Administering Group Policy - PowerPoint PPT Presentation

Managing Software Using Group Policy. Managing Special Folders Using Group Policy ... A group policy is a collection of user and computer configuration settings that ... – PowerPoint PPT presentation

Slides: 125
Provided by: higheredM


Administering Group Policy
  • Group Policy Concepts
  • Group Policy Implementation Planning
  • Implementing Group Policy
  • Managing Software Using Group Policy
  • Managing Special Folders Using Group Policy
  • Troubleshooting Group Policy

Group Policy Concepts
  • What Is Group Policy?
  • Group Policy Objects
  • Delegating Control of Group Policy
  • The Group Policy Snap-In
  • Group Policy Settings
  • Computer and User Configuration Settings
  • The MMC Snap-In Model
  • Group Policy Snap-In Namespace
  • How Group Policy Affects Startup and Logon
  • How Group Policy Is Processed
  • Group Policy Inheritance
  • Using Security Groups to Filter Group Policy

What Is Group Policy?
  • A group policy is a collection of user and
    computer configuration settings that can be
    linked to computers, sites, domains, and OUs to
    specify the behavior of users' desktops.
  • Group policies can determine the programs that
    are available to users, the programs that appear
    on the users' desktops, and Start menu options.

Group Policy Objects
  • GPOs are used to create a specific desktop
    configuration for a particular group of users.
  • GPOs are collections of group policy settings.
  • Each Windows 2000 computer has one local GPO and
    is subject to any number of nonlocal Active
    Directory-based GPOs.
  • Local GPO settings can be overridden by nonlocal
    GPOs, so the local GPO is the least influential
    if the computer is in an Active Directory

Group Policy Objects (cont)
  • In a nonnetworked environment, the local GPO's
    settings are more important because they are not
    overwritten by nonlocal GPOs.
  • Nonlocal GPOs are linked to Active Directory
    objects and can be applied to either users or
  • To use nonlocal GPOs, a Microsoft Windows 2000
    domain controller must be installed.
  • Nonlocal GPOs are applied hierarchically from the
    least restrictive group (site) to the most
    restrictive group (OU) and are cumulative.

Delegating Control of Group Policy
  • Determine which administrative groups can
    administer GPOs by defining access permissions
    for each GPO.
  • Assign Read and Write permissions to a GPO for an
    administrative group to delegate control of the
    GPO to that group.

Group Policy Snap-In
Group Policy Snap-In Overview
  • The MMC snap-in is used to organize and manage
    the many group policy settings in each GPO.
  • Depending on the action to perform, the Group
    Policy snap-in can be opened in several ways.

Group Policy Settings
  • Contained in a GPO
  • Determine the user's desktop environment
  • Two types: computer configuration settings and
    user configuration settings

Computer Configuration Settings
  • Used to set group policies applied to computers,
    regardless of who logs on
  • Applied when the OS initializes
  • Include Software Settings, Windows Settings, and
    Administrative Templates

User Configuration Settings
  • Used to set group policies applied to users,
    regardless of which computer the user logs on to
  • Applied when users log on to the computer
  • Include Software Settings, Windows Settings, and
    Administrative Templates

Software Settings
Windows Settings
  • Two types of scripts: startup/shutdown and
  • Startup/shutdown scripts run at computer startup
    or shutdown.
  • Logon/logoff scripts run when a user logs on or
    off the computer.
  • When multiple scripts are assigned to a user or
    computer, Windows 2000 executes the scripts from
    top to bottom.
  • The order of execution for multiple scripts can
    be specified in the Properties dialog box.

Scripts (cont)
  • When a computer is shut down, Windows 2000 first
    processes logoff scripts, followed by shutdown
  • The default timeout value for processing scripts
    is 10 minutes.
  • A software policy can be used to adjust the
    timeout value if the logoff and shutdown scripts
    require more than 10 minutes to process.
  • Administrators can use any ActiveX scripting
    language they choose.
  • Scripting languages include VBScript, JScript,
    Perl, and MS-DOS style batch files.

Security Settings
  • Security Settings allows a security administrator
    to manually configure security levels assigned to
    a local or nonlocal GPO.
  • The configuration can be done after, or instead
    of, using a security template to set system

Additional User Configuration Group Policy
  • Internet Explorer Maintenance: Allows the
    administration and customization of IE on Windows
    2000 computers
  • Remote Installation Services: Used to control the
    behavior of remote OS installation; optionally,
    RIS can be used to provide customized packages
    for non-Windows 2000 clients of Active Directory
  • Folder Redirection: Allows for the redirection of
    Windows 2000 special folders from their default
    user profile location to an alternate location on
    the network, where they can be centrally managed

Administrative Templates
Administrative Templates Overview
  • More than 450 settings are available for
    configuring the user environment.
  • Computer configurations are saved in the registry
  • User configurations are saved in the registry in

Computer and User Configurations
  • Administrative Templates contains all
    registry-based group policy settings, including
    settings for Windows Components, System, and
  • Windows Components: Allows the administration of
    the Windows 2000 components, including
    NetMeeting, Internet Explorer, Windows Explorer,
    MMC, Task Scheduler, and Windows Installer.
  • System: Used to control logon and logoff
    functions and group policy itself.
  • Network: Allows the control of settings for
    Offline Files and Network and Dial-Up Connections.

Computer Configuration Only
  • Administrative Templates contain additional group
    policy settings for Printers.
  • System Settings contain Disk Quotas, and DNS
    Client and Windows File Protection.

User Configuration Only
  • Administrative Templates contains additional
    registry-based group policy settings.
  • Start Menu & Taskbar settings: Control a user's
    Start menu and taskbar
  • Desktop settings: Control the appearance of a
    user's desktop
  • Control Panel settings: Determine the Control
    Panel options available to a user

The MMC Snap-In Model
  • Nodes of the Group Policy snap-in are MMC snap-in
  • By default, all the available Group Policy
    snap-in extensions are loaded when the Group
    Policy snap-in is started.
  • The default behavior can be modified by using the
    MMC method of creating custom consoles and by
    using policy settings to control the behavior of
    MMC itself.
  • The Administrative Templates node is used to
    configure the policy settings.
  • Developers can create an MMC extension to the
    Group Policy snap-in to provide additional
  • Snap-in extensions may be extended.

Group Policy Snap-In Namespace
  • The root node of the Group Policy snap-in is
    displayed as the name of the GPO and the domain
    to which it belongs.
  • Format: GPO Name DomainName Policy.
  • Example: Default Domain Controllers Policy
    server1.microsoft.com Policy.

How Group Policy Affects Startup and Logon
  • The network starts, and RPCSS and MUP are
  • An ordered list of GPOs is obtained for the
  • Computer configurations settings are processed.
  • Startup scripts run.
  • The user presses Ctrl+Alt+Delete to log on.
  • After the user is validated, the user profile is
    loaded, governed by the group policy settings in
  • An ordered list of GPOs is obtained for the user.
  • User configuration settings are processed.
  • Logon scripts run.
  • The OS user interface prescribed by group policy

How Group Policy Is Processed
  • Local GPO
  • Each Windows 2000 computer has exactly one GPO
    stored locally.
  • Site GPOs
  • Any GPOs that have been linked to the site are
    processed next, synchronously; the administrator
    specifies the order of GPOs linked to a site.
  • Domain GPOs
  • Multiple domain-linked GPOs are processed
    synchronously; the administrator specifies the
    order of GPOs linked to a domain.
  • OU GPOs
  • GPOs linked to the OU highest in the Active
    Directory hierarchy are processed first, followed
    by GPOs linked to its child OU, and finally, the
    GPOs linked to the OU that contains the user or
    computer are processed.

Group Policy and Active Directory
Exceptions to the Processing Order
  • A computer that is a member of a workgroup
    processes only the local GPO.
  • No Override.
  • Block Policy Inheritance.
  • Loopback setting.
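
The processing order above, together with the No Override and Block Policy Inheritance exceptions, can be modelled in a few lines. The Python below is an added example, not part of the original presentation; it is a simplified model that leaves out loopback and security-group filtering, and every container, GPO and setting name in it is constructed for illustration. It assumes that Block Policy Inheritance stops only Active Directory-linked GPOs (not the local GPO) and that, when several No Override links set the same value, the one highest in the hierarchy wins.

```python
"""Model of GPO precedence: local -> site -> domain -> OU, with two exceptions."""
from dataclasses import dataclass, field


@dataclass
class Link:
    gpo: str                     # GPO display name
    settings: dict               # configured settings only; a missing key = Not Configured
    no_override: bool = False    # "No Override" set on this link


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # in the order the administrator set
    block_inheritance: bool = False            # "Block Policy Inheritance" on this container
    is_local: bool = False                     # True only for the computer's local GPO


def surviving_links(chain):
    """Drop inherited links that Block Policy Inheritance stops.

    chain runs from the local GPO down to the OU holding the user or computer.
    """
    blockers = [i for i, c in enumerate(chain) if c.block_inheritance]
    barrier = max(blockers) if blockers else 0
    kept = []
    for depth, container in enumerate(chain):
        for link in container.links:
            # Assumption of this model: the local GPO and No Override links
            # are never removed by a block set lower in the hierarchy.
            blocked = (depth < barrier
                       and not link.no_override
                       and not container.is_local)
            if not blocked:
                kept.append((depth, link))
    return kept


def resolve(chain):
    """Return {setting: (value, winning GPO)} for the object at the end of chain."""
    kept = surviving_links(chain)
    result = {}
    # Normal pass: a GPO processed later overwrites one processed earlier.
    for _, link in kept:
        for key, value in link.settings.items():
            result[key] = (value, link.gpo)
    # No Override pass: walk upward so the highest container writes last.
    for depth in range(len(chain) - 1, -1, -1):
        for d, link in kept:
            if d == depth and link.no_override:
                for key, value in link.settings.items():
                    result[key] = (value, link.gpo)
    return result


def build_chain(block_at_ou=False, workgroup=False):
    """Constructed sample hierarchy; all names and values are illustrative."""
    local = Container("Local", [Link("Local GPO", {"ScreenSaverTimeout": 600})],
                      is_local=True)
    if workgroup:
        return [local]  # a workgroup member processes only the local GPO
    site = Container("Site-HQ",
                     [Link("Site Proxy", {"ProxyServer": "proxy.example.test"})])
    domain = Container("example.test", [
        Link("Domain Baseline", {"RemoveRunMenu": True, "ScreenSaverTimeout": 900}),
        Link("Domain Security", {"DisableRegistryTools": True}, no_override=True),
    ])
    ou = Container("OU=Engineering", [
        Link("Eng Desktop", {"RemoveRunMenu": False, "DisableRegistryTools": False}),
    ], block_inheritance=block_at_ou)
    return [local, site, domain, ou]


if __name__ == "__main__":
    for label, chain in [("inherit", build_chain()),
                         ("blocked", build_chain(block_at_ou=True)),
                         ("workgroup", build_chain(workgroup=True))]:
        print(label)
        for setting, (value, gpo) in sorted(resolve(chain).items()):
            print(f"  {setting} = {value!r}  (from {gpo})")
```

In the blocked case the OU keeps its own desktop settings and loses the site and domain baseline, but the domain's No Override security setting still applies, which is the behaviour the central control design relies on.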

Group Policy Inheritance
  • Group policy is passed down from parent to child
  • If a separate group policy is assigned to a
    parent container, that group policy applies to
    all containers beneath the parent container,
    including the user and computer objects in the
  • If a group policy setting is specified for a
    child container, the child container's group
    policy setting overrides the setting inherited
    from the parent container.
  • If a parent OU has policy settings that are not
    configured, the child OU does not inherit them.

Group Policy Inheritance (cont)
  • Policy settings that are disabled are inherited
    as disabled.
  • If a policy is configured for a parent OU, but
    not for a child OU, the child inherits that
    parent's policy setting.
  • If a parent policy and a child policy are
    compatible, the child inherits the parent policy,
    and the child's setting is also applied.
  • Policies are inherited as long as they are
  • If a policy configured for a parent OU is
    incompatible with the same policy configured for
    a child OU, the child does not inherit the policy
    setting from the parent; the setting in the child
    is applied.

Using Security Groups to Filter Group Policy
  • Because more than one GPO can be linked to a
    site, domain, or OU, GPOs associated with other
    directory objects may need to be linked.
  • By setting the appropriate permissions for
    security groups, group policy can be filtered to
    influence only the computers and users specified.

Group Policy Implementation Planning
  • Designing GPOs by Setting Type
  • GPO Implementation Strategies
  • Layered vs. Monolithic GPO Design
  • Functional Roles vs. Team Design
  • OU Delegation with Central or Distributed Control

GPO Setting Types
Single Policy Type
  • Includes GPOs that deliver a single type of group
    policy setting.
  • The goal is to separate each type of group policy
    setting into a separate GPO.
  • Create a GPO for software management settings,
    user documents and settings, software policies,
    and so on.
  • Give Read/Write access only to the user or users
    who need to administer a GPO.
  • Best suited for organizations in which
    administrative responsibilities are delegated
    among several individuals.

Multiple Policy Type
  • Includes GPOs that deliver multiple types of
    group policy settings.
  • The goal is to include multiple types of group
    policy settings in a single GPO.
  • Best suited for organizations in which
    administrative responsibilities are centralized
    and an administrator may need to perform many or
    all types of group policy administration.

Dedicated Policy Type
  • Includes GPOs dedicated to either Computer
    Configuration or User Configuration group
  • The goal is to include all User Configuration
    group policy settings in one GPO and all Computer
    Configuration group policy settings in a separate
  • Increases the number of GPOs that must be
    processed at logon; lengthens logon time.
  • Aids in troubleshooting.

GPO Implementation Strategies
  • Planning an AD structure requires consideration
    of how group policy will be implemented for the
  • Delegation of authority, separation of
    administrative duties, central versus
    decentralized administration, and design
    flexibility are important factors.
  • Most organizations will combine several
    strategies to create custom solutions.

Layered vs. Monolithic Design
  • The goal is to include a specific policy setting
    in as few GPOs as possible.
  • Create a base GPO to be applied to the domain
    that contains policy settings for as many users
    and computers in the domain as possible.
  • Create additional GPOs tailored to the common
    requirements of each corporate group and apply
    them to the appropriate OUs.
  • When a change is required, GPOs have to be
    modified to enforce the change.
  • Administration is simplified at the expense of a
    longer logon time.
  • Best suited for environments in which different
    groups in the organization have common security
    concerns and changes to group policy are frequent.

  • The goal is to use very few GPOs for any given
    user or computer.
  • All the policy settings required for a given
    site, domain, or OU should be implemented within
    a single GPO.
  • If the site, domain, or OU has groups of users or
    computers with different policy requirements,
    consider subdividing the container into OUs and
    applying separate GPOs to each OU rather than to
    the parent.
  • Changes involve more administration than with the
    layered approach because the settings may need to
    be changed in multiple GPOs.
  • The logon time is shorter than it is with the
    layered approach.
  • Best suited for environments in which users and
    computers can be classified into a small number
    of groups for policy assignment.

Functional Roles vs. Team Design
Functional Roles vs. Team Design Overview
  • Active Directory's OU structure was designed to
    facilitate ease of administration and delegation
    of authority.
  • The OU structure may or may not represent the
    functional roles within the organization.
  • When designing group policy for an organization
    with a functional role OU structure, the group
    policy should be designed by delegating control
    to the OU levels.
  • If the OU architecture does not represent group
    organization, then OU delegation of control
    should be used, but groups should be used as a
    filtering mechanism for applying group policy.

Functional Roles Design
  • The goal is to use an OU structure that reflects
    the functional roles within the organization for
    applying group policy.
  • A minimum number of GPOs is used, with each
    tailored to a group's specific needs.
  • A GPO is created for each OU.
  • Network administrators can set ACL permissions
    for GPO administration either at the domain or OU
    administrator level.
  • Best suited for organizations designed according
    to functional roles: groups of users organized
    according to users' occupations.
  • Each functional role requires specific group

Team Design
  • The goal is to use groups as a filtering
    mechanism in applying group policy in an
    organization that uses the virtual team concept.
  • Individuals within the organization form teams to
    perform a task or project and each individual is
    a member of multiple teams.
  • Each team has specific group policy requirements.
  • Eliminates complexity by strategically applying
    the GPOs at only one location.
  • Allows administrators to centrally administer the
    GPOs and minimizes the GPO-to-OU assignments.
  • Best suited for organizations that need an
    efficient and flexible method of managing group
    policy in a dynamic environment with an OU
    architecture that does not reflect the team

Central vs. Distributed Control
OU Delegation Overview
  • Administration of OUs can be delegated.
  • OU administrators may need to block group
    policies that have been assigned to their OU at
    higher organizational levels.
  • Certain policies may need to be enforced, and OU
    administrators will not be allowed to block them.
  • Accomplished by using a central or distributed
    control design

Central Control Design
  • Offers delegated administration as well as
    centralized control.
  • Use the No Override option on OUs.
  • Create a GPO to include only security settings
    for a domain, and then set the No Override option
    so that all child OUs are affected by the
    security options specified at the domain level.
  • For all other types of policy, control of those
    GPOs could be delegated to the specific OU
  • Best suited for organizations that choose to
    delegate administration of OUs, but would like to
    enforce certain group policies throughout the

Distributed Control Design
  • Administrators of OUs are allowed to block group
    policies from being applied to their OU, but
    can't block group policies marked as No Override.
  • Create GPOs for each OU.
  • Set ACL permissions allowing OU administrators
    full control over GPOs.
  • Set the Block Policy Inheritance option for each
  • Best suited for organizations that choose to
    minimize the number of domains, but do not want
    to sacrifice autonomous administration of OUs.
  • Allows administrators to enforce certain group
    policies throughout the domain.

Implementing Group Policy
  • Implementing Group Policy
  • Creating a GPO
  • Creating a GPO Console
  • Delegating Administrative Control of a GPO
  • Specifying Group Policy Settings
  • Disabling Unused Group Policy Settings
  • Indicating GPO Processing Exceptions
  • Filtering GPO Scope
  • Linking a GPO
  • Modifying Group Policy
  • Removing a GPO Link
  • Deleting a GPO
  • Editing a GPO and GPO Settings
  • Practice Implementing a Group Policy

Delegating Administrative Control of a GPO
  • After a GPO is created, determine which groups of
    administrators have access permissions to the
    GPO.
  • The Default Domain Policy GPO cannot be deleted
    by any administrator, by default.
  • Prevents the accidental deletion of this GPO,
    which contains important required settings for
    the domain
  • If working with a GPO from a pre-built console,
    such as Active Directory Users and Computers, the
    Delegation Of Control Wizard is not available for
    use in delegating administrative control of a
    GPO; it only controls security of an object.

Default GPO Permissions
  • Authenticated Users: Read, Apply Group Policy,
    Special Permissions
  • CREATOR OWNER: Special Permissions
  • Domain Administrators: Read, Write, Create All
    Child Objects, Delete All Child Objects, Special
  • Enterprise Administrators: Read, Write, Create
    All Child Objects, Delete All Child Objects,
    Special Permissions
  • SYSTEM: Read, Write, Create All Child Objects,
    Delete All Child Objects, Special Permissions

Disabling Unused Group Policy Settings
  • If a GPO has only settings that are Not
    Configured, then it is possible to avoid
    processing those settings by disabling the node.
  • Disabling the node expedites startup and logon
    for those users and computers subject to the GPO.

Indicating GPO Processing Exceptions
  • GPOs are processed according to the Active
    Directory hierarchy.
  • The default order of processing group policy
    settings may be changed by several actions.

Modifying the Order of GPOs
Filtering GPO Scope
  • Policies in a GPO apply only to users who have
    Read permission for that GPO.
  • The scope of a GPO is filtered by creating
    security groups and then assigning Read
    permission to the selected groups.
  • A policy is prevented from applying to a specific
    group by denying that group Read permissions to
    the GPO.

Permissions for GPO Scopes
Linking a GPO
  • By default, a new GPO is linked to the site,
    domain, or OU that was selected in the MMC when
    it was created.
  • Settings apply to that site, domain, or OU.
  • The Group Policy tab for the site, domain, or OU
    properties is used to link a GPO to additional
    sites, domains, or OUs.

Add A Group Policy Object Link Dialog Box
Removing, Deleting, and Editing GPOs
  • Removing a GPO Link
  • Removing a GPO link unlinks the GPO from the
    specified site, domain, or OU.
  • The GPO remains in Active Directory until it is
  • Deleting a GPO
  • Deleting a GPO removes it from Active Directory.
  • Any sites, domains, or OUs to which a GPO is
    linked when it is deleted will no longer be
    affected by it.
  • Editing a GPO
  • The same procedures that are used for creating a
    GPO and for specifying group policy settings are
    used to edit a GPO or its settings.

Managing Software Using Group Policy
  • Software Management Tools
  • Assigning Applications
  • Publishing Applications
  • How Software Installation Works
  • Implementing Software Installation
  • Planning and Preparing a Software Installation
  • Setting Up an SDP
  • Specifying Software Installation Defaults
  • Deploying Software Applications
  • Setting Automatic Installation Options
  • Setting Up Application Categories
  • Setting Software Application Properties
  • Maintaining Software Applications

Managing Software Using Group Policy Overview
  • The Software Installation extension is a software
    management feature of Windows 2000 that is an
    administrator's primary tool for managing
    software within an organization.
  • Managing software using Software Installation
    provides users with immediate access to the
    software they need to perform their jobs, and
    ensures that users have an easy and consistent
    experience when working with software throughout
    its life cycle.
  • Users no longer need to look for a network share,
    use a CD-ROM, or install, fix, and upgrade
    software themselves.

Software Management Tools Overview
  • The Software Installation extension of the Group
    Policy snap-in: Used by administrators to manage
  • Windows Installer: Installs software packaged in
    Windows Installer files
  • Add/Remove Programs in Control Panel: Used by
    users to manage software on their own computers

The Software Installation Extension
  • Primary tool for managing software within an
  • Works in conjunction with group policy and Active
  • Centrally manages the installation of software on
    a client computer by assigning applications to
    users or computers or by publishing applications
    for users
  • Assigns required or mandatory software to users
    or to computers
  • Publishes software that users might find useful
    to perform their jobs

Application Assigned to User
  • The application is advertised to the user the
    next time he or she logs on to a workstation.
  • The application advertisement follows the user
    regardless of which physical computer he or she
    actually uses.
  • The application is installed the first time the
    user activates the application on the computer,
    either by selecting the application on the Start
    menu or by activating a document associated with
    the application.

Application Assigned to the Computer
  • The application is advertised and the
    installation is performed when it is safe to do
  • A safe time typically is when the computer
    starts up, so that no competing processes are on
    the computer.

Publishing Applications
  • When the application is published to users, the
    application does not appear installed on the
    users' computers.
  • No shortcuts are visible on the desktop or Start
  • No changes are made to the local registry on the
    users' computers.
  • Advertisement attributes are stored in Active
  • Information, such as the application's name and
    file associations, is exposed to the users in the
    Active Directory container.
  • After publication, the application is available
    for user installation by using Add/Remove
    Programs in Control Panel or by clicking a file
    associated with the application.

How Software Installation Works
  • The Software Installation extension uses Windows
    Installer technology to systematically maintain
  • Windows Installer is a service that allows the OS
    to manage the installation process.

Windows Installer's Three Key Parts
  • An OS service that performs the installation,
    modification, and removal of the software in
    accordance with the information in the Windows
  • A database containing information that describes
    the installed state of the application
  • An API that allows applications to interact with
    Windows Installer to install or remove additional
    features of the application after the initial
    installation is complete

Windows Installer Advantages
  • Enables users to take advantage of self-repairing
  • Notes when a program file is missing and
    immediately reinstalls the damaged or missing
    files, thereby fixing the application.
  • Makes modifications to customize the installation
    of a Windows Installer package at the time of
    assignment or publication; modifications are
    saved with the .mst file extension.

Windows Installer Package
  • The Windows Installer package is a file that
    contains explicit instructions on the
    installation and removal of specific
  • The developer provides the Windows Installer
    package .msi file and ships it with the
  • If a Windows Installer package is not provided
    with an application, it may need to be created or
    the application may need to be repackaged, using
    a third-party tool.

Deploying Software with Software Installation Is
Limited to Only If
  • Native Windows Installer package (.msi) files:
    Developed as a part of the application and take
    full advantage of the Windows Installer
  • Repackaged application (.msi) files: Allow
    applications that do not have a native Windows
    Installer package to be repackaged
  • An existing setup program (application .zap
    file): Installs an application by using its
    original SETUP.EXE program

Other Files Encountered During Software
  • Patch (.msp) files: Used for bug fixes, service
    packs, and similar files
  • Application assignment scripts (.aas files):
    Contain instructions associated with the
    assignment or publication of a package

Customizing Windows Installer Packages
  • Transforms can be used to customize Windows
    Installer applications.
  • Customization is provided by allowing the
    original package to be transformed using
    authoring and repackaging tools.
  • Some applications provide wizards or templates
    that permit a user to create modifications.

Tasks for Implementing Software Installation
  • Planning and preparing the software installation
  • Setting up a software distribution point
  • Specifying software installation defaults
  • Deploying software applications
  • Setting automatic installation options
  • Setting up application categories
  • Setting software application properties
  • Maintaining software applications

Planning and Preparing a Software Installation
  • Review the organization's software requirements
    on the basis of the overall organizational
    structure within Active Directory and available
  • Determine how to deploy the applications.
  • Create a pilot to test how software will be
    assigned or published to users or computers.
  • Prepare software using a format that allows the
    administrator to manage it based on what the
    organization requires.
  • Test all of the Windows Installer packages or
    repackaged software.

Planning and Preparing a Software Installation
Strategies and Considerations
  • Create OUs based on software management needs.
  • Deploy software close to the root in the Active
    Directory tree.
  • Deploy multiple applications with a single GPO.
  • Publish or assign one application only once in
    the same GPO or in a series of GPOs that might
    apply to a single user or computer.

Planning and Preparing a Software
Installation Software Licenses
  • Licenses are required for software written by
    independent software vendors and distributed
    using SDPs.
  • The administrator is responsible for matching the
    number of users who can access software to the
    number of licenses on hand.
  • The administrator is responsible for verifying
    that guidelines provided by each ISV are being
  • The administrator should gather the package
    formats for the software and perform any
    necessary modifications to the packages.

Setting Up an SDP
  • Create the folders for the software on the file
    server that will be the SDP and make the folders
    network shares.
  • Replicate the software to the SDPs by placing or
    copying the software, packages, modifications,
    all necessary files, and components to a
    distribution share(s); place all software in a
    separate folder on the SDP.
  • Set the appropriate permissions on the folders so
    that only administrators can change the files,
    and users can only read the files from the SDP
    folders and shares; use group policy to manage
    the software within the appropriate GPO.

Specifying Software Installation Defaults
  • A GPO can contain several settings that affect
    how an application is installed, managed, and
  • The default settings for the new packages are
    globally defined within the GPO in the General
    tab of the Software Installation Properties
    dialog box.
  • Some of the default settings can be changed later
    by editing the package properties in the Software
    Installation extension.

General Tab of the Software Installation
Deploying Software Installation Defaults
  • Because software can be either assigned or
    published, and targeted to either users or
    computers, a workable combination can be
    established to meet the software management
  • Modifications (.mst files) are customizations
    applied to Windows Installer packages.
  • Modifications must be applied at the time of
    assignment or publication, not at the time of

Software Deployment Approaches
Publishing Applications
  • An application is published to make it available
    to people managed by the GPO, should they want
    the application.
  • Each person decides whether or not to install the
    published application.
  • Applications can only be published to users.

Deploying Applications with Modifications
  • Modifications are associated with the Windows
    Installer package at deployment time rather than
    when the Windows Installer is actually using the
    package to install or modify the application.
  • Modifications are applied to Windows Installer
    packages by the administrator.
  • The order in which modifications are applied
    must be determined before the application is
    assigned or published.

Setting Automatic Installation Options
  • The application that is installed when users
    select a file can be specified by the
    administrator by selecting a file extension and
    configuring a priority for installing
    applications associated with the file extension,
    using the File Extensions tab in the Software
    Installation Properties dialog box.
  • The first application listed is the application
    installed in association with the file extension.
  • File extension associations are managed on a
    per-GPO basis.
  • Changing the priority order in a GPO affects only
    those users who have that GPO applied to them.

File Extensions Tab
Setting Up Application Categories
  • Organizing, assigning, and publishing
    applications, from within Add/Remove Programs in
    Control Panel, into logical categories makes it
    easier for users to locate the appropriate
  • Windows 2000 does not ship with any predefined
  • Categories are established per domain, not per
  • Categories need to be defined only once for the
    whole domain.

Setting Software Application Properties
  • Each application can be fine-tuned in several
  • By editing installation options
  • By specifying application categories to be used
  • By setting permissions for the software

Editing Installation Options for Applications
  • Default settings can be changed, even if they
    have been globally defined within the GPO, by
    editing the package properties.
  • Installation options affect how an application is
    installed, managed, and removed.

Deployment Tab

Specifying Application Categories
  • Applications must be associated with existing
  • Categories generally pertain to published
    applications only, because assigned applications
    do not appear in Add/Remove Programs.

Categories Tab of the Properties Dialog Box

Maintaining Software Applications: Upgrading
  • Several events trigger an upgrade.
  • Upgrades typically incorporate major changes into
    the software and normally have new version
  • A substantial number of files change for an
  • The Software Installation extension is used to
    establish the procedure to upgrade an existing
    application to the current release.

Add Upgrade Package Dialog Box

Maintaining Software Applications: Removing
  • A version of a software application is no longer
  • Administrators can remove the software version
    from Software Installation without forcing the
    removal of the software from the computers of
    users who are still using the software.
  • Users can continue to use the software
  • No user is able to install the software version.
  • A software application is no longer used.
  • Administrators can force the removal of the
  • The software is automatically deleted from a
    computer, either the next time the computer is
    turned on or the next time the user logs on.
  • Users cannot install or run the software.

Managing Special Folders Using Group Policy
  • Folder Redirection
  • Default Special Folder Locations
  • Setting Up Folder Redirection
  • Policy Removal Considerations

Windows 2000 Redirected Special Folders
  • Application Data
  • Desktop
  • My Documents
  • My Pictures
  • Start Menu

Redirecting the My Documents Folder: Advantages
  • The user's documents are always available, even
    if the user logs on to various network computers.
  • When roaming user profiles are used, only the
    network path to the My Documents folder is part
    of the roaming user profile, not the My Documents
    folder itself.
  • Data stored on a shared network server can be
    backed up as part of routine system
    administration, which requires no action on the
    part of the user.
  • The system administrator can use group policy to
    set disk quotas, limiting the amount of space
    used by users' special folders.
  • Data specific to a user can be redirected to a
    different hard disk on the user's local computer
    from the hard disk holding the OS files.

Default Locations for Special Folders

Setting Up Folder Redirection
  • Redirect to a location according to security
    group membership.
  • Redirect to one location for everyone in the
    site, domain, or OU.
  • Redirect the My Pictures folder to follow the My
    Documents folder redirection.

Target Tab in the Properties Dialog Box

Specify Group And Location Dialog Box

Settings Tab of the Properties Dialog Box

Policy Removal Considerations

Troubleshooting Group Policy
  • Troubleshooting Group Policy
  • Group Policy Best Practices

Troubleshooting Group Policy Overview
  • Considering dependencies between components is an
    important part of troubleshooting group policy
  • When trying to fix problems that appear in one
    component, it is generally helpful to check
    whether components, services, and resources on
    which it relies are working correctly.
  • Event logs are useful for tracking down problems
    caused by this type of hierarchical dependency.

Symptom: The user has Read access to a GPO but
cannot open it
  • Cause: An administrator must have both Read and
    Write permissions for the GPO to open it in the
    Group Policy snap-in
  • Solution: Become a member of a security group
    with Read and Write permission for the GPO

Symptom: User receives "Failed To Open The Group
Policy Object" message when trying to edit a GPO
  • Cause: A networking problem, specifically a
    problem with the DNS configuration
  • Solution: Make sure DNS is working properly

Symptom: Group policy is not being applied to
users and computers in a security group that
contains them, even though a GPO is linked to an
OU containing that security group
  • Cause: This is correct behavior; group policy
    affects only users and computers contained in
    sites, domains, and OUs. GPOs are not applied to
    security groups
  • Solution: Link GPOs to sites, domains, and OUs
    only; keep in mind that the location of a
    security group in Active Directory is unrelated
    to whether group policy applies to the users and
    computers in that security group

Symptom: Group policy is not affecting users and
computers in a site, domain, or OU
  • Cause
  • Group policy settings can be prevented,
    intentionally or inadvertently, from taking
    effect on users and computers in several ways.
  • A GPO can be disabled from affecting users,
    computers, or both.
  • A GPO also needs to be linked either directly to
    an OU containing the users and computers, or to a
    parent domain or OU so that the group policy
    settings apply through inheritance.
  • Solution
  • Make sure that the intended policy is not being
  • Make sure no policy set at a higher level of
    Active Directory has been set to No Override.

Symptom: Group policy is not affecting users and
computers in a site, domain, or OU (cont)
  • Cause
  • When multiple GPOs apply, they are processed in
    this order: local, site, domain, OU.
  • By default, settings applied later have
  • Solution
  • If Block Policy Inheritance and No Override are
    both used, No Override takes precedence.
  • Verify that the user or computer is not a member
    of any security group for which the AGP
    permission is set to Deny.

Symptom: Group policy is not affecting users and
computers in a site, domain, or OU (cont)
  • Cause
  • Group policy can be blocked at the level of any
    OU, or enforced through a setting of No Override
    applied to a particular GPO link.
  • The user or computer must belong to one or more
    security groups with appropriate permissions set.
  • Solution
  • Verify that the user or computer is a member of
    at least one security group for which the AGP
    permission is set to Allow.
  • Verify that the user or computer is a member of
    at least one security group for which the Read
    permission is set to Allow.
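
The processing rules from the three slides above (local, site, domain, OU order; Block Policy Inheritance; No Override; Read and AGP filtering) can be traced with a small Python model. This is an added example, not part of the original presentation: the class names, GPO names and ACLs are constructed, and the model assumes the local GPO is never blocked or security-filtered.

```python
from dataclasses import dataclass, field

READ, AGP = "Read", "Apply Group Policy"

@dataclass
class Link:
    gpo: str
    no_override: bool = False

@dataclass
class Container:  # one level of the chain: "local", a site, a domain or an OU
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def passes_filter(acl, groups):
    """acl: (group, permission, 'Allow'|'Deny') entries; any matching Deny wins."""
    mine = {(perm, access) for grp, perm, access in acl if grp in groups}
    if (READ, "Deny") in mine or (AGP, "Deny") in mine:
        return False
    return (READ, "Allow") in mine and (AGP, "Allow") in mine

def effective_gpos(chain, acls, groups):
    """chain: containers in processing order. Returns GPOs in application
    order; where settings conflict, the GPO applied last wins."""
    # The lowest container with Block Policy Inheritance cuts off links made
    # above it, except the local GPO and links marked No Override.
    cut = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for i, c in enumerate(chain):
        local = c.name == "local"
        for link in c.links:
            if not local and not passes_filter(acls.get(link.gpo, []), groups):
                continue
            if link.no_override:
                enforced.append(link.gpo)
            elif local or i >= cut:
                normal.append(link.gpo)
    # No Override links go after all others, highest level last, so they win.
    return normal + enforced[::-1]

# Constructed sample: enforced domain baseline, Sales OU blocks inheritance.
CHAIN = [
    Container("local", [Link("LocalGPO")]),
    Container("site:HQ", [Link("SiteProxy")]),
    Container("domain:example.test", [Link("DomainBaseline", True), Link("DomainDesktop")]),
    Container("ou:Sales", [Link("SalesApps"), Link("SalesKiosk")], block_inheritance=True),
]
OPEN = [("Authenticated Users", READ, "Allow"), ("Authenticated Users", AGP, "Allow")]
ACLS = {g: OPEN for g in ("SiteProxy", "DomainBaseline", "DomainDesktop", "SalesApps")}
ACLS["SalesKiosk"] = OPEN + [("Contractors", AGP, "Deny")]
```

Calling `effective_gpos(CHAIN, ACLS, {"Authenticated Users"})` shows the site and non-enforced domain GPOs dropped by the block while the No Override baseline still applies last; adding `"Contractors"` to the group set removes `SalesKiosk`.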

Symptom: Group policy is not affecting users and
computers in an Active Directory container
  • Cause: GPOs cannot be linked to Active Directory
    containers other than sites, domains, and OUs
  • Solution: Link a GPO to an OU that is a parent to
    the Active Directory container; then, by default,
    those settings are applied to the users and
    computers in the container through inheritance

Symptom: Group policy is not taking effect on the
local computer
  • Cause: Local policies are the weakest; any
    nonlocal GPO can overwrite them
  • Solution: Check to see what GPOs are being
    applied through Active Directory and whether
    those GPOs have settings that are in conflict
    with the local settings

Symptom: Published applications do not appear in
Add/Remove Programs in Control Panel
  • Cause
  • Group policy was not applied.
  • Active Directory cannot be accessed.
  • User does not have any published applications in
    the GPOs that apply to him or her.
  • Client is running Terminal Server.
  • Solution
  • Investigate each possibility.
  • Software Installation is not supported for
    Terminal Server clients.

Symptom: Document activation of a published
application does not cause the application to
  • Cause: The administrator did not set auto-install
  • Solution: Ensure that Auto-Install This
    Application By File Extension Activation is
    checked in the Deployment tab in the
    application's Properties sheet

Symptom: The user receives an error message such
as "The Feature You Are Trying To Install Cannot
Be Found In The Source Directory"
  • Cause: Network or permissions problems
  • Solution
  • Ensure that the network is working correctly.
  • Ensure that the user has Read and AGP permissions
    for the GPO.
  • Ensure that the user has Read permission for the
  • Ensure that the user has Read permission for the

Symptom: After removal of an application, the
shortcuts for the application still appear on
the user's desktop
  • Cause: The user has created shortcuts, and
    Windows Installer has no knowledge of them
  • Solution: The user must remove the shortcuts

Symptom: The user receives an error message such
as "Another Installation Is Already In Progress"
  • Cause: An uninstallation might be taking place in
    the background with no user interface presented
    to the user, or perhaps the user has
    inadvertently triggered two installations
  • Solution: The user can try again later

Symptom: The user opens an already installed
application, and the Windows Installer starts
  • Cause: An application might be undergoing
    automatic repair, or a user-required feature is
    being added
  • Solution: No action is required

Symptom: The user receives error messages such
as "Active Directory Will Not Allow The Package
To Be Deployed" or Cannot Prepare Package For
  • Cause: The package might be corrupted or there
    might be a networking problem
  • Solution: Investigate and take appropriate action

General Group Policy Practices
  • Disable unused parts of a GPO.
  • Use the Block Policy Inheritance and No Override
    features sparingly.
  • Minimize the number of GPOs associated with users
    or computers in domains or OUs.
  • Filter policy based on security group membership.
  • Use loopback only when necessary.
  • Avoid cross-domain GPO assignments.

Software Installation Practices
  • Specify application categories for the
  • Make sure Windows Installer packages include
    modifications before they are published or
  • Assign or publish just once per GPO.
  • Take advantage of authoring tools.
  • Repackage existing software.
  • Use SMS and Dfs.
  • Assign or publish close to the root in the Active
    Directory hierarchy.
  • Use Software Installation properties for widely
    scoped control.
  • Use Windows Installer package properties for fine

Folder Redirection Practices
  • Incorporate username into fully qualified UNC
  • Have My Pictures follow My Documents.
  • Consider the effects of policy removal.
  • Accept defaults.