Mdule 7 Managing User Desktop with Group Policy

Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.

Module Overview
Implement Administrative Templates Configure Group Policy Preferences Manage Software with GPSI

Lesson 1: Implement Administrative Templates

What Are Administrative Templates? How Administrative Templates Work Managed Settings, Unmanaged Settings, and Preferences Central Store Demonstration: Work with Settings and the GPOs

What Are Administrative Templates?

.ADMX

.ADML

Registry

How Administrative Templates Work

Policy settings in the Administrative Templates node make

changes to the registry

HKCU\Software\Microsoft\

Windows\CurrentVersion\ Policies\System

DisableRegeditMode

1Regedit UI tool only 2Also disable regedit /s

Managed Settings, Unmanaged Settings, and Preferences

Administrative templates

Managed policy setting

User interface (UI) is locked; user cannot make a change to the setting Changes are made in one of four reserved registry keys Change and UI lock are "released" when the user/computer falls out of scope UI not locked Makes a change that is persistent; "tattoos" the registry

Unmanaged policy setting

Only managed setting shown by default Set Filter Options to view unmanaged settings Effects vary

Preferences

Central Store
.ADM files Stored in the GPT Leads to version control and GPO bloat problems

.ADMX/.ADML files Retrieved from the client Problematic if the client doesn't have the appropriate files

Central Store

Create a folder called PolicyDefinitions on a DC

Remotely: \\contoso.com\SYSVOL\contoso.com\Policies\ PolicyDefinitions Locally: %SystemRoot%\SYSVOL\contoso.com\ Policies\PolicyDefinitions

Copy .ADMX files from your %SystemRoot%\PolicyDefinitions Copy .ADML file from language-specific subfolders (such as en-us)

Demonstration: Work with Settings and GPOs

In this demonstration, you will see how to:
Use filter options to locate policies in administrative

templates

Add comments to a policy setting Add comments to a GPO Create a new GPO from a starter GPO Create a new GPO by copying an existing GPO Create a new GPO by importing settings that were

exported from another GPO

Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.

Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.

Lab A: Manage Settings and GPOs

Exercise 1: Manage Administrative Templates

Logon information

Estimated time: 30 minutes

Lab Scenario
You were recently hired as the domain administrator for

Contoso, Ltd, replacing the previous administrator, who retired. You are not certain what policy settings have been configured, so you decide to locate and document GPOs and policy settings. You also discover that the company has not leveraged either the functionality or the manageability of administrative templates.

Lab Review
Describe the relationship between administrative template

files (both .ADMX and .ADML files) and the GPME. benefits does it provide?

When does an enterprise get a central store? What What are the advantages of managing Group Policy from a

client running the latest version of Windows? Do settings you manage apply to previous versions of Windows?

Lesson 2: Configure Group Policy Preferences

What Are Group Policy Preferences? Differences Between Group Policy Preferences and

Settings

Demonstration: Configure Group Policy Preferences

What Are Group Policy Preferences?

Group Policy preferences expand the range of configurable settings within a GPO and:
Are not enforced Enable IT pros to configure, deploy, and manage

operating system and application settings that were not manageable by using Group Policy

Features of Group Policy Preferences:

Create: Create a new item on the targeted computer Delete: Remove an existing item from the targeted computer Replace: Delete and re-create an item on the targeted computer Update: Modify an existing item on the targeted computer

Differences Between Group Policy Preferences and Settings

Group Policy Preferences Group Policy Settings

Are written to the normal locations in Strictly enforce policy settings by the registry that the application or writing the settings to areas of the operating system feature uses to registry that standard users cannot store the setting modify Do not cause the application or operating system feature to disable the user interface for the settings they configure Refresh preferences by using the same interval as Group Policy settings by default Typically disable the user interface for settings that Group Policy is managing Refresh policy settings at a regular interval

Are not available on local computers Are available through local Group Policy

Demonstration: Configure Group Policy Preferences

In this demonstration, you will see how to configure some

Group Policy Preferences

Lab B: Manage Group Policy Preferences

Exercise 1: Configure Group Policy Preferences Exercise 2: Verify Group Policy Preferences Application

Logon information

Estimated time: 20 minutes

Lab Scenario
You were recently hired as the domain administrator for

Contoso, Ltd. To simplify Group Policy management, which includes eliminating the need for logon scripts to map drives, you need to deploy several Group Policy Preferences settings that will allow for more flexibility for corporate users..

Lab Review
What is the alternate way to provide drive mapping to

users, instead of using Preferences? change this setting on client side?

If you apply the Group Policy preferences setting, can you

Lesson 3: Manage Software with GPSI

Understand GPSI Software Deployment Options Demonstration: Create a Software Distribution Point Create and Scope a Software Deployment GPO Maintain Software Deployed with GPSI GPSI and Slow Links

Understand GPSI
Client-side extension (CSE) Installs supported packages

Windows Installer packages (.msi)

Optionally modified by Transform (.mst) or patches (.msp) GPSI automatically installs with elevated privileges

Downlevel application package (.zap)

Supported by publish option only Requires user to have admin privileges

System Center Configuration Manager and other deployment tools can support a wider variety of installation and configuration packages

No feedback

No centralized indication of success or failure No built-in metering, auditing, license management

Software Deployment Options

Software deployment options

Assign application to users

Start menu shortcuts appear

- Install-on-demand

File associations made (optional Auto Install)

- Install-on-document invocation

Optionally, configure to install at logon

Publish application to users

Advertised in Programs And Features (Control Panel)

- Install-on-request

Assign to computers

Install at startup

Demonstration: Create a Software Distribution Point

In this demonstration, you will see how to:
Create a software distribution point

Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.

Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.

Create and Scope a Software Deployment GPO

Computer [or User] Configuration \ Policies \ Software

Settings \ Software Installation

Right-click New Package Browse to .msi file through network path (\\server\share) Choose deployment option (Recommended: Advanced)

Managing the scope of a

software deployment GPO

Typically easiest to manage with security group filtering Create an app group such as APP_XML Notepad Put users into the group: allows users to access software share in the event that repairs or reinstalls are necessary Put computers into the group if assigning to computers

Maintain Software Deployed with GPSI

Redeploy application

After successful install, client will not attempt to reinstall app You might make a change to the package Package All Tasks Redeploy Application

Upgrade application

Create new package in same or different GPO Advanced Upgrades Select package to upgrade Uninstall old version first; or install over old version

Remove application

Package All Tasks Remove Uninstall immediately (forced removal) or Prevent new installations (optional removal) Dont delete or unlink GPO until all clients have applied setting

GPSI and Slow Links

The Group Policy Client determines whether the domain

controller providing GPOs is on the other side of a slow link

Less than 500 kbps by default

Each CSE uses the slow link determination to decide

whether to process

By default, GPSI does not process over a slow link

You can change slow link processing behavior of each CSE

Computer Configuration\Policies\Administrative Templates\ System\Group Policy

You can change the slow link threshold

Computer [or User] Configuration\Policies\Administrative Templates\System\Group Policy

Lab C: Manage Software with GPSI

Exercise 1: Deploy Software with GPSI Exercise 2: Upgrade Applications with GPSI

Logon information

Estimated time: 15 minutes

Lab Scenario
You are an administrator at Contoso, Ltd. Your developers

require XML Notepad to edit XML files, and you want to automate the deployment and life cycle management of the application. You decide to use Group Policy Software Installation. Most applications are licensed per computer, so you will deploy XML Notepad to the developers' computers, rather than associating the application with their user accounts.

Lab Review
Consider the NTFS permissions you applied to the

Software and XML Notepad folders on NYC-SVR1. Explain why these least privilege permissions are preferred to the default permissions. XML Notepad: Assigning the application to computers, filtering the GPO to apply to the APP_XML Notepad group that contains only computers, and linking the GPO to the Client Computers OU. Why is this approach advantageous for deploying most software? What would be the disadvantage of scoping software deployment to users rather than to computers?

Consider the methods used to scope the deployment of

Module Review and Takeaways

Review Questions Common Issues Related to Group Policy Management Real-World Issues and Scenarios Best Practices Related to Group Policy Management Tools

Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.