickXMLNotepad2011,whichyoujustcreatedtosimulateanupgrade, pointtoAllTasks,andthenselectRemove. 18. IntheRemoveSoftwaredialogbox,clickImmediatelyuninstallthe softwarefromusersandcomputers,andthenclickOK.
Results:Inthisexercise,yousimulatedanupgradeofXMLNotepadbyusing GPSI.
78/83
07/06/13
To prepare for the next module
Whenyoufinishthelab,revertthevirtualmachinestotheirinitialstate.Todothis, completethefollowingsteps:
1. 2.
Onthehostcomputer,startHyperVManager. Rightclick6425CNYCDC1intheVirtualMachineslist,andthenclick Revert.
3. 4.
IntheRevertVirtualMachinedialogbox,clickRevert. Repeatthesestepsfor6425CNYCCL1.
Lab Review Questions Question:ConsidertheNTFSpermissionsyouappliedtotheSoftwareandXML Notepad foldersonNYCSVR1.Explainwhytheseleastprivilegepermissionsarepreferredto the
defaultpermissions.
07/06/13
Question:ConsiderthemethodsusedtoscopethedeploymentofXML Notepad:Assigning theapplicationtocomputers,filteringtheGPOtoapplytotheAPP_XMLNotepad group
thatcontainsonlycomputers,andlinkingtheGPOtotheClientComputersOU.Why isthisapproachadvantageousfordeployingmostsoftware?Whatwouldbethe disadvantageofscopingsoftwaredeploymenttousersratherthantocomputers?
Module Review and Takeaways
80/83
07/06/13
Review Questions
1. 2. WhatisthebenefitofhavingCentralStore? WhatisthemaindifferencebetweenGroupPolicySettingsandGroupPolicy Preferences? 3. WhatisthedifferencebetweenpublishingandassigningsoftwarethroughGPSI?
Common Issues Related to Group Policy Management

Issue Troubleshootingtip
81/83
07/06/13
GroupPolicyPreferencesarenot beingapplied. GroupPolicySoftwareinstallation doesnotworkforsomeusers
Real-World Issues and Scenarios

Youhaveanumberoflogonscriptsthatmapnetworkdrivesforusers.Notallusers needthesedrivemappings,soyoumustensurethatonlytherightusersgetthe mappings.Youwanttomoveawayfromusingthesescripts.
Best Practices Related to Group Policy Management

MakecommentsonGPOsettings UseCentralStoreforAdministrativetemplateswhenhavingclientswithWindows VistaandWindows7 UseGroupPolicypreferencestoconfiguresettingsnotavailableinGroupPolicyset ofsettings UseGroupPolicySoftwareInstallationtodeploypackagesin.msiformattoalarge numberofusersorcomputers.
Tools
07/06/13
Tool
Grouppolicyreporting RSoP
Usefor
Reportinginformationaboutthe currentpoliciesbeingdelivered toclients.
Wheretofindit
GroupPolicyManagementConsole
GPResult
Acommandlineutilitythat displaysRSoPinformation.
Commandlineutility
GPUpdate
RefreshinglocalandADDS basedGroupPolicysettings.
Commandlineutility
Dcgpofix
RestoringthedefaultGroup Policyobjectstotheiroriginal stateafterinitialinstallation.
Commandlineutility
GPOLogView
ExportingGroupPolicyrelated eventsfromthesystemand operationallogsintotext,HTML, orXMLfiles.Forusewith WindowsVistaandlater versions.
Commandlineutility
83/83

Module 7 - Managing User Desktop With Group Policy

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Module 7 - Managing User Desktop With Group Policy

Uploaded by

Copyright:

Available Formats

07/06/13

Module 7: Managing User Desktop with Group Policy

Module 7: Managing User Desktop with Group Policy

Module 7: Managing User Desktop with Group Policy

Aftercompletingthismodule,youwillbeableto: DescribeAdministrativetemplates. UnderstandandconfigureGroupPolicypreferences. DeploysoftwarebyusingGroupPolicy.

Lesson 1: Implement Administrative Templates

Module 7: Managing User Desktop with Group Policy

systemanduserexperience.TherearetwosetsofAdministrativeTemplates:onefor usersandoneforcomputers.UsingtheadministrativetemplatesectionsoftheGPO, youcandeployhundredsofmodificationstotheregistry.

What Are Administrative Templates?

Module 7: Managing User Desktop with Group Policy

Anadministrativetemplateisatextfilethatspecifiestheregistrychangetobemade andthatgeneratestheuserinterfacetoconfiguretheAdministrativeTemplatespolicy settingsintheGPME.Thescreenshothereshowsthepropertiesdialogboxforthe PreventAccessToRegistryEditingToolspolicysetting.

Module 7: Managing User Desktop with Group Policy

Module 7: Managing User Desktop with Group Policy

Module 7: Managing User Desktop with Group Policy

Module 7: Managing User Desktop with Group Policy

Copythe.ADMLfileintothelanguageandregionspecificsubfolder,suchasenus, of%SystemRoot%\PolicyDefinitionsonyourclientorinthecentralstore.Thecentral storewillbediscussedinthenexttopic.

No Need to Take Sides

Migrate Classic Administrative Templates to .ADMX

How Administrative Templates Work

Module 7: Managing User Desktop with Group Policy

Module 7: Managing User Desktop with Group Policy

Managed Settings, Unmanaged Settings, and Preferences

Module 7: Managing User Desktop with Group Policy

Module 7: Managing User Desktop with Group Policy

Module 7: Managing User Desktop with Group Policy

Module 7: Managing User Desktop with Group Policy

Module 7: Managing User Desktop with Group Policy

Storeinsteadoffromthelocalmachine. Tocreateacentralstore: 1. CreateafoldercalledPolicyDefinitionsinthe\\FQDN\SYSVOL\FQDN\Policies path. Forexample,thecentralstoreforthecontoso.comdomainwouldbe.

Module 7: Managing User Desktop with Group Policy

newSYSVOLPolicyDefinitionsfolder. Forexample,English(UnitedStates).ADMLfilesarelocatedin %SystemRoot%\PolicyDefinitions\enus.Copytheminto \\FQDN\SYSVOL\FQDN\Policies\PolicyDefinitions\enus. 4. Ifadditionallanguagesarerequired,copythefolderthatcontainsthe.ADML filestoCentralStore.

Demonstration: Work with Settings and GPOs

Module 7: Managing User Desktop with Group Policy

GroupPolicyeditingtoolsinWindowsServer2008R2provideseveralnew functionalitiesthateaseconfigurationandmanagementofGPOs.Inthis demonstration,wewillreviewtheseoptions.

Filter Administrative Template Policy Settings

Module 7: Managing User Desktop with Group Policy

Tocreateafilter: 1. 2. RightclickAdministrativeTemplatesandclickFilterOptions. Tolocateaspecificpolicy,selecttheEnablekeywordfilterscheckbox,enter thewordswithwhichtofilterandselectthefieldswithinwhichtosearch.The screenshothereshowsanexampleofasearchforpolicysettingsrelatedtothe screensaver.

Module 7: Managing User Desktop with Group Policy

InthetopsectionoftheFilterOptionsdialogboxshown,youcanfiltertheviewto showonlypolicysettingsthatareconfigured.Thiscanhelpyoulocateandmodify settingsthatarealreadyspecifiedintheGPO. YoucanalsofilterforGroupPolicysettingsthatapplytospecificversionsof

Module 7: Managing User Desktop with Group Policy

Windows,InternetExplorer,andotherWindowscomponents. Unfortunately,thefilteronlyappliestosettingsintheAdministrativeTemplates nodes.

Module 7: Managing User Desktop with Group Policy

AfteryouhavecreatedaGPOfromastarterGPO,thereisnolinktothestarterGPO. ChangestothestarterGPOdonotaffecttheGPOsthatwerepreviouslycreatedfrom thestarterGPO.

Other Ways to Copy GPO Settings

Lab A: Manage Administrative Templates and Central Store

Module 7: Managing User Desktop with Group Policy

Module 7: Managing User Desktop with Group Policy

Logonbyusingthefollowingcredentials: Username:Pat.Coleman Password:Pa$$w0rd Domain:Contoso

Exercise 1: Manage Administrative Templates

Module 7: Managing User Desktop with Group Policy

Themaintasksforthisexerciseareasfollows: 1. 2. 3. 4. Explorethesyntaxofanadministrativetemplate. Manageclassicadministrativetemplates(.ADMfiles). Manage.ADMXand.ADMLfiles. Createthecentralstore.

Task 1: Explore the syntax of an administrative template.

OnNYCDC1,clickStart,clickRun,type %SystemRoot%\PolicyDefinitions,andpressEnter.The PolicyDefinitionsfolderopens.

OpentheenUSfolderorthefolderforyourregionandlanguage. DoubleclickControlPanelDisplay.adml. SelecttheSelectaprogramfromalistofinstalledprogramsoptionand clickOK.

Module 7: Managing User Desktop with Group Policy

Notethetextbetweenthe<string>and</string>tags. Notethenameofthevariableonthefollowingline, ScreenSaverIsSecure_Help,andthetextbetweenthe<string>and </string>tags.

Module 7: Managing User Desktop with Group Policy

Task 2: Manage classic administrative templates (.ADM files).

Module 7: Managing User Desktop with Group Policy

Module 7: Managing User Desktop with Group Policy

Task 3: Manage .ADMX and .ADML files.

CloseandthenreopentheGPMEfor6425C.Intheconsoletree,expandUser Configuration\Policies\AdministrativeTemplates.Notetheadditionof MicrosoftOffice2007policysettingfolders.

Task 4: Create the central store.