Module 7

Configure User and Computer

Environments By Using Group Policy

Module Overview

• Configuring Group Policy Settings

• Configuring Scripts and Folder Redirection with Group Policy

• Configuring Administrative Templates

• Deploying Software Using Group Policy

• Configuring Group Policy Preferences

• Introduction to Group Policy Troubleshooting

• Troubleshooting Group Policy Application

• Troubleshooting Group Policy Settings

What Are Group Policy Scripts?

You can use scripts to perform many tasks, such as clearing page files or mapping drives, and clearing temp folders for users, etc.You can use scripts to perform many tasks, such as clearing page files or mapping drives, and clearing temp folders for users, etc.

Group Policy script settings can be used to assign:

• For computers

Startup scripts

Shutdown scripts

• For users

Logon scripts

Logoff scripts

What Is Folder Redirection?

Folder redirection allows folders to be located on a network server, but appear as if they are located on the local drive

Folder redirection allows folders to be located on a network server, but appear as if they are located on the local drive

The folders that can be redirected are:

• My Documents (Documents in Windows® Vista)

• Application Data (AppData in Windows Vista)

• Desktop

• Start Menu Extra folders that can be redirected in Windows Vista are:• Contacts

• Downloads

• Favorites

• Searches

• Links

Folder Redirection Configuration Options

AccountingUsers

AccountsN-Z

AccountsA-M

AccountingManagers

Anne

MistyPrivate

Private

• Use basic Folder Redirection when all users save their files to the same location

• With advanced Folder Redirection, the server hosting the folder location is based on group membership

• Target folder location options:

• Redirect to the users’ home directory

• Create a folder for each user under the root path

• Redirect to the following location

• Redirect to the local userprofile location

What Are Administrative Templates?

Administrative Templates sections for computers are:

• Windows components

• System

• Network

• Printers

Administrative Templates sections for users are:

• Windows components

• Start menu and taskbar

• Desktop

• Control panel

• Shared folders

• Network

• System

• Applications

Administrative Templates allow you to control both the environment of the operating system and user experience

Administrative Templates allow you to control both the environment of the operating system and user experience

Preparation

11

Options for Deploying and Managing Software Using Group Policy

Deployment

1.0

22

Maintenance

2.0

33

Removal

44

How Software Distribution Works

Windows Installer

Windows Installer serviceFully automates the software installation and configuration processModifies or repairs an existing application installation

Windows Installer serviceFully automates the software installation and configuration processModifies or repairs an existing application installation

Windows Installer package containsInformation about installing or uninstalling an applicationAn .msi file and any external source files Summary information about the application A reference to an installation point

Windows Installer package containsInformation about installing or uninstalling an applicationAn .msi file and any external source files Summary information about the application A reference to an installation point

Benefits of

Using

Windows

Installer

Custom installations Resilient applications

Clean removal

Custom installations Resilient applications

Clean removal

Software Distribution

Point

Software Distribution

Point

Options for Installing Software

Publish software using document

activation

Publish software using document

activation

?

Publish software using Add or

Remove Programs

Publish software using Add or

Remove Programs

Assign softwareduring Computer

Configuration

Assign softwareduring Computer

Configuration

Assign software during User

Configuration

Assign software during User

Configuration

Published packages:

Options for Modifying the Software Distribution

Options:

Software can be categorized in the Add Programs applet

Software deployment can be customized using MST files

File extensions can be associated with particular applications

Assigned packages:

Advertised in Active Directory and available for users to install with Add or Remove Programs in Control Panel

Application is installed automatically and will be automatically reinstalled if removed

Maintaining Software Using Group Policy

Mandatory upgrade

Users can use only the upgraded version

Optional upgrade

Users can decide when to upgrade

Selective upgrade

You can select specific users for an upgrade

2.0

1.02.0

2.0

1.0

Deploy next version of the

application

Deploy next version of the

application

2.0

What Are Group Policy Preferences?

Group Policy preferences expand the range of configurable settings within a GPO

Are not enforced

Enable IT professionals to configure, deploy, and manage operating system and application settings that were not manageable using Group Policy

Group Policy Preferences Features

Used to configure additional options that control the behavior of a Group Policy preference item

Targeting Features

Determines to which users and computers a preference item applies

Common Tab

Deploying Group Policy Preferences

Windows Server 2008 includes Group Policy preferences by default as part of the GPMC

Group Policy preferences Client side extension (CSE) must be deployed to any client computer to which you want to deploy preferences

Scenarios for Group Policy Troubleshooting

Common scenarios that require troubleshooting:

Policies are applied but settings are inconsistent

Polices not applied

Preparing to Troubleshoot Group Policy

Basic troubleshooting steps:

Check Event Viewer entries

Check that the domain controller is functioning and reachable: use diagnostic tools such as dcdiag, the set command, or Kerbtray

Ensure that DNS is functioning by using NSlookup

Perform basic checks to test network connectivity: use diagnostic tools such as netdiag or ping

Use Group Policy Results to see which polices are being applied

Tools for Troubleshooting Group Policy

Group Policy troubleshooting tools:

Group Policy reporting – RSoP GPResult Gpotool

• Gpupdate

• Dcgpofix

• GPOLogView

• Group Policy log files

• Group Policy Management Scripts

How Client Side Extension Processing Works

• Client side extensions are DLLs that process group policy settings

• Some CSEs do not process if a slow link is detected

• Some CSEs are always applied and cannot be turned off

List of client side extensions:

• Security settings

• Administrative Templates

• Software installation

• Scripts

• Folder redirection

• Internet Explorer maintenance

Troubleshooting Group Policy Inheritance

Sales

Production

Domain

No GPO settings

apply

No GPO settings

apply

GPOs

Blocked inheritance prevents high-level policies from applying to entire OU subtrees

Troubleshooting Group Policy Filtering

Sales

Production

Domain

Mengph

Kimyo

GroupApply Group Policy

Apply Group PolicyDeny

Read and Apply Group Policy

Read and Apply Group Policy

Allow

GPO

WMI filter

Group Policy filtering may affect only certain users or computers in OUs

GPTGPT

GPCGPC

Troubleshooting Group Policy Replication

• Group Policy objects consist of Group Policy templatesand Group Policy containers

• Group Policy Templates (GPT) and GPOs replicate using different mechanisms

• Replication issues can cause domain controllers to have inconsistent versions of Group Policy

• The GPOTool can check for policy consistency across all domain controllers

DC1 DC2GPO1

Version 3

GPO1

Version 2

AD DS Replication

File Replication ServiceGPTGPT

GPCGPC

Troubleshooting Group Policy Refresh

If the Group Policy is not refreshing as expected:

• Check refresh intervals for users and computers

• Verify that the user has logged off and on, or that the computer has been restarted

• Check if there are cached credentials, because they may delay the effect of Group Policy

• Check to see if the Loopback policy is enabled

Use GPUpdate to:

• Manually refresh updated Group Policy settings

• Force the refresh of all Group Policy settings

• Force a reboot or logoff, if required, to refresh the settings

Troubleshooting Administrative Template Policy Settings

When troubleshooting Administrative Templates, consider that:

Administrative Templates are either true polices or preferences

Settings that are preferences will tattoo the registry and remain in effect until they are specifically reversed

Settings that are true policies are reversed when the policy no longer applies

The operating system and service pack level determine if the computer can accept a policy setting

Troubleshooting Script Policy Settings

When troubleshooting script policy settings, consider the following:

Validate the script

Ensure that Group Policy is configured correctly

Ensure that users and computer have access to the script

Ensure that the script is replicating properly

Use the Group Policy tools to ensure that Group Policy is applied correctly