1 / 29

Module 7 Managing User Desktop with Group Policy

Module 7 Managing User Desktop with Group Policy. Module Overview. Implement Administrative Templates Configure Group Policy Preferences Manage Software with GPSI. Lesson 1: Implement Administrative Templates. What Are Administrative Templates? How Administrative Templates Work

bjorn
Télécharger la présentation

Module 7 Managing User Desktop with Group Policy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Module 7 Managing User Desktop with Group Policy

  2. Module Overview • Implement Administrative Templates • Configure Group Policy Preferences • Manage Software with GPSI

  3. Lesson 1:Implement Administrative Templates • What Are Administrative Templates? • How Administrative Templates Work • Managed Settings, Unmanaged Settings, and Preferences • Central Store • Demonstration: Work with Settings and the GPOs

  4. What Are Administrative Templates? .ADMX .ADML Registry

  5. How Administrative Templates Work • Policy settings in the Administrative Templates node make changes to the registry • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System • DisableRegeditMode • 1–Regedit UI tool only • 2–Also disable regedit /s

  6. Managed Settings, Unmanaged Settings, and Preferences • Administrative templates • Managed policy setting • User interface (UI) is locked; user cannot make a change to the setting • Changes are made in one of four reserved registry keys • Change and UI lock are "released" when the user/computer falls out of scope • Unmanaged policy setting • UI not locked • Makes a change that is persistent; "tattoos" the registry • Only managed setting shown by default • Set Filter Options to view unmanaged settings • Preferences • Effects vary

  7. Central Store • .ADM files • Stored in the GPT • Leads to version control and GPO bloat problems • .ADMX/.ADML files • Retrieved from the client • Problematic if the client doesn't have the appropriate files • Central Store • Create a folder called PolicyDefinitionson a DC • Remotely: \\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions • Locally: %SystemRoot%\SYSVOL\contoso.com\Policies\PolicyDefinitions • Copy .ADMX files from your %SystemRoot%\PolicyDefinitions • Copy .ADML file from language-specific subfolders (such as en-us)

  8. Demonstration: Work with Settings and GPOs In this demonstration, you will see how to: • Use filter options to locate policies in administrative templates • Add comments to a policy setting • Add comments to a GPO • Create a new GPO from a starter GPO • Create a new GPO by copying an existing GPO • Create a new GPO by importing settings that were exported from another GPO

  9. Lab A: Manage Settings and GPOs • Exercise 1: Manage Administrative Templates Logon information Estimated time: 30 minutes

  10. Lab Scenario • You were recently hired as the domain administrator for Contoso, Ltd, replacing the previous administrator, who retired. You are not certain what policy settings have been configured, so you decide to locate and document GPOs and policy settings. You also discover that the company has not leveraged either the functionality or the manageability of administrative templates.

  11. Lab Review • Describe the relationship between administrative template files (both .ADMX and .ADML files) and the GPME. • When does an enterprise get a central store? What benefits does it provide? • What are the advantages of managing Group Policy from a client running the latest version of Windows? Do settings you manage apply to previous versions of Windows?

  12. Lesson 2: Configure Group Policy Preferences What Are Group Policy Preferences? Differences Between Group Policy Preferences and Settings Demonstration: Configure Group Policy Preferences

  13. What Are Group Policy Preferences? Group Policy preferences expand the range of configurable settings within a GPO and: Features of Group Policy Preferences: • Are not enforced • Enable IT pros to configure, deploy, and manage operating system and application settings that were not manageable by using Group Policy • Create: Create a new item on the targeted computer • Delete: Remove an existing item from the targeted computer • Replace: Delete and re-create an item on the targeted computer • Update: Modify an existing item on the targeted computer

  14. Differences Between Group Policy Preferences and Settings

  15. Demonstration: Configure Group Policy Preferences In this demonstration, you will see how to configure some Group Policy Preferences

  16. Lab B: Manage Group Policy Preferences • Exercise 1: Configure Group Policy Preferences • Exercise 2: Verify Group Policy Preferences Application Logon information Estimated time: 20 minutes

  17. Lab Scenario • You were recently hired as the domain administrator for Contoso, Ltd. To simplify Group Policy management, which includes eliminating the need for logon scripts to map drives, you need to deploy several Group Policy Preferences settings that will allow for more flexibility for corporate users..

  18. Lab Review • What is the alternate way to provide drive mapping to users, instead of using Preferences? • If you apply the Group Policy preferences setting, can you change this setting on client side?

  19. Lesson 3: Manage Software with GPSI • Understand GPSI • Software Deployment Options • Demonstration: Create a Software Distribution Point • Create and Scope a Software Deployment GPO • Maintain Software Deployed with GPSI • GPSI and Slow Links

  20. Understand GPSI • Client-side extension (CSE) • Installs supported packages • Windows Installer packages (.msi) • Optionally modified by Transform (.mst) or patches (.msp) • GPSI automatically installs with elevated privileges • Downlevel application package (.zap) • Supported by “publish” option only • Requires user to have admin privileges • System Center Configuration Manager and other deployment tools can support a wider variety of installation and configuration packages • No “feedback” • No centralized indication of success or failure • No built-in metering, auditing, license management

  21. Software Deployment Options • Software deployment options • Assign application to users • Start menu shortcuts appear • Install-on-demand • File associations made (optional “Auto Install”) • Install-on-document invocation • Optionally, configure to install at logon • Publish application to users • Advertised in Programs And Features (Control Panel) • Install-on-request • Assign to computers • Install at startup

  22. Demonstration: Create a Software Distribution Point In this demonstration, you will see how to: • Create a software distribution point

  23. Create and Scope a Software Deployment GPO • Computer [or User] Configuration \ Policies \ Software Settings \ Software Installation • Right-click  New  Package • Browse to .msi file through network path (\\server\share) • Choose deployment option(Recommended: Advanced) • Managing the scope of asoftware deployment GPO • Typically easiest to manage withsecurity group filtering • Create an app group such as APP_XML Notepad • Put users into the group: allows users to access software share in the event that repairs or reinstalls are necessary • Put computers into the group if assigning to computers

  24. Maintain Software Deployed with GPSI • Redeploy application • After successful install, client will not attempt to reinstall app • You might make a change to the package • Package  All Tasks  Redeploy Application • Upgrade application • Create new package in same or different GPO • Advanced  Upgrades  Select package to upgrade • Uninstall old version first; or install over old version • Remove application • Package  All Tasks  Remove • Uninstall immediately (forced removal) orPrevent new installations (optional removal) • Don’t delete or unlink GPO until all clients have applied setting

  25. GPSI and Slow Links • The Group Policy Client determines whether the domain controller providing GPOs is on the other side of a slow link • Less than 500 kbps by default • Each CSE uses the “slow link” determination to decide whether to process • By default, GPSI does not process over a slow link • You can change slow link processing behavior of each CSE • Computer Configuration\Policies\Administrative Templates\ System\Group Policy • You can change the slow link threshold • Computer [or User] Configuration\Policies\Administrative Templates\System\Group Policy

  26. Lab C: Manage Software with GPSI • Exercise 1: Deploy Software with GPSI • Exercise 2: Upgrade Applications with GPSI Logon information Estimated time: 15 minutes

  27. Lab Scenario • You are an administrator at Contoso, Ltd. Your developers require XML Notepad to edit XML files, and you want to automate the deployment and life cycle management of the application. You decide to use Group Policy Software Installation. Most applications are licensed per computer, so you will deploy XML Notepad to the developers' computers, rather than associating the application with their user accounts.

  28. Lab Review • Consider the NTFS permissions you applied to the Software and XML Notepad folders on NYC-SVR1. Explain why these least privilege permissions are preferred to the default permissions. • Consider the methods used to scope the deployment of XML Notepad: Assigning the application to computers, filtering the GPO to apply to the APP_XML Notepad group that contains only computers, and linking the GPO to the Client Computers OU. Why is this approach advantageous for deploying most software? What would be the disadvantage of scoping software deployment to users rather than to computers?

  29. Module Review and Takeaways • Review Questions • Common Issues Related to Group Policy Management • Real-World Issues and Scenarios • Best Practices Related to Group Policy Management • Tools

More Related