Module 5: Using Group Policy to Manage User Environments
Module Strategy
Use the following strategy to present this module:
• Introduction to Managing User Environments
In this topic, you will introduce managing user environments by configuring
the Administrative Templates and Scripts Group Policy extensions.
Emphasize that configuring user environments by using Group Policy
allows you to immediately apply the environments to users or computers by
adding the user or computer to the organizational unit (OU) affected by the
settings. Briefly mention the task for managing user environments.
• Using Administrative Templates
In this topic, you will explain how to use administrative template settings to
manage user environments. First, present administrative templates.
Emphasize that although they are registry-based settings, they do not
permanently change the registry. Then present how computers apply Group
Policy registry settings. Use the animated slide. Emphasize that settings and
values are located in the Registry.pol file. Next, present information on the
loopback Group Policy settings. Show students the loopback settings in
Administrative Templates.
Next, present the different types of settings in Administrative Templates.
Then present the type of settings to use if an administrator wants to
lock down user environments. Emphasize that this is only an example and
not a recommendation. Finally, present information on implementing
administrative template settings while demonstrating the process.
• Lab A: Using Administrative Templates to Assign Registry-Based Policies
Prepare students for the lab in which they will configure administrative
template settings for users and computers and then test the configuration.
Make sure that students run the command file for the lab and tell them that
they will have to initiate replications between their domain controllers and
their partner’s domain controllers. After students have completed the lab,
ask them if they have any questions.
• Using Scripts
In this topic, you will explain how to use Group Policy to run scripts. First,
present how Group Policy handles scripts. Emphasize that script settings
allow an administrator to automate the running of scripts at specific times
(startup, shutdown, and when a user logs on or logs off). Then present the
order in which Microsoft® Windows® 2000 processes scripts. Emphasize
that startup scripts run synchronously, and define the term if needed.
Finally, present information on how to implement scripts. Demonstrate
the process.
• Lab B: Assigning Script Policies to Users and Computers
Prepare students for the lab in which they will configure script settings for
logon and logoff scripts and then test the configuration. After students have
completed the lab, ask them if they have any questions.
• Best Practices
Present best practices for using Group Policy to manage user environments.
Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
Important: The labs in this module are also dependent on the classroom
configuration that is specified in the Customization Information section at the
end of the Classroom Setup Guide for course 1558A, Advanced Administration
for Microsoft Windows 2000.
Lab Setup
The following list describes the setup requirements for the labs in this module.
Setup Requirement 1
The labs in this module require a regular user account for the student. To
prepare student computers to meet this requirement, create the user
account manually.
Setup Requirement 2
The labs in this module require the Log on locally right for domain controllers
to be assigned to the Everyone group. To prepare student computers to meet
this requirement, perform one of the following actions:
• Run C:\MOC\Win1558A\Labfiles\Lab05\Setup\Lab05.cmd.
• Assign the right manually.
Setup Requirement 3
The labs in this module require that a shortcut for Active Directory Domains
and Trusts, Active Directory Users and Computers, and Active Directory Sites
and Services exists on the desktop of the regular user account. To prepare
student computers to meet this requirement, perform one of the
following actions:
• Log on to the domain by using the regular user account and run
  C:\MOC\Win1558a\Labfiles\Lab05\Setup\Lab05.cmd.
• Create the shortcuts manually and place them in
  C:\Winnt\Profiles\All Users\Desktop.
Setup Requirement 4
The labs in this module require the following OUs and users in the student’s
domain. A number (1 or 2) assigned by you is to be substituted for the
variable x in the labs. One student in each pair uses number 1, the other student
uses number 2.
This OU                 In this organizational unit
East                    Domain Controllers
West                    Domain Controllers
Sales x                 Top Level OU in the domain
Telemarketing           Sales x
Retail                  Sales x

This user account       In this organizational unit
Sales User x            Sales x
Telemarketing User x    Telemarketing
Retail User x           Retail
To prepare student computers to meet this requirement, perform one of the
following actions:
• Run C:\MOC\Win1558A\Labfiles\Lab05\Setup\Lab05.cmd.
• Create the OUs and user accounts manually.
Lab Results
Performing the labs in this module introduces the following configuration
changes:
• Students move their domain controllers to the East OU or West OU if they
  have not been moved already.
• Students create a Group Policy object (GPO) linked to the East OU or
  West OU in their domains that contains security template and Audit
  policy settings.
• Students remove GPOs linked to the East OU or West OU in their domains.
Important: You can run
C:\MOC\Win1558A\Labfiles\Lab05\Setup\Lab05rm.cmd to remove most
configuration changes introduced during the labs in the module. Remove the
Log on locally right from the Everyone group manually. Manually delete the
GPOs created by students.
Overview
• Introduction to Managing User Environments
• Using Administrative Templates
• Using Scripts
• Best Practices
To manage user environments effectively, you need to ensure that users have
access to the resources that they require to do their jobs—and only those
resources. Microsoft® Windows® 2000 allows you to reduce the complexity of
user environments and remove the possibility of users corrupting their
environments or spending time on unnecessary applications, software, or files.
This can lower your total cost of ownership (TCO) by ensuring that users are
always able to perform their job responsibilities and are not distracted by
unnecessary software or configuration options.
By using the Administrative Templates and Script extensions in Group Policy,
you can set up the environments for multiple users once, and then rely on
Windows 2000 to continually implement and apply the settings that you specify
to computers and users.
At the end of this module, you will be able to:
• Identify the benefits of controlling user environment settings by using
  Group Policy.
• Use the administrative template settings in Group Policy to control and
  configure user environments.
• Use script settings in Group Policy to run scripts that help control
  user environments.
• Apply best practices for managing user environments.
Slide Objective
To provide an overview of the module topics and objectives.
Lead-in
In this module, you will learn about using Group Policy to manage user environments. The Group Policy settings that you use most frequently to manage user environments are administrative templates and scripts.
Briefly present the course objectives. Do not go into detail on this topic.
Introduction to Managing User Environments
• Use Group Policy to Immediately Define a User Environment for a New User or Computer
• Perform the Tasks to Manage User Environments
• Control What Users Can Do in Their User Environments
• Provide Users with Only the Resources That They Need to Do Their Jobs
• Use Group Policy Settings to Manage User Environments
[Slide diagram: Administrative Templates (Registry-Based) Settings; Scripts Settings; Control User Environments]
Managing user environments means controlling what users can do when logged
on to the network. You do this by controlling their desktops, network
connections, and user interfaces. You want to ensure that users have what
they need to perform their jobs, but you do not want to give them the ability
to accidentally corrupt their environments by incorrectly configuring
the environments.
The types of Group Policy settings that you typically use to manage user
environments are administrative template settings (registry-based settings) and
script settings. You configure these settings in Group Policy in the
Administrative Templates and Script extensions.
If you have used Group Policy to set up user environments for an Active
Directory™ directory service container, such as an organizational unit (OU), any
computer or user that you add to that OU has the Group Policy applied to him
or her automatically.
To manage user environments, perform the following tasks:
• Enforce standard desktops. Group Policy settings provide a quick and easy
way to enforce standards, ranging from logon and password settings to
mandating the use of a particular wallpaper or screen saver. In this way, you
prevent users from making changes to their desktops that could make them
more complex than necessary.
• Limit user access to selected portions of the operating system. You can
remove users’ ability to open Control Panel and prevent users from shutting
down their computers. By preventing users from gaining access to critical
operating system components and configuration options, you reduce the
possibility of users corrupting their systems and the number of technical
support calls required. For example, you can remove users’ ability to open
Control Panel or prevent users from shutting down their computers.
Slide Objective
To explain how managing user environments by using Group Policy settings simplifies network administration.
Lead-in
Managing user environments means controlling what users can do when logged on to the network, as well as what appears on their desktops.
Describe the tasks involved in managing user environments with Group Policy. Do not go into too much detail, because this is an introductory topic.
Remind students that they can set up Group Policy once, and then Windows 2000 will continually enforce it.
Key Points
If Group Policy settings that control user environments are set up for an OU, when an administrator adds a new user or computer to that OU, the Group Policy settings immediately apply. This means that the user environment is immediately set up for that user or computer.
Administrators can use Group Policy to provide users with what they need to do their jobs while curtailing user actions that could accidentally corrupt the user environments.
• Ensure that users always have their desktops and personal data. By
managing user desktop settings with registry-based policies, you ensure that
users have the same computing environments even if they log on from
different computers. You can control how Windows 2000 manages user
profiles. This includes how users’ personal data is made available to them
when connecting across slow links, what the user profiles contain when they
are downloaded, and the size of the profiles.
• Restrict the use of Windows 2000 tools and components. These tools and
components include Microsoft Internet Explorer, Windows Explorer, and
the Microsoft Management Console (MMC). You can ensure that users
never see these tools unless they have a genuine need for them.
• Populate user desktops. You can ensure that users have the files, shortcuts,
and network connections (including maps to network drives and printer
connections) that they need for their work.
• Clean up client computers and the desktop. You configure settings to
automatically clean up a computer when the user logs off or shuts down the
computer. For example, when the user logs off, you can remove all the
items with which you populated the desktop when the user logged on. Then,
if different users log on to the same client computer, you can ensure that
items set up for one particular user are not on the desktop.
Using Administrative Templates
• What Are Administrative Template Settings?
• How Computers Apply Group Policy Registry Settings
• What Is Group Policy Loopback?
• Types of Administrative Template Settings
• Settings for Locking Down User Environments
• Implementing Administrative Template Settings
Administrative template settings are a multitude of registry-based Group Policy
settings that you can use to control user environments. These settings apply to
both computers and user accounts and allow you to lock down user
environments. Locking down user environments prevents users from changing
desktop configurations, using certain applications, and making changes to
system files.
Slide Objective
To introduce administrative template settings.
Lead-in
Administrative template settings provide you with the capability of managing user environments.
Make sure that students know what it means to lock down user environments.
What Are Administrative Template Settings?
• Administrative Template Settings Modify Registry Settings That Control User Environments
• Settings Modify Registry Settings in the Registry Hives
  • HKEY_LOCAL_MACHINE for computer settings
  • HKEY_CURRENT_USER for user settings
• Group Policy Registry Settings Are Not Permanent Because They Write to:
  • \Software\Policies
  • \Software\Microsoft\Windows\CurrentVersion\Policies
• Windows 2000 Applies Both Group Policy and Local Default-Registry Settings Unless There Is a Conflict
Administrative templates are a collection of Group Policy settings that modify
registry settings. You use the Administrative Templates extension in Group
Policy to configure user and computer registry-based settings that control the
user’s working environment. This includes controlling users’ desktops,
interface options, network connections, the behavior of system services,
operating system components, and the default values for application settings.
Administrative template settings modify the settings stored in two
Windows 2000 registry hives of a computer. The hives are:
• HKEY_LOCAL_MACHINE (HKLM). When a computer starts, the
  Group Policy settings that apply to the computer are written to this registry
  location. The computer then continues initializing and replacing its local
  default-registry settings with settings from Computer
  Configuration\Administrative Templates.
• HKEY_CURRENT_USER (HKCU). When a user logs on to a computer,
  Group Policy settings that apply to the user are written to this registry
  location. The computer then continues initializing and replacing its local
  default-registry settings with settings from User
  Configuration\Administrative Templates.
The administrative templates settings that Group Policy provides do
not permanently change the registry, because registry settings
specified by Group Policy write to special locations in the registry hives
(HKLM and HKCU). These locations are \Software\Policies or
\Software\Microsoft\Windows\CurrentVersion\Policies. When settings reside
in these locations, Windows 2000 enforces them without removing the local
default-registry settings.
Windows 2000 applies both the Group Policy and the default registry settings to
users and computers. If there are conflicts, the Group Policy settings prevail. If
you delete the Group Policy object (GPO) containing the settings, or unlink it
from a container, the settings are removed from the registry hive the next time
that Group Policy is refreshed, and the local default-registry settings apply.
Slide Objective
To explain what administrative template settings are and where they reside.
Lead-in
Group Policy administrative template settings are registry-based settings that you can use to manage user environments.
Make sure that students remember what a registry hive is.
Key Points
Administrative template settings modify the settings stored in the two registry hives. The hives are HKEY_LOCAL_MACHINE for computer settings, and HKEY_CURRENT_USER for user settings.
Registry settings specified by Group Policy write to special locations in the registry. They do not permanently change the local registry settings.
If you remove the Group Policy settings, only the local registry settings apply.
How Computers Apply Group Policy Registry Settings
Registry.pol Files Contain the Registry Settings and Values
[Slide diagram: Sysvol, GPT, GPO List, Registry.pol, HKCU, HKLM]
1. Client computer starts, user logs on, and the domain controller provides a list of GPOs
2. Client computer connects to Sysvol and locates the Registry.pol files
3. Client computer writes to the registry hives (HKLM and HKCU)
The administrative templates settings and the values for the settings that
Windows 2000 applies are stored in a Registry.pol file in the Group Policy
template (GPT) on domain controllers. There are two files: one for computer
settings, and one for user settings.
Note: The path for the Registry.pol file is
systemroot\SYSVOL\Sysvol\domain_name\Policies\GPO_GUID_identifier\Machine
or \User. Typically, the systemroot folder (the folder that contains the
Windows 2000 system files) is C:\Winnt.
The process that a Windows 2000 computer uses to apply administrative
template settings and write them to the registry hives is as follows:
1. When the client computer starts or the user logs on, the domain controller
provides the client computer with the list of GPOs to apply and the order in
which to apply them.
2. The client computer connects to the Sysvol folder on the domain controller,
and then locates the Machine\Registry.pol and User\Registry.pol files in the
GPT for each GPO that contains registry-based settings.
3. The client computer writes the registry settings and their values in the
Registry.pol file to the appropriate registry hives (HKLM and HKCU). The
computer continues initializing the operating system and enforces the
registry settings—applying computer settings to computers, and user
settings to users.
The settings in the Group Policy section of the registry hives apply even
when there is a conflict with settings in the local default registry settings.
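The following Python example is added here and is not part of the courseware: it parses a Registry.pol file and separates the entries written under the two policy locations named earlier from entries written anywhere else, which the non-permanence described above does not cover. The binary layout comes from Microsoft's published Registry Policy File Format rather than from this page, and the sample bytes, including the Contoso keys and values, are constructed.

```python
import struct
# Layout per Microsoft's published Registry Policy File Format (not on this
# page): "PReg", DWORD version 1, then UTF-16LE [key;value;type;size;data].
REG_SZ, REG_DWORD = 1, 4
POLICY_ROOTS = ("software\\policies\\",  # the two locations the module names
                "software\\microsoft\\windows\\currentversion\\policies\\")

def _u(text):
    return text.encode("utf-16-le")

def _expect(blob, pos, ch):
    if blob[pos:pos + 2] != _u(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _cstr(blob, pos):  # NUL-terminated UTF-16LE string followed by ';'
    end = pos
    while end + 2 <= len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2
    return blob[pos:end].decode("utf-16-le"), _expect(blob, end + 2, ";")

def _dword(blob, pos):  # little-endian DWORD followed by ';'
    value = int.from_bytes(blob[pos:pos + 4], "little")
    return value, _expect(blob, pos + 4, ";")

def parse_registry_pol(blob):
    """Return (key, value_name, reg_type, data) for every record."""
    if blob[:8] != b"PReg" + struct.pack("<I", 1):
        raise ValueError("not a version 1 Registry.pol file")
    pos, entries = 8, []
    while pos < len(blob):
        key, pos = _cstr(blob, _expect(blob, pos, "["))
        name, pos = _cstr(blob, pos)
        reg_type, pos = _dword(blob, pos)
        size, pos = _dword(blob, pos)
        data = blob[pos:pos + size]
        pos = _expect(blob, pos + size, "]")  # fails if data is truncated
        if reg_type == REG_DWORD and size == 4:
            data = int.from_bytes(data, "little")
        elif reg_type == REG_SZ:
            data = data.decode("utf-16-le").rstrip("\x00")
        entries.append((key, name, reg_type, data))
    return entries

def audit(blob):  # split records: (inside, outside) the policy locations
    inside, outside = [], []
    for entry in parse_registry_pol(blob):
        ok = (entry[0].lower() + "\\").startswith(POLICY_ROOTS)
        (inside if ok else outside).append(entry)
    return inside, outside

def _record(key, name, reg_type, data):  # builds the constructed sample
    return (_u(f"[{key}\0;{name}\0;") + struct.pack("<I", reg_type) + _u(";")
            + struct.pack("<I", len(data)) + _u(";") + data + _u("]"))

# Constructed sample; the Contoso keys and values are made up.
SAMPLE = b"PReg" + struct.pack("<I", 1) + b"".join(_record(*r) for r in [
    ("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
     "NoControlPanel", REG_DWORD, struct.pack("<I", 1)),
    ("Software\\Policies\\Contoso\\App", "Banner", REG_SZ, _u("Lab\0")),
    ("Software\\Contoso\\App", "Legacy", REG_DWORD, struct.pack("<I", 0)),
])
```

Calling `audit()` on the bytes of a Machine\Registry.pol or User\Registry.pol file copied from a GPT returns the two lists; a non-empty second list identifies values that are written outside the policy locations.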
Slide Objective
To describe the Registry.pol file and the process for applying administrative template settings.
Lead-in
Now let us look at the process in which Group Policy registry settings are applied.
The slide for this topic is animated. Display a new step on the slide as you talk about it.
Delivery Tip
Open Windows Explorer and show students the Registry.pol files in the path provided in the Note in the student text.
Key Points
The administrative template settings that Windows 2000 applies are stored in the Registry.pol file in the GPT on domain controllers.
The values for the registry settings are contained in the Registry.pol file.