Module 7: Managing User Desktop with Group Policy

07/06/13

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=9&FontSize=3&FontType=segoe

Contents:

• Lesson 1: Implement Administrative Templates

• Lab A: Manage Administrative Templates and Central Store

• Lesson 2: Configure Group Policy Preferences

• Lab B: Manage Group Policy Preferences

• Lesson 3: Manage Software with GPSI

• Lab C: Manage Software with GPSI

Module Overview

In an environment managed by a well-implemented Group Policy infrastructure, little or no configuration needs to be made by directly touching a desktop. The entire configuration is defined, enforced, and updated by using the settings in Group Policy objects (GPOs) that affect a portion of the enterprise as broad as an entire site or a domain, or as narrow as a single organizational unit (OU) or a group. In this module, you will learn what Group Policy is, how it works, and how best to implement it in your organization. In this module, you will learn how to configure desktop environments by using Administrative templates and Group Policy Preferences. You will also see how to properly scope Group Policy. In addition, you will learn how to deploy software by using Group Policy.

Objectives

After completing this module, you will be able to:

• Describe Administrative templates.

• Understand and configure Group Policy preferences.

• Deploy software by using Group Policy.

Lesson 1: Implement Administrative Templates

Administrative Templates allow you to control the environment of the operating system and user experience. There are two sets of Administrative Templates: one for users and one for computers. Using the administrative template sections of the GPO, you can deploy hundreds of modifications to the registry.

Objectives

After completing this lesson, you will be able to:

• Describe Administrative Templates and how they work.

• Describe managed settings, unmanaged settings, and preferences.

• Describe Central Store.

What Are Administrative Templates?

An administrative template is a text file that specifies the registry change to be made and that generates the user interface to configure the Administrative Templates policy settings in the GPME. The screenshot here shows the properties dialog box for the Prevent Access To Registry Editing Tools policy setting.

The fact that the setting exists and that it provides a drop-down list with which to disable Regedit.exe from running silently is determined in an administrative template. The registry setting that is made based on how you configure the policy is also defined in the administrative template.

Some software vendors provide administrative templates as a mechanism to manage the configuration of their application centrally. For example, you can obtain administrative templates for all recent versions of Microsoft Office from the Microsoft Downloads Center. You can also create your own custom administrative templates. A tutorial on creating custom administrative templates is beyond the scope of this course.

Administrative Templates have the following characteristics:

• They are organized into subfolders that deal with specific areas of the environment, such as network, system, and Windows components.

• The settings in the computer section edit the HKEY_LOCAL_MACHINE hive in the registry, and settings in the user section edit the HKEY_CURRENT_USER hive in the registry.

• Some settings exist for both user and computer. For example, there is a setting to prevent Windows Messenger from running in both the user and the computer templates. In case of conflicting settings, the computer setting prevails.

• Some settings are available only to certain versions of Windows operating systems; for example, a number of new settings can be applied only to the Windows 7® family of operating systems. Double-clicking a setting displays the supported versions for that setting.

.ADM Files

In versions of Windows prior to Windows Vista, an administrative template had an .ADM extension. .ADM files have several drawbacks. First, all localization must be performed within the .ADM file. That is, if you want to create an .ADM file to help deploy configuration in a multilingual organization, you would need separate .ADM files for each language to provide a user interface for administrators who speak that language. If you were to decide later to make a modification related to the registry settings managed by the templates, you would need to make the change to each .ADM file.

The second problem with .ADM files is the way they are stored. An .ADM file is stored as part of the GPT in the SYSVOL. If an .ADM file is used in multiple GPOs, it is stored multiple times, contributing to SYSVOL bloat. There were also challenges in maintaining version control over .ADM files.

To add classic administrative templates to the GPME, right-click the Administrative Templates node and then click Add/Remove Templates.

.ADMX/.ADML Files

In Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2, an administrative template is a pair of XML files, one with an .ADMX extension that specifies changes to be made to the registry and the other with an .ADML extension that provides a language-specific user interface in the GPME. When changes need to be made to settings managed by the administrative template, they can be made to the single .ADMX file. Any administrator who modifies a GPO that uses the template accesses the same .ADMX file and calls the appropriate .ADML file to populate the user interface.

To add .ADMX/.ADML administrative templates to the GPME, copy the .ADMX file into the %SystemRoot%\PolicyDefinitions folder on your client or in the central store.

Copy the .ADML file into the language-and-region-specific subfolder, such as en-us, of %SystemRoot%\PolicyDefinitions on your client or in the central store. The central store will be discussed in the next topic.

No Need to Take Sides

.ADM and .ADMX/.ADML administrative templates can coexist. Settings generated by .ADM files will appear under the Administrative Templates node in a node labeled Classic Administrative Templates (ADM).

Migrate Classic Administrative Templates to .ADMX

The ADMX Migrator enables you to convert ADM files to the ADMX format. For more information, see:

• ADMX Migrator

http://go.microsoft.com/fwlink/?LinkId=99466

• ADMX Migrator download (Blog)

http://go.microsoft.com/fwlink/?LinkId=113124

How Administrative Templates Work

In the Administrative Templates node, you will find several settings that allow you to control many aspects of Windows.

On the slide, you can see the Properties dialog box for the Prevent Access To Registry Editing Tools policy setting.

If this setting is enabled and the user tries to start a registry editor, a message appears, explaining that a setting prevents the action.

Note: To prevent users from using other administrative tools, use the Run Only Specified Windows Applications setting or use Software Restriction Policies, which are beyond the scope of this course.

Policies in the Administrative Templates node make changes to the registry. Settings provided in the Computer Configuration node will modify registry values in the HKEY_LOCAL_MACHINE (HKLM) key on the machine where Group Policy is applied. Settings in the Administrative Templates node in the User Configuration node modify registry values in the HKEY_CURRENT_USER (HKCU) key.

In the case of this policy setting, the following registry value is modified:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegeditMode

If you choose to restrict Regedit from running silently, that value is set to 2. If you choose to restrict only the Registry Editor UI tool, the value is set to 1.

Managed Settings, Unmanaged Settings, and Preferences

There is a nuance to the registry policy settings configured by the Administrative Templates node that is important to understand: the difference between managed and unmanaged policy settings.

A managed policy setting has the following characteristics:

• The user interface (UI) is locked, so a user cannot change the setting. Managed policy settings result in the appropriate UI being disabled. For example, if you configure the Screensaver Timeout policy setting, a user cannot change the timeout delay.

• Changes are made in one of four keys in the registry reserved for managed policy settings:

• HKLM\Software\Policies (computer settings)

• HKCU\Software\Policies (user settings)

• HKLM\Software\Microsoft\Windows\CurrentVersion\Policies (computer settings)

• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies (user settings)

These keys are secured so that only administrators can make a change. Together with UI lockout, this means that nonadministrative users will receive the change specified by the policy setting and cannot modify the setting on their computer.

• Changes made by a Group Policy setting and the UI lockout are released if the user or computer falls out of scope of the GPO. For example, if you delete a GPO, managed policy settings that had applied to a user will be released. This means that, generally, the setting resets to its previous state. Additionally, the UI for the setting is enabled.

The registry policy settings that have been discussed so far and that are encountered in the practices of this topic are examples of managed policy settings. A managed policy setting effects a configuration change when the setting is applied by a GPO. When the user or computer is no longer within the scope of the GPO, the configuration is released automatically.

In contrast, an unmanaged policy setting makes a change that is persistent in the registry. If the GPO no longer applies, the setting remains. This is often called "tattooing" the registry, in other words, making a permanent change. To reverse the effect of the policy setting, you must deploy a change that reverts the configuration to the desired state. Additionally, an unmanaged policy setting does not lock the UI for that setting.

By default, the GPME hides unmanaged policy settings to discourage you from implementing a configuration that is difficult to revert. However, you can make many useful changes with unmanaged policy settings, particularly for custom administrative templates to manage configuration for applications.

To control which policy settings are visible, right-click Administrative Templates and click Filter Options, and then select from the Managed drop-down list.

Later in this module, you will work with Group Policy Preferences. When a change is made by a preference, the change is not forced, but rather recommended.

Central Store

As was previously stated, .ADM files are stored as part of the GPO itself in the GPT. When you edit a GPO that uses administrative templates in the .ADM format, the GPME loads the .ADM from the GPT to produce the user interface. When .ADMX/.ADML files are used as administrative templates, the GPO contains only the data that the client needs for processing Group Policy, and when you edit the GPO, the GPME pulls the .ADMX and .ADML files from the local workstation.

This works well for smaller organizations, but for complex environments that include custom administrative templates or that require more centralized control, Windows Server 2008 introduces Central Store. Central Store is a single folder in SYSVOL that holds all the .ADMX and .ADML files that are required. After you have set up Central Store, the GPME recognizes it and loads all administrative templates from Central Store instead of from the local machine.

To create a central store:

1. Create a folder called PolicyDefinitions in the \\FQDN\SYSVOL\FQDN\Policies path.

For example, the central store for the contoso.com domain would be:

\\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions

If you log on to a domain controller, locally or by using Remote Desktop, the local path to the PolicyDefinitions folder is:

%SystemRoot%\SYSVOL\domain\Policies\PolicyDefinitions

2. Copy all .ADMX files from the %SystemRoot%\PolicyDefinitions folder of a Windows Server 2008 system to the new SYSVOL PolicyDefinitions folder.

3. Copy the .ADML files from the appropriate language-specific subfolder of %SystemRoot%\PolicyDefinitions into the language-specific subfolder of the new SYSVOL PolicyDefinitions folder.

For example, English (United States) .ADML files are located in %SystemRoot%\PolicyDefinitions\en-us. Copy them into \\FQDN\SYSVOL\FQDN\Policies\PolicyDefinitions\en-us.

4. If additional languages are required, copy the folder that contains the .ADML files to Central Store.

When you have copied all .ADMX and .ADML files, the PolicyDefinitions folder on the domain controller should contain the .ADMX files and one or more folders containing language-specific .ADML files.

Note: You can use the Central Store in a mixed environment with clients and servers running operating systems earlier than Windows Vista and Windows Server 2008. However, you must use Windows Vista, Windows Server 2008, or later to manage Group Policy. That is, your administrative workstation must be running a version of Windows that is able to work with the Central Store. The GPOs you create can be applied to previous versions of Windows.

Demonstration: Work with Settings and GPOs

Group Policy editing tools in Windows Server 2008 R2 provide several new functionalities that ease configuration and management of GPOs. In this demonstration, we will review these options.

Filter Administrative Template Policy Settings

A weakness of the Group Policy editing tools in previous versions of Windows is the inability to search for a specific policy setting. With thousands of policies to choose from, it can be difficult to locate exactly the setting you want to configure. The new GPME in Windows Server 2008 solves this problem for Administrative Template settings: you can now create filters to locate specific policy settings.

To create a filter:

1. Right-click Administrative Templates and click Filter Options.

2. To locate a specific policy, select the Enable keyword filters check box, enter the words with which to filter and select the fields within which to search. The screenshot here shows an example of a search for policy settings related to the screen saver.

In the top section of the Filter Options dialog box shown, you can filter the view to show only policy settings that are configured. This can help you locate and modify settings that are already specified in the GPO.

You can also filter for Group Policy settings that apply to specific versions of Windows, Internet Explorer, and other Windows components.

Unfortunately, the filter only applies to settings in the Administrative Templates nodes.

Comments

You can also search and filter based on policy-setting comments. Windows Server 2008 enables you to add comments to policy settings in the Administrative Templates node. To do so, double-click a policy setting and click the Comment tab.

It is a best practice to add comments to configured policy settings to document the justification for a setting and its intended effect. You should also add comments to the GPO itself. Windows Server 2008 enables you to attach comments to a GPO. In the GPME, right-click the root node in the console tree, click Properties, and then click the Comment tab.

Starter GPOs

Another new Group Policy feature in Windows Server 2008 is starter GPOs. A starter GPO contains Administrative Template settings. You can create a new GPO from a starter GPO, in which case the new GPO is prepopulated with a copy of the settings in the starter GPO. A starter GPO is, in effect, a template. When you create a new GPO, you can still choose to begin with a blank GPO, or you can select one of the preexisting starter GPOs or a custom starter GPO.

After you have created a GPO from a starter GPO, there is no link to the starter GPO. Changes to the starter GPO do not affect the GPOs that were previously created from the starter GPO.

Other Ways to Copy GPO Settings

Starter GPOs can contain only Administrative Templates policy settings. There are two other ways to copy settings from one GPO into another new GPO.

• You can copy and paste entire GPOs in the Group Policy Objects container of the GPMC so that you have a new GPO with all settings of the source GPO.

• To transfer settings between GPOs in different domains or forests, right-click a GPO and click Back Up. In the target domain, create a new GPO, right-click it, and click Import Settings. You will be able to import the settings of the backed up GPO.

Lab A: Manage Administrative Templates and Central Store

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V™ Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

• User name: Pat.Coleman

• Password: Pa$$w0rd

• Domain: Contoso

Lab Scenario

You were recently hired as the domain administrator for Contoso, Ltd, replacing the previous administrator, who retired. You are not certain what policy settings have been configured, so you decide to locate and document GPOs and policy settings. You also discover that the company has not leveraged either the functionality or the manageability of administrative templates.

Exercise 1: Manage Administrative Templates

Administrative templates provide the instructions with which the GPME creates a user interface to configure Administrative Templates policy settings and specify the registry changes that must be made based on those policy settings. In this exercise, you will examine and manage administrative templates. You will also create a central store of administrative templates to centralize the management of templates.

The main tasks for this exercise are as follows:

1. Explore the syntax of an administrative template.

2. Manage classic administrative templates (.ADM files).

3. Manage .ADMX and .ADML files.

4. Create the central store.

Task 1: Explore the syntax of an administrative template.

1. On NYC-DC1, click Start, click Run, type %SystemRoot%\PolicyDefinitions, and press Enter. The PolicyDefinitions folder opens.

2. Open the en-US folder or the folder for your region and language.

3. Double-click ControlPanelDisplay.adml.

4. Select the Select a program from a list of installed programs option and click OK.

5. Select Notepad and click OK.

6. Click the Format menu and select Word wrap.

7. Search for the text ScreenSaverIsSecure.

This is a definition of a string variable called ScreenSaverIsSecure.

8. Note the text between the <string> and </string> tags.

9. Note the name of the variable on the following line, ScreenSaverIsSecure_Help, and the text between the <string> and </string> tags.

10. Close the file.

11. Go to the PolicyDefinitions folder.

12. Double-click ControlPanelDisplay.admx.

13. Choose the Select a program from a list of installed programs option and click OK.

14. Select Notepad and click OK.

15. Search for the text, ScreenSaverIsSecure.

16. Examine the code in the file, also shown below:

    <policy name="ScreenSaverIsSecure" class="User"
            displayName="$(string.ScreenSaverIsSecure)"
            explainText="$(string.ScreenSaverIsSecure_Help)"
            key="Software\Policies\Microsoft\Windows\Control Panel\Desktop"
            valueName="ScreenSaverIsSecure">
      <parentCategory ref="Personalization" />
      <supportedOn ref="windows:SUPPORTED_Win2kSP1" />
      <enabledValue>
        <string>1</string>
      </enabledValue>
      <disabledValue>
        <string>0</string>
      </disabledValue>
    </policy>

17. Identify the parts of the template that define the following:

• The name of the policy setting that appears in the GPME

• The explanatory text for the policy setting

• The registry key and value affected by the policy setting

• The data put into the registry if the policy is enabled

• The data put into the registry if the policy is disabled

18. Close the file, and then close Windows Explorer.
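
The mapping that step 17 asks you to identify, and the managed-key rule from the Managed Settings topic, can be checked with a short script. This is an added PowerShell example, not part of the course. The ADML strings are constructed placeholders, the sample omits the XML namespace that shipped template files declare, and it assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the course). $admxText wraps the <policy> element from
# step 16 in a minimal document; $admlText holds constructed placeholder strings.
$admxText = @'
<policyDefinitions>
  <policies>
    <policy name="ScreenSaverIsSecure" class="User"
            displayName="$(string.ScreenSaverIsSecure)"
            explainText="$(string.ScreenSaverIsSecure_Help)"
            key="Software\Policies\Microsoft\Windows\Control Panel\Desktop"
            valueName="ScreenSaverIsSecure">
      <parentCategory ref="Personalization" />
      <supportedOn ref="windows:SUPPORTED_Win2kSP1" />
      <enabledValue><string>1</string></enabledValue>
      <disabledValue><string>0</string></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@
$admlText = @'
<policyDefinitionResources>
  <resources>
    <stringTable>
      <string id="ScreenSaverIsSecure">[constructed display name]</string>
      <string id="ScreenSaverIsSecure_Help">[constructed explanatory text]</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
'@

# Hive-relative registry locations reserved for managed policy settings.
$ManagedRoots = @(
    'Software\Policies\',
    'Software\Microsoft\Windows\CurrentVersion\Policies\'
)

function Resolve-AdmlString {
    param([string]$Reference, [hashtable]$Strings)
    # ADMX attributes point at ADML text with the form $(string.<id>).
    if ($Reference -match '^\$\(string\.(.+)\)$') {
        $id = $Matches[1]
        if ($Strings.ContainsKey($id)) { return $Strings[$id] }
        return "<no ADML string '$id'>"
    }
    return $Reference
}

function Get-AdmxValueData {
    param($ValueElement)
    # <enabledValue> and <disabledValue> wrap one typed child element.
    if ($null -eq $ValueElement) { return $null }
    $child = $ValueElement.SelectSingleNode('*')
    if ($null -eq $child) { return $null }
    switch ($child.LocalName) {
        'string'  { return $child.InnerText }
        'decimal' { return $child.GetAttribute('value') }
        'delete'  { return '<value deleted>' }
        default   { return $child.OuterXml }
    }
}

function Get-AdmxPolicySummary {
    param([string]$AdmxXml, [string]$AdmlXml)
    $admx = [xml]$AdmxXml
    $adml = [xml]$AdmlXml

    # Build the id -> text lookup from the ADML string table.
    $strings = @{}
    foreach ($s in $adml.GetElementsByTagName('string')) {
        $strings[$s.GetAttribute('id')] = $s.InnerText
    }

    foreach ($p in $admx.GetElementsByTagName('policy')) {
        $key  = $p.GetAttribute('key')
        $hive = switch ($p.GetAttribute('class')) {
            'User'    { 'HKCU' }
            'Machine' { 'HKLM' }
            'Both'    { 'HKLM and HKCU' }
            default   { 'unknown' }
        }
        # A key under one of the reserved roots is a managed setting; any other
        # key is unmanaged and persists after the GPO stops applying.
        $managed = $false
        foreach ($root in $ManagedRoots) {
            if (($key + '\').StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $managed = $true
            }
        }
        [pscustomobject]@{
            Name          = $p.GetAttribute('name')
            DisplayName   = Resolve-AdmlString -Reference ($p.GetAttribute('displayName')) -Strings $strings
            ExplainText   = Resolve-AdmlString -Reference ($p.GetAttribute('explainText')) -Strings $strings
            RegistryValue = '{0}\{1}\{2}' -f $hive, $key, $p.GetAttribute('valueName')
            EnabledData   = Get-AdmxValueData -ValueElement ($p['enabledValue'])
            DisabledData  = Get-AdmxValueData -ValueElement ($p['disabledValue'])
            Managed       = $managed
        }
    }
}

Get-AdmxPolicySummary -AdmxXml $admxText -AdmlXml $admlText | Format-List
```

To audit a custom or vendor template, pass the contents of its .ADMX file and the matching .ADML file instead of the embedded samples; any policy reported with Managed set to False writes outside the reserved policy keys.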

Task 2: Manage classic administrative templates (.ADM files).

1. On NYC-DC1, open the Group Policy Management console as Pat.Coleman_Admin.

2. Right-click the Default Domain Policy object and select Edit.

3. Expand the User Configuration\Policies\Administrative Templates folder.

4. Add the office12.adm template from D:\Labfiles\Lab07b\Office 2007 Administrative Templates.

Classic administrative templates (.ADM files) are provided primarily for enterprises that do not manage Group Policy with Windows Vista or Windows Server 2008 or newer operating systems.

You should use a computer running the most recent version of Windows to manage Group Policy. By doing so, you will be able to view and modify all available policy settings, including those that apply to previous versions of Windows. If you have at least one computer running Windows Vista, Windows Server 2008, or later, you should use that computer to manage Group Policy, and then you will not need classic administrative templates (.ADM files) when .ADMX/.ADML files are available.

Note that the template format affects only the management of Group Policy. Settings will apply to versions of Windows as described in the Supported on or Requirements section of the policy setting properties.

5. Examine the settings in this administrative template.

6. Remove the template.

Task 3: Manage .ADMX and .ADML files.

1. Copy all .ADMX files and the en-us subfolder (or the appropriate subfolder for your language and region) from D:\Labfiles\Lab07b\Office 2007 Administrative Templates to %SystemRoot%\PolicyDefinitions. When you paste the files, you will be prompted for administrative credentials. Use the user name Pat.Coleman_Admin and the password Pa$$w0rd.

2. Close and then reopen the GPME for 6425C. In the console tree, expand User Configuration\Policies\Administrative Templates. Note the addition of Microsoft® Office 2007 policy setting folders.

Task 4: Create the central store.

1. In the GPME, select the Administrative Templates node under User Configuration\Policies and note the heading in the details pane reports: Policy definitions (ADMX files) retrieved from the local machine.

2. Close the GPME.

3. Copy all .ADMX files from %systemroot%\PolicyDefinitions to \\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions.

4. Copy all .ADML files from %systemroot%\PolicyDefinitions\en-us (or the appropriate folder for your language and region) to \\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions\en-us (or the appropriate folder for your language and region).

5. Edit the 6425C GPO and, in the GPME, select the Administrative Templates node under User Configuration\Policies, and note the heading in the details pane reports: Policy definitions (ADMX files) retrieved from the central store.

Results: In this exercise, you created a central store of administrative templates and added the Microsoft Office 2007 templates.

Note: Do not shut down the virtual machines after you finish this lab because the settings you have configured here will be used in subsequent labs.
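
The central store steps from the Central Store topic and from Task 4 can be scripted and then verified. This is an added PowerShell example, not part of the course. The function names are hypothetical, Get-FileHash requires PowerShell 4.0 or later, and the demo at the end runs against a constructed temporary folder tree rather than a real SYSVOL.

```powershell
# Added example (not from the course). Function names are hypothetical.
function Copy-ToCentralStore {
    param(
        [Parameter(Mandatory = $true)][string]$CentralStore,
        [string]$Source = (Join-Path $env:SystemRoot 'PolicyDefinitions'),
        [string[]]$Language = @('en-us')
    )
    # Create the PolicyDefinitions folder if it is not there yet.
    New-Item -ItemType Directory -Path $CentralStore -Force | Out-Null
    # .ADMX files go in the root of the store.
    Copy-Item -Path (Join-Path $Source '*.admx') -Destination $CentralStore -Force
    # .ADML files go in the matching language subfolder.
    foreach ($lang in $Language) {
        $from = Join-Path $Source $lang
        if (-not (Test-Path -LiteralPath $from)) {
            Write-Warning "No '$lang' folder under $Source; skipped."
            continue
        }
        $to = Join-Path $CentralStore $lang
        New-Item -ItemType Directory -Path $to -Force | Out-Null
        Copy-Item -Path (Join-Path $from '*.adml') -Destination $to -Force
    }
}

function Test-CentralStore {
    param(
        [Parameter(Mandatory = $true)][string]$CentralStore,
        [string]$Source = (Join-Path $env:SystemRoot 'PolicyDefinitions'),
        [string[]]$Language = @('en-us')
    )
    foreach ($file in (Get-ChildItem -LiteralPath $CentralStore -Filter '*.admx' -File)) {
        # Compare each central template with the local copy, if there is one.
        $local = Join-Path $Source $file.Name
        if (-not (Test-Path -LiteralPath $local)) {
            $state = 'OnlyInCentralStore'
        } elseif ((Get-FileHash -LiteralPath $local).Hash -eq (Get-FileHash -LiteralPath $file.FullName).Hash) {
            $state = 'Match'
        } else {
            $state = 'Differs'
        }
        # Each <name>.admx needs <name>.adml in every language folder in use.
        $missing = @($Language | Where-Object {
            $adml = Join-Path (Join-Path $CentralStore $_) ($file.BaseName + '.adml')
            -not (Test-Path -LiteralPath $adml)
        })
        [pscustomobject]@{
            Template    = $file.Name
            VersusLocal = $state
            MissingAdml = $missing -join ', '
        }
    }
}

# Constructed demo tree so the functions can be tried without a domain.
$demo  = Join-Path ([IO.Path]::GetTempPath()) ('cs-demo-' + [guid]::NewGuid())
$local = Join-Path $demo 'PolicyDefinitions'
$store = Join-Path $demo 'SYSVOL\contoso.com\Policies\PolicyDefinitions'
New-Item -ItemType Directory -Path (Join-Path $local 'en-us') -Force | Out-Null
Set-Content -LiteralPath (Join-Path $local 'ControlPanelDisplay.admx') -Value '<policyDefinitions/>'
Set-Content -LiteralPath (Join-Path $local 'en-us\ControlPanelDisplay.adml') -Value '<policyDefinitionResources/>'
# Template with no language file, to show the MissingAdml column.
Set-Content -LiteralPath (Join-Path $local 'Orphan.admx') -Value '<policyDefinitions/>'

Copy-ToCentralStore -CentralStore $store -Source $local
Test-CentralStore   -CentralStore $store -Source $local | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

In the lab domain, pass -CentralStore '\\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions' and omit -Source to copy from %SystemRoot%\PolicyDefinitions.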

Lab Review Questions

Question: Describe the relationship between administrative template files (both .ADMX and .ADML files) and the GPME.

Question: When does an enterprise get a central store? What benefits does it provide?

Question: What are the advantages of managing Group Policy from a client running the latest version of Windows? Do the settings you manage apply to the previous versions of Windows?

Lesson 2: Configure Group Policy Preferences

In the previous versions of Windows Server, many common settings, such as mapped drives, that affect the user and computer environment could not be delivered through ordinary Group Policy settings. These settings were usually delivered through logon scripts or imaging solutions. Windows Server 2008 and Windows Server 2008 R2 include the new built-in feature called Group Policy Preferences in the GPMC. Group Policy Preferences enable IT professionals to configure, deploy, and manage many common operating system and application settings that they were not able to manage by using Group Policy.

Objectives

After completing this lesson, you will be able to:

• Describe Group Policy Preferences.

• Describe the differences between Group Policy settings and Group Policy Preferences.

• Configure and deploy Group Policy Preferences.

What Are Group Policy Preferences?

Group Policy Preferences are a new feature in the Windows Server 2008 and Windows Server 2008 R2 operating systems, and they include more than 20 new Group Policy extensions that expand the range of configurable settings within a GPO. In contrast to policy settings, you allow the users to change preferences after you’ve deployed the Group Policy Preferences.

Benefits of Group Policy Preferences

Group Policy preferences provide the following benefits:

• Reduces the need for logon scripts. Although preferences might not eliminate the need for logon scripts, they significantly reduce it. The most common tasks performed by logon scripts are installing printers, mapping network drives, configuring registry settings, and copying files and folders. You can accomplish these tasks by using preferences.

• Limits configuration errors. Configuration errors during and after deployment are often the reason for support calls and escalations that lead to higher deployment costs. Group Policy preferences significantly help reduce these costs.

• Minimizes image maintenance. Using Group Policy preferences, you can significantly reduce the time and cost of maintaining disk images. Instead of updating images to reflect configuration changes, you can deploy a generic image and update Group Policy preferences.

Deploying Group Policy Preferences

Group Policy preferences do not require you to install any services on servers. By default, Windows Server 2008 includes Group Policy Preferences as part of the GPME. Group Policy Preferences can be deployed in a Windows Server 2003 environment by installing Remote Server Administration Tools (RSAT) on a computer running Windows Vista SP1 or Windows 7.

Although you do not have to install any services to create GPOs that contain Group Policy Preferences, you must deploy the Group Policy Preferences CSE to any client computer to which you want to deploy preferences. The CSE is available as a separate download from Microsoft. It supports the following Windows versions:

• Windows XP SP2

• Windows Vista

• Windows Server 2003 SP1

• Windows Server 2008 and Windows Server 2008 R2 already include the CSE.

• Windows 7

You must use the new version of the GPME to configure preferences. This new version is part of the RSAT that can be installed on Windows Server 2008, Windows Vista, and newer operating systems.

Features of Group Policy Preferences

Preferences support a number of features that settings do not. Most Group Policy Preferences extensions support the following actions for each preference item:

• Create. Create a new item on the targeted computer.

• Delete. Remove an existing item from the targeted computer.

• Replace. Delete and re-create an item on the targeted computer. The result is that Group Policy preferences replace all existing settings and files associated with the preference item.

• Update. Modify an existing item on the targeted computer.

Every Group Policy Preference item has a Common tab that you can use to configure additional options that control the behavior of the item. The following table describes the settings.

| Option | Description |
| --- | --- |
| Stop processing items in this extension if an error occurs | By default, errors do not prevent Group Policy Preferences from processing the remaining preference items in the same extension. If you want preferences to stop processing additional items if an error occurs, enable this option. |
| Run in logged-on user's security context | By default, Group Policy preferences process preference items by using the local System account. As a result, these items can only access system environment variables and local resources. To access user environment variables and network resources, including network drives, you must enable this option to process the item by using the logged-on user’s account. |
| Remove this item when it is no longer applied | Unlike policy settings, Group Policy does not remove preferences when the GPO is removed from the user or the computer. Choosing this option changes the default behavior: when the GPO is removed from the user or the computer. |
| Apply once and do not reapply | Group Policy refreshes preference items during the regular refresh interval, by default. As a result, Group Policy restores preference items, even though users can change the settings they create. |
| Item-level targeting | Targeting determines to which users and computers a preference item applies. Enable this option, and then click the Targeting button to configure targeting items for the preference item. |

Targeting Control

Item-level targeting determines the users and computers to which Group Policy applies individual preference items within a GPO. You can target different preference items within a single GPO at computers based on different criteria. You can use logical operators to join criteria. For example, you can apply a preference if the computer matches a specific IP Address range and operating system version.

Differences Between Group Policy Preferences and Settings

The key difference between preferences and policy settings is enforcement. Group Policy strictly enforces policy settings. Organizations typically deploy two types of settings, managed and unmanaged. Managed settings are policy settings that you enforce. Unmanaged settings are preferences. In contrast to policy settings, you allow users to change preferences after you have deployed them.

The following table describes the differences between policies and preferences.

| Preferences | Policies |
| --- | --- |
| Preferences are not enforced. | Settings are enforced. |
| User interface is not disabled. | User interface is disabled. |
| Import individual registry settings or entire registry branches from a local or a remote computer. | Cannot create policy settings to manage files, folders, and so on. |
| Not available in local Group Policy. | Available in local Group Policy. |
| Supports non-Group Policy–aware applications. | Requires Group Policy–aware applications. |
| Original settings are overwritten. | Original settings are not changed. |
| Removing the preference item does not restore the original setting. | Removing the policy setting restores the original settings. |
| Targeting is granular with a user interface for each type of targeting item. | Filtering is based on Windows Management Instrumentation (WMI) and requires writing WMI queries. |
| Supports targeting at the individual preference item level. | Supports filtering at a GPO level. |

When choosing whether to deploy an item by using Group Policy settings or preferences, the most important factor you must consider is whether you want to enforce the setting. To configure a setting without enforcing it, use preferences. The next factor to consider is whether the application or feature is Group Policy–aware. To enforce items for which no policy setting is available, you can deploy them as preference items and then disable the Apply Once And Do Not Reapply option in the configuration of the setting.

Demonstration: Configure Group Policy Preferences

In this demonstration, your instructor will show you how to configure some Group Policy Preferences.

Demonstration Steps

• Add a shortcut to Notepad for NYC-CL1.

• Add a folder named Reports to all computers running Windows Server 2008 R2.

Lab B: Manage Group Policy Preferences

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

• User name: Pat.Coleman

• Password: Pa$$w0rd

• Domain: Contoso

Lab Scenario

You were recently hired as the domain administrator for Contoso, Ltd. To simplify Group Policy management, which includes eliminating the need for logon scripts to map drives, you need to deploy several Group Policy Preferences settings that will allow for more flexibility for corporate users.

Exercise 1: Configure Group Policy Preferences

The main tasks for this exercise are:

1. Add a shortcut to Notepad on the desktop of NYC-DC1.

2. Create a new folder named Reports on the C: drive of all computers running Windows Server 2008.

3. Configure drive mapping.

Task 1: Add a shortcut to Notepad on the desktop of NYC-DC1.

1. On 6425C-NYC-DC1, in the Group Policy Management window, configure the Default Domain Policy GPO with the following settings:

• Under Computer Configuration, Preferences, Windows Settings, right-click Shortcuts, point to New, and then click Shortcut.

• In the New Shortcut Properties dialog box, create a shortcut for Notepad.exe in the All Users Desktop location.

• On the Common tab, configure item-level targeting for the computer NYC-DC1.

2. Leave the Group Policy Management Editor window open for the next task.

Task 2: Create a new folder named Reports on drive C of all computers running Windows Server 2008.

1. In the Group Policy Management Editor window, under Windows Settings, right-click Folders, point to New, and then click Folder.

2. In the New Folder Properties dialog box, create the C:\Reports folder.

3. On the Common tab, configure item-level targeting for the Windows Server 2008 R2 operating system.

4. Leave the Group Policy Management Editor window open for the next task.

Task 3: Configure drive mapping.

1. In the Group Policy Management Editor window, under User Configuration, Preferences, Windows Settings, Drive Maps, right-click Drive Maps, point to New, and then click Mapped Drive.

2. Create a new mapped drive labeled Data for \\NYC-DC1\Data by using the drive letter P and select the Reconnect option.

Exercise 2: Verify Group Policy Preferences Application

The main tasks for this exercise are:

1. Verify that the preferences have been applied.

Task 1: Verify that the preferences have been applied

1. On NYC-DC1, log off, and then log on again as Contoso\Pat.Coleman.

2. Verify that drive P is mapped to the Data share on NYC-DC1.

3. Verify that the C:\Reports folder exists.

Note It may take a few moments for this folder to appear.

Note Do not shut down the virtual machines after you finish this lab because the settings you have configured here will be used in the subsequent labs.

Result: In this exercise, you configured and tested Group Policy Preferences and verified their application.

Lab Review Questions

Question: What is the alternate method of providing drive mapping to users, instead of using Preferences?

Question: If you apply a Group Policy preferences setting, can you change this setting on the client side?

Lesson 3: Manage Software with GPSI

You might be aware of several tools that can be used to deploy software within an organization, including Microsoft System Center Configuration Manager and its predecessor Microsoft Systems Management Server (SMS). Although these tools provide great benefits, including features to meter software use and inventory systems, you can effectively deploy most software without these tools by using only Group Policy software installation (GPSI).

Objectives

After completing this lesson, you will be able to:

• Deploy software by using GPSI.

• Describe software deployment options.

• Remove software originally installed with GPSI.

Understand GPSI

GPSI is used to create a managed software environment that has the following characteristics:

1. Users have access to the applications they need to do their jobs, no matter which computer they log on to.

2. Computers have the required applications, without intervention from a technical support representative.

3. Applications can be updated, maintained, or removed to meet the needs of the organization.

The software installation extension is one of the many client-side extensions (CSEs) that support change and configuration management by using Group Policy. CSEs were discussed in Module 6. The extension enables you to manage centrally the initial deployment, the upgrades, and the removal of software. All configuration of the software deployment is managed within a GPO by using procedures detailed later in this lesson.

Windows Installer Packages

GPSI uses the Windows Installer service to install, maintain, and remove software. The Windows Installer service manages software by using information contained in the application’s Windows Installer package. The Windows Installer package is in a file with an .msi extension that describes the installed state of the application. The package contains explicit instructions regarding the installation and removal of an application. You can customize Windows Installer packages by using one of the following types of files:

• Transform (.mst) files. These files provide a means for customizing the installation of an application. Some applications provide wizards or templates that permit a user to create transforms. For example, Adobe provides an enterprise deployment tool for Adobe Acrobat Reader that generates a transform. Many enterprises use the transform to configure agreement with the end-user license agreement and to disable certain features of the application, such as automatic updates that involve access to the Internet.

• Update (.msp) files. These files are used to update an existing .msi file for security updates, bug fixes, and service packs. An .msp file provides instructions about applying the updated files and registry keys in the software patch, service pack, or software update. For example, updates to Microsoft Office 2003 and later are provided as .msp files.

Note You cannot deploy .mst or .msp files alone. They must be applied to an existing Windows Installer package.

GPSI can make limited use of non-MSI application files (.zap files), also known as down-level application packages, that specify the location of the software distribution point (SDP) and the setup command. See knowledge base article 231747 at http://go.microsoft.com/fwlink/?LinkID=214197 for details. Most organizations do not use .zap files, because the installation of the application requires the user to have administrative privileges on the system. When GPSI installs an application by using a Windows Installer package, the user does not require administrative privileges, allowing for a more secure enterprise.

Note GPSI can fully manage applications only if the applications are deployed by using Windows Installer packages. Other tools, including Configuration Manager and SMS, can manage applications that use other deployment mechanisms.

The .msi file, transforms, and other files required to install an application are stored in a shared software distribution point (SDP).

Software Deployment Options

You can deploy software by assigning applications to users or computers or by publishing applications for users. You assign required or mandatory software to users or to computers. You publish software that users might find useful in performing their jobs.

Assigning Applications

When you assign an application to a user, the application’s local registry settings, including file name extensions, are updated and its shortcuts are created on the Start menu or desktop, advertising the availability of the application. The application advertisement follows the user, regardless of which physical computer the user logs on to. This application is installed the first time the user activates the application on the computer, either by selecting the application on the Start menu or by opening a document associated with the application. When you assign an application to the computer, the application is installed during the computer’s startup process.

Publishing Applications

When you publish an application to users, the application does not appear as if it is installed on the users’ computers. No shortcuts are visible on the desktop or Start menu. Instead, the application appears as an available application for the user to install using Add Or Remove Programs in Control Panel on a Windows XP system or in Programs and Features on a Windows Server 2008, Windows Vista®, or Windows 7 system. Additionally, the application can be installed when a user opens a file type associated with the application. For example, if Acrobat Reader is advertised to users, it will be installed if a user opens a file with a .pdf extension.

Given that applications can be either assigned or published and targeted to users or computers, you can establish a workable combination to meet your software management goals. The following table details the different software deployment options.

| Software Deployment Options | Publish (User Only) | Assign (User) | Assign (Computer) |
| --- | --- | --- | --- |
| After deployment of the GPO, the software is available for installation: | The next time a user logs on. | The next time a user logs on. | The next time the computer starts. |
| Typically, the user installs the software from: | Add Or Remove Programs in Control Panel (Windows XP) or Programs and Features (Windows Server 2008, Windows Vista, and Windows 7). | Start menu or desktop shortcut. An application can also be configured to install automatically at logon. | The software is installed automatically when the computer starts. |
| If the software is not installed and the user opens a file associated with the software, does the software install? | Yes (if auto-install is enabled). | Yes. | Does not apply; the software is already installed. |
| Can the user remove the software by using Control Panel? | Yes, and the user can choose to install it again from Control Panel. | Yes, and the software is available for installation again from the Start menu shortcuts or file associations. | No. Only a local administrator can remove the software; a user can run a repair on the software. |
| Supported installation files: | Windows Installer packages (.msi files), .zap files. | Windows Installer packages (.msi files). | Windows Installer packages (.msi files). |

Demonstration: Create a Software Distribution Point

Now that you understand GPSI at a high level, you can prepare the SDP. The SDP is simply a shared folder from which users and computers can install applications. Create a shared folder and a separate folder for each application. Then, copy the software package, modifications, and all other necessary files to the application folders. Set appropriate permissions on the folders that allow users or computers Read & Execute permission, the minimum permission required to successfully install an application from the SDP. The administrators of the SDP must be able to change and delete files to maintain the SDP over time.

Demonstration Steps

1. Start 6425C-NYC-DC1 and log on as Pat.Coleman with the password, Pa$$w0rd.

2. Start 6425C-NYC-SVR1, but do not log on.

3. Switch to NYC-DC1.

4. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.

5. In the console tree, expand the contoso.com domain and the Groups OU, and then click the Application OU.

6. Right-click the Application OU, point to New, and then click Group.

7. Type APP_XML Notepad, and then press Enter.

8. In the console tree, expand the contoso.com domain and the Servers OU, and then click the File OU.

9. In the details pane, right-click NYC-SVR1, and then click Manage.

The Computer Management console opens, focused on NYC-SVR1.

10. In the console tree, expand System Tools and Shared Folders, and then click Shares.

11. Right-click Shares, and then click New Share. The Create a Shared Folder Wizard appears.

12. Click Next.

13. In the Folder Path box, type C:\Software, and then click Next.

A message appears asking if you want to create the folder.

14. Click Yes.

15. Accept the default Share name, Software, and then click Next.

16. Click Customize permissions, and then click Custom.

17. Click Security.

18. Click Advanced.

The Advanced Security Settings dialog box appears.

19. Click Change Permissions.

20. Clear the Include inheritable permissions from this object's parent option.

A dialog box appears asking if you want to Add or Remove inherited permissions.

21. Click Add.

22. Select the first permission assigned to the Users group, and then click Remove.

23. Select the remaining permission assigned to the Users group, and then click Remove.

24. Select the permission assigned to Creator Owner, and then click Remove.

25. Click OK two times to close the Advanced Security Settings dialog boxes.

26. In the Customize Permissions dialog box, click the Share Permissions tab.

27. Select the Full Control check box.

The security management best practice is to configure least-privilege permissions in the ACL of the resource, because the ACL applies to users regardless of how they connect to the resource. With the ACL restricted in this way, you can use the Full Control permission on the SMB shared folder: the resultant access level will be the more restrictive permissions defined in the ACL of the folder.

28. Click OK.

29. Click Finish.

30. Click Finish to close the wizard.

31. Click Start, click Run, type \\NYC-SVR1\c$, and then press Enter.

The Connect to NYC-SVR1 dialog box appears.

32. In the User name box, type CONTOSO\Pat.Coleman_Admin.

33. In the Password box, type Pa$$w0rd, and then press Enter.

A Windows Explorer window opens, focused on the root of the drive C on NYC-SVR1.

34. Open the Software folder.

35. Click New folder.

A new folder is created and is in "rename mode."

36. Type XML Notepad, and then press Enter.

37. Right-click the XML Notepad folder, and then click Properties.

38. Click Security.

39. Click Edit.

40. Click Add. The Select Users, Computers, Service Accounts, or Groups dialog box appears.

41. Type APP_XML Notepad, and then press Enter.

The group is given the default, Read & Execute permission.

42. Click OK twice to close all open dialog boxes.

43. Open the XML Notepad folder.

44. Open the D:\Labfiles\Lab07c folder in a new window.

45. Right-click XMLNotepad.msi, and then click Copy.

46. Switch to the Windows Explorer window, displaying \\NYC-SVR1\c$\Software\XML Notepad.

47. Right-click in the empty details pane, and then click Paste.

XML Notepad is copied into the folder on NYC-SVR1.

48. Close all open Windows Explorer windows.

49. Close the Computer Management console.
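The demonstration removes the inherited Users and Creator Owner entries so that only the SDP administrators can change the packages that GPSI installs on behalf of users. The PowerShell below is an added example, not part of the courseware, that flags any remaining write-capable entry on an SDP folder; the function name Test-SdpAccessRule, the default trusted-principal list and the sample ACEs are assumptions constructed for illustration.

```powershell
# Added example. Test-SdpAccessRule is a hypothetical helper name, and the
# default -TrustedWriters list is an assumption to adjust per environment.

function Test-SdpAccessRule {
    [CmdletBinding()]
    param(
        # One ACE at a time, for example piped from (Get-Acl $path).Access
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.AccessControl.FileSystemAccessRule]$AccessRule,

        # Principals expected to maintain the SDP (assumed names).
        [string[]]$TrustedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    begin {
        # Rights that allow adding, changing or deleting files, or rewriting the ACL itself.
        $specific = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteExtendedAttributes, WriteAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
        # Get-Acl can report unmapped generic rights on inherit-only ACEs:
        # GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000).
        $writeMask = $specific -bor 0x10000000 -bor 0x40000000
    }
    process {
        # Deny entries only reduce access, so they are not findings.
        if ($AccessRule.AccessControlType -ne 'Allow') { return }
        $identity = $AccessRule.IdentityReference.Value
        if ($TrustedWriters -contains $identity) { return }
        if (([int]$AccessRule.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Identity  = $identity
                Rights    = $AccessRule.FileSystemRights
                Inherited = $AccessRule.IsInherited
            }
        }
    }
}

# Constructed sample ACEs; no domain lookup happens when they are built.
function New-SampleRule([string]$Identity, [string]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
}

$sample = @(
    New-SampleRule 'BUILTIN\Administrators'   'FullControl'
    New-SampleRule 'NT AUTHORITY\SYSTEM'      'FullControl'
    New-SampleRule 'CONTOSO\APP_XML Notepad'  'ReadAndExecute'   # the grant made in step 41
    New-SampleRule 'BUILTIN\Users'            'ReadAndExecute'
    New-SampleRule 'BUILTIN\Users'            'AppendData'       # constructed: a Users entry of the kind steps 22-23 remove
    New-SampleRule 'CREATOR OWNER'            'FullControl'      # constructed: the kind of entry step 24 removes
)

# Only the write-capable entries for non-trusted principals are returned.
$sample | Test-SdpAccessRule | Format-Table -AutoSize

# Against the folder from the demonstration:
# (Get-Acl '\\NYC-SVR1\c$\Software\XML Notepad').Access | Test-SdpAccessRule
```

Because the share permission in step 27 is Full Control, the folder ACL is the only control that keeps package files read-only for users, so this check is worth repeating whenever a new application folder is added.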

Create and Scope a Software Deployment GPO

To create a software deployment GPO, you must perform the following steps:

1. Use the Group Policy Management console to create a new GPO or select an existing GPO.

2. Edit the GPO by using the Group Policy Management Editor.

3. Expand the console nodes Computer Configuration\Policies\Software Settings\Software Installation. Alternatively, select the Software Installation node in the User Configuration branch.

4. Right-click Software Installation, choose New, and then select Package.

5. Browse to locate the .msi file for the application. Click Open.

The Deploy Software dialog box appears, shown in the following screen shot:

6. Select Published, Assigned, or Advanced.

You cannot publish an application to computers, so the option will not beavailable if you are creating the package in the Software Installation node inComputer Configuration.

The Advanced option enables you to specify whether the application is publishedor assigned and gives you the opportunity to configure advanced properties ofthe software package. Therefore, select Advanced. The package properties dialogbox then appears. Among the more important properties that you can configureare the following choices:

• Deployment Type: On the Deployment tab, configure Published or Assigned.

• Deployment Options: Based on the selected deployment type, different choices appear in the Deployment Options section. These options, along with other settings on the Deployment tab, manage the behavior of the application installation.

• Uninstall This Application When It Falls Out Of the Scope Of Management: If this option is selected, the application will be automatically removed when the GPO no longer applies to the user or computer.

• Upgrades: On the Upgrades tab, you can specify the software that this package will upgrade. Upgrades are discussed in the “Maintain Software Deployed with GPSI” section later in this lesson.

• Categories: The Categories tab enables you to associate the package with one or more categories. Categories are used when an application is published to a user. When the user opens the Control Panel to install a program, applications published by using GPSI are presented in groups based on these categories.

• To create categories that are available to associate with packages, right-click Software Installation and click Properties. Then, click the Categories tab.

• Modifications: If you have a transform (.mst file) that customizes the package, click the Add button to associate the transform with the package. Most tabs in the package Properties dialog box are available for you to change settings at any time. However, the Modifications tab is available only when you create the new package and select the Advanced option.

Managing the Scope of a Software Deployment GPO

After you have created a software deployment GPO, you can scope the GPO to distribute the software to appropriate computers or users. In many software management scenarios, applications should be assigned to computers rather than to users. This is because most software licenses allow an application to be installed on one computer, and if the application is assigned to a user, the application is installed on each computer to which the user logs on.

You can scope a GPO by linking the GPO to an OU or by filtering the GPO so that it applies only to a selected global security group. Many organizations have found that it is easiest to manage software by linking an application’s GPO to the domain and filtering the GPO with a global security group that contains the users and computers to which the application should be deployed. For example, a GPO that deploys the XML Notepad tool (available from the Microsoft downloads site at http://go.microsoft.com/fwlink/?LinkID=214198) would be linked to the domain and filtered with a group containing developers that require the tool. The group would have a descriptive name that indicates its purpose to manage the deployment of XML Notepad, such as APP_XML Notepad.

Maintain Software Deployed with GPSI

After a computer has installed an application by using the Windows Installer package specified by a GPO, the computer will not attempt to reinstall the application at each Group Policy refresh. There might be scenarios in which you want to force systems to reinstall the application. For example, small changes might have been made to the original Windows Installer package.

To redeploy an application deployed with Group Policy:

• Right-click the package in the GPO, click All Tasks, and then select Redeploy Application.

You can also upgrade an application that has been deployed with GPSI.

1. Create a package for the new version of the application in the Software Installation node of the GPO.

The package can be in the same GPO as the package for the previous version or in any different GPO.

2. Right-click the package and click Properties.

3. Click the Upgrades tab, and then click the Add button.

The Add Upgrade Package dialog box appears.

4. Select whether the package for the previous version of the application is in the current GPO or in another GPO. If the previous package is in another GPO, click Browse to select that GPO.

5. Then, select the package from the Package to upgrade list.

6. Based on your knowledge of the application’s upgrade behavior, choose one of the upgrade options shown at the lower part of the dialog box.

• Uninstall the existing package, and then install the upgrade package

• Package can upgrade over the existing package

7. Click OK.

You can also remove an application that was deployed with GPSI by performing the following steps:

1. Right-click the package, click All Tasks, and then select Remove.

2. In the Remove Software dialog box, choose one of the following two options:

• Immediately uninstall the software from users and computers. This option, known as forced removal, causes computers to remove the application. The software installation extension will remove an application when the computer restarts if the application was deployed with a package in the Computer Configuration portion of the GPO. If the package is in the User Configuration portion, the application is uninstalled the next time the user logs on.

• Allows Users To Continue To Use The Software, But Prevents New Installations. This setting, known as optional removal, causes the software installation extension to avoid adding the package to systems that do not yet have the package installed. Computers that had previously installed the application do not forcibly uninstall the application, so users can continue using it.

If you use one of these two options to remove software by using GPSI, it is important that you allow the settings in the GPO to propagate to all computers within the scope of the GPO before you delete, disable, or unlink the GPO. Clients need to receive this setting, which specifies forced or optional removal. If the GPO is deleted or no longer applied before all clients have received this setting, the software is not removed according to your instructions. This is particularly important in environments with mobile users on laptop computers that might not connect to the network on a regular basis.

If, when creating the software package, you chose the Uninstall this application when it falls out of the scope of management option, you can simply delete, disable, or unlink the GPO, and the application will be forcibly removed by all clients that have installed the package with that setting.

GPSI and Slow Links

When a client performs a Group Policy refresh, it tests the performance of the network to determine whether it is connected by using a slow link, defined by default as 500 kilobits per second (kbps). Each client-side extension is configured to process Group Policy or to skip the application of settings on a slow link. By default, GPSI does not process Group Policy settings over a slow link because the installation of software over a slow link could cause significant delays.

You can change the slow link policy processing behavior of each client-side extension by using policy settings located in Computer Configuration\Policies\Administrative Templates\System\Group Policy. For example, you could modify the behavior of the software installation extension so that it does process policies over a slow link.

You can also change the connection speed threshold that constitutes a slow link. By configuring a low threshold for the connection speed, you can convince the client-side extensions that a connection is not a slow link, even if it actually is. There are separate Group Policy Slow Link Detection policy settings for computer policy processing and user policy processing. The policies are in the Administrative Templates\System\Group Policy folders in Computer Configuration and User Configuration.

Lab C: Manage Software with GPSI

Lab Setup

For this lab, you will use the same virtual machine environment used in previous labs. If required, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

• User name: Pat.Coleman

• Password: Pa$$w0rd

• Domain: Contoso

5. Repeat steps 2 and 3 for 6425C-NYC-SVR1. Do not log on to the machine until directed to do so.

Lab Scenario

You are an administrator at Contoso, Ltd. Your developers require XML Notepad to edit XML files, and you want to automate the deployment and life cycle management of the application. You decide to use Group Policy Software Installation. Most applications are licensed per computer, so you will deploy XML Notepad to the developers' computers, rather than associating the application with their user accounts.

Exercise 1: Deploy Software with GPSI

In this exercise, you will use GPSI to deploy XML Notepad to computers, including NYC-CL1.

The main tasks for this exercise are as follows:

1. Create a software distribution folder.

2. Create a software deployment GPO.

3. Deploy software to computers.

4. Confirm the successful deployment of software.

Task 1: Create a software distribution folder.

1. On NYC-DC1, run Active Directory Users and Computers as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.

2. In the Groups\Application OU, create a new global security group named APP_XML Notepad.

3. In the Servers\File OU, right-click NYC-SVR1, and then click Manage.

4. Use the Shared Folders snap-in to create a new shared folder, C:\Software, with a share name of Software. Configure the NTFS permissions as described below:

• System: Allow: Full Control

• Administrators: Allow: Full Control

Then, configure the Share permission such that the Everyone group is allowed Full Control.

The security management best practice is to configure least privilege permissions in the ACL of the resource, because the ACL applies to users regardless of how they connect to the resource. With the ACL in place, you can use the Full Control permission on the SMB shared folder: the resultant access level will be the more restrictive permissions defined in the ACL of the folder.

5. Open the administrative share for drive C on NYC-SVR1 (\\NYC-SVR1\c$) as Pat.Coleman_Admin with the password Pa$$w0rd.

6. Inside the Software folder on NYC-SVR1, create a folder called XML Notepad.

7. Add permission to the XML Notepad folder so that the APP_XML Notepad group is allowed Read & Execute permission.

8. Copy XML Notepad.msi from D:\Labfiles\Lab07c to \\NYC-SVR1\c$\Software\XML Notepad.

9. Close any open Windows Explorer windows.

10. Close the Computer Management console.
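
The NTFS layout built in this task can be checked with a script. The following Windows PowerShell example is added here and is not part of the course lab: it lists every ACE under a distribution folder that lets a principal other than SYSTEM or Administrators change a package that GPSI clients will install. The function name Get-UntrustedWriteAce and the scratch-folder demo are constructed for illustration, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example, not part of the course lab. Get-UntrustedWriteAce is a
# hypothetical helper name. Requires Windows PowerShell 3.0 or later.
function Get-UntrustedWriteAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Principals allowed to change the folder: SYSTEM and BUILTIN\Administrators,
        # the two entries the lab grants Full Control.
        [string[]] $TrustedSid = @('S-1-5-18', 'S-1-5-32-544')
    )

    # Rights that let a principal add, replace, delete or re-permission a package.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights](
        'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, ' +
        'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')
    # Generic bits can appear unmapped in some ACEs: GENERIC_WRITE and GENERIC_ALL.
    $writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $ntType  = [System.Security.Principal.NTAccount]
    $items   = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Recurse -Force)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($TrustedSid -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

            # Resolve the SID to a name where possible; keep the SID otherwise.
            $name = try { $ace.IdentityReference.Translate($ntType).Value }
                    catch { $ace.IdentityReference.Value }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $name
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Constructed demo on a scratch folder, so the check can be tried off the lab network.
$demo = Join-Path $env:TEMP ('gpsi-acl-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demo | Out-Null
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$trusted = 'S-1-5-18', 'S-1-5-32-544', $me   # current user is trusted only for this demo

# Weak setting: BUILTIN\Users (S-1-5-32-545) may modify the package folder.
icacls $demo /grant '*S-1-5-32-545:(OI)(CI)M' | Out-Null
$weak = @(Get-UntrustedWriteAce -Path $demo -TrustedSid $trusted)

# Corrected setting: readers get Read & Execute only, as the lab gives APP_XML Notepad.
icacls $demo /grant:r '*S-1-5-32-545:(OI)(CI)RX' | Out-Null
$fixed = @(Get-UntrustedWriteAce -Path $demo -TrustedSid $trusted)

"Findings with Modify granted: $($weak.Count); after tightening: $($fixed.Count)"
$weak | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

On the lab server the same function would be called as `Get-UntrustedWriteAce -Path '\\NYC-SVR1\Software'`; a Read & Execute entry such as the one granted to APP_XML Notepad contains none of the rights in the mask and is not reported.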

Task 2: Create a software deployment GPO.

1. Run Group Policy Management as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.

2. In the Group Policy Objects container, create a new GPO called XML Notepad. Edit that GPO.

3. Expand Computer Configuration, Policies, Software Settings, and then click Software Installation.

4. Right-click Software Installation, point to New, and then click Package.

5. In the File name text box, type the network path to the software distribution folder, \\NYC-SVR1\software\XML Notepad, and then press Enter.

6. Select the Windows Installer package, XmlNotepad.msi, and then click Open.

After a few moments, the Deploy Software dialog box appears.

7. Click Advanced, and then click OK.

8. On the General tab, note that the name of the package includes the version, XML Notepad 2007.

9. Click the Deployment tab.

Note that when deploying software to computers, Assigned is the only option. Examine the options that would be available if you were assigning or publishing the application to users.

10. Select Uninstall This Application When It Falls Out Of The Scope Of Management.

11. Click OK.

12. Close the Group Policy Management Editor.

13. Scope the GPO to apply only to members of APP_XML Notepad, and not to Authenticated Users.

14. Link the GPO to the Client Computers OU.
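
The scoping described in "Managing the Scope of a Software Deployment GPO" and carried out in steps 13 and 14 (plus the group membership from Task 3) can also be scripted and then verified. The following Windows PowerShell example is added here and is not part of the course lab; the OU distinguished name and the function name Test-GpsiScope are assumptions, and the package itself is still added in the Group Policy Management Editor as in steps 3 to 12. On Windows Server 2008 R2 the permission cmdlets are named Get-GPPermissions and Set-GPPermissions.

```powershell
# Added example, not part of the course lab. Run in an elevated session on a
# domain member that has the GroupPolicy and ActiveDirectory modules installed.
Import-Module GroupPolicy, ActiveDirectory

$gpoName  = 'XML Notepad'
$group    = 'APP_XML Notepad'
$targetOu = 'OU=Client Computers,DC=contoso,DC=com'   # assumed distinguished name

# Task 2, step 2: create the GPO if it does not exist yet.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Deploys XML Notepad with GPSI' | Out-Null
}

# Step 13: apply only to APP_XML Notepad. Authenticated Users is lowered to
# read-only here instead of being removed, so the GPO stays readable but is not
# applied; -Replace is needed to lower an existing, higher permission level.
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Step 14: link the GPO to the Client Computers OU unless it is already linked.
if ((Get-GPInheritance -Target $targetOu).GpoLinks.DisplayName -notcontains $gpoName) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# Task 3, step 1: add the client computer account to the filter group.
$computer = Get-ADComputer -Identity 'NYC-CL1'
$members  = @(Get-ADGroupMember -Identity $group)
if ($members.distinguishedName -notcontains $computer.DistinguishedName) {
    Add-ADGroupMember -Identity $group -Members $computer
}

# Hypothetical check: returns one line per deviation from the intended scope.
function Test-GpsiScope {
    param([string] $GpoName, [string] $Group, [string] $TargetOu)

    $perms = @(Get-GPPermission -Name $GpoName -All)
    foreach ($p in $perms) {
        if ($p.Permission -eq 'GpoApply' -and $p.Trustee.Name -ne $Group) {
            "Unexpected apply permission for $($p.Trustee.Name)"
        }
    }
    if (-not ($perms | Where-Object { $_.Trustee.Name -eq $Group -and
                                      $_.Permission -eq 'GpoApply' })) {
        "$Group does not have apply permission on the GPO"
    }
    # The package is assigned to computers, so the group should hold only computers.
    Get-ADGroupMember -Identity $Group |
        Where-Object { $_.objectClass -ne 'computer' } |
        ForEach-Object { "Non-computer member in ${Group}: $($_.SamAccountName)" }
    if ((Get-GPInheritance -Target $TargetOu).GpoLinks.DisplayName -notcontains $GpoName) {
        "GPO is not linked to $TargetOu"
    }
}

$findings = @(Test-GpsiScope -GpoName $gpoName -Group $group -TargetOu $targetOu)
if ($findings.Count -eq 0) { 'Scope matches the lab design.' } else { $findings }
```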

Task 3: Deploy software to computers.

1. Add NYC-CL1 to the APP_XML Notepad group.

2. Start 6425C-NYC-CL1, but do not log on.

Task 4: Confirm the successful deployment of software.

1. Log on to NYC-CL1 as Pat.Coleman with the password Pa$$w0rd.

2. Confirm that XML Notepad installed successfully.

Note: The deployment of XML Notepad may take two startups to be successful. If you do not see XML Notepad installed when verifying the deployment, restart the virtual machine. You may need to do this a couple of times.

Results: In this exercise, you deployed XML Notepad to NYC-CL1.

Exercise 2: Upgrade Applications with GPSI

In this exercise, you will simulate deploying an upgraded version of XML Notepad.

The main task for this exercise is as follows:

• Create an upgrade package by using GPSI.

Task 1: Create an upgrade package by using GPSI.

1. Switch to NYC-DC1.

2. In the Group Policy Management console tree, right-click the XML Notepad GPO in the Group Policy Objects container, and then click Edit.

The Group Policy Management Editor opens.

3. In the console tree, expand Computer Configuration, Policies, Software Settings, and then click Software Installation.

4. Right-click Software Installation, point to New, and then click Package.

5. In the File name text box, type the network path to the software distribution folder, \\NYC-SVR1\software\XML Notepad, and then press Enter.

This exercise will use the existing XmlNotepad.msi file as if it is an updated version of XML Notepad.

6. Select the Windows Installer package, XmlNotepad.msi, and then click Open.

The Deploy Software dialog box appears.

7. Click Advanced, and then click OK.

8. On the General tab, change the name of the package to suggest that it is the next version of the application. Type XML Notepad 2011.

9. Click the Deployment tab. Because you are deploying the application to computers, Assigned is the only deployment type option.

10. Click Upgrades.

11. Click Add.

12. Click the Current Group Policy Object (GPO) option.

13. In the Package to upgrade list, select the package for the simulated earlier version, XML Notepad 2007.

14. Select the Uninstall the existing package, and then install the upgrade package option.

15. Click OK.

16. Click OK.

If this were an actual upgrade, the new package would upgrade the previous version of the application as clients applied the XML Notepad GPO. Because this is only a simulation of an upgrade, you can remove the simulated upgrade package.

17. Right-click XML Notepad 2011, which you just created to simulate an upgrade, point to All Tasks, and then select Remove.

18. In the Remove Software dialog box, click Immediately uninstall the software from users and computers, and then click OK.

Results: In this exercise, you simulated an upgrade of XML Notepad by using GPSI.

To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6425C-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6425C-NYC-CL1.

Lab Review Questions

Question: Consider the NTFS permissions you applied to the Software and XML Notepad folders on NYC-SVR1. Explain why these least privilege permissions are preferred to the default permissions.

Question: Consider the methods used to scope the deployment of XML Notepad: Assigning the application to computers, filtering the GPO to apply to the APP_XML Notepad group that contains only computers, and linking the GPO to the Client Computers OU. Why is this approach advantageous for deploying most software? What would be the disadvantage of scoping software deployment to users rather than to computers?

Module Review and Takeaways

Review Questions

1. What is the benefit of having Central Store?

2. What is the main difference between Group Policy Settings and Group Policy Preferences?

3. What is the difference between publishing and assigning software through GPSI?

Common Issues Related to Group Policy Management

| Issue | Troubleshooting tip |
| --- | --- |
| Group Policy Preferences are not being applied. | |
| Group Policy Software installation does not work for some users | |

Real-World Issues and Scenarios

You have a number of logon scripts that map network drives for users. Not all users need these drive mappings, so you must ensure that only the right users get the mappings. You want to move away from using these scripts.

Best Practices Related to Group Policy Management

• Make comments on GPO settings

• Use Central Store for Administrative templates when having clients with Windows Vista and Windows 7

• Use Group Policy preferences to configure settings not available in Group Policy set of settings

• Use Group Policy Software Installation to deploy packages in .msi format to a large number of users or computers.

Tools

| Tool | Use for | Where to find it |
| --- | --- | --- |
| Group policy reporting RSoP | Reporting information about the current policies being delivered to clients. | Group Policy Management Console |
| GPResult | A command-line utility that displays RSoP information. | Command-line utility |
| GPUpdate | Refreshing local and AD DS-based Group Policy settings. | Command-line utility |
| Dcgpofix | Restoring the default Group Policy objects to their original state after initial installation. | Command-line utility |
| GPOLogView | Exporting Group Policy-related events from the system and operational logs into text, HTML, or XML files. For use with Windows Vista and later versions. | Command-line utility |