Module 8: Using Group Policy to Manage the Desktop Environment

Contents

Overview
Introduction to Managing User Environments
Using Administrative Templates in Group Policy
Assigning Scripts by Using Group Policy
Using Group Policy to Redirect Folders
Lab A: Using Group Policy to Manage the User Environment
Troubleshooting User Environment Management
Introduction to Managing Software Deployment
Deploying Software
Managing Software
Identifying Solutions to Software Deployment Problems
Best Practices
Lab B: Using Group Policy to Deploy Software
Review

Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, places or events is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

 2001-2002 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Active Desktop, Active Directory, FrontPage,
MSDN, NetMeeting, PowerPoint, Visual Basic, Win32, and Windows Media are either registered
trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.

Special thanks to Kimborly A. Ditto-Ehlert of Net Wave Training, Matthew Duncan of the Dana
Corporation, and Thomas Lee of PS Partnership for technical review of the course content.



Instructor Notes
Presentation: 90 Minutes
Lab: 75 Minutes

This module provides students with the knowledge and skills to use Group Policy to manage user environments, and to install, modify, repair, and remove software more efficiently. Students will learn to manage user environments by configuring the Administrative Template settings, using Group Policy to run scripts at designated times, and redirecting folders to a central location. They will also learn how software installation policies take advantage of the Microsoft® Windows® Installer to deliver software to computers.

After completing this module, students will be able to:
   • Describe key tasks in configuring and managing user environments.
   • Use Administrative Templates in Group Policy to assign registry-based policies to control and configure user and computer environments.
   • Control user environments by using Group Policy to assign scripts, such as startup, shutdown, logon, and logoff.
   • Use Group Policy to redirect user folders to a central network location.
   • Troubleshoot the management of user environments by using Group Policy.
   • Explain how software installation and maintenance technology uses Group Policy and Windows Installer to manage software.
   • Deploy software by using Group Policy.
   • Manage software by configuring deployment options, managing file extension associations, and assigning software categories.
   • Identify solutions to common problems that are associated with software deployment.
   • Apply best practices to using Group Policy to manage the desktop environment.



Materials and Preparation
This section provides the materials and preparation tasks that you need to teach this module.

Required Materials
To teach this module, you need the Microsoft PowerPoint® file 2126B_08.ppt.

Preparation Tasks
To prepare for this module, you should:
   • Read all of the materials for this module.
   • Complete the labs.
   • Study the review questions and prepare alternative answers to discuss.
   • Read the white paper, Using Group Policy Scenarios, under Additional Reading on the Web page on the Student Materials compact disc.
   • Review the Windows Script Host information at: http://msdn.microsoft.com/scripting/.



Module Strategy
Use the following strategy to present this module:

   • Introduction to Managing User Environments
     Introduce managing user environments by configuring the Administrative Templates and Scripts Group Policy extensions, and by redirecting folders. Emphasize that configuring user environments by using Group Policy enables you to immediately apply the environments to users or computers by adding the users or computers to the organizational unit that is affected by the settings. Finally, describe the tasks for centrally configuring and managing user environments.

   • Using Administrative Templates in Group Policy
     Introduce the different types of settings in Administrative Templates. Explain the type of settings to use if an administrator wants to configure the computer to restrict access to the desktop, network resources, or administrative tools and applications. Emphasize that the settings that this module presents are only examples and not recommendations. Finally, demonstrate how to implement Administrative Template settings.

   • Assigning Scripts by Using Group Policy
     Introduce how to use Group Policy to run scripts. Emphasize that script settings enable an administrator to automate the running of scripts at specific times, such as startup, shutdown, and when a user logs on or logs off. Then, present the order in which the next version of the Microsoft Windows 2000 operating system processes scripts. Emphasize that startup scripts run synchronously, and define the term if needed. Finally, demonstrate how to implement scripts.

   • Using Group Policy to Redirect Folders
     Introduce how to redirect default user folders to a network server by using Group Policy. Explain that although a redirected folder appears to be stored locally, it is actually stored on a server. Mention that the information in a redirected folder is always available to the user, regardless of the computer from which the user logs on. Present information about the four types of folders that an administrator can redirect and why an administrator would choose to redirect these folders. Finally, demonstrate how to redirect folders by using Group Policy.

   • Troubleshooting User Environment Management
     Introduce troubleshooting options for configuring and managing user environments through Group Policy. Explain some of the more common problems that students may encounter when they manage user environments and provide suggested strategies for resolving these problems.

   • Introduction to Managing Software Deployment
     Describe the technologies that participate in software deployment: Windows Installer and software installation and maintenance. Students must understand that Windows Installer resides on the client computer and runs the installation. Software installation and maintenance is the delivery mechanism that the server uses.
     Explain the operation of software installation and maintenance through the four phases of the software life cycle. Make sure that students understand how packages are acquired and the concept of advertising an application. Briefly mention the difference between assigning and publishing applications, and the difference between forced and optional removal. These concepts will be discussed in detail later in the module.

   • Deploying Software
     Explain how to use software installation and maintenance to deploy a new application. Then, explain the difference between assigning an application to a user and assigning an application to a computer. Finally, explain the concept of publishing applications.

   • Managing Software
     Focus on methods of deploying packages that upgrade previously deployed applications. Give special attention to describing the differences between mandatory and optional upgrades and the effect of redeploying software in the scenarios described in the text.
     Discuss how to remove deployed software. Highlight the differences between forced and optional removal.

   • Identifying Solutions to Software Deployment Problems
     Discuss three important strategies for investigating problems with software deployments. The most complex area to troubleshoot is Group Policy conflicts. Discuss at least one scenario in which conflicting Group Policy settings would cause an application to deploy in an unexpected way.

   • Best Practices
     In this topic, you will review best practices for using Group Policy to manage the desktop environment. Emphasize the reason for each best practice.



Overview
   • Introduction to Managing User Environments
   • Using Administrative Templates in Group Policy
   • Assigning Scripts by Using Group Policy
   • Using Group Policy to Redirect Folders
   • Troubleshooting User Environment Management
   • Introduction to Managing Software Deployment
   • Deploying Software
   • Managing Software
   • Identifying Solutions to Software Deployment Problems
   • Best Practices

Topic Objective
To provide an overview of the module topics and objectives.

Lead-in
In this module, you will learn how to configure and manage the user desktop environment by using Group Policy, and how to deploy and manage software by using the software installation and maintenance technology.


*****************************ILLEGAL FOR NON-TRAINER USE******************************
Group Policy enables an organization to reduce the cost of administering computer networks by allowing administrators to control users’ desktops and deploy computer configurations from a central location. As an administrator, you can create a managed desktop environment that you can configure to each user’s job responsibilities and experience level.

Microsoft® Windows® 2000 Server includes many Group Policy settings that provide administrators with greater control over computer configurations. Group Policy enables administrators to specify Group Policy settings to manage desktop configurations for groups of computers and users. Group Policy includes settings for registry-based policy, security, software installation, scripts, computer startup and shutdown, user logon and logoff, and folder redirection.

In addition, Windows 2000 includes a technology called software installation and maintenance that uses Windows Installer and Group Policy to deploy and manage software with a minimal amount of administrative effort. In this module, you will learn how to deploy and manage software by using the software installation and maintenance technology.

After completing this module, you will be able to:
   • Describe key tasks in configuring and managing user environments.
   • Use Administrative Templates in Group Policy to assign registry-based policies to control and configure user and computer environments.
   • Control user environments by using Group Policy to assign scripts, such as startup, shutdown, logon, and logoff.
   • Use Group Policy to redirect user folders to a central network location.
   • Troubleshoot the management of user environments by using Group Policy.
   • Explain how software installation and maintenance technology uses Group Policy and Windows Installer to manage software.
   • Deploy software by using Group Policy.
   • Manage software by configuring deployment options, managing file extension associations, and assigning software categories.
   • Identify solutions to common problems that are associated with software deployment.



Introduction to Managing User Environments
   • Control user desktops, user interfaces, and network access
   • Use Group Policy settings
     [Slide diagram labels: Registry (HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER); My Documents; Administrative Templates Settings; Script Settings; Redirecting User Folders; Security Settings; Manage User Environments]
   • Apply Group Policy to a site, domain, or organizational unit
     • User environment settings automatically apply to a new user or computer

Topic Objective
To identify the benefits of using Group Policy to centrally configure and manage the user desktop environment.

Lead-in
Managing user environments means controlling what users can do when they are logged on to the network, which includes controlling what appears on their desktops.


Managing user environments means controlling what users can do when they are logged on to the network. You control user environments by controlling users’ desktops, network connections, and user interfaces. You control user environments to ensure that users have what they need to perform their jobs, but do not have the ability to incorrectly configure their environments.

The types of Group Policy settings that you typically use to manage user environments are Administrative Template settings, script settings, folder redirection, and security settings. You configure these settings in Group Policy. If you use Group Policy to set up user environments for a site, a domain, or an organizational unit, Group Policy settings are applied automatically to any computer or user that you add to the site, domain, or organizational unit.

To centrally configure and manage user environments, you can perform the following tasks:
   • Enforce standard configurations. Group Policy settings provide an efficient way to enforce standards, such as logon scripts or password settings. For example, you can prevent users from making changes to their desktops that could make their user environments more complex than necessary.
   • Limit user access to selected components of the operating system. You can prevent users from opening Control Panel and shutting down their computers. By preventing users from accessing critical operating system components and configuration options, you reduce the possibility of users corrupting their systems, and therefore, the number of technical support calls that users must make.
   • Ensure that users always have their desktops and personal data. By managing user desktop settings with registry-based policies, you ensure that users have the same computing environments even if they log on from different computers. You can control how Windows 2000 or later manages user profiles, which includes how users’ personal data is made available. By redirecting user folders from users’ local hard disks to a central location on a server, you can ensure that users’ data is available to them regardless of the computers to which they log on.
   • Secure the user environment. Through the use of Group Policy in the Active Directory® directory service, administrators can centrally apply the security settings to the user and to the computer that are required to protect the user environment. In Windows 2000 or later, you can use the Security Settings extension in Group Policy to define the security settings for local and domain security policies.

     Note For more information about managing Group Policy security settings for user environments, see Module 9, “Managing Network Security,” in Course 2126B, Managing a Microsoft Windows 2000 Network Environment.



Using Administrative Templates in Group Policy
   • Types of Administrative Template Settings
   • Settings for Securing the Desktop
   • Settings for Securing User Access to Network Resources
   • Settings for Securing User Access to Administrative Tools and Applications
   • Implementing Administrative Templates

Topic Objective
To introduce the topics that relate to using Administrative Templates in Group Policy.

Lead-in
Administrative Template settings are available for both computers and user accounts.

Administrative Template (.adm files) settings are available for both computers and user accounts. You can control the user environment by configuring specific administrative settings to restrict access to user desktops, access to network resources, and administrative tools and applications.

Group Policy applies not only to users and client computers, but also to member servers, domain controllers, and any other Windows 2000–based or Windows XP Professional–based computers within the scope of management. To create a specific desktop configuration for a particular group of users, administrators use the Group Policy snap-in.

In order to manage Windows XP clients, administrators require a computer running Windows XP, which comes with updated .adm files. These are the files that provide policy information for items that are under the Administrative Templates folder in the console tree of the Group Policy snap-in.

Windows XP contains the following updated administrative template files:
   • System.adm. Used for core settings.
   • Wmplayer.adm. Used for Microsoft Windows Media™ settings.
   • Conf.adm. Used for Microsoft NetMeeting® conferencing software.
   • Inetres.adm. Used for Microsoft Internet Explorer.



Types of Administrative Template Settings

Setting Type            Controls                                                                                                              Available for
Windows Components      The parts of Windows 2000 and its tools and components to which users can gain access, including MMC
System                  Logon and logoff, Group Policy, refresh intervals, disk quotas, and loopback policy
Network                 The properties of network connections and dial-in connections
Printers                Printer settings that can force printers to be published in Active Directory and disable Web-based printing
Start Menu & Taskbar    Settings that control the appearance and access to the Start menu and the taskbar
Desktop                 The Active Desktop, including what appears on desktops, and what users can do with the My Documents folder
Control Panel           The use of Add/Remove Programs, Display, and Printers

Topic Objective
To identify the different types of Administrative Template settings to use to control user environments.

Lead-in
You can configure several Administrative Template settings that apply to user settings and to computer settings.


Delivery Tip
Encourage students to explore the Administrative Templates extension in Group Policy.
Show students the different types of Administrative Template settings in Group Policy. Tell students that some types of settings apply to computers and to users.

Administrative Template settings are organized into seven types, for which there are both user and computer settings. The computer settings focus on the management of Windows, whereas user settings focus on controlling how users can affect their desktop environments.

In earlier versions of Windows, Administrative Templates were American National Standards Institute (ANSI) encoded text files. These templates created a namespace within System Policy Editor for convenient editing of the registry. Administrative Templates provided a friendlier user interface than the Registry Editor (Regedit.exe). They also added a degree of safety by exposing only the registry keys that are explicitly mentioned in the .adm file.

In Windows 2000 and Windows XP, Administrative Templates have the .adm file name extension, as they did in Microsoft Windows NT® 4.0. However, their role is slightly different.

The .adm file is a Unicode file that specifies a hierarchy of categories and indicates the registry locations where changes should be made if a particular selection is made.
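
As an added illustration of the category hierarchy and registry locations that an .adm file declares (this is not code from the course), the Python sketch below parses a small constructed template and lists the registry value each policy writes. The template text, the `parse_adm` helper and the `in_policy_tree` flag, which marks values under the two registry trees Windows reserves for policy settings, are assumptions of this example; only the CLASS, CATEGORY, POLICY, PART, KEYNAME and VALUENAME keywords are handled.

```python
import re

HIVES = {"MACHINE": "HKEY_LOCAL_MACHINE", "USER": "HKEY_CURRENT_USER"}
# Registry trees reserved for policy (assumption of this example: anything a
# template writes elsewhere is worth reviewing, because such values stay in
# the registry after the GPO no longer applies).
POLICY_TREES = ("software\\policies\\",
                "software\\microsoft\\windows\\currentversion\\policies\\")
SCOPES = {"CATEGORY", "POLICY", "PART"}

# Constructed sample template, not copied from System.adm.
SAMPLE_ADM = r'''
; Constructed sample for illustration only
CLASS USER
CATEGORY !!StartMenu
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    POLICY !!NoRun
        VALUENAME "NoRun"
    END POLICY
END CATEGORY
CATEGORY !!Desktop
    POLICY !!ExampleWallpaper
        KEYNAME "Control Panel\Desktop"
        PART !!ExampleWallpaperPath EDITTEXT
            VALUENAME "Wallpaper"
        END PART
    END POLICY
END CATEGORY

[strings]
StartMenu="Start Menu & Taskbar"
NoRun="Remove Run menu from Start menu"
Desktop="Desktop"
ExampleWallpaper="Example wallpaper setting"
ExampleWallpaperPath="Wallpaper path"
'''


def tokens(line):
    """Split one .adm line into tokens, keeping "quoted strings" whole."""
    out = []
    for tok in re.findall(r'"[^"]*"|\S+', line):
        if tok.startswith(";"):          # rest of the line is a comment
            break
        out.append(tok.strip('"'))
    return out


def load_strings(lines):
    """Read the [strings] section into a lower-cased name -> text table."""
    table = {}
    for line in lines:
        name, sep, value = line.partition("=")
        if sep and not name.lstrip().startswith(";"):
            table[name.strip().lower()] = value.strip().strip('"')
    return table


def parse_adm(text):
    """Return one row per VALUENAME: where in the registry a policy writes."""
    lines = text.splitlines()
    split = next((i for i, l in enumerate(lines)
                  if l.strip().lower() == "[strings]"), len(lines))
    strings = load_strings(lines[split + 1:])

    def resolve(tok):                    # !!name -> display text
        return strings.get(tok[2:].lower(), tok) if tok.startswith("!!") else tok

    hive, scopes, rows = None, [], []    # scopes: [kind, name, inherited key]
    for line in lines[:split]:
        tok = tokens(line)
        if len(tok) < 2:
            continue
        kw, arg = tok[0].upper(), tok[1]
        if kw == "CLASS":
            hive = HIVES.get(arg.upper(), arg)
        elif kw in SCOPES:               # a nested scope inherits KEYNAME
            scopes.append([kw, resolve(arg), scopes[-1][2] if scopes else None])
        elif kw == "END" and arg.upper() in SCOPES and scopes:
            scopes.pop()
        elif kw == "KEYNAME" and scopes:
            scopes[-1][2] = arg
        elif kw == "VALUENAME" and scopes:
            key = scopes[-1][2] or ""
            rows.append({
                "hive": hive,
                "category": "\\".join(n for k, n, _ in scopes if k == "CATEGORY"),
                "policy": next((n for k, n, _ in scopes if k == "POLICY"), None),
                "key": key,
                "value": arg,
                "in_policy_tree":
                    (key.lower().rstrip("\\") + "\\").startswith(POLICY_TREES),
            })
    return rows


if __name__ == "__main__":
    for row in parse_adm(SAMPLE_ADM):
        flag = "" if row["in_policy_tree"] else "  <-- outside policy trees"
        print(f'{row["category"]} / {row["policy"]}: '
              f'{row["hive"]}\\{row["key"]}\\{row["value"]}{flag}')
```

Running the same listing over a custom template before adding it to a GPO shows exactly which registry values it can change.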


                                 The following table describes the types of settings in the Administrative
                                 Templates extension.
Setting type                  Controls                                                                 Available for

Windows Components            The Windows tools and components to which users can gain                 Computers and users
                              access. This includes controlling user access to Microsoft
                              Management Console (MMC).
System                        Logon and logoff procedures. By using System settings, you can           Computers and users
                              manage Group Policy and refresh intervals, and enable disk quotas.
Network                       The properties of network connections and dial-in connections,           Computers and users
                              which include shared network access.
Printers                      Printer settings that can force printers to be automatically published   Computers
                              in Active Directory and can disable Web-based printing.
Start Menu and                The features that users can access from the Start menu. For              Users
Taskbar                       example, by removing the Run command, you prevent users from
                              running applications for which there is no icon or shortcut. You can
                              also make the Start menu read-only and disable users’ ability to
                              make changes.
Desktop                       Microsoft Active Desktop®. You can control users’ ability to gain        Users
                              access to the network and the Internet by hiding the appropriate
                              desktop icons and controlling what users can do with their My
                              Documents folder.
Control Panel                 Several applications in Control Panel. This includes restricting the     Users
                              use of Add/Remove Programs, Display, and Printers.


Note Windows provides you with the ability to add additional templates to
Administrative Templates in Group Policy if the preconfigured templates do not
provide the settings that you require. However, the administrative templates in
Microsoft Windows XP Professional contain many new policies in addition to
the policies that are included in Windows 2000.

If you have .adm files that are newer than those in the Group Policy object
(GPO), you can automatically update the GPO with the newer .adm files. In
order to make this happen, you must have the latest .adm files in your INF
directory.

Delivery Tip
Advise the students on the use of a Windows XP Professional client, managing
Group Policy objects.

To upgrade .adm files:
1. On a computer running Windows XP, locate the desired .adm files, which
   are located in the Windows/INF directory.
2. Copy System.adm and any other .adm files to a file share.
3. On a Windows 2000–based computer, open a GPO in the Group Policy
   snap-in.
4. Right-click Administrative templates, and then click Add/Remove
   Templates.
5. When the Add/Remove Templates dialog box appears, remove the
   Windows 2000–based .adm files and add the Windows XP–based .adm
   files.
6. Repeat for each GPO.



Settings for Securing the Desktop

Topic Objective
To explain how to use the Administrative Template settings to set up a
computer that allows users to perform a limited number of functions that they
cannot modify.

Lead-in
You can use the appropriate Administrative Template settings to set up
computers that allow users to perform only a limited number of functions.

Common Group Policy Settings for Securing the Desktop
   Hide all icons on desktop
   Don’t save settings at exit
   Hide these specified drives in My Computer
   Remove Run menu from Start menu
   Prohibit access to Display in Control Panel
   Disable and remove links to Windows Update
   Disable changes to Taskbar and Start Menu settings
   Disable/Remove the Shut Down command


Delivery Tip
Emphasize that this table does not provide recommendations, but rather
provides examples for the types of administrative settings to configure secure
user desktop environments.

You can use various Group Policy settings to customize a user’s desktop
environment. To secure the desktop, you must set up a computer so that it can
perform only a limited number of functions that users cannot modify. For
example, you can configure a computer in a public information kiosk to run
only a Web browser.

The following table describes common Group Policy settings to configure when
securing user desktops and the effect of these configurations. The settings in the
table do not provide recommendations, but rather examples for the types of
administrative settings to secure the user’s desktop environment.

Group Policy setting and location             Effect

Hide all icons on desktop                     Hides all desktop items, including menus,
(User Configuration\                          folders, and shortcuts, to provide users with a
Administrative Templates\Desktop)             simple user interface.

Don’t save settings at exit                   Disables the ability to save any configuration
(User Configuration\                          changes made during the logon session. The
Administrative Templates\Desktop)             original settings are restored each time users
                                              log off.

Hide these specified drives in My Computer    Removes icons that represent the selected
(User Configuration\                          drives from My Computer, Windows
Administrative Templates\                     Explorer, and My Network Places. Drive
Windows Components\                           letters will not appear in the Open dialog box
Windows Explorer)                             of any application.

Remove Run command from Start menu            Removes the Run command from the Start
(User Configuration\                          menu. However, users can still access this
Administrative Templates\Start Menu, and      command through Task Manager.
Taskbar)

Prohibit access to Display in Control Panel   Prevents users from changing display
(User Configuration\                          settings, such as the wallpaper, screen saver,
Administrative Templates\                     or color schemes. This setting also reduces
Control Panel\Display)                        problems that can arise when users change
                                              their desktop settings.

Disable and remove links to Windows           Removes the Windows Update command
Update                                        from the Settings menu. However, this
(User Configuration\                          command will still be available in Microsoft
Administrative Templates\Start Menu and       Internet Explorer. Removing this command
Taskbar)                                      prevents users from applying updates or
                                              changes to their operating systems that you
                                              do not authorize.

Disable changes to Taskbar and Start Menu     Removes the Taskbar and Start Menu
settings                                      command from the Settings menu. This
(User Configuration\                          setting prevents users from overriding any
Administrative Templates\                     changes that you make to the Start menu.
Start Menu and Taskbar)

Disable/Remove the Shut Down command          Prevents users from shutting down and
(User Configuration\                          restarting Windows. This setting is useful on
Administrative Templates\Desktop)             computers that must run continuously, such
                                              as a computer in a public library.



Settings for Securing User Access to Network Resources

Topic Objective
To identify how to use the Administrative Template settings for securing users’
access to network resources.

Lead-in
You can use the Administrative Template settings to secure user access to
network resources.

Common Group Policy Settings for Securing User Access to Network Resources
   Hide My Network Places icon on desktop
   Remove the Map Network Drive and Disconnect Network Drive options
   Tools menu: Disable Internet Options… menu option




Delivery Tip
Emphasize that this table does not provide recommendations, but rather
provides examples for the type of administrative settings necessary to
configure to the computer to restrict network access.

You can restrict the network resources to which users can gain access. The
following table provides common Group Policy settings that you can configure
when locking down user access to network resources. The table does not
provide recommendations, but rather provides examples for the type of
administrative settings to configure to restrict user access to the network.

Group Policy setting and location             Effect

Hide My Network Places icon on desktop        Removes the My Network Places icon
(User Configuration\                          from the desktop and disables support for
Administrative Templates\Desktop)             universal naming convention (UNC) file
                                              names. By using logon scripts to map
                                              network drives, you can control the
                                              network resources to which users have
                                              access.

Remove the Map Network Drive and              Removes the Map Network Drive and
Disconnect Network Drive options              Disconnect Network Drive options from
(User Configuration\                          Windows Explorer. This setting also
Administrative Templates\                     removes the Add Network Places Wizard
Windows Components\                           from My Network Places. However, users
Windows Explorer)                             can still connect to computers by using the
                                              Run command on the Start menu.

Tools menu: Disable Internet Options…         Removes the Internet Options menu
menu option                                   option from Internet Explorer. This setting
(User Configuration\                          prevents users from modifying their
Administrative Templates\                     Internet Explorer configurations.
Windows Components\                           You can also disable individual pages by
Internet Explorer\Browser Menus)              using Group Policy settings that are
                                              located under User Configuration\
                                              Administrative Templates\
                                              Windows Components\Internet Explorer\
                                              Internet Control Panel.



Settings for Securing User Access to Administrative Tools and Applications

Topic Objective
To identify how to use the Administrative Template settings to secure users’
access to administrative tools and applications.

Lead-in
You can use the Administrative Template settings to secure user access to
administrative tools and applications.

Common Group Policy Settings for Securing the Desktop
   Remove Search menu from Start menu
   Remove Run command from Start menu
   Disable Task Manager
   Run only allowed Windows applications
   Remove the Documents menu from the Start menu
   Disable changes to Taskbar and Start Menu settings
   Hide common program groups in Start menu




Delivery Tip
Emphasize that this table does not provide examples, but rather
recommendations for the type of administrative settings to configure user
access to administrative tools and applications.

The following table provides some of the settings that you can configure when
securing user access to administrative tools and applications, and the possible
effect of these configurations. The table does not provide recommendations, but
rather provides examples for the type of administrative settings necessary to
configure user access to administrative tools and applications.

Group Policy setting and location             Effect

Remove Search menu from Start menu            Removes the Search menu from the Start
(User Configuration\                          menu. However, the Search menu will
Administrative Templates\                     still appear in Windows Explorer and
Start Menu, and Taskbar)                      Internet Explorer.

Remove Run command from Start menu            Removes the Run command from the
(User Configuration\                          Start menu. This setting makes it more
Administrative Templates\                     difficult for users to run applications that
Start Menu & Taskbar)                         you do not authorize.

Disable Task Manager                          Prevents users from starting applications
(User Configuration\                          by using Task Manager.
Administrative Templates\System\
Logon/Logoff)

Run only allowed Windows applications         Prevents users from running applications
(User Configuration\                          other than those you specify in this Group
Administrative Templates\System)              Policy setting. This restriction applies only
                                              to applications that users start by using
                                              Windows Explorer.

Remove the Documents menu from the            Removes the Documents menu from the
Start menu                                    Start menu.
(User Configuration\
Administrative Templates\
Start Menu and Taskbar)

Disable changes to Taskbar and Start          Removes the Taskbar and Start Menu
Menu settings                                 command from the Settings menu. This
(User Configuration\                          setting prevents users from overriding any
Administrative Templates\                     changes that you make to the Start menu.
Start Menu & Taskbar)

Hide common program groups in Start           Removes common program groups from
menu                                          the Start menu. This means that users
(User Configuration\                          receive only the Start menu items that are
Administrative Templates\                     specified in their user profiles.
Start Menu & Taskbar)



Implementing Administrative Templates

Topic Objective
To illustrate the procedure for implementing the Administrative Template
settings to control user environments.

Lead-in
You implement Administrative Template settings by configuring the settings in
the Administrative Templates extension in Group Policy.

Selecting the State to Configure a Setting
Accessing an Administrative Template Setting

[Figure: Hide My Network Places icon on desktop Properties dialog box, with
Policy and Explain tabs. Callouts: Explain contains information about what this
policy can do; Not Configured ignores the setting (default); Enabled applies the
setting; Disabled prevents the setting.]



Delivery Tip
Demonstrate configuring a setting by selecting a state for an Administrative
Template setting. The example in the slide is in Group Policy\
User Configuration\Administrative Templates\Desktop\Hide My Network
Places icon on the desktop.

Implement Administrative Template settings by configuring the settings in the
Administrative Templates extension in Group Policy.

Selecting the State to Configure a Setting
You configure a setting by selecting one of three states:

   Not configured. Windows 2000 ignores the setting and makes no changes to
   the computer. This state does not specify a value change in the registry.

   Enabled. Windows 2000 applies the setting and adds the change to the
   appropriate customized registry setting (Registry.pol) file.

   Disabled. Windows 2000 prevents the setting from being applied and adds
   the change to the appropriate Registry.pol file.

You select the state in the Properties dialog box, on the Policy tab for the
Group Policy setting. You may be required to provide additional information,
such as a list of programs to run at logon, or a disk quota size.
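
How the three states show up inside a Registry.pol file, as an added example that is not part of the original courseware. The PReg record layout, the `**del.` prefix, and the value names NoNetHood, NoRun and NoDesktop come from Microsoft's published file format and System.adm rather than from this page; the sample file is constructed, and treating a DWORD of 0 as Disabled is an assumption that holds only for simple on/off policies.

```python
import struct

SIGNATURE = b"PReg"   # magic at the start of every Registry.pol file
VERSION = 1
REG_SZ, REG_DWORD = 1, 4
EXPLORER_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def u16(text):
    return text.encode("utf-16-le")


def build_entry(key, value, reg_type, data):
    """Serialize one [key;value;type;size;data] record (used for the sample)."""
    return b"".join([
        u16("["), u16(key + "\0"), u16(";"), u16(value + "\0"), u16(";"),
        struct.pack("<I", reg_type), u16(";"),
        struct.pack("<I", len(data)), u16(";"), data, u16("]"),
    ])


# Constructed sample, not taken from a real GPO: one policy Enabled and one
# Disabled. NoDesktop is deliberately absent (Not configured).
SAMPLE_POL = (
    SIGNATURE + struct.pack("<I", VERSION)
    + build_entry(EXPLORER_KEY, "NoNetHood", REG_DWORD, struct.pack("<I", 1))
    + build_entry(EXPLORER_KEY, "**del.NoRun", REG_SZ, u16(" \0"))
)


def expect(blob, pos, char):
    """Check for a UTF-16LE delimiter and return the offset after it."""
    if blob[pos:pos + 2] != u16(char):
        raise ValueError("expected %r at offset %d" % (char, pos))
    return pos + 2


def read_cstr(blob, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, next offset)."""
    end = pos
    while blob[end:end + 2] != b"\0\0":
        if end + 2 > len(blob):
            raise ValueError("unterminated string at offset %d" % pos)
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 2


def read_dword(blob, pos):
    if pos + 4 > len(blob):
        raise ValueError("truncated DWORD at offset %d" % pos)
    return struct.unpack_from("<I", blob, pos)[0], pos + 4


def parse_registry_pol(blob):
    """Return a list of (key, value, type, data) tuples from a Registry.pol blob."""
    if len(blob) < 8 or blob[:4] != SIGNATURE:
        raise ValueError("not a Registry.pol file")
    version, pos = read_dword(blob, 4)
    if version != VERSION:
        raise ValueError("unsupported Registry.pol version %d" % version)
    entries = []
    while pos < len(blob):
        pos = expect(blob, pos, "[")
        key, pos = read_cstr(blob, pos)
        pos = expect(blob, pos, ";")
        value, pos = read_cstr(blob, pos)
        pos = expect(blob, pos, ";")
        reg_type, pos = read_dword(blob, pos)
        pos = expect(blob, pos, ";")
        size, pos = read_dword(blob, pos)
        pos = expect(blob, pos, ";")
        if pos + size > len(blob):
            raise ValueError("data overruns the file at offset %d" % pos)
        data = blob[pos:pos + size]
        pos = expect(blob, pos + size, "]")
        entries.append((key, value, reg_type, data))
    return entries


def policy_states(entries, key, watched):
    """Classify each watched value name under `key` as one of the three states."""
    states = {name: "Not configured" for name in watched}
    wanted = {name.lower(): name for name in watched}
    for entry_key, value, reg_type, data in entries:
        if entry_key.lower() != key.lower():
            continue
        lowered = value.lower()
        if lowered.startswith("**del.") and lowered[6:] in wanted:
            # A delete instruction is how a Disabled on/off policy is recorded.
            states[wanted[lowered[6:]]] = "Disabled"
        elif lowered in wanted:
            off = reg_type == REG_DWORD and data == struct.pack("<I", 0)
            states[wanted[lowered]] = "Disabled" if off else "Enabled"
    return states
```

A value missing from the file is the only evidence of Not configured, so the list of watched names has to come from the template being audited.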


Accessing an Administrative Template Setting
To gain access to the Policy tab for an Administrative Template setting,
perform the following steps:
1. Right-click the appropriate site, domain, or organizational unit, and then
   click Properties.
2. On the Group Policy tab, create a new GPO, or select an existing GPO, and
   then click Edit.
3. In Group Policy, expand Computer Settings or User Settings, and then
   expand Administrative Templates until you locate the setting that you
   want to modify. For example, if you want to modify the Desktop setting,
   under User Configuration, expand Administrative Templates, and then
   click Desktop.
4. In the details pane of Group Policy, double-click the Group Policy setting
   that you want to modify.


Note When you create a GPO that either contains only settings for users or
contains only settings for computers, you can disable the settings that you are
not using to speed up processing of the Group Policy settings at the client. You
can disable the settings in the Properties dialog box, on the General tab for the
GPO.



Assigning Scripts by Using Group Policy

Topic Objective
To introduce the topics that relate to assigning scripts in Group Policy.

Lead-in
You can use Group Policy to automate the running of scripts.

   Introduction to Group Policy Script Settings
   Applying Script Settings in Group Policy
   Assigning Group Policy Script Settings




                                 You can use Group Policy script settings to automate the running of scripts.
                                 There are script settings under both Computer Configuration and User
                                 Configuration in Group Policy. You can use Group Policy to run scripts when a
                                 computer starts and shuts down, and when a user logs on and logs off. As with
                                 all Group Policy settings, you configure a setting once, and the policy is
                                 continually implemented and enforced throughout your network.



Introduction to Group Policy Script Settings

Topic Objective
To identify the purpose of Group Policy script settings.

Lead-in
Using Group Policy script settings, you can set up scripts to run automatically
when specific events occur.

[Figure: Scripts. Computer: Startup/Shutdown scripts, under Computer
Configuration. User: Logon/Logoff scripts, under User Configuration.]

You can use Group Policy script settings to:
   Run pre-existing scripts
   Run scripts that perform tasks you cannot configure by using
   other Group Policy settings
   Use scripts to clean up desktops when users log off and shut
   down computers

Delivery Tip
Direct students to the Windows Script Technologies Web site for Windows
Script Host at http://msdn.microsoft.com/scripting/.

You can use Group Policy script settings to centrally configure scripts to run
automatically at startup and shutdown, and when users log on and log off. You
can specify any script that runs in Windows 2000, including batch files,
executable programs, and Windows Script Host–supported scripts.

For more information about Windows Script Host, refer to the Windows Script
Technologies Web site at http://msdn.microsoft.com/scripting/.

To help you manage and configure user environments, you can:

   Run pre-existing scripts set up to manage user environments until you set up
   Group Policy settings to replace the tasks that these scripts perform.

   Run scripts that perform tasks that you cannot configure through other
   Group Policy settings. For example, you can populate user environments
   with network connections, printer connections, shortcuts to applications, and
   corporate documents.

   Use scripts to clean up desktops when users log off and shut down
   computers. You can remove connections that you added with logon or
   startup scripts so that the computer is left in the same state as when the user
   started the computer.


                                Note You can assign logon scripts individually to user accounts in the
                                Properties dialog box for each user account. However, Group Policy is the
                                preferred method of running scripts because you can manage these scripts
                                centrally, along with startup, shutdown, and logoff scripts.



Applying Script Settings in Group Policy

Topic Objective
To explain the process of applying script settings in Group Policy.

Lead-in
Windows processes Group Policy scripts in a particular order, which is from
top to bottom.

Processing Order
   Windows processes multiple scripts from top to bottom
   When a user starts a computer and logs on:
      a. Startup scripts run
      b. Logon scripts run
   When a user logs off and shuts down a computer:
      a. Logoff scripts run
      b. Shutdown scripts run




                                 Multiple scripts are executed from top to bottom, as listed in the Script
                                 Properties dialog box, on the Script tab. This process determines the order in
                                 which scripts run and the effects that they have on computers and users. If there
                                 is a conflict between different scripts, the script that is processed last prevails.
                                 By running scripts in the preferred order, you avoid a situation in which a script
                                 that depends on the successful execution of another script executes before the
                                 script that it depends on.
                                 Group Policy–assigned scripts are processed and run as follows:
                                 1. When a user starts a computer and logs on, the following occur:
                                    a. Startup scripts are hidden and run synchronously by default.
                                        When scripts run synchronously, each script must complete or time out
                                        before the next one starts.
                                    b. Logon scripts are hidden and run asynchronously by default.
                                        When scripts run asynchronously, the scripts run simultaneously. Non–
                                        Group Policy logon scripts that are associated with a specific user
                                        account run after the Group Policy logon scripts run for the user account.
                                 2. When a user logs off and shuts down a computer, the following occur:
                                    a. Logoff scripts run.
                                    b. Shutdown scripts run.


                                 Note The default time-out value for processing scripts is 10 minutes. If a script
                                 requires more than 10 minutes to process, you must adjust the time-out value by
                                 configuring the wait time for Group Policy scripts, in Computer Configuration\
                                 Administrative Templates\System\Logon\Maximum wait time. This setting
                                 affects all scripts that run, not only logon scripts.



Assigning Group Policy Script Settings

Topic Objective
To illustrate the procedure for assigning Group Policy script settings to users
and computers.

Lead-in
To implement scripts by using Group Policy, you add the script to the
appropriate script setting.

[Figure: Logon Properties dialog box, Scripts tab, "Logon Scripts for Log On
Script [AUCKLAND.contoso.msft]", listing Development.vbs and Information
Services.vbs, with Up, Down, Add, Edit, Remove, and Show Files buttons.
Callouts: Add the script to the appropriate GPO; Copy the script to the
appropriate GPT.]


Delivery Tip
Demonstrate how to add a startup script by using Group Policy. Then, show
students where the script resides in the GPT.

The path to the location in the GPT is systemroot\SYSVOL\Sysvol\
domain_name\policies\GPO_GUID_identifier\machine\scripts\Startup.

Implementing a script means using Group Policy to add that script to the
appropriate setting in the Group Policy template (GPT), which designates that
the script runs during startup, shutdown, logon, or logoff.

Copying a Script to a Group Policy Template
To copy a script into the appropriate GPT, perform the following steps:
1. Locate the script on your hard disk by using Windows Explorer.
2. Open the appropriate GPO in Group Policy, expand either Computer
   Configuration (for startup and shutdown scripts) or User Configuration
   (for logon and logoff scripts), expand Windows Settings, and then click
   Scripts.
3. Double-click the appropriate script type (Startup, Shutdown, Logon, or
   Logoff), and then click Show Files.
4. Copy the script file from Windows Explorer to the window that appears, and
   then close the window.

Adding a Script to a Group Policy Object
To add a script to a GPO, perform the following steps:
1. In the Properties dialog box for the script type, click Add, click Browse,
   select a script, and then click Open.
2. Add any necessary script parameters, and then click OK.
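
An added audit example (not from the courseware) covering the two procedures above and the top-to-bottom processing order described earlier: it reads the scripts.ini file that Group Policy keeps in the GPT's scripts folder and reports scripts added to the GPO but never copied into the GPT, files copied but never added, and command lines that point outside the GPT. The scripts.ini layout (numbered CmdLine/Parameters pairs, UTF-16 encoded) is Microsoft's documented format, not something this page describes; the file contents, the old-map.vbs and cleanup.cmd names, and the fileserver.example share are constructed.

```python
import codecs
import re
from pathlib import PureWindowsPath

# Constructed sample of a user-side scripts.ini. The first two script names
# match the Logon Properties slide; everything else is made up. The indexes
# are deliberately out of order to show that the number sets the run order.
SAMPLE_INI_TEXT = "\r\n".join([
    "[Logon]",
    "1CmdLine=Information Services.vbs",
    "1Parameters=",
    "0CmdLine=Development.vbs",
    "0Parameters=",
    r"2CmdLine=\\fileserver.example\tools\map.cmd",
    "2Parameters=/quiet",
    "[Logoff]",
    "0CmdLine=cleanup.cmd",
    "0Parameters=",
    "",
])
SAMPLE_INI = codecs.BOM_UTF16_LE + SAMPLE_INI_TEXT.encode("utf-16-le")

# Constructed listing of the files found in each GPT script folder.
SAMPLE_FILES = {
    "Logon": ["Development.vbs", "Information Services.vbs", "old-map.vbs"],
    "Logoff": [],
}

ENTRY = re.compile(r"^(\d+)(CmdLine|Parameters)=(.*)$", re.IGNORECASE)


def decode_ini(raw):
    """scripts.ini is normally UTF-16 with a BOM; fall back to UTF-8 without one."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def parse_scripts_ini(raw):
    """Return {event: [(cmdline, parameters), ...]} in processing order."""
    slots = {}
    current = None
    for line in decode_ini(raw).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = slots.setdefault(line[1:-1].strip().capitalize(), {})
            continue
        match = ENTRY.match(line)
        if match and current is not None:
            index, field = int(match.group(1)), match.group(2).lower()
            slot = current.setdefault(index, {"cmdline": "", "parameters": ""})
            slot[field] = match.group(3)
    return {
        event: [(s[i]["cmdline"], s[i]["parameters"]) for i in sorted(s)]
        for event, s in slots.items()
    }


def audit_scripts(raw_ini, files_in_gpt):
    """Compare scripts.ini with the files actually present in the GPT folders."""
    ini = parse_scripts_ini(raw_ini)
    events = list(ini) + [e for e in files_in_gpt if e not in ini]
    findings = []
    for event in events:
        present = {name.lower(): name for name in files_in_gpt.get(event, [])}
        referenced = set()
        for cmdline, _params in ini.get(event, []):
            if PureWindowsPath(cmdline).anchor:
                # Drive letter or UNC path: the file is not stored in this GPT.
                findings.append((event, "outside-gpt", cmdline))
            elif cmdline.lower() in present:
                referenced.add(cmdline.lower())
            else:
                # Added to the GPO but never copied into the GPT folder.
                findings.append((event, "missing-from-gpt", cmdline))
        for key in sorted(set(present) - referenced):
            # Copied into the GPT folder but never added to the GPO.
            findings.append((event, "unreferenced-file", present[key]))
    return findings
```

On a domain controller, the inputs would be the scripts.ini file and the folder listings under the GPT path given in the Delivery Tip.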



       Using Group Policy to Redirect Folders
Topic Objective
To introduce the topics that relate to using Group Policy to redirect user folders.

Lead-in
By redirecting folders, you can ensure that users’ data is available to them
regardless of the computers to which they log on.

Slide:
   • Folder Redirection Overview
   • Selecting the Folders to Redirect
   • Redirecting Folders to a Server Location




                               You can use Group Policy to redirect folders, which are part of the user profile,
                               from users’ local hard disks to a central location on a server. By redirecting
                               these folders, you can ensure that users’ data is in a central location, which
                               makes it easier to manage and back up. Also, you can ensure that users’ data is
                               available to them regardless of the computers to which they log on.
                               The folders that you can redirect are My Documents, Start Menu, Desktop, and
                               Application Data. These folders are automatically created and made part of the
                               user profile for each user account.



Folder Redirection Overview
Topic Objective
To explain the reasons for redirecting folders.

Lead-in
When you redirect folders, you change the storage location of folders.

Slide: Redirected Personal Folders (My Documents)
   Documents are stored on the server but appear to be stored locally.
   Advantages of folder redirection:
   • Data is always available
   • Data is centrally stored
   • Files are not saved on the client computer




                             When you redirect folders, you change the storage location of folders from the
                             local hard disk on the user’s computer to a shared folder on a network file
                             server. After you redirect a folder to a file server, a user can access the folder as
                             if it were stored on the local hard disk.
                             The following list describes the advantages of redirecting folders:
                             • The data in the folders is available to the user regardless of the client
                               computer to which the user logs on.
                             • The data in the folders is centrally stored, so the files that the folders contain
                               are easier to manage and back up.
                             • Files in redirected folders, unlike files that are part of a roaming user profile,
                               are not copied and saved on the computers where the user logs on. This
                               means that when a user logs on to a client computer, no storage space is
                               used to store these files, and data that might be confidential does not remain
                               on a client computer.



Selecting the Folders to Redirect
Topic Objective
To introduce the different types of folders, and the reasons to redirect these
folders.

Lead-in
Depending on the needs of users and your network, you may redirect some or all of
these folders.

Slide:
Folder             Contains                     Reason to redirect

My Documents       Users’ personal work         Users can access their data from any
                   data                         computer, and this data can be backed up
                                                and managed centrally
Start Menu         Folders and shortcuts        Users’ Start menus are standardized
                   on the Start menu
Desktop            All files and folders        Users have the same desktop regardless of
                   that users place on          the computer to which they log on
                   the desktop
Application Data   User-specific data           Applications use the same user-specific
                   stored by applications       data for users regardless of the computer
                                                to which the user logs on
Depending on the needs of users and your network, you may redirect some or
all of the folders that can be redirected. The following table describes what each
folder that can be redirected contains, and provides specific reasons for
redirecting the folder.

Key Point
You can standardize user Start menus by redirecting users’ Start Menu folders to
the same folder and then assigning only the NTFS Read permission so that users
cannot change the contents of their Start menus.

Folder             Contains                                  Reason to redirect

My Documents       The default location where users          Users can access data from any
                   store their personal work data. It        computer, and this data can be
                   is the default location for the           backed up and managed centrally.
                   Open and Save As commands on              The amount of data that is saved
                   the File menu. Windows 2000               in the user profile is reduced.
                   places a My Documents shortcut
                   icon on the desktop. It also
                   includes the My Pictures folder,
                   where users can save their
                   graphics.
Start Menu         Folders and shortcuts on the Start        Users’ Start menus are
                   menu.                                     standardized. Redirect multiple
                                                             users’ Start Menu folders to the
                                                             same network location and then
                                                             assign only the NTFS file system
                                                             Read permission so that users
                                                             cannot change their Start menu
                                                             content.
Desktop            All files, folders, and shortcuts         Users’ desktops are standardized.
                   that users place on their                 Use the same strategy that you use
                   desktops.                                 for the Start menu.
Application Data   User-specific data stored by              Application-specific data is
                   applications, such as configuration       available for a user, regardless of
                   files and personal dictionaries for       the computer to which the user
                   spelling checker.                         logs on.



Redirecting Folders to a Server Location
Topic Objective
To illustrate how to redirect folders to a server location by using Group Policy.

Lead-in
You use the Folder Redirection extension in Group Policy to redirect folders.

[Slide: three views of the Target tab in the Desktop Properties dialog box, one
for each Setting option: "No administrative policy specified"; "Basic – Redirect
everyone’s folder to the same location", with the target folder location
\\london\desktops\%username%; and "Advanced – Specify locations for various user
groups", with the Security Group Membership entries NWTRADERS\acct,
\\london\acct\%username% and NWTRADERS\sales, \\london\sales\%username%.
Callout: Use the %username% variable.]

To store the My Documents, Application Data, Desktop, and Start Menu folders
on a server, use the Folder Redirection extension in Group Policy.

Delivery Tip
Demonstrate, at an organizational unit level, configuring the Group Policy
settings to redirect folders to a shared folder on a server.

Key Point
If an administrator uses the %username% variable when redirecting a folder, a
unique personal folder is created on the server for each user to which the Group
Policy settings apply.

To redirect a folder, perform the following steps:
1. Create a new GPO or select an existing GPO, and then click Edit.
2. Expand User Configuration, expand Windows Settings, and then expand
   Folder Redirection.
3. Right-click the name of the folder that you want to redirect, click
   Properties, and then provide the target location and path to the location.

The options on the Target tab are described in the following table.

Options                     Description

Setting                     No administrative policy specified. Selected by default.
                            Basic. Redirects all folders to the same location.
                            Advanced. Specifies locations for various security groups. You
                            can use this option to redirect the folders of users to whom this
                            GPO applies and to specify different locations, depending on
                            group membership.
Target folder location      This option appears when you click Basic. This option redirects
                            all folders to the same location, and you can use it to specify a
                            UNC path name to the new location. You can use the following
                            syntax to create target folders that are named after a user’s logon
                            name: \\server_name\share_name\%username%
Security Group Membership   This option appears when you select Advanced. This option
                            specifies locations for various security groups. The security
                            groups and the path to the redirected folders appear here.


                       You use the options on the Setting tab to control folder redirection. You must
                       know the defaults for these settings because they have implications for server
                       disk space and security. The following table describes the settings for folder
                       redirection.
                       Setting                                        Effect

                       Grant the user exclusive rights to folder.     Enabled by default, this setting ensures
                                                                      that only the user and the system have
                                                                      rights to the folder. Administrators do not
                                                                      have access to the folder.
                                                                      If this check box is cleared, the new folder
                                                                      location will retain the permissions that
                                                                      were granted to the previous location.
                       Move the contents of folder to the new         Enabled by default, this setting moves the
                       location.                                      contents of the folder to the new location
                                                                      the next time Group Policy is applied.
                                                                      If this check box is cleared, the folder will
                                                                      be redirected, but the contents will remain
                                                                      in the previous location.
                       Policy Removal                                 By default, when a folder redirection
                                                                      Group Policy is removed, the folder
                                                                      remains in the redirected location.
                                                                      You can also choose to return redirected
                                                                      folders to the local user profile location
                                                                      when Group Policy is removed.
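
The "Grant the user exclusive rights to folder" default can be checked on the file server after redirection has taken effect. The following PowerShell function is an added example, not part of the course material; it assumes per-user folders sit directly under the share root and are named after the logon name (\\server\share\%username%), and the function name and parameters are hypothetical.

```powershell
# Added example: report, for each per-user folder under a redirection share,
# whether anything other than the user and the system is allowed access.
# Requires PowerShell 3.0 or later on an administrative host.

function Test-RedirectedFolderAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ShareRoot,   # for example \\london\desktops
        [Parameter(Mandatory)][string]$Domain       # for example NWTRADERS
    )

    foreach ($dir in Get-ChildItem -LiteralPath $ShareRoot -Directory) {
        # Folder name is assumed to equal the logon name (%username%).
        $expectedUser = '{0}\{1}' -f $Domain, $dir.Name
        $allowed      = @($expectedUser, 'NT AUTHORITY\SYSTEM')

        try {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        } catch {
            # With exclusive rights in effect, administrators have no access to
            # the folder, so failing to read its ACL is consistent with the
            # setting. Record it instead of treating it as a script failure.
            [pscustomobject]@{
                Folder      = $dir.FullName
                Status      = 'AclUnreadable'
                Owner       = $null
                OwnerIsUser = $null
                Unexpected  = $_.Exception.Message
            }
            continue
        }

        # Any Allow entry for a principal other than the user or the system,
        # including unresolved SIDs left behind by deleted accounts.
        $unexpected = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -notin $allowed
        } | ForEach-Object {
            '{0}: {1}' -f $_.IdentityReference.Value, $_.FileSystemRights
        })

        [pscustomobject]@{
            Folder      = $dir.FullName
            Status      = if ($unexpected.Count -eq 0) { 'Exclusive' } else { 'Review' }
            Owner       = $acl.Owner
            # Assumption: the folder was created by redirection in the user's
            # own logon session, so the user is the expected owner.
            OwnerIsUser = ($acl.Owner -eq $expectedUser)
            Unexpected  = $unexpected -join '; '
        }
    }
}

# Example call, using the server and domain names shown on the slide:
# Test-RedirectedFolderAcl -ShareRoot '\\london\desktops' -Domain 'NWTRADERS' |
#     Format-Table -AutoSize
```

A folder reported as Review is expected when the check box was cleared, because the folder then retains the permissions that were granted to the previous location.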



Lab A: Using Group Policy to Manage the User
Environment
Topic Objective
To introduce the lab.

Lead-in
In this lab, you will create a GPO linked to an organizational unit, configure
the GPO with Group Policy, verify that Group Policy settings are in effect,
verify that proper scripts are executed, and direct the My Documents folder to a
new location.

Key Points
The lab does not reflect the real-world environment. It is recommended that you
always use complex passwords for any administrator accounts, and never create
accounts without a password.

Outside of the classroom environment, it is strongly advised that you use the
most recent software updates that are necessary. Because this is a classroom
environment, we may use software that does not include the latest updates.

Objectives
After completing this lab, you will be able to:
   • Configure, apply, and test registry-based Group Policy by using
     Administrative Templates.
   • Assign scripts to users and computers by using Group Policy.
   • Implement folder redirection by using Group Policy.

Prerequisites
Before working on this lab, you must have:
   • Skill using Active Directory Users and Computers.
   • Knowledge of disk quotas and scheduled tasks.

Estimated time to complete this lab: 45 minutes

Important Outside of the classroom environment, it is strongly advised that
you use the most recent software updates that are necessary. Because this is a
classroom environment, we may use software that does not include the latest
updates.


     Lab Setup
      Tasks                                Detailed steps

      •     Log on to your domain as        a.   Press CTRL+ALT+DEL to open the logon page.
            Administrator with a            b.   In the User Name box, type Administrator
            password of password.
                                            c.   In the Password box, type password
                                            d.   In the Domain box, ensure that your domain is listed.
                                            e.   Click OK.



                            Important This Lab does not reflect the real-world environment. It is
                            recommended that you always use complex passwords for any user or
                            administrator accounts, and never create accounts without a password.


Exercise 1
Implementing an Administrative Templates Policy for Computers
In this exercise, you will create a GPO linked to the Domain Controllers organizational unit, and
you will configure the GPO with Group Policy settings that satisfy the scenario requirements. After
the GPO is configured, restart your computer to ensure that the Group Policy settings have been
applied.


Scenario
You need to assign additional Group Policy settings for a domain controller in your domain. The
Group Policy settings that you must apply to enhance the settings in the default domain controller
Group Policy must satisfy the following management requirements:
   • Disk quotas must be enabled for all volumes so that disk space usage can be easily tracked.
   • Disk quota limits must not be enforced. No limits will be enforced until you can determine the
     average disk utilization for the server and install additional disk capacity, if required.
   • Users must not be able to run the New Task Wizard so that server performance is not affected.



  Tasks                                 Detailed steps

  1.   Create a new GPO linked to        a.   On the Administrative Tools menu, open Active Directory Users and
       the Domain Controllers                 Computers.
       organizational unit. Name         b.   In the console tree, expand your domain, right-click Domain
       the new GPO Admin                      Controllers, and then click Properties.
       Template Policy.
                                         c.   On the Group Policy tab, click New, type Admin Template Policy
                                              and then press ENTER.
  2.   Edit the administrative           a.   Select the new Group Policy, and then click Edit.
       template settings for the new     b.   In the Group Policy console tree, under Computer Configuration,
       GPO to:                                expand Administrative Templates.
       ● Enable disk quotas.             c.   In the console tree, expand System, click Disk Quotas, and then in the
       ● Prevent disk quota limits            details pane, double-click Enable disk quotas.
          from being enforced.           d.   In the Enable disk quotas Properties dialog box, on the Policy tab,
       ● Prevent users from                   click Enabled, and then click OK.
          running the New Task           e.   In the details pane, double-click Enforce disk quota limit.
          Wizard.
                                         f.   In the Enforce disk quota limit Properties box, click Disabled, and
                                              then click OK.
                                         g.   In the console tree, expand Windows Components, click Task
                                              Scheduler, and then in the details pane, double-click Disable New
                                              Task Creation.
                                         h.   In the Disable New Task Creation Properties dialog box, on the
                                              Policy tab, click Enabled, and then click OK.
                                         i.   Close Group Policy, and then click Close to close the Domain
                                              Controllers Properties dialog box.
                                         j.   Leave Active Directory Users and Computers open.


     Exercise 2
     Implementing an Administrative Templates Policy for Users
     In this exercise, you will create a GPO linked to the Telemarketing organizational unit, and you will
     configure the GPO with Group Policy settings that satisfy the restrictions described in the scenario.


     Scenario
     Telemarketing users are typically temporary workers who accept orders by telephone and enter
     customers’ data into a database by using in-house software installed on preconfigured computers. You
     must implement Group Policy settings that enforce the following restrictions for telemarketing users:
        • Prevent users from mapping network drives.
        • Prevent users from using My Network Places to browse the corporate network.
        • Prevent users from making changes to Taskbar and Start Menu settings.
        • Prevent users from accessing the Windows Update icon. The Information Services department
          must install all software updates for corporate computers.
        • Enable users to run the New Task Wizard to schedule an in-house tool to perform maintenance
          tasks on the order database.



       Tasks                                 Detailed steps

       1.    Create a GPO for the             a.   In the console tree, if necessary, expand your domain, expand Sales,
             Telemarketing                         right-click Telemarketing, and then click Properties.
             organizational unit. Name        b.   On the Group Policy tab, click New, type Telemarketing Policy and
             this new GPO                          then press ENTER.
             Telemarketing Policy.
       2.    Edit the Administrative          a.   With Telemarketing Policy selected, click Edit.
             Template settings for the        b.   In the console tree, under User Configuration, expand
             Telemarketing Policy GPO              Administrative Templates.
             to prevent users from
             mapping network drives.          c.   In the console tree, expand Windows Components, click Windows
                                                   Explorer, and then in the details pane, double-click Remove the
                                                   “Map Network Drive” and “Disconnect Network Drive.”
                                              d.   In the Remove “Map Network Drive” and “Disconnect Network
                                                   Drive” Properties dialog box, on the Policy tab, click Enabled, and
                                                   then click OK.




Tasks                              Detailed steps

3.   Edit the remaining             a.   Using the following information, configure the remaining required
     administrative template             restrictions:
     settings for the                    •   Enable the Hide My Network Places icon on desktop policy,
     Telemarketing GPO to:                   which is located in the Desktop folder.
     ● Prevent users from using          •   Enable the Disable changes to Taskbar and Start Menu
        My Network Places to                 Settings policy, which is located in the Start Menu & Taskbar
        browse the corporate                 folder.
        network.
                                         •   Enable the Disable and remove links to Windows Update,
     ● Prevent users from
                                             which is located in the Start Menu & Taskbar folder.
        making changes to
        Taskbar & Start Menu             •   Disable the Disable New Task Creation policy, which is located
        settings.                            in the Windows Components\Task Scheduler folder.

     ● Prevent users from
                                    b.   Close all open windows, and then restart your computer.
        accessing Windows
        Update.
     ● Enable users to run the
        New Task Wizard.


     Exercise 3
     Verifying Administrative Templates Policies
     In this exercise, you will log on as Administrator to verify which computer Group Policy settings
     are in effect. Then, you will log on as a Telemarketing user to verify which user Group Policy
     settings are in effect for members of the Telemarketing organizational unit.


     Scenario
     Now that the required GPOs are in place and configured, you must confirm that the Group Policy
     settings are being applied as expected.


       Tasks                                 Detailed steps

       1. Verify that the Group Policy        a.   Log on as Administrator with a password of password.
          settings contained in the           b.   On the desktop, double-click My Computer, right-click the icon for
          Admin Template GPO are                   drive C, and then click Properties.
          being properly applied.
                                              c.   Click the Quota tab.
               Are disk quotas enabled? Why or why not?


               Yes, because disk quotas were enabled in the Admin Template GPO.




               Are disk quota limits enforced? Why or why not?


               No, because the enforcement of disk quota limits was disabled in the Admin Template GPO.




       1.     (continued)                     d.   Click Cancel to close the Local Disk (C:) Properties dialog box.
                                              e.   In the My Computer window, double-click Control Panel.
                                              f.   In Control Panel, double-click Scheduled Tasks.
               Are you able to run the Add Task Wizard?


               No.




Tasks                               Detailed steps


     Were all of the Group Policy settings in the Admin Template Policy GPO applied?


      Yes.




1. (continued)                         g.   Close all open windows, and then log off.
2. Log on as TMUser and                a.   Log on as TMUser with a password of password.
   verify that the Group Policy
   settings contained in the
   Telemarketing GPO are
   being properly applied.
     Are the following settings contained in the Telemarketing Policy GPO enforced? Why or why not?
     The My Network Places icon does not appear on the desktop.
      Unable to map a network drive.
      Unable to modify Taskbar & Start Menu settings.
      The Windows Update icon does not appear on the Start menu.
      Able to schedule a new task using the Add a New Task Wizard.


      All of the Group Policy settings are enforced, with the exception of being able to schedule a new task
      by using the Add a New Task Wizard. Because the user is logging on to a domain controller, the
      Admin Template Policy GPO, which is linked to the Domain Controllers organizational unit, is also
      being applied. The Admin Template Policy GPO contains a setting that restricts the right to use the
      Add a New Task Wizard, and computer Group Policy overrides user Group Policy.




2. (continued)                         b.   Close all open windows, and then log off.


     Exercise 4
     Using Group Policy to Assign Scripts
     In this exercise, you will create a GPO for the Sales organizational unit and a second GPO for the
     Retail organizational unit. You will configure the settings in the two GPOs to run the required
     scripts.


     Scenario
     All Sales users in your organization must run scripts to configure their desktop environments when
     they log on and to perform cleanup tasks when they log off. Retail users must run additional scripts
     to configure their computers to use proprietary software. You must assign the following script
     Group Policy for users in the Sales organizational unit and its child organizational units:
        All users in the Sales organizational unit and the child organizational units must run the
        Sales Logon.vbs script when they log on.
        All users in the Sales organizational unit and the child organizational units must run the
        Sales Logoff.vbs script when they log off.
        All users in the Retail organizational unit must run the Retail Logon.vbs script and the
        Retail Config.vbs script when they log on.



       Tasks                              Detailed steps

       1. Create a GPO linked to the       a.   Log on as Administrator with a password of password.
          Sales organizational unit.       b.   On the Administrative Tools menu, open Active Directory Users and
          Name this GPO Sales Script            Computers.
          Policy.
                                           c.   In the console tree, expand your domain, right-click Sales, and then
                                                click Properties.
                                           d.   On the Group Policy tab, click New, type Sales Script Policy and
                                                then press ENTER.
       2. Copy the Sales Logon script      a.   With Sales Script Policy selected, click Edit.
          from C:\MOC\2126\                b.   In the console tree, under User Configuration, expand Windows
          Labfiles\Lab08A\Scripts to            Settings, and then click Scripts (Logon/Logoff).
          the Logon folder in the Sales
          Script Policy GPT folder.        c.   In the details pane, double-click Logon, and then in the Logon
                                                Properties box, click Show Files.
                                                      A window appears showing the contents of the Logon folder
                                                      in the GPT for this GPO. Before you can assign a script
                                                      with this GPO, you must copy the script file to this folder.

                                           d.   Open the C:\MOC\2126\Labfiles\Lab08A\Scripts folder.
                                           e.   Copy the Sales Logon script file from the Scripts folder to the Logon
                                                folder.
                                           f.   Minimize the Scripts folder, and then close the Logon folder.
                                           g.   Leave the Logon Properties dialog box open.

3. Add the Sales Logon script        a.   In the Logon Properties dialog box, click Add.
   to the list of Logon scripts      b.   In the Add a Script dialog box, click Browse, click the Sales Logon
   for the Sales Script Policy            script, click Open, and then click OK.
   GPO.
                                     c.   Click OK to close the Logon Properties dialog box.
                                     d.   Leave Group Policy open.
4. Copy the Sales Logoff script      a.   In the details pane, double-click Logoff, and then in the Logoff
   from C:\MOC\2126\                      Properties dialog box, click Show Files.
   Labfiles\Lab08A\Scripts to        b.   Restore the Scripts window, and then copy the Sales Logoff script to
   the Logoff folder in the               the Logoff folder.
   Sales Script Policy GPT
   folder.                           c.   Minimize the Scripts window, and then close the Logoff window.
                                     d.   Leave the Logoff Properties dialog box open.
5. Add the Sales Logoff script       a.   In the Logoff Properties dialog box, click Add.
   to the list of Logoff scripts     b.   In the Add a Script dialog box, click Browse, click the Sales Logoff
   for the Sales Script Policy            script, click Open, and then click OK.
   GPO.
                                     c.   Click OK to close the Logoff Properties dialog box, and then close
                                          Group Policy.
                                     d.   Click Close to close the Sales Properties dialog box.
                                     e.   Leave Active Directory Users and Computers open.
6. Create a GPO linked to the        a.   In the console tree, expand Sales, right-click Retail, and then click
   Retail organizational unit.            Properties.
   Name this GPO Retail              b.   On the Group Policy tab, click New, type Retail Script Policy and
   Script Policy.                         then press ENTER.
7. Copy the Retail Logon and         a.   With Retail Script Policy selected, click Edit.
   Retail Config scripts from        b.   In the console tree, under User Configuration, expand Windows
   C:\MOC\2126\                           Settings, and then click Scripts (Logon/Logoff).
   Labfiles\Lab08A\Scripts to
   the Logon folder in the           c.   In the details pane, double-click Logon, and then in the Logon
   Retail Script Policy GPT               Properties dialog box, click Show Files.
   folder.                           d.   Restore the Scripts window, and then copy the Retail Logon and Retail
                                          Config scripts from the Scripts folder to the Logon folder.
                                     e.   Close the Scripts window and the Logon window.
8. Add the Retail Logon and          a.   In the Logon Properties dialog box, click Add.
   the Retail Config scripts to      b.   In the Add a Script dialog box, click Browse, click the Retail Logon
   the list of logon scripts for          script, click Open, and then click OK.
   the Retail Script Policy
   GPO.                              c.   In the Logon Properties dialog box, click Add.
                                     d.   In the Add a Script dialog box, click Browse, click the Retail Config
                                          script, click Open, and then click OK.
                                     e.   Click OK to close the Logon Properties dialog box, and then close
                                          Group Policy.
                                     f.   Close the Retail Properties dialog box, close Active Directory Users
                                          and Computers, and then log off.


     Exercise 5
     Verifying Script Assignment
     In this exercise, you will log on by using a user account in the Sales organizational unit to verify
     that the proper scripts are executed. You will also log on as a user in the Retail organizational unit
     to verify that the proper scripts are executed.


     Scenario
     Now that the required GPOs are set up and configured, you must confirm that the Group Policy
     settings are being applied as expected.


       Tasks                                Detailed steps

       1. Log on as Salesuser to            •   Log on as Salesuser with a password of password.
          verify that the Sales Logon
          script executes.
             Did the Sales Logon script execute? Why or why not?


             Yes, the Sales Logon script executed. This script was assigned to the Sales organizational unit and
             will be executed for users in the Sales organizational unit and in all child organizational units.




       2. Log off to verify that the        •   Log off.
          Sales Logoff script executes.
             Did the Sales Logoff script execute?


             Yes.

3. Log on as Retailuser to           •   Log on as Retailuser with a password of password.
   verify that the Sales Logon,
   Retail Logon, and Retail
   Config scripts execute.
     Which logon scripts executed and why?


      The Sales Logon, Retail Logon, and Retail Config scripts executed. The Sales Logon script will be
      executed for all user accounts in the Sales organizational unit and all child organizational units. The
      Retail Logon and Retail Config scripts will be executed for all user accounts in the Retail
      organizational unit.




4. Log off to verify that the        •   Log off.
   Sales Logoff script executes.
     Did the Sales Logoff script execute?


      Yes.


     Exercise 6
     Implementing Folder Redirection Policy
     In this exercise, you will redirect the My Documents folder to a new location on the network by
     using Group Policy.


     Scenario
     Northwind Traders has a policy that only data on the servers is backed up. To address fault-
     tolerance concerns, you do not want the contents of the My Documents folder to be stored locally.
     You want to redirect the folder to the user’s home directory on the server because the servers are
     backed up every evening.


       Tasks                                Detailed steps

       1. Confirm the current location      a.    Log on as Salesuser with a password of password.
          of My Documents for the           b.    Open the Properties dialog box for My Documents.
          salesuser account and create
          a text file in the My
          Documents folder.
             What is the current location of My Documents?


             C:\Documents and Settings\Salesuser.




             Can the user change this location?


             Yes.




       1. (continued)                       c.    Close the My Documents Properties dialog box, and then open the
                                                  My Documents folder.
                                            d.    Create a text file in the My Documents folder.
                                            e.    Close My Documents, and then log off.

2. Redirect the My Documents            a.   Log on as Administrator with a password of password.
   folder for a user in the Sales       b.   At the root of drive D, create a folder named Redirect, and then share
   organizational unit. Use the              it with the default permissions.
   following settings for the
   redirected folder:                   c.   On the Administrative Tools menu, open Active Directory Users and
                                             Computers.
    ● Basic – Redirect
        everyone’s folder to the        d.   In the console tree, expand your domain, right-click Sales, and then
        same location.                       click Properties.

    ● Target folder:                    e.   On the Group Policy tab, create a new GPO named Folder Redirect
        \\computer\redirect\                 Policy, and then click Edit.
        %username% (where               f.   Under User Configuration, expand Windows Settings, expand
        computer is your                     Folder Redirection, right-click My Documents, and then click
        computer name).                      Properties.
    ● Policy removal: Redirect          g.   In the Setting list, click Basic – Redirect everyone’s folder to the
        the folder back to the               same location.
        local user profile location     h.   Under Target folder location, type
        when Group Policy is                 \\computer\redirect\%username% (where computer is your computer
        removed.                             name), and then click the Settings tab.
      Record the default settings for folder redirection in the following space.


      Grant the user exclusive rights to My Documents is enabled.
      Move the contents of My Documents to the new location is enabled.
      Policy Removal defaults to Leave the folder in the new location when policy is removed.
      My Pictures Preferences defaults to Make My Pictures a subfolder of My Documents.




2. (continued)                          i.   Click Redirect the folder back to the local user profile location
                                             when policy is removed, and then click OK.
                                        j.   Close all open windows, and then log off.
3. Verify that the Folder               a.   Log on as Salesuser with a password of password.
   Redirection Group Policy is          b.   Open the Properties dialog box for My Documents.
   being applied properly.
      What is the current location of My Documents?


      \\computer\redirect\SalesUser (where computer is your assigned computer name).

             Can the user change the location of My Documents? Why or why not?


             No, because the folder was redirected by using Group Policy.




     3. (continued)                         c.   Close the My Documents Properties dialog box, and then open My
                                                 Documents.
             Does the My Documents folder contain the text file that you created earlier? Why or why not?


             Yes. The default setting for folder redirection moves the contents of the redirected folder to the new
             location.




     3. (continued)                         d.   Close My Documents, and then log off.
     4.    Remove the Folder                a.   Log on as Administrator with a password of password.
           Redirection Policy GPO.          b.   On the Administrative Tools menu, open Active Directory Users and
                                                 Computers.
                                            c.   In the console tree, expand your domain, right-click Sales, and then
                                                 click Properties.
                                            d.   On the Group Policy tab, click the Folder Redirect Policy GPO, and
                                                 then click Delete.
                                            e.   In the Delete dialog box, click Remove the link and delete the
                                                 Group Policy Object permanently, and then click OK.
                                            f.   In the Delete Group Policy Object dialog box, click Yes, and then
                                                 click Close to close the Sales Properties box.
                                            g.   Close all open windows, and then log off.

5.   Test the results of deleting     a.   Log on as Salesuser with a password of password.
     the Folder Redirect Policy       b.   Right-click My Documents, and then click Properties.
     GPO.
       What is the current location of My Documents? Is this the default behavior when folder redirection Group
       Policy is removed?


       C:\Documents and Settings\Salesuser. No, the default behavior when folder redirection Group Policy
       is removed is to leave the redirected folder on the network share where it was redirected.




5.   (continued)                      c.   Close all open windows, and then log off.



Troubleshooting User Environment Management
Topic Objective
To introduce troubleshooting options for resolving problems that may occur
when using Group Policy to manage user environments.
Lead-in
You may encounter problems when you manage the user environment by using
Group Policy.

   Registry Settings Are Not Applied
   Scripts Do Not Execute
   Folders Are Not Being Redirected




                               You may encounter problems when you use Group Policy to manage user
                               environments. Some of the most common problems include registry settings
                               that are not applied, scripts that do not execute, and folders that do not redirect
                               as specified.

                               Tip To display information about the effect that Group Policy has on the
                               computer and the currently logged-on user, you can use the Group Policy
                               Results command-line tool (Gpresult.exe), which is available in the
                               Windows 2000 Server Resource Kit and for download from the Microsoft Web
                               site at http://www.microsoft.com.


Delivery Tip
Demonstrate the output from Gpresult.exe in normal and verbose modes.

                               Registry Settings Are Not Applied
                               Run Gpresult.exe in verbose mode on the client computer to confirm that
                               Administrative Templates Group Policy settings are not applied, and then
                               review the output:
                                  If the text “The user (or computer) received ’Registry’ settings from these
                                  GPOs.” does not appear in the output, no administrative template settings
                                  were applied.
                                  If this text does not appear, verify that the user or computer account has at
                                  least Read and Apply Group Policy permissions on all GPOs that must be
                                  processed.
                                  Verify the relevant GPOs to determine whether either the User
                                  Configuration or Computer Configuration nodes are disabled.


Scripts Do Not Execute
Confirm that the Group Policy Scripts client-side extension is executing, by:
   Running Gpresult.exe in verbose mode.
   Examining the output under the heading “The user received ’Scripts’ settings
   from these GPOs”:
   • If the text is missing from the output, verify permissions on the relevant
     GPOs and check for inheritance issues.
   • If the text appears in the output, but certain scripts are not executing,
     verify that the SYSVOL directory is being properly replicated to all
     domain controllers.

Folders Are Not Being Redirected
Possible causes and strategies for resolving the problems include the following:
   If you are using redirected folders and they are not being redirected, verify
   the discretionary access control list (DACL) on the network share where the
   folders are being redirected. Ensure that the user has sufficient permissions.
   If the volume that contains the redirected folders has disk quotas enabled,
   verify that the user has not exceeded his or her quota limit.
   If the folder on the network share existed before you implemented
   redirection, verify that the DACL for the folder allows the user Full Control
   permission.
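
The DACL checks in the first and third items above, as an added PowerShell example that is not part of the original courseware. The function name, the EXAMPLE domain and the sample ACEs are constructed; treating SYSTEM as the only other expected principal is an assumption based on the "Grant the user exclusive rights to My Documents" default recorded in the lab.

```powershell
# Added example: evaluate the DACL of one user's redirected My Documents folder.
# Input is the .Access collection from Get-Acl, or constructed ACEs as below.

function Test-RedirectedFolderDacl {
    param(
        [Parameter(Mandatory)] [string]   $UserName,
        [Parameter(Mandatory)] [object[]] $AccessRules,
        # Principals expected besides the user when exclusive rights are
        # granted (assumption: SYSTEM only).
        [string[]] $ExpectedOthers = @('NT AUTHORITY\SYSTEM')
    )

    $full        = [System.Security.AccessControl.FileSystemRights]::FullControl
    $findings    = New-Object System.Collections.Generic.List[string]
    $userHasFull = $false

    foreach ($ace in $AccessRules) {
        $who    = "$($ace.IdentityReference)"
        $type   = "$($ace.AccessControlType)"
        $rights = [System.Security.AccessControl.FileSystemRights] $ace.FileSystemRights

        if ($who -eq $UserName) {
            if ($type -eq 'Deny') {
                # An explicit Deny is evaluated before the Allow entries.
                $findings.Add("Deny ACE for $who ($rights).")
            }
            elseif (($rights -band $full) -eq $full) {
                $userHasFull = $true
            }
        }
        elseif ($type -eq 'Allow' -and $ExpectedOthers -notcontains $who) {
            # Any other principal can read or change this user's documents.
            $findings.Add("Unexpected Allow ACE: $who ($rights).")
        }
    }

    if (-not $userHasFull) {
        $findings.Add("$UserName does not have Full Control on the folder.")
    }

    [pscustomobject]@{
        UserName           = $UserName
        UserHasFullControl = $userHasFull
        Findings           = $findings.ToArray()
    }
}

# Constructed sample: a folder that existed before redirection was configured,
# where the user has only Modify and a broad group still has Full Control.
$constructedAces = @(
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\Salesuser'
                       FileSystemRights  = 'Modify, Synchronize'
                       AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\SYSTEM'
                       FileSystemRights  = 'FullControl'
                       AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'Everyone'
                       FileSystemRights  = 'FullControl'
                       AccessControlType = 'Allow' }
)

$result = Test-RedirectedFolderDacl -UserName 'EXAMPLE\Salesuser' -AccessRules $constructedAces
$result.Findings

# Against a live folder (path from the lab; computer is your computer name):
# $path = '\\computer\redirect\Salesuser'
# Test-RedirectedFolderDacl -UserName 'EXAMPLE\Salesuser' `
#     -AccessRules (Get-Acl -LiteralPath $path).Access
```

The disk quota cause in the second item is a separate check on the volume and is not covered by this function.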



       Introduction to Managing Software Deployment
Topic Objective
To identify the key concepts in software deployment.
Lead-in
We will examine the software management technologies that are available in
Windows 2000. In a more general manner, we will examine the stages in the
life cycle of pieces of software.

   Software Management Technologies
   The Software Life Cycle




                                 Two technologies included in Windows 2000—Windows Installer and the
                                 software installation and maintenance technology—are designed to help
                                 overcome the problems inherent in deploying and managing software
                                 throughout an organization.
                                 The Windows Installer service uses packages, which are .msi files that contain
                                 explicit instructions about installing and removing specific applications.
                                 The software installation and maintenance technology assists you in managing
                                 the installation, configuration, repair, and removal of software, including
                                 applications, operating system service packs, or software upgrades.
                                 In addition, the Windows 2000 software installation and maintenance
                                 technology is designed to facilitate policy-based management of software
                                 through the entire software life cycle.



Software Management Technologies
Topic Objective
To identify concepts that relate to Windows Installer and the software
installation and maintenance technology.
Lead-in
There are two software management technologies to assist you with software
deployment: The Windows Installer service and the software installation and
maintenance technology.

   Windows Installer
   Service allows for:
      Custom installations
      Resilient applications
      Clean removal
      Users to only need read access to installation folders

   Software Installation and Maintenance
   Group Policy objects can:
      Install applications on user computers
      Upgrade the application or automatically apply software patches or
      service packs
      Remove applications




                                 Windows 2000 provides two software management technologies to assist you
                                 with the tasks associated with software deployment: The Windows Installer
                                 service and the software installation and maintenance technology.

Delivery Tip
Explain the functions of Windows Installer and the software installation and
maintenance technology. Differentiate between the two: the software
installation and maintenance technology uses Group Policy to deploy and
manage software that is in the Windows Installer package file format.

                                 Windows Installer
                                 Windows Installer has a file format that replaces the Setup.exe file: the
                                 Windows Installer package, which is an .msi file. A Windows Installer package
                                 has a high level of functionality for software installation and maintenance. The
                                 benefits of using Windows Installer include:
                                    Custom installations. Optional features in an application, such as clip art or
                                    a thesaurus, can be visible in a program without being installed. Although
                                    the menu commands will be accessible, the feature itself will not be
                                    installed until the user accesses the command on the menu. This method of
                                    installation helps reduce both the complexity of the application and the
                                    amount of hard disk space that the application uses.
                                    Resilient applications. If a critical file is deleted or becomes corrupt, the
                                    application will automatically return to the installation source and acquire a
                                    new copy of the file, without requiring user intervention.
                                    Clean removal. Applications are uninstalled without leaving orphaned files
                                    and without inadvertently breaking another application, such as deleting a
                                    shared file that another program requires.
                                    Users need only Read access to installation folders. Deployed applications
                                    are installed through the elevated permissions of Windows Installer. As a
                                    result, users do not require administrator permissions either to their
                                    computers or to the installation folders to install applications.


                       Windows 2000 includes the Windows Installer technology. Versions of
                       Windows Installer are also available for Microsoft Windows XP Professional,
                       Microsoft Windows NT version 4.0, Microsoft Windows 98, and Microsoft
                       Windows 95. However, using Windows 2000 and Windows XP Professional
                       does give administrators one major advantage: it combines the Windows
                       Installer package files with the software installation and maintenance
                       technology, so that administrators can easily deploy and manage software
                       throughout their entire organization.

                       Note To use the Windows Installer packages on computers running
                       Windows NT 4.0, Windows 98, or Windows 95, you use the Windows Installer
                       setup program. This can be downloaded from the Microsoft Web site at
                       http://www.microsoft.com/downloads.


                       Windows 2000 Software Installation and Maintenance
                       Technology
                       The software installation and maintenance technology uses Group Policy to
                       deploy and manage software that is in the Windows Installer package file
                       format.
                       The most important advantage of using software installation and maintenance
                       technology is that you can manage and deploy software from a central location.
                       By working with Windows Installer package files, you can manage most
                       software deployment and management tasks by using Group Policy.
                       After an organization obtains a Windows Installer package file, you can create
                       GPOs and associate them with the package file. These GPOs can:
                           Install applications on user computers. Installation can occur automatically
                           when a user logs on or when a computer starts up, or you can make these
                           applications available for users to install when they need them.
                           Upgrade a previous version of the application, or automatically apply
                           software patches or service packs.
                           Remove applications.


                       Important Software installation and maintenance technology operates by using
                       Group Policy. Therefore, these deployment and management features are
                       available only for client computers running Windows 2000 or Windows XP
                       Professional. If you have client computers running other operating systems, you
                       must replace or supplement the software installation and maintenance
                       technology with another deployment solution, such as Microsoft Systems
                       Management Server (SMS).



The Software Life Cycle
Topic Objective
To illustrate the four phases of the software life cycle.
Lead-in
The software installation and maintenance technology enables the
distribution of software in a manner that closely aligns with the typical
software life cycle.

   Preparation: Packages are acquired
   Deployment: Packages are installed
   Maintenance: Packages are upgraded
   Removal: Packages are removed


                                 The software installation and maintenance technology enables the distribution
                                 of software in a manner that closely aligns with the typical software life cycle.
                                 You can use Group Policy to install, modify, repair, and remove software
                                 instead of managing software manually. The four phases of the software life
                                 cycle are: preparation, deployment, maintenance, and removal.

                                 The Preparation Phase
                                 The preparation phase occurs before software is deployed to users or
                                 computers. This phase involves two key processes:
                                    Package acquisition.
                                    You must have a package file for an application before you can use Group
                                    Policy to deploy that application. You have three options for acquiring
                                    package files. You can:
                                    a. Obtain a package file from a software vendor.
                                    b. Repackage an application. You can create a package file by using
                                       repackaging software.
                                    c. Create a text file that has the .zap extension. These text files enable you
                                       to publish an application by using Group Policy.

Delivery Tip
Point out to students that Wininstall LE is available on the Windows 2000
Advanced Server compact disc in the valuadd\3rdParty\mgmt\winstle folder.

                                    Package modifications.
                                    Modifications are similar to Windows Installer package files, but they have
                                    an .mst file extension. You can use modifications to take one product and
                                    create any number of custom installations. For example, you might create,
                                    for the human resources department, one version of Microsoft Excel that
                                    does not include the statistical analysis components. You might then create,
                                    for the accounting department, a second version that includes the statistical
                                    analysis components. You can then create GPOs, assign these different
                                    versions to different users, and have the software installed.

                            The Deployment Phase
                            In the deployment phase, software is installed on computers. Two options exist
                            for software deployment:
                                Assigning applications. When you assign an application to a user, that
                                application is advertised on the computer desktop. Advertised applications
                                are not actually installed, but they appear as though they have been
                                installed. A Start menu shortcut, desktop icons, and file associations are
                                created. The user can install the software by clicking the Start menu
                                shortcut, double-clicking the desktop icon, or double-clicking a document
                                type that is associated with that application, which is called document
                                invocation.
                                Publishing applications. When an application is published, it is not
                                advertised on the user desktop. However, users can install the application,
                                either through Add/Remove Programs or through document invocation.

                            The Maintenance Phase
                            Windows 2000 makes it easy to upgrade or redeploy software. For example,
                            when a service pack has been issued for an application, you place the service
                            pack on the network and modify a GPO to redeploy the application. The next
                            time a user activates the application, the service pack will be applied
                            automatically.

                            The Removal Phase
                            Windows 2000 offers two methods for automatically removing applications:
                                Forced removal. By using a forced removal, software is automatically
                                deleted from a computer, either the next time the computer starts up, such as
                                in the case of a computer policy, or the next time a user logs on, as in the
                                case of a user policy.
                                Optional removal. By using an optional removal, software is not
                                automatically uninstalled from computers. For example, if a user already
                                has Microsoft Word 97 installed, the user will be able to continue running
                                that application. However, no new users will be able to install Word 97.

Delivery Tip
Differentiate between the forced removal and the optional removal of software.


                            Note The maintenance phase and the removal phase can only be completed on
                            software that has been through the deployment phase. They will not work on
                            software that has been installed by any other method.

      Deploying Software

Topic Objective
To identify the topics that relate to software deployment by using software installation and maintenance technology.

Lead-in
There is a new way for administrators to deploy software in an organization.

[Slide: Deploying a New Application; Assigning Software Packages; Publishing Software Packages]

                               You can use Software Installation and Maintenance, a component of Group
                               Policy, to deploy software to users and computers. Deploying software ensures
                               that required applications are available from any computer to which a user logs
                               on. From the user’s point of view, software is always available and functional.
                               Administrators can either install software for users in advance, or give users the
                               option to install the software that they require.

Deploying a New Application

Topic Objective
To illustrate how you deploy software by using software installation and maintenance.

Lead-in
You use software installation and maintenance to deploy a new application.

[Slide: Steps: Acquire a Windows Installer package file; Place the package on a software distribution point; Create or modify a GPO; Select a deployment option]

                               The steps to deploy software include acquiring the package, placing the
                               package and any related files in a shared folder on your network, and then
                               specifying deployment options in one or more GPOs.
                               To deploy a new application, perform the following steps:
                               1. Create or acquire a Windows Installer package file. The package file will be
                                  the .msi file that Windows Installer uses.
                               2. Place the package file and any related installation files in a shared folder.
                                  The related installation files are the application files that will be installed on
                                  the local hard disk.
                               3. On the Administrative Tools menu, open Active Directory Users and
                                  Computers.
                               4. Open the Properties dialog box for the container object, for example an
                                  organizational unit, click the Group Policy tab, and then click Edit.
                               5. In the new Group Policy window, expand either Computer Configuration
                                  or User Configuration.
                               6. Expand Software Settings, right-click Software Installation, point to New,
                                  and then click Package.
                               7. When the File Open dialog box appears, locate the package file, and then
                                  click Open.
                               8. In the Deploy Software dialog box, select a deployment method, and then
                                  click OK. You can assign an application to a user or a computer, or publish
                                  an application to a user, by using the software installation and maintenance
                                  defaults. Alternatively, you can select Advanced published or assigned, and
                                  then click OK. This opens the Properties dialog box for the package file and
                                  enables you to set additional options for deployment.

Delivery Tip
Demonstrate how to deploy a new application by using software installation and maintenance. You can use the Configure package properties option, and then briefly discuss the possible choices. Tell students that these options will be covered in more detail later in this module.

Assigning Software Packages

Topic Objective
To illustrate the concept of assigning software packages.

Lead-in
You can assign software packages to users or to computers.

[Slide: Assigning to a User: The application is installed the first time the user starts the application. Assigning to a Computer: The application is installed the next time the computer is started.]

                                You can assign software packages to users or to computers.
Delivery Tip
Explain the difference between assigning an application to a user and assigning an application to a computer. You may want to discuss situations in which assigning an application to a user would be more appropriate, and occasions when it might be better to assign applications to computers.

                                Assigning Software to Users
                                Software is usually assigned when an application is required for users to do
                                their jobs. For example, you might assign Excel to the accounting group
                                because accountants need this program to do their work. By assigning a
                                software package to the users in an organizational unit, you ensure that:
                                   The application will always be available to the users, even if they log on
                                   from a different computer. If a user logs on to a computer where Excel is
                                   not installed, Excel will be installed when the user activates the program.
                                   The application will be resilient. If the application or any of its components
                                   are deleted for any reason, it will be reinstalled the next time the user logs
                                   on and activates the program.

                                When you assign an application to the users in an organizational unit, the
                                program is advertised when the users log on. This means that it will appear in
                                the users' Start menu, but installation will not occur until the users start the
                                application from the Start menu icon or double-click a file type associated with
                                the application.
                                When assigning an application to users, you have the option of forcing the
                                application to be installed automatically when the user logs on, rather than
                                waiting to install the application the first time the user opens it. This option is
                                useful when you are assigning applications to mobile users, so that you can be
                                sure that those users will have access to the assigned applications even when
                                they are not connected to the network.

                       Assigning Software to Computers
                       By assigning a software package to the computers in an organizational unit, you
                       ensure that certain applications will be available on those computers regardless
                       of who is using them. For example, in a classroom that is used for Microsoft
                       Office XP training and that requires Office XP installations on all of the
                       computers, you would create the GPO under Computer Configuration rather
                       than User Configuration.
                       When you assign an application to the computers in an organizational unit, no
                       advertising occurs. Instead, the next time that a computer in the organizational
                       unit is started, the software is installed automatically.

                       Tip If you are unsure whether a user will use an application that you are
                       deploying, assign the application to the user. The application is advertised, but
                       no files are copied, and hard disk space is not wasted. If the user never starts the
                       application, the personalized menus that are found in Windows 2000 or
                       Windows XP will eventually hide the Start menu shortcuts, reducing the
                       complexity of the Start menu.

Publishing Software Packages

Topic Objective
To illustrate the concept of publishing applications.

Lead-in
Applications are assigned when they are required for users to do their jobs. Published applications, in contrast, are applications that might be useful, but are not mandatory for users to perform their daily activities.

[Slide: Add/Remove Programs: The application is installed when the user selects it from Add/Remove Programs in Control Panel. Document Invocation: The application is installed when the user double-clicks an unknown file type.]

                                  When an application is published, it is not installed or advertised. However, the
                                  software is readily available, and a user can install an application in one of two
                                  ways: by using Add/Remove Programs, or through document invocation.

                                  Installing a Program Using Add/Remove Programs
                                  When a user opens Control Panel and double-clicks the Add/Remove Programs
                                  icon, the set of programs that are available to the user appears. The user can then
                                  select a program and click Install to install the software. Many organizations
                                  set up shared folders, place the Setup files in the shared folders, and allow users
                                  to connect to the network to install software themselves.

Delivery Tip
Show students Add/Remove Programs in Control Panel, and demonstrate how users can use it to install software.

                                  Improvements to the Add/Remove Programs feature include:
                                     Display names for installation. For example, “Microsoft Office 2000” will
                                     appear rather than “\\Server1\Msofc2000\Setup.exe”.
                                     Centralized distribution. Users can install all of their software by using
                                     Add/Remove Programs, without needing to know the network locations for
                                     each Setup file.
                                     The use of Windows Installer package files. Setup can be completed with
                                     minimal user intervention.
                                     The use of access permissions placed on a package file. If a user has
                                     permission to install Word and Excel, but not Microsoft PowerPoint®, only
                                     Word and Excel will appear in Add/Remove Programs.

                           Installing a Program Using Document Invocation
                           In Windows 2000 or Windows XP Professional, if a user double-clicks an
                           unknown file type, the following actions occur:
                               The computer sends a query to Active Directory to determine whether there
                               are any applications associated with the file extension.
                               If Active Directory contains such an application, the computer checks
                               whether this application has been published to the user.
                               If the application has been published to the user, the computer checks
                               whether the application is set to Auto-install this application by file
                               extension activation, which allows it to be installed automatically through
                               document invocation.
                               If the administrator has set the application to install automatically, the
                               application is installed.

Delivery Tip
Explain the concept of document invocation. Demonstrate the process, which occurs whenever a user double-clicks an unknown file type.

                           Either of the above options can be disabled. For example, if you wanted
                           users to install a particular application only through document invocation, you
                           could hide the program from the Add/Remove Programs window. Alternatively,
                           you could show the program in the Add/Remove Programs window but
                           disable the ability to invoke it by double-clicking.

      Managing Software

Topic Objective
To identify topics that relate to upgrading software by using software installation.

Lead-in
You can upgrade existing versions of a software program by using software installation.

[Slide: Deploying a Mandatory Upgrade; Deploying an Optional Upgrade; Redeploying Software; Removing Software]

                                 The ability to upgrade users’ software is essential to ensuring that users’
                                 computers have the most current version of an organization’s software.
                                 Knowing how to deploy both mandatory and optional upgrades will help you to
                                 keep existing software installations current. You must also understand the
                                 requirements and implications of redeploying software or making an upgrade
                                 mandatory or optional.

Deploying a Mandatory Upgrade

Topic Objective
To illustrate what happens when an administrator implements a mandatory software upgrade.

Lead-in
You use mandatory upgrades whenever you want to discontinue use of a previous version of a program and force users to upgrade to the more current version.

[Slide: Example: Users are running version 1.0 of a program. Version 2.0 of the program is deployed as a mandatory upgrade. Users are able to use only version 2.0 of the program.]

                                A mandatory upgrade automatically replaces an old version of a program with
                                the upgraded version. If users are currently using version 1.0 of a program, this
                                version will be removed, and version 2.0 of the program will be installed.

Delivery Tip
Show students how to implement a mandatory upgrade.

Discuss what happens after a mandatory upgrade has been implemented, including what users will see if version 1.0 of a program was never installed.

                                To deploy a mandatory upgrade, in an example that uses versions 1.0 and 2.0 of
                                a program, perform the following steps:
                                1. In software installation and maintenance, open the Properties dialog box
                                   for the version 2.0 package file, and then click the Upgrades tab.
                                2. In the Packages that this package will upgrade section, click Add, and
                                   then select version 1.0 of the program. If both versions 1.0 and 2.0 of the
                                   program are native Windows Installer packages, this step will be done
                                   automatically.
                                   Native Windows Installer packages detect the native package files that they
                                   update. For example, suppose you have deployed Office 2000. When you
                                   deploy the next version of the program, the new package file will
                                   automatically mark your original Office 2000 deployment for upgrading. If
                                   version 1.0 of a program is not a native Windows Installer program, you
                                   will need to manually specify the package that the new package upgrades.
                                3. Select the Required upgrade for existing packages check box, and then
                                   click OK.

                                If version 1.0 has been installed, it will be replaced with version 2.0 the next
                                time that the user activates the program. If version 1.0 has not yet been
                                installed, the user may use either document invocation or Add/Remove
                                Programs to install version 2.0 the next time that he or she logs on.

Deploying an Optional Upgrade

Topic Objective
To illustrate what happens when an administrator implements an optional software upgrade.

Lead-in
Sometimes you want to deploy a new version of a program without forcing users to stop using the previous version. To permit the simultaneous use of two versions of a program, you must implement an optional upgrade.

[Slide: Example: Users are running version 1.0 of a program. Version 2.0 of the program is deployed as an optional upgrade. Users may now use either version of the program.]

                                Optional upgrades enable users to use either the old or the new version of a
                                program. After an optional upgrade, users can install and use both versions of
                                the application simultaneously.

Delivery Tip
Show students how to implement an optional upgrade.

Discuss what happens after an optional upgrade is implemented, including what users will see if version 1.0 was never installed.

                                To deploy an optional upgrade, in an example that uses versions 1.0 and 2.0 of
                                a program, perform the following steps:
                                1. In software installation and maintenance, open the Properties dialog box
                                   for the version 2.0 package file, and then click the Upgrades tab.
                                2. In the Packages that this package will upgrade section, click Add, and
                                   then select version 1.0 of the program. If both versions 1.0 and 2.0 of the
                                   program are native Windows Installer packages, this step will be done
                                   automatically.
                                3. Clear the Required upgrade for existing packages check box, and then
                                   click OK.

                                If version 1.0 has been installed, existing shortcuts will still start version 1.0.
                                The next time the user logs on, the user can install version 1.0 or 2.0 from
                                Add/Remove Programs. Document invocation will install version 2.0 only if the
                                GPO that is deploying version 2.0 has a higher order of precedence than version
                                1.0.
                                If version 1.0 has not yet been installed, the next time that the user logs on and
                                clicks the advertised shortcuts, an installation of version 2.0 will start. The user
                                can install version 1.0 or 2.0 from Add/Remove Programs. Document
                                invocation will install version 2.0 only if the GPO that is deploying version 2.0
                                has a higher order of precedence than version 1.0.
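
The document invocation checks listed under Publishing Software Packages and the precedence rule above together decide which package a double-click installs. The Python model below is an added example, not part of the original courseware or any Microsoft tool; the Package fields, the sample packages and users, and the convention that a larger number means a higher-precedence GPO are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    """One published package (field names are this example's own)."""
    name: str
    extensions: frozenset    # file extensions associated with the application
    published_to: frozenset  # users the application is published to
    permitted: frozenset     # users with access permission on the package file
    auto_install: bool       # "Auto-install this application by file extension activation"
    show_in_arp: bool        # False = hidden from Add/Remove Programs
    precedence: int          # assumption: larger number = GPO with higher precedence


def document_invocation(packages, user, extension):
    """Apply the four checks for a double-click on an unknown file type.

    Returns (package_or_None, reason)."""
    ext = extension.lower()
    associated = [p for p in packages if ext in p.extensions]
    if not associated:
        return None, "no application is associated with the extension"
    published = [p for p in associated if user in p.published_to]
    if not published:
        return None, "application is not published to this user"
    enabled = [p for p in published if p.auto_install]
    if not enabled:
        return None, "auto-install by file extension activation is off"
    # After an optional upgrade two versions can claim one extension: the
    # package deployed by the higher-precedence GPO is the one installed.
    winner = max(enabled, key=lambda p: p.precedence)
    return winner, "installed by document invocation"


def add_remove_programs(packages, user):
    """Names the user sees in Add/Remove Programs.

    The permission filter is applied here because this is where the text states it."""
    return sorted(
        p.name for p in packages
        if user in p.published_to and user in p.permitted and p.show_in_arp
    )


def precedence_dependent_extensions(packages):
    """Extensions claimed by more than one auto-install package.

    For these, the result of a double-click depends on GPO precedence.
    Returns {extension: [package names, highest precedence first]}."""
    claims = {}
    for p in packages:
        if p.auto_install:
            for ext in p.extensions:
                claims.setdefault(ext, []).append(p)
    return {
        ext: [p.name for p in sorted(ps, key=lambda p: -p.precedence)]
        for ext, ps in claims.items() if len(ps) > 1
    }


# Constructed sample data: package names, extensions and users are invented.
PACKAGES = [
    Package("Viewer 1.0", frozenset({".rpt"}), frozenset({"alice", "bob"}),
            frozenset({"alice", "bob"}), True, True, 1),
    Package("Viewer 2.0", frozenset({".rpt"}), frozenset({"alice"}),
            frozenset({"alice"}), True, True, 2),
    Package("Charting", frozenset({".cht"}), frozenset({"alice", "bob"}),
            frozenset({"alice"}), False, True, 1),
    Package("Archiver", frozenset({".arc"}), frozenset({"alice", "bob"}),
            frozenset({"alice", "bob"}), True, False, 1),
]

if __name__ == "__main__":
    for user, ext in [("alice", ".rpt"), ("bob", ".rpt"), ("alice", ".cht"),
                      ("alice", ".arc"), ("carol", ".rpt")]:
        pkg, reason = document_invocation(PACKAGES, user, ext)
        print(f"{user} opens *{ext}: {pkg.name if pkg else 'nothing'} ({reason})")
    for user in ("alice", "bob"):
        print(f"Add/Remove Programs for {user}: {add_remove_programs(PACKAGES, user)}")
    print("Review precedence for:", precedence_dependent_extensions(PACKAGES))
```

Reviewing the output of `precedence_dependent_extensions` before linking a new GPO shows where a change in link order would change what users end up installing.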

Redeploying Software

Topic Objective
To illustrate the concept of software redeployment.

Lead-in
Redeployment offers a way for administrators to automatically apply service packs or software patches throughout their entire organization.

[Slide: Example: The software patch is on the server. The Group Policy object is redeployed. The user logs on and invokes the application. The software patch is applied.]

                               Windows 2000 makes deploying service packs and software patches easy.
                               When you mark a package file for redeployment, the application is
                               re-advertised to everyone who has been granted access to the program and is
                               redeployed by using the method that was used for the previous deployment
                               (assignment or publishing). Depending on how the original package was
                               deployed, one of three actions will occur:
                                  If the application was published and installed, the Start menu, desktop
                                  shortcuts, and registry settings relevant to that application will be updated
                                  the next time that the user logs on. The first time that the user starts the
                                  application, the service pack or software patch will be automatically
                                  applied.
                                  If the application was assigned to a user, the Start menu, desktop shortcuts,
                                  and registry settings relevant to that application will be updated the next
                                  time that the user logs on. The first time that the user starts the application,
                                  the service pack or software patch will be automatically applied.
                                  If the application has been assigned to a computer, the service pack or
                                  software patch will be automatically applied the next time that the computer
                                  is turned on. The application does not need to be activated for this to occur.

Delivery Tip
Discuss the three bulleted scenarios, and how redeployment is used in each.

Show students how to redeploy an application. Emphasize the fact that redeployment involves not only obtaining the updated application files, but also obtaining a new Windows Installer package file.

                               To redeploy a software package, perform the following steps:
                               1. Obtain the service pack or software patch from the application vendor, and
                                  place the files in the appropriate installation folders. The service pack must
                                  include a new Windows Installer package file (.msi file). If it does not, you
                                  will be unable to redeploy the software because the original package file
                                  will not contain instructions for deploying the new files that are added by
                                  the service pack or software patch.
                               2. Open the GPO that originally deployed the application. In software
                                  installation and maintenance, right-click the package file name, point to All
                                  Tasks, and then click Redeploy Application. In the confirmation dialog
                                  box, click Yes.

Removing Software

Topic Objective
To identify the options for removing software by using software installation and maintenance.

Lead-in
Software installation and maintenance provides two different ways to remove deployed software: Administrators can invoke either a forced removal or an optional removal.

[Slide: Forced Removal: Software is automatically deleted from a computer, and cannot be reinstalled. Optional Removal: Software is not deleted from a computer, but can no longer be installed. Removal Process: Only software that was installed from a Windows Installer package file can be removed through Group Policy.]

                               There are two options for dealing with software that you no longer want to
                               deploy in your organization. You can initiate either a forced removal or an
                               optional removal.

Delivery Tip
Discuss the differences between forced removal and optional removal.
Explain why software installation and maintenance cannot be used to remove
non–Windows Installer software.

                               Forced Removal
                               A forced removal immediately uninstalls software. Software is automatically
                               deleted from a computer, either the next time the computer is turned on (in the
                               case of a computer Group Policy setting), or the next time a user logs on (in the
                               case of a user Group Policy setting). Removal occurs before the desktop
                               appears.

                               Optional Removal
                               Optional removal enables users to continue to use the software but prevents
                               new installations. Software is not actually removed from computers. If users
                               already have Microsoft Word 2000 installed, they will be able to continue
                               running that application. However, no new users will be able to install
                               Word 2000. The application will no longer be available for installation in
                               Add/Remove Programs. If users remove the application, they will not be able to
                               reinstall it.


                       The Removal Process
                       When software is installed from a package file, an information cache is created
                       on the local hard disk. This cache contains information regarding the
                       applications that were installed, and instructions on how to uninstall them.
                       To remove deployed software:
                       1. Right-click the package file name in Software Installation, point to All
                          Tasks, and then click Remove.
                       2. In the Remove Software dialog box, click one of the following options:
                           a. Immediately uninstall software from users and computers. Selecting
                              this option results in a forced removal.
                           b. Allow users to continue to use the software but prevent new
                              installations. Selecting this option results in an optional removal.
                       3. Click OK.

                       When you issue a Group Policy command to remove software, that command is
                       directed to the local cache. If the steps for removing the software can be found
                       in the information cache, the program will be removed. If those steps cannot be
                       found, the order to remove the software will be ignored. You can use Group
                       Policy to remove software only if you originally installed the software from a
                       Windows Installer package file. If you did not use Windows Installer, you must
                       remove the software manually.
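
The rule above can be checked on a client before you rely on a Group Policy removal. The following PowerShell is an added example, not part of the course material: it lists the products that Windows Installer manages, reports whether each product's locally cached package is still present, and lists the software that was not installed by Windows Installer. It assumes the standard Windows Installer registration layout in the registry and treats the cached package named by the LocalPackage value as the local information that the text describes.

```powershell
# Added example, not part of the course material.
# Assumption: Windows Installer registers each product under
#   HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\<SID>\Products\<id>\InstallProperties
# (S-1-5-18 for per-computer installs, a user SID for per-user installs), and the
# LocalPackage value names the locally cached package that is used for later removal.

$InstallerUserData = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData'
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-MsiManagedProduct {
    # Emits one object per product that Windows Installer has registered.
    if (-not (Test-Path -LiteralPath $InstallerUserData)) { return }
    foreach ($sidKey in Get-ChildItem -LiteralPath $InstallerUserData -ErrorAction SilentlyContinue) {
        $productsPath = "$($sidKey.PSPath)\Products"
        if (-not (Test-Path -LiteralPath $productsPath)) { continue }

        # S-1-5-18 (LocalSystem) holds installs made for the whole computer.
        $scope = "User $($sidKey.PSChildName)"
        if ($sidKey.PSChildName -eq 'S-1-5-18') { $scope = 'Computer' }

        foreach ($productKey in Get-ChildItem -LiteralPath $productsPath -ErrorAction SilentlyContinue) {
            $propsPath = "$($productKey.PSPath)\InstallProperties"
            if (-not (Test-Path -LiteralPath $propsPath)) { continue }
            $props = Get-ItemProperty -LiteralPath $propsPath -ErrorAction SilentlyContinue
            if (-not $props) { continue }

            $cached = $props.LocalPackage
            [pscustomobject]@{
                Name          = $props.DisplayName
                Version       = $props.DisplayVersion
                Scope         = $scope
                CachedPackage = $cached
                # False means the cached package is missing from the local disk.
                CacheFound    = [bool]($cached -and (Test-Path -LiteralPath $cached))
            }
        }
    }
}

function Get-NonMsiSoftware {
    # Emits Add/Remove Programs entries that Windows Installer does not manage.
    foreach ($root in $UninstallRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            if (-not $props) { continue }
            if (-not $props.DisplayName) { continue }        # nameless entry
            if ($props.WindowsInstaller -eq 1) { continue }  # reported by Get-MsiManagedProduct
            if ($props.SystemComponent -eq 1) { continue }   # hidden from Add/Remove Programs
            [pscustomobject]@{
                Name            = $props.DisplayName
                Version         = $props.DisplayVersion
                UninstallString = $props.UninstallString
            }
        }
    }
}

'Products managed by Windows Installer:'
Get-MsiManagedProduct | Sort-Object Name |
    Format-Table Name, Version, Scope, CacheFound -AutoSize

'Software not installed by Windows Installer (manual removal required):'
Get-NonMsiSoftware | Sort-Object Name |
    Format-Table Name, Version, UninstallString -AutoSize
```

A product that shows CacheFound as False is worth investigating before you issue a forced removal for it.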



Identifying Solutions to Software Deployment Problems

Topic Objective
To identify troubleshooting options for resolving the problems that may occur
when deploying software with Group Policy.

Lead-in
These are resolutions to common problems encountered when you use Group Policy
to deploy software.

                               Verify that the application appears in Add/Remove Programs
                               Verify user access to the network distribution point
                               Look for Group Policy conflicts

                               You may encounter problems when you use Group Policy to deploy software.
                               Suggested strategies for resolving some of these problems include the
                               following:
                                  Verify that the application appears in Add/Remove Programs.
                                  If applications do not appear as expected, this is probably the result of a
                                  problem in how those applications were deployed. To determine whether an
                                  application has been assigned or published to a user, log on as that user, and
                                  then start Add/Remove Programs. If the application appears in Add/Remove
                                  Programs but there is no Start menu shortcut, the application has been
                                  published rather than assigned. If the application does not appear in
                                  Add/Remove Programs, the application was never deployed, or it was
                                  deployed in the wrong organizational unit, or the user is a member of a
                                  security group that is blocking the application of this GPO.
                                  Verify that the user has access to the network distribution point.
                                  Sometimes an application cannot be installed because a user cannot gain
                                  access to the network distribution point. For example, the server hosting that
                                  network may be unavailable. You can verify access to the network
                                  distribution point by clicking Start, clicking Run, typing the UNC name of
                                  the shared folder, and then clicking OK. For example, to verify access to a
                                  folder named Software located on a server named Server1, type
                                  \\Server1\Software and then click OK.
                                  Look for Group Policy conflicts.
                                  If applications are not appearing as expected, it may be due to a Group
                                  Policy conflict. It is possible to assign an application to a user at one level of
                                  Active Directory, such as the domain, and then deny the user access to that
                                  application at a lower level, such as an organizational unit. In addition,
                                  applications can be assigned to computers, and computer policy always
                                  overrides user policy. If a user has been assigned Word, but Word has been
                                  marked for mandatory removal from a computer, that user will not get Word
                                  if logging on from that computer.

Delivery Tip
Group Policy conflicts can be complex. Discuss a scenario in which a conflict
would produce unexpected results.



Best Practices

Topic Objective
To introduce some best practices for using Group Policy to manage the desktop
environment.

Lead-in
Here we review the best practices for managing a desktop environment with
Group Policy.

                            Best Practices for Managing Group Policy
                            Best Practices for Folder Redirection
                            Best Practices for Software Installation and Management

                            When reviewing best practices for using Group Policy to manage the desktop
                            environment, it is easiest to break them down into the different areas that the
                            policies will cover.
                            We will review best practices for:
                                Managing Group Policy. Using Group Policy in a mixed Windows 2000 and
                                Windows XP environment.
                                Folder redirection. Tips for Group Policy settings related to redirecting
                                folders.
                                Software Installation and Management. Ease of maintenance of Group
                                Policy when used for installing and managing software.



Best Practices for Managing Group Policy

Topic Objective
To highlight some best practices when managing Group Policy.

Lead-in
First we will address some best practices to use when managing Group Policy.

                             Use Windows XP .adm Files to Manage a Mixed Environment
                             Apply the Same Policies to Windows XP and Windows 2000
                             Test Settings Before Deployment
                             Only use GPOs for Editing the Registry

                             Use Windows XP .adm files to administer your GPOs in a mixed
                             environment.
                             When both Windows 2000 Professional and Windows XP Professional
                             clients operate in your environment, it is best to use the Windows XP .adm
                             files for administering your GPOs because the Windows XP .adm files
                             include all the settings for both environments.
                             Apply the same policy settings to Windows XP Professional and to
                             Windows 2000 Professional wherever possible.
                             Consistency in policy settings between these two operating systems, when
                             used in the same environment, produces less policy management overhead
                             and allows roaming users to have a consistent experience.
                             Test settings before deployment.
                             Before deploying GPOs into your production environment, always test all
                             settings that your GPO applies. This will ensure the interoperability of the
                             various settings and allow for a cleaner deployment.
                             Only use GPOs for making changes to the registry.
                             Do not try to create these registry values by other methods. Configuring
                             policy settings on client computers by using GPOs ensures that the settings
                             will be consistent, and avoids the risk of causing damage to the registry by
                             editing it directly.



Best Practices for Folder Redirection

Topic Objective
To highlight some best practices when using Group Policy to redirect folders.

Lead-in
Here we address some best practices for using Group Policy to redirect folders.

                                 Enable Client-Side Caching
                                 Incorporate %Username% Variable
                                 My Pictures Follow My Documents
                                 Policy Removal Considerations

                                 Enable client-side caching.
                                 Client-side caching is especially important for users with laptops, allowing
                                 them to work on network documents when not attached to the network.
                                 Incorporate the %username% variable into fully qualified universal naming
                                 convention (UNC) paths.
                                 This allows users to have their own folders. For example,
                                 \\server\share\%username%\My Documents. Each user this policy setting is
                                 applied to will have their own folder created in the \\server\share shared
                                 folder based on their own user name, with a My Documents folder created
                                 below it. Also, if it is created on a share using the NTFS file system, the
                                 correct user permissions will be set up automatically.
                                 Have My Pictures follow My Documents.
                                 This default setting is advisable unless there is a compelling reason not to
                                 accept it. An example of a compelling reason is file share scalability, where
                                 the amount of disk space on a server hosting the My Documents folder is
                                 restricted.
                                 Policy removal considerations.
                                 When a policy that redirects folders is removed, keep in mind the behavior
                                 of your folder redirection Policy Removal settings. For example, the default
                                 is to leave the folder and its contents in the redirected location. It is possible to
                                 set the removal policy to return the redirected folders to the local user
                                 profile location.


                              Note The default settings for folder redirection will fit most circumstances.
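
To check that the per-user folders created under a %username% path are private to their owners, the following PowerShell lists every Allow entry and every owner on those folders that belongs to neither the folder's own user nor an expected system identity. It is an added example, not part of the course material. The path \\server\share is the one used in the text; the function name and the list of expected identities are assumptions to adjust for your environment.

```powershell
# Added example, not part of the course material.
# Assumptions: each folder directly under the redirection root is named after the
# user it belongs to (the %username% layout described in the text), and the
# identities below are the only non-owner accounts that should hold access.
# Identity names are the English ones; adjust them on localized systems.

function Get-UnexpectedFolderAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$RootPath,

        [string[]]$ExpectedIdentity = @(
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators',
            'CREATOR OWNER'
        )
    )

    foreach ($folder in Get-ChildItem -LiteralPath $RootPath -Directory) {
        $acl = Get-Acl -LiteralPath $folder.FullName

        # Owner check: the folder should be owned by its user or an expected identity.
        $ownerAccount = ($acl.Owner -split '\\')[-1]
        if (($ownerAccount -ne $folder.Name) -and ($ExpectedIdentity -notcontains $acl.Owner)) {
            [pscustomobject]@{
                Folder    = $folder.FullName
                Finding   = 'Owner'
                Identity  = $acl.Owner
                Rights    = $null
                Inherited = $null
            }
        }

        # Access check: report Allow entries held by anyone else.
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }

            $identity = $ace.IdentityReference.Value
            $account  = ($identity -split '\\')[-1]   # strip DOMAIN\ prefix

            if ($account -eq $folder.Name) { continue }            # the folder's own user
            if ($ExpectedIdentity -contains $identity) { continue } # expected system identity

            [pscustomobject]@{
                Folder    = $folder.FullName
                Finding   = 'AllowEntry'
                Identity  = $identity
                Rights    = $ace.FileSystemRights
                # True means the entry comes from the share root, not the folder itself.
                Inherited = $ace.IsInherited
            }
        }
    }
}

# The redirection root from the text; replace it with your own share.
Get-UnexpectedFolderAccess -RootPath '\\server\share' |
    Sort-Object Folder, Identity |
    Format-Table Folder, Finding, Identity, Rights, Inherited -AutoSize
```

No output means that every folder is accessible only to its own user and the expected identities. Entries marked as inherited point to permissions on the share root rather than on the individual folder.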



Best Practices for Software Installation and Management

Topic Objective
To highlight some best practices when using Group Policy for installing and
managing software.

Lead-in
Here we address some best practices for using Group Policy for installing and
managing software.

                             Use Application Categories
                             Use Transform Files for Packages
                             Use Only One Deployment Option per Group Policy
                             Repackage Existing Software
                             Deploy Software as High in the Hierarchy as Possible

                             Use application categories for your organization.
                             Using categories makes it easier for users to find an application in
                             Add/Remove Programs in Control Panel. For example, you could define
                             categories such as Sales Applications, Accounting Applications, and so on.
                             Use Transform (.mst) files for packages.
                             Make sure Windows Installer packages are correctly transformed before
                             they are published or assigned. Transforms are applied to packages at the
                             time of assignment or publication, not at the time of installation. They are
                             customizations applied to Windows Installer packages. Make sure that the
                             Modifications tab of the package properties dialog box is set up as you
                             intend before you click OK. If you neglect to do this, and assign or publish a
                             transformed package before you have completely configured it, you can
                             either remove the software and then republish or reassign it, or upgrade
                             the software with a completely transformed version.
                             Use one deployment option once per Group Policy object.
                             A Windows Installer package should be assigned or published no more than
                             once in the same Group Policy object. For example, if you assign Microsoft
                             Office to the computers affected by a Group Policy object, then do not
                             assign or publish it to users affected by the same Group Policy object.


                           Repackage existing software.
                           You can use commercially available tools to create Windows Installer
                           packages for software that does not include natively authored .msi files.
                           These work by comparing a computer’s state before and after installation.
                           Deploy software at a high level in the Active Directory hierarchy.
                           Because Group Policy settings apply by default to child Active Directory
                           containers, it is efficient to assign or publish by linking a Group Policy
                           object to a parent organizational unit or domain. Use security descriptors
                           (such as access control entries) on the Group Policy object for finer control
                           over who receives the software.



Lab B: Using Group Policy to Deploy Software
Topic Objective
To introduce the lab.
Lead-in
In this lab, you will use
Group Policy to assign the
Windows 2000 Support
Tools, test the assignment,
publish an application to an
OU, install a published
application by using
Add/Remove Programs, and
deploy, test and remove
both an optional upgrade
and a mandatory upgrade.





Key Points
The lab does not reflect the real-world environment. It is recommended that you
always use complex passwords for any administrator accounts, and never create
accounts without a password.

Outside of the classroom environment, it is strongly advised that you use the
most recent software updates that are necessary. Because this is a classroom
environment, we may use software that does not include the latest updates.

                                Objectives
                                After completing this lab, you will be able to:
                                   • Use Group Policy to assign software to users in an organizational unit.
                                   • Use Group Policy to publish software to users in an organizational unit.
                                   • Use Group Policy to deploy mandatory upgrades of software.
                                   • Use Group Policy to deploy optional upgrades of software.
                                   • Use Group Policy to remove software previously deployed by using Group
                                     Policy.

                                Prerequisites
                                Before working on this lab, you must have the knowledge and skills to create
                                Group Policy objects.

                                Estimated time to complete this lab: 30 minutes

                                Important Outside of the classroom environment, it is strongly advised that
                                you use the most recent software updates that are necessary. Because this is a
                                classroom environment, we may use software that does not include the latest
                                updates.


     Lab Setup
      Tasks                                Detailed steps

      •     Log on to your domain as        a.   Press CTRL+ALT+DEL to open the logon page.
            Administrator with a            b.   In the User Name box, type Administrator
            password of password.
                                            c.   In the Password box, type password
                                            d.   In the Domain box, ensure that your domain is listed.
                                            e.   Click OK.


                            Important This Lab does not reflect the real-world environment. It is
                            recommended that you always use complex passwords for any user or
                            administrator accounts, and never create accounts without a password.


Exercise 1
Assigning Software
In this exercise, you will use Group Policy to assign the Windows 2000 Support Tools to users in
the Information Services organizational unit.


Scenario
Northwind Traders has decided to centrally manage the deployment of applications to users. You
want to ensure that Windows 2000 Support Tools are available to all users in the Information
Services department.


  Tasks                                 Detailed steps

  1.   Create a GPO named                a.   Share the C:\MOC\2126\Labfiles\Lab08B\Packages folder, by using
       Application Assignment                 the default settings.
       Policy in the Information         b.   On the Administrative Tools menu, open Active Directory Users and
       Services organizational unit.          Computers.
                                         c.   Expand domain.nwtraders.msft (where domain is your assigned
                                              domain name), if necessary.
                                         d.   Right-click Information Services, and then click Properties.
                                         e.   On the Group Policy tab, click New.
                                         f.   Type Application Assignment Policy and then press ENTER.
                                         g.   Leave the Information Services Properties dialog box open.
  2.   Modify the Application            a.   In the Information Services Properties dialog box, click the
       Assignment GPO to assign               Application Assignment Policy GPO, if necessary, and then click Edit.
       the Veritas WinInstall LE         b.   Under User Configuration, expand Software Settings, and then click
       package:                               Software installation.
       ● Assigned File Name:             c.   Right-click Software installation, point to New, and then click
          \\server_name\Packages\             Package.
          Swiadmle.msi (where
          server_name is your            d.   In the File name box, type \\server_name\Packages (where
          assigned server name).              server_name is your assigned server name), and then click Open.
                                         e.   Click SWIADMLE, and then click Open.
                                         f.   In the Deploy Software dialog box, click Assigned, and then click OK.

                                                    WinINSTALL LE appears in the list of deployed
                                                    applications.


                                         g.   Close Group Policy, and then click Close to close the Information
                                              Services Properties dialog box.
                                         h.   Close all open windows, and then log off.


     Exercise 2
     Testing Software Assignment
     In this exercise, you will test the software assignment from the previous exercise.


     Scenario
     After making changes to the Group Policy settings, you want to test that the software is assigned
     correctly.


       Tasks                                 Detailed steps

       1.    Log on as Hduser to confirm      a.   Log on as Hduser with a password of password.
             that the Veritas WinInstall      b.   In the Windows 2000 Configure Your Server dialog box, clear the
             LE package is being                   Show this screen at startup check box, and then close the
             assigned.                             Windows 2000 Configure Your Server dialog box.
               Does VERITAS Software appear on the Programs menu? Why or why not?


               Yes. The Veritas WinINSTALL LE package was assigned to users in the Information Services
               organizational unit, and that Group Policy was enforced during the user logon process.




       1.     (continued)                     c.   On the VERITAS Software menu, open the VERITAS Software
                                                   Console.
               What happens?


               Windows Installer installs Veritas WinINSTALL LE and then opens the VERITAS Software
               Console.




       1.     (continued)                     d.   Close the VERITAS Software Console, and then log off.


Exercise 3
Publishing Applications
In this exercise, you will use Group Policy to publish Cosmo to the Information Services
organizational unit.


Scenario
The Information Services department uses the Cosmo application. You want to make it available to
all users, but Cosmo is not an essential application. Users must be able to install Cosmo from
Add/Remove Programs, but Cosmo must not automatically install.


  Tasks                              Detailed steps

  1.   Create a GPO named             a.   Log on as Administrator with a password of password.
       Application Publishing         b.   On the Administrative Tools menu, open Active Directory Users and
       Policy and linked to the            Computers.
       Information Services
       organizational unit.           c.   Expand domain.nwtraders.msft, if necessary.
                                      d.   Right-click Information Services, and then select Properties.
                                      e.   On the Group Policy tab, click New.
                                      f.   Type Application Publishing Policy and then press ENTER.
                                      g.   Leave the Information Services Properties dialog box open.
  2.   Modify the Application         a.   In the Information Services Properties dialog box, click the
       Publishing GPO to publish           Application Publishing Policy GPO if necessary, and then click Edit.
       Cosmo:                         b.   Under User Configuration, expand Software Settings, and then click
       ● Assigned file name:               Software installation.
          \\server_name\Packages\     c.   Right-click Software installation, point to New, and then click
          Cosmo1\Cosmo1.msi                Package.
          (where server_name is
          your assigned computer      d.   Double-click cosmo1, click cosmo1.msi, and then click Open.
          name).                      e.   In the Deploy Software dialog box, verify that Published is selected,
                                           and then click OK.
                                      f.   Close all open windows and dialog boxes, and then log off.


     Exercise 4
     Installing a Published Application
     In this exercise, you will install a published application by using Add/Remove Programs and by
     opening a document.


     Scenario
     After making changes to the Group Policy settings to enable them to publish applications, you want
     to test those settings to verify that the published applications are installed correctly.


       Tasks                                 Detailed steps

       1.    Log on as Hduser, and then       a.   Log on as Hduser with a password of password.
             install the published            b.   In Control Panel, double-click Add/Remove Programs, and then click
             application by using                  Add New Programs.
             Add/Remove Programs.
                                                        Cosmo 1 appears in the list of programs available from the
                                                        network.

                                              c.   Click Add.

                                                         Windows Installer installs Cosmo 1.
                                              d.   In the Cosmo 1 dialog box, click OK.
                                              e.   Close Add/Remove Programs, and then close Control Panel.
                                              f.   Verify that Cosmo 1 is installed, and then log off.
       2.    Log on as Csuser with a          •    Log on as Csuser with a password of password.
             password of password.
               Is Cosmo 1 installed? Why or why not?


               Cosmo 1 is not installed because it was published. It will be installed only when a user chooses to
               install it.




Tasks                                Detailed steps

3.   Install a published             a.   In the Run dialog box, in the Open box, type \\server_name\packages
     application through                  and then click OK.
     document invocation:
     ● Open the following file:
        \\server_name\Packages\
        Cosmo.cs00 (where
        server_name is your
        assigned computer name)
      Is the file Cosmo.cs00 associated with any application?


       No.




3.   (continued)                     b.   Double-click Cosmo.cs00.
      What happens? Why?


       Windows Installer installs Cosmo 1, and then Cosmo 1 opens the Cosmo.cs00 file. Double-clicking
       the file causes a query to be sent to Active Directory to check for applications that have registered the
       .cs00 extension. Because Cosmo 1 has been published and has registered the .cs00 extension, the
       application is automatically installed.




3.   (continued)                     c.   Close all open windows, and then log off.


     Exercise 5
     Deploying Application Upgrades
     In this exercise, you will deploy both an optional upgrade and a mandatory upgrade to previously
     deployed applications.


     Scenario
     At Northwind Traders, all of your users currently use the Cosmo1 application. Now you want to
     perform an optional upgrade to Cosmo2 for most of the organization. However, you want to force
     the users in the Customer Support organizational unit to perform a mandatory upgrade. You do not
     want to visit every computer to install the software manually, so you will use Group Policy to
     perform the upgrades.


       Tasks and detailed steps

       1.    Deploy an optional upgrade from Cosmo1 to Cosmo2 for the Information Services
             organizational unit:
             ● GPO: Application Publishing Policy
             ● Application: Cosmo2 upgrades Cosmo1.

             a.   Log on as Administrator with a password of password.
             b.   On the Administrative Tools menu, open Active Directory Users and Computers.
             c.   Open the Properties dialog box for Information Services.
             d.   On the Group Policy tab, click Application Publishing Policy, and then click Edit.
             e.   Under User Configuration, expand Software Settings, and then click Software
                  installation.
             f.   Right-click Software installation, point to New, and then click Package.
             g.   In the Open dialog box, in the File Name box, type \\server_name\packages and then
                  click Open.
             h.   Double-click cosmo2, click cosmo2.msi, and then click Open.
             i.   In the Deploy Software dialog box, click Advanced published or assigned, and then
                  click OK.
             j.   On the Upgrades tab, click Add.
             k.   Under Package to upgrade, select Cosmo 1, click OK, and then click OK to close the
                  Cosmo 2 Properties dialog box.
                        Cosmo 2 appears in the list of deployed software. Notice that the upgrade
                        type is set to Optional.
             l.   Close Group Policy, and then click OK to close the Information Services Properties
                  dialog box.
             m.   Leave Active Directory Users and Computers open.

       2.    Create a new GPO linked to the Customer Support organizational unit. Name the GPO
             Mandatory Upgrade Policy.

             a.   If necessary, expand the Information Services tree, right-click Customer Support,
                  and then select Properties.
             b.   On the Group Policy tab, click New.
             c.   Type Mandatory Upgrade Policy and then press ENTER.
             d.   Leave the Customer Support Properties dialog box open.




       3.    Deploy a mandatory upgrade from Cosmo1 to Cosmo2 for the Customer Support
             organizational unit:
             ● GPO: Mandatory Upgrade Policy
             ● Application: Cosmo2 upgrades Cosmo1

             a.   In the Customer Support Properties dialog box, on the Group Policy tab, make sure
                  Mandatory Upgrade Policy is selected, and then click Edit.
             b.   Under User Configuration, expand Software Settings, and then click Software
                  installation.
             c.   Right-click Software installation, point to New, and then click Package.
             d.   Click cosmo2.msi, and then click Open.
             e.   Click Advanced published or assigned, and then click OK.
             f.   On the Upgrades tab, click Add.
             g.   In the Add Upgrade Package dialog box, click A specific GPO, and then click Browse.
             h.   In the Domains, OUs and linked Group Policy Objects list, double-click
                  domain.nwtraders.msft, and then double-click Information
                  Services.domain.nwtraders.msft, and then click Application Publishing Policy, and
                  then click OK.
             i.   In the Add Upgrade Package dialog box, ensure that Cosmo 1 (Application Publishing
                  Policy) is selected, and then click OK.
             j.   In the Cosmo 2 Properties dialog box, select the Required upgrade for existing
                  packages check box, and then click OK.
                        Cosmo 2 appears in the list of deployed software. Notice that the upgrade
                        type is set to Required.
             k.   Close all open windows and dialog boxes, and then log off.


     Exercise 6
     Testing Application Upgrades
     In this exercise, you will test the results of mandatory and optional upgrades.


     Scenario
     After making changes to the Group Policy settings for the mandatory upgrade and the optional
     upgrade, you want to test those settings to verify that the software is upgraded, and that all of the
     components work correctly.


       Tasks and detailed steps

       1.    Log on as Hduser to test the optional upgrade.

             a.   Log on as Hduser with a password of password.

                  Which version of Cosmo appears on the Programs menu? Why?

                  Cosmo 1 still appears on the Start menu because Cosmo 2 was deployed to the
                  Information Services organizational unit as an optional upgrade.

                  How would this user upgrade to Cosmo 2?

                  The upgrade to Cosmo 2 would be performed through Add/Remove Programs in Control
                  Panel.

             b.   Upgrade to Cosmo 2, and then log off.

       2.    Log on as Csuser to test the mandatory upgrade.

             a.   Log on as Csuser with a password of password.

                  Which version of Cosmo appears on the Start menu? Why?

                  Cosmo 2 appears on the Start menu because Cosmo 2 was deployed to the Customer
                  Support organizational unit as a mandatory upgrade.




             b.   On the Start menu, open Cosmo 2.

                  What happens when you open Cosmo 2?

                  Windows Installer installs Cosmo 2, and then the application is opened.

             c.   Close all open windows, and then log off.


     Exercise 7
     Removing Deployed Software
     In this exercise, you will use both forced removal and optional removal to remove an application
     that was deployed in a previous exercise.


     Scenario
     Your trial period for Cosmo 2 has expired, and you have decided to upgrade to the new package.
     You have been told that to get the best results from the Cosmo program, you must remove
     Cosmo 2, which is a limited trial version, before deploying the full version. You also will be
     phasing out the Veritas WinINSTALL LE application, which means that you want users to be able
     to continue using Veritas WinINSTALL LE, but you do not want users to be able to install it. You
     want to remove the software without visiting each computer. You can use Group Policy settings to
     perform this function.


       Tasks and detailed steps

       1.    Implement a forced removal of Cosmo 2, which was previously deployed in the Application
             Publishing Policy GPO.

             a.   Log on as Administrator with a password of password.
             b.   On the Administrative Tools menu, open Active Directory Users and Computers.
             c.   Open the Properties dialog box for Information Services.
             d.   On the Group Policy tab, click Application Publishing Policy, and then click Edit.
             e.   Under User Configuration, expand Software Settings, and then click Software
                  installation.
             f.   Right-click Cosmo 2, point to All Tasks, and then click Remove.
             g.   In the Remove Software dialog box, ensure that Immediately uninstall the software
                  from users and computers is selected, and then click OK.
             h.   Close Group Policy.
             i.   Leave the Information Services Properties dialog box open.

       2.    Implement an optional removal of Veritas WinINSTALL LE, which was previously deployed
             in the Application Assignment Policy GPO.

             a.   On the Group Policy tab, click Application Assignment Policy, and then click Edit.
             b.   Under User Configuration, expand Software Settings, and then click Software
                  installation.
             c.   Right-click WinINSTALL LE, point to All Tasks, and then click Remove.
             d.   In the Remove Software dialog box, click Allow users to continue to use the
                  software, but prevent new installations, and then click OK.
             e.   Close all open windows and dialog boxes, and then log off.


Exercise 8
Testing the Removal of Deployed Applications
In this exercise, you will test the results of forced and optional removal of deployed applications.


Scenario
Now that you have made the changes necessary to remove the deployed software, you must test the
results.


  Tasks and detailed steps

  1.   Log on as Hduser to test the removal of the applications.

       a.   Log on as Hduser with a password of password.

            Is Cosmo 2 still installed? Why or why not?

            No, Cosmo 2 was removed during the logon process because it was marked as a forced removal.

            Is Veritas WinINSTALL LE still installed? Why or why not?

            Yes, Veritas WinINSTALL LE is still installed because it was marked as an optional removal.

       b.   Log off.



Review
Topic Objective: To reinforce module objectives by reviewing key points.
Lead-in: The review questions cover some of the key concepts taught in the module.

     Introduction to Managing User Environments
     Using Administrative Templates in Group Policy
     Assigning Scripts by Using Group Policy
     Using Group Policy to Redirect Folders
     Troubleshooting User Environment Management
     Introduction to Managing Software Deployment
     Deploying Software
     Managing Software
     Identifying Solutions to Software Deployment Problems
     Best Practices


                              1. You do not want users to be able to open Control Panel and gain access to
                                 Display or any of the other applications. What do you do?
                                 Configure an administrative template setting (Start Menu &
                                 Taskbar\Disable Changes to Control Panel) that prevents users from
                                 modifying the Start menu and taskbar. Control Panel will not appear
                                 on the Start menu, and users will not be able to gain access to it.



                              2. Your network no longer needs a User Administrative Template setting that
                                 you configured. What do you do to change the registry back to the way it
                                 was before you configured the settings?
                                 Select the not configured state for the setting. Then, the setting is not
                                 present in the Registry.pol file. The next time that the user starts the
                                 computer and logs on, the Registry.pol file does not contain this setting
                                 or its value, and it is not applied.



                              3. The Research department employees need a shortcut on their desktops to a
                                 special third-party application that resides on a network server. There are no
                                 existing Group Policy settings that can provide this shortcut. There is a
                                 Research Department organizational unit. What can you do?
                                 Write a script to create shortcuts on users’ desktops that connect to the
                                 applications and documents. Use Group Policy script settings to
                                 automate the running of the script at logon and link the GPO that
                                 contains the settings to the Research Department organizational unit.


4. Employees in the Production department may log on at any of several
   different client computers at any given time. All users need their work data
   available to them at all times. What must you do?
   Redirect the My Documents folder to a shared folder on a network
   server. Regardless of where users log on, they can access their
   documents.



5. What two technologies in Windows 2000 provide the ability to manage
   software?
   The two technologies are the Windows Installer and Windows 2000
   software installation and maintenance.



6. You must deploy two new applications, Microsoft Excel 2000 and
   Word 2000, to users in your organization. All users in your company use
   Word 2000 on a daily basis. All users in the accounting department also use
   Excel 2000 on a daily basis. Some users outside the accounting department
   need occasional access to Excel 2000. If you have a single domain, and each
   department has its own organizational unit, how do you deploy these two
   applications?
   Assign Word 2000 to users in a GPO at the domain level. Assign
   Excel 2000 to users in a GPO at the accounting department’s
   organizational unit, and publish Excel 2000 to users in a GPO at the
   domain level.



7. Under what circumstances would you choose to assign an application to
   computers instead of users?
   If the application is required for all users, regardless of which computer
   they log on to, you assign the application to computers.



8. You have deployed an application to all users in your organization, and now
   you must upgrade the application to the latest version. For compatibility
   reasons, you must allow some users to continue to use the old version. How
   do you accomplish this?
   Deploy the new version as an optional upgrade. This will allow users to
   continue to use the previous version until they are able to upgrade to
   the new version.


                       9. You want to assign a spreadsheet program to your accounting department,
                          but you must test the application before deploying to the whole department.
                          What options are available to you for testing the deployment?
                           Create a security group for testing. Use permissions to restrict the
                           Group Policy deployment to this testing group.



                       10. After you publish an application to an organizational unit that contains 200
                           users, you receive several calls from users who cannot install the
                           application. They are receiving an error message stating that the file was not
                           found. What is the problem?
                           The users do not have Read access to the shared folder that contains the
                           package and installation files.
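
For review question 3, a logon script of the kind the answer describes could look like the following. This is an added example, not part of the original courseware; it assumes clients that can run Windows PowerShell logon scripts, and the share path, application name, and shortcut name are hypothetical placeholders.

```powershell
# Logon script: runs in the security context of the user who is logging on,
# so it can only write where that user can write (here, the user's own desktop).
# Hypothetical values; replace with the real share and application.
$Target       = '\\server_name\Apps\ResearchApp.exe'
$ShortcutName = 'Research App.lnk'

function Set-DesktopShortcut {
    param(
        [Parameter(Mandatory = $true)] [string] $TargetPath,
        [Parameter(Mandatory = $true)] [string] $Name
    )

    # Resolve the current user's desktop (follows folder redirection if it is in use).
    $desktop  = [Environment]::GetFolderPath('Desktop')
    $linkPath = Join-Path $desktop $Name

    # Do not create a dead shortcut when the share is unreachable or the
    # user has no Read access to the application file.
    if (-not (Test-Path -LiteralPath $TargetPath -PathType Leaf)) {
        return "skipped: cannot read $TargetPath"
    }

    # CreateShortcut opens the existing .lnk if there is one, otherwise
    # prepares a new one; nothing is written until Save() is called.
    $shell = New-Object -ComObject WScript.Shell
    $link  = $shell.CreateShortcut($linkPath)

    # Idempotent: leave a correct shortcut alone on every later logon.
    if ($link.TargetPath -eq $TargetPath) {
        return "unchanged: $linkPath"
    }

    $link.TargetPath       = $TargetPath
    $link.WorkingDirectory = Split-Path -Parent $TargetPath
    $link.Description      = 'Created by Group Policy logon script'
    $link.Save()
    return "created: $linkPath"
}

Set-DesktopShortcut -TargetPath $Target -Name $ShortcutName
```

Assign the script as a logon script in a GPO linked to the Research Department organizational unit, and store it where users have Read access but not Write access, because every user in the organizational unit runs it at logon.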
