Manage Desktop Configuration using group policy


NMA Practical 23: Manage Desktop Configuration using group policy and remote installation services.

Group Policy Collection:-

Group Policy is an infrastructure that allows you to implement specific configurations for users and computers. Group Policy settings are contained in Group Policy objects (GPOs), which are linked to the following Active Directory directory service containers: sites, domains, or organizational units (OUs). The settings within GPOs are then evaluated by the affected targets, using the hierarchical nature of Active Directory. Consequently, Group Policy is one of the top reasons to deploy Active Directory because it allows you to manage user and computer objects.

Group Policy is one of a group of management technologies, collectively known as IntelliMirror management technologies, which provide users with consistent access to their applications, application settings, roaming user profiles, and user data, from any managed computer, even when they are disconnected from the network. IntelliMirror is implemented through a set of Microsoft Windows features, including Active Directory, Group Policy, Software Installation, Windows Installer, Folder Redirection, Offline Folders, and Roaming User Profiles.

This collection includes detailed information about each of the following areas of Group Policy:
1. Core Group Policy
2. Group Policy Components
3. Group Policy Administrative Tools

This page introduces Group Policy management concepts and architecture, summarizes the areas included in the Group Policy collection, and describes Group Policy scenarios.

Group Policy Management

Administrators face increasingly complex challenges in managing the IT infrastructure. You must deliver and maintain customized desktop configurations for more types of workers, such as mobile users, information workers, or others assigned to strictly defined tasks, such as data entry. Security settings and updates must be delivered efficiently to all the computers and devices in the organization. New users need to be productive quickly without costly training. In the event of a computer breakdown or disaster, service must be restored with a minimum of data loss and interruption. All of these tasks, known collectively as Change and Configuration Management, must be achieved at the lowest possible cost. You need to be able to implement change quickly and affect large numbers of users and computers. Group Policy is the infrastructure that allows you to implement change on the object level in Active Directory.

You need to be able to define configurations once and rely on the operating system to enforce that state. With Active Directory, GPOs can be linked to sites, domains, and OUs, allowing Group Policy settings to be applied to users and computers. In addition, GPOs can be used to help manage server computers, through many server-specific operational and security settings. This infrastructure provides a high degree of flexibility, allowing you to customize configurations, such as delivering a specific piece of software to specialized users based on their membership in an OU. In addition, the Group Policy Management Console (GPMC) simplifies implementation and management of Group Policy.

Group Policy Architecture

Group Policy uses a document-centric approach to creating, storing, and associating Group Policy settings. Similar to the way in which Microsoft Word stores information in .doc files, Group Policy settings are contained in GPOs. A GPO is a virtual object; policy-setting information is stored in two locations: the Active Directory container to which the GPO is linked, and the Sysvol on the domain controller.

Group Policy is configured primarily through the use of two tools: Group Policy Object Editor (previously known as the Group Policy snap-in, Group Policy Editor, or Gpedit) and Group Policy Management Console (GPMC), available for download from the Microsoft Web site. Whereas Group Policy Object Editor is used to configure and modify settings within GPOs, GPMC is used to create, view, and manage GPOs.

Group Policy architecture is shown in the following diagram, which shows how the primary components interact through read or write access. The components are described in the table below the diagram.

Group Policy Architecture

Group Policy Components

Server (Domain Controller)
In an Active Directory forest, the domain controller is a server that contains a writable copy of the Active Directory database, participates in Active Directory replication, and controls access to network resources.

Active Directory
Active Directory, the Windows-based directory service, stores information about objects in a network and makes this information available to users and network administrators. Administrators link GPOs to Active Directory containers such as sites, domains, and OUs that include user and computer objects. In this way, Group Policy settings can be targeted to users and computers throughout the organization.

Group Policy object (GPO)
A GPO is a collection of Group Policy settings, stored at the domain level as a virtual object consisting of a Group Policy container (GPC) and a Group Policy template (GPT). The GPC, which contains information on the properties of a GPO, is stored in Active Directory on each domain controller in the domain. The GPT contains the data in a GPO and is stored in the Sysvol, in the /Policies sub-directory. GPOs affect users and computers that are contained in sites, domains, and OUs.

Sysvol
Sysvol is a shared directory that stores the server copy of the domain's public files, which are replicated among all domain controllers in the domain. The Sysvol contains the data in a GPO: the GPT, which includes Administrative Template-based Group Policy settings, security settings, script files, and information regarding applications that are available for software installation. It is replicated using the File Replication Service (FRS).

Local Group Policy object
The local Group Policy object (local GPO) is stored on each individual computer, in the hidden %systemroot%\System32\GroupPolicy directory. Each computer running Windows 2000, Windows XP Professional, Windows XP 64-Bit Edition, Windows XP Media Center Edition, or Windows Server 2003 has exactly one local GPO, regardless of whether the computers are part of an Active Directory environment.

Local GPOs do not support certain extensions, such as Folder Redirection or Group Policy Software Installation. Local GPOs do support many security settings, but the Security Settings extension of Group Policy Object Editor does not support remote management of local GPOs. Local GPOs are always processed, but are the least influential GPOs in an Active Directory environment, because Active Directory-based GPOs have precedence.

Although you can configure local GPOs on individual computers, the full power of Group Policy can only be realized in a Windows Server network with Active Directory installed. In addition, some features and Group Policy settings require client computers running Windows XP.

Group Policy Object Editor
Group Policy Object Editor is a Microsoft Management Console (MMC) snap-in that is used to edit GPOs. It was previously known as the Group Policy snap-in, Group Policy Editor, or Gpedit.

Server-Side Snap-Ins
The MMC snap-in is loaded, by default, in Group Policy Object Editor. Server-side snap-in extensions provide the user interface to allow you to configure various policy settings, while client-side extensions implement the actual policy settings on target client computers.

Snap-in extensions include Administrative Templates, Scripts, Security Settings, Software Installation, Folder Redirection, Remote Installation Services, Internet Explorer Maintenance, Disk Quotas, Wireless Network Policy, and QoS Packet Scheduler. Snap-ins may in turn be extended. For example, the Security Settings snap-in includes several extension snap-ins. Developers can also create their own MMC extension snap-ins to Group Policy Object Editor to provide additional Group Policy settings.

Client-Side Extensions
Client-side extensions (CSEs) run within dynamic-link libraries (DLLs) and are responsible for implementing Group Policy at the client computer. The following CSEs are loaded, by default, in Windows Server 2003: Administrative Templates, Wireless Network Policies, Folder Redirection, Disk Quotas, QoS Packet Scheduler, Scripts, Security, Internet Explorer Maintenance, EFS Recovery, Software Installation, and IP Security.

Group Policy Management Console (GPMC)
GPMC is a new tool designed to simplify implementation and management of Group Policy. It consists of a new MMC snap-in and a set of scriptable interfaces for managing Group Policy. The Group Policy Management Console provides:
1. A user interface based on how customers use and manage Group Policy, rather than on how the technology is built.
2. Import/Export, Copy/Paste, and searching of GPOs.
3. Simplified management of Group Policy-related security.
4. Reporting (printing, saving, read-only access to GPOs) for GPO and Resultant Set of Policy (RSoP) data.
5. Backup/Restore of GPOs.
6. Scripting of GPO operations that are exposed within this tool (but NOT scripting of settings within a GPO).

Resultant Set of Policy (RSoP) snap-in
The Resultant Set of Policy (RSoP) snap-in is an MMC snap-in that simplifies Group Policy implementation and troubleshooting. RSoP uses Windows Management Instrumentation (WMI) to determine how Group Policy settings are applied to users and computers. For RSoP functionality, it is recommended to use the reporting features in GPMC.

Winlogon
A component of the Windows operating system that provides interactive logon support, Winlogon is the service in which the Group Policy engine runs.

Group Policy engine
The Group Policy engine is the framework that handles common functionalities across client-side extensions, including scheduling of Group Policy application, obtaining GPOs from relevant configuration locations, and filtering and ordering of GPOs.

File System
The NTFS file system on client computers.

Registry
A database repository for information about a computer's configuration, the registry contains information that Windows continually references during operation, such as:
1. Profiles for each user.
2. The programs installed on the computer and the types of documents that each can create.
3. Property settings for folders and program icons.
4. The hardware on the system.
5. Which ports are being used.
The registry is organized hierarchically as a tree, and it is made up of keys and their subkeys, hives, and entries. The Group Policy engine has read and write access to the registry. Registry settings can be controlled via the Group Policy Administrative Templates extension.

Event Log
The Event log is a service, located in Event Viewer, which records events in the system, security, and application logs. The Group Policy engine has write access to the Event Log on client computers and domain controllers. The Help and Support Center on each computer has read access to the Event Log.

Help and Support Center
The Help and Support Center is a component on each computer that provides HTML reports on the Group Policy settings currently in effect on the computer.

Resultant Set of Policy (RSoP) infrastructure
All Group Policy processing information is collected and stored in a Common Information Model Object Management (CIMOM) database on the local computer. This information, such as the list, content and logging of processing details for each GPO, can then be accessed by tools using WMI.

In logging mode (Group Policy Results), RSoP queries the CIMOM database on the target computer, receives information about the policies and displays it in GPMC. In planning mode (Group Policy Modeling), RSoP simulates the application of policy using the Group Policy Directory Access Service (GPDAS) on a domain controller. GPDAS simulates the application of GPOs and passes them to virtual client-side extensions on the domain controller. The results of this simulation are stored to a local CIMOM database on the domain controller before the information is passed back and displayed in GPMC.

WMI
WMI is a management infrastructure that supports monitoring and controlling of system resources through a common set of interfaces and provides a logically organized, consistent model of Windows operation, configuration, and status.

WMI makes data about a target computer available for administrative use. Such data can include hardware and software inventory, settings, and configuration information. For example, WMI exposes hardware configuration data such as CPU, memory, disk space, and manufacturer, as well as software configuration data from the registry, drivers, file system, Active Directory, the Windows Installer service, networking configuration, and application data. WMI Filtering in Windows Server 2003 allows you to create queries based on this data. These queries (also called WMI filters) determine which users and computers receive all of the policy configured in the GPO where you create the filter.
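Two things from the table above can be shown together in one small model: the order in which the engine applies GPOs (the local GPO first and least influential, then site, domain and OU-linked GPOs, so the GPO linked closest to the target wins a conflicting setting) and the all-or-nothing effect of a WMI filter on a GPO. The Python below is an added illustration, not code from this page or from Windows. The GPO class, the Software\Policies\Example keys, the GPO names and the two target computers are constructed for the demo, and the filter function stands in for a WQL query; its ProductType check mirrors the Win32_OperatingSystem property of that name, where 1 means workstation and 3 means server.

```python
"""Model of how a client's Group Policy engine arrives at its resultant set of
registry-based settings (added illustration, not code from this page or from
Windows). GPOs are gathered from the local computer, the site, the domain and
then each OU from the top of the tree down to the one holding the target, and
applied in that order: a later (closer) GPO overwrites a setting written by an
earlier one, so the local GPO is the least influential. A GPO with a WMI
filter is skipped entirely when the filter evaluates false for the target.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Setting = Tuple[str, str]          # (registry key, value name)
Facts = Dict[str, object]          # WMI-style inventory of the target computer

@dataclass
class GPO:
    name: str
    settings: Dict[Setting, object]
    wmi_filter: Optional[Callable[[Facts], bool]] = None   # None: no filter

def application_order(local: Optional[GPO], site: List[GPO], domain: List[GPO],
                      ou_chain: List[Tuple[str, List[GPO]]]) -> List[Tuple[str, GPO]]:
    """(scope, GPO) pairs in the order the engine applies them: local, site,
    domain, then OUs from the top-level OU down to the target's own OU."""
    ordered: List[Tuple[str, GPO]] = []
    if local is not None:
        ordered.append(("local", local))
    ordered += [("site", g) for g in site]
    ordered += [("domain", g) for g in domain]
    for ou_name, gpos in ou_chain:
        ordered += [(f"OU {ou_name}", g) for g in gpos]
    return ordered

def resultant_set(local, site, domain, ou_chain, facts: Facts):
    """Apply the GPOs in order. Returns (effective settings, winning GPO per
    setting, names of GPOs dropped because their WMI filter was false)."""
    effective: Dict[Setting, object] = {}
    winner: Dict[Setting, str] = {}
    filtered_out: List[str] = []
    for scope, gpo in application_order(local, site, domain, ou_chain):
        if gpo.wmi_filter is not None and not gpo.wmi_filter(facts):
            filtered_out.append(gpo.name)        # whole GPO is skipped, not one setting
            continue
        for setting, value in gpo.settings.items():
            effective[setting] = value           # later GPO overwrites the earlier one
            winner[setting] = f"{gpo.name} ({scope})"
    return effective, winner, filtered_out

# Constructed sample: the keys under Software\Policies\Example are invented for the demo.
DESKTOP = "Software\\Policies\\Example\\Desktop"
LOCK = (DESKTOP, "LockTimeoutSeconds")
WALLPAPER = (DESKTOP, "Wallpaper")
PROXY = ("Software\\Policies\\Example\\Network", "ProxyServer")

LOCAL_GPO = GPO("Local GPO", {LOCK: 900, (DESKTOP, "ShowHelpLink"): 1})
SITE_GPOS = [GPO("Site proxy", {PROXY: "proxy.site1.example:8080"})]
DOMAIN_GPOS = [GPO("Domain baseline", {LOCK: 600, WALLPAPER: "\\\\fs\\wall\\corp.bmp"})]
OU_CHAIN = [
    ("Corp", [GPO("Corp desktops", {WALLPAPER: "\\\\fs\\wall\\corp-2.bmp"})]),
    # Filter mirrors the Win32_OperatingSystem ProductType property (1 = workstation).
    ("Workstations", [GPO("Workstation lockdown", {LOCK: 300},
                          wmi_filter=lambda f: f.get("ProductType") == 1)]),
]

def demo(product_type: int):
    """Resultant set for a computer in OU Corp\\Workstations with the given ProductType."""
    return resultant_set(LOCAL_GPO, SITE_GPOS, DOMAIN_GPOS, OU_CHAIN,
                         {"ProductType": product_type})

if __name__ == "__main__":
    for label, ptype in (("workstation", 1), ("server", 3)):
        effective, winner, dropped = demo(ptype)
        print(f"--- {label}: dropped by WMI filter: {dropped}")
        for setting, value in effective.items():
            print(f"{setting[0]}\\{setting[1]} = {value!r}  <- {winner[setting]}")
```

Running the two cases shows why RSoP reporting matters: the server and the workstation sit in the same OU and receive the same GPO links, yet the lock timeout differs (300 versus 600 seconds) only because the WMI filter removed the whole "Workstation lockdown" GPO for the server.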

Core Group Policy
This subject explains the Group Policy infrastructure, including how the Group Policy engine controls policy processing: retrieval of GPOs, invocation of individual extensions, and other infrastructure functionality.

Group Policy Components
The Group Policy Components subcollection describes the role of extensions, including server-side snap-in extensions and client-side extensions. These extensions include: Administrative Templates, Software Installation, Security Settings, Scripts, Remote Installation Services, Internet Explorer Maintenance, Folder Redirection, QoS Packet Scheduler, Disk Quotas, and Wireless Network Policies.

Group Policy Administrative Tools
This subcollection explains administrative tools, including the Group Policy Object Editor, Group Policy Management Console, and the Resultant Set of Policy (RSoP) snap-in.

Group Policy Scenarios
Group Policy is used to define configurations for groups of users and computers. With Group Policy, you can specify configurations for a wide range of areas, including Administrative Templates (registry-based policies), security, software installation, scripts, folder redirection, remote installation services, and Internet Explorer maintenance. Group Policy settings are contained in a GPO. By associating a GPO with selected Active Directory system containers (sites, domains, and organizational units), the GPO's Group Policy settings are applied to the users and computers in those Active Directory containers. This section provides an overview of what you can do with Group Policy.

Managing Desktops, Applications, and Components with Registry-Based Policies
Administrative Templates (or .adm files) enable you to control registry settings using Group Policy, providing the means to configure the behavior and appearance of the desktop, including the operating system, components, and applications.
Windows comes with a predefined set of Administrative Template files, which are implemented as text files (with an .adm extension), that define the registry settings that can be configured in a GPO. These .adm files are stored in two locations by default: inside GPOs in the Sysvol folder and in the %windir%\inf directory on the local computer.

Managing Security
Group Policy is used to manage the following types of security options for users, clients, servers, and domain controllers:
1. Security settings. These Group Policy settings are used to define values for various security-relevant operating system parameters, such as password policy, user rights assignment, audit policy, registry values, file and registry ACLs, and service startup modes.
2. IPSec policies. These Group Policy settings are used to configure IPSec services for authenticating or encrypting network traffic. An IPSec policy consists of a set of security rules, and each security rule consists of an IP filter with an action.
3. Software restriction policies. These Group Policy settings are used to help protect computers from code that is not trusted by identifying and specifying which applications are permitted to run.
4. Wireless network policies. These Group Policy settings are used to configure settings for the Wireless Configuration Service, a user-mode service that operates on each of the IEEE 802.11 wireless network adapters that are installed on a computer.
5. Public Key Policies. These Group Policy settings are used to: specify that computers automatically submit a certificate request to an enterprise certification authority and install the issued certificate; create and distribute a certificate trust list; establish common trusted root certification authorities; and add encrypted data recovery agents and change the encrypted data recovery policy settings.

Implementing Group Policy-based Software Installation
The Software Installation snap-in is used to centrally manage software.
Software can be assigned or published to users and assigned to computers. Group Policy-based software installation can be used to install software applications when a computer is started, when the user logs on, or on demand. Software installation Group Policy settings can be applied to users or computers in an Active Directory structure.

Group Policy-based software installation can also be used to upgrade deployed applications or remove earlier applications that are no longer required. Users can be restricted from installing any software from local media, such as a CD-ROM or disk, or other unapproved applications.

Medium and large organizations may wish to consider using Systems Management Server (SMS). SMS provides advanced capabilities such as inventory-based targeting, status reporting, server- and client-side scheduling, multisite facilities, complex targeting, centralized hardware and software inventory, remote diagnostic tools, software metering, software distribution-point population and maintenance, support for Windows 95, Windows 98, Windows NT 4.0, Windows 2000, and Windows XP clients, and enhanced software deployment features. SMS does not require Active Directory.

Managing Remote Operating System Installations
Remote Installation Services (RIS) is used to control the behavior of the Remote Operating System Installation feature as displayed to client computers. Remote Installation enables administrators to perform a new installation of Windows on Preboot eXecution Environment (PXE) remote boot-enabled client computers throughout an organization. Using a customized, fully automated installation process from a remote source, an administrator does not have to visit the new computer to install a new operating system and core applications.
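The registry-based policies passage above says that .adm files are plain text files defining which registry settings a GPO can configure. Reading one shows exactly that mapping: each POLICY names a KEYNAME and VALUENAME and, through VALUEON and VALUEOFF, the data written when the policy is Enabled or Disabled. The Python below is an added example, not code from this page or from Windows; it parses the classic .adm keywords and reports the registry writes an Enabled policy produces. The template text, the Software\Policies\Example key and the value names in it are constructed for the demo.

```python
"""Minimal parser for classic Administrative Template (.adm) files (added
example, not part of this page or of Windows). It reports which registry key
and value each POLICY controls and what is written when the policy is Enabled.
Handles CLASS, CATEGORY, POLICY, KEYNAME, PART, VALUENAME, VALUEON, VALUEOFF,
END and the [strings] section; #if/#endif lines are skipped, not evaluated.
"""
import re
from typing import Dict, List

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # quoted string (may hold spaces) or bare word

def parse_adm(text: str) -> List[Dict]:
    strings, body, in_strings = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("#"):  # comment / directive
            continue
        if line.lower() == "[strings]":
            in_strings = True
        elif in_strings:                            # Name="display text"
            name, _, val = line.partition("=")
            strings[name.strip()] = val.strip().strip('"')
        else:
            body.append(line)

    def resolve(tok: str) -> str:                   # !!Name -> [strings] entry
        return strings.get(tok[2:], tok) if tok.startswith("!!") else tok

    def literal(toks: List[str]):                   # NUMERIC 600 -> 600, "text" -> "text"
        return int(toks[1]) if toks[0].upper() == "NUMERIC" else toks[0]

    policies: List[Dict] = []
    cls = category = policy = policy_key = part = part_key = value = None
    for line in body:
        toks = [q if q else b for q, b in TOKEN_RE.findall(line)]
        kw = toks[0].upper()
        if kw == "CLASS":
            cls = toks[1].upper()
        elif kw == "CATEGORY":
            category = resolve(toks[1])
        elif kw == "POLICY":
            policy_key = None
            policy = {"class": cls, "category": category,
                      "name": resolve(toks[1]), "values": []}
            policies.append(policy)
        elif kw == "PART":
            part, part_key = resolve(toks[1]), None
        elif kw == "KEYNAME" and part is None:
            policy_key = toks[1]
        elif kw == "KEYNAME":                       # inside a PART: overrides the policy key
            part_key = toks[1]
        elif kw == "VALUENAME":
            value = {"key": part_key or policy_key, "name": toks[1],
                     "part": part, "on": None, "off": None}
            policy["values"].append(value)
        elif kw in ("VALUEON", "VALUEOFF"):
            value[kw[5:].lower()] = literal(toks[1:])
        elif kw == "END" and toks[1].upper() == "PART":
            part = part_key = None
    return policies

def registry_writes_when_enabled(policies: List[Dict]):
    """(class, key, value name, data) written when each policy is Enabled; a policy-level
    VALUENAME without VALUEON writes REG_DWORD 1, and PART data (typed in by the admin) is None."""
    writes = []
    for p in policies:
        for v in p["values"]:
            data = v["on"] if v["on"] is not None else (1 if v["part"] is None else None)
            writes.append((p["class"], v["key"], v["name"], data))
    return writes

# Constructed template: the Example key and value names are invented for the demo.
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY !!ExampleCat
  POLICY !!LockPolicy
    KEYNAME "Software\Policies\Example\Desktop"
    VALUENAME "LockTimeoutSeconds"
    VALUEON NUMERIC 600
    VALUEOFF NUMERIC 0
  END POLICY
  POLICY !!WallpaperPolicy
    KEYNAME "Software\Policies\Example\Desktop"
    PART !!WallpaperPart EDITTEXT
      VALUENAME "Wallpaper"
    END PART
  END POLICY
  POLICY !!HelpPolicy
    KEYNAME "Software\Policies\Example\Desktop"
    VALUENAME "ShowHelpLink"
  END POLICY
END CATEGORY
[strings]
ExampleCat="Example desktop settings"
LockPolicy="Lock the workstation after a timeout"
WallpaperPolicy="Desktop wallpaper"
WallpaperPart="UNC path of the wallpaper file"
HelpPolicy="Show the help link on the desktop"
'''
```

Run over a custom template before it is imported into a GPO, `registry_writes_when_enabled(parse_adm(text))` lists every key and value the template can touch, which is the list to review against the registry locations the organization considers sensitive.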

Remote Installation Services Extension Overview

Administrators who install multiple client operating systems on bare-metal computers (computers that do not have an operating system) one at a time from the installation CD can spend a lot of time at each computer. This takes administrators away from their other responsibilities. Customizing and configuring each newly installed operating system to meet organization needs is susceptible to errors and takes even more time. Having an inexperienced end user install the operating system from the CD can be frustrating for the end user, result in installation errors, and increase the number of technical support service calls.

With Windows Server 2003, Microsoft provides two features to help administrators deploy Windows clients and servers over a network. These two features are RIS and Automated Deployment Services (ADS). Administrators can use ADS for deploying server farms. For more information about ADS, see Automated Deployment Services Support Resources under Management Services on the Windows Server 2003 Support Center.

You can use RIS to:
1. Provide an operating system to users on demand.
2. Provide an operating system image that includes specific settings and applications.
3. Create automated installation images of products in the Windows Server 2003 family, Windows XP, and Windows 2000.

You can also combine RIS with IntelliMirror features such as user documents and settings, Software Installation, and Group Policy. This combination can improve the efficiency of computer management in your organization, and reduce the number of technical support service calls.

The following figure shows the Remote Installation Services node of the Group Policy Object Editor, which is used to configure RIS policy settings. This figure shows the RIS server-side extension user interface, provided by rigpsnap.dll. There is no RIS client-side extension.

Group Policy Object Editor

The settings you make in the RIS SSE (server-side extension) determine which of the four options the user sees in the Client Installation Wizard of the target computer, as seen in the following figure.

Client Installation Wizard

This figure shows each of the options that are presented to the user on the target computer during a remote installation of an operating system. Because all four settings are enabled in the SSE, all four settings appear in the wizard. Maintenance and Troubleshooting in the wizard corresponds to Tools in the SSE.

Remote Installation Services Extension Core Scenarios
The core scenario for Remote Installation Services is operating system installation with no involvement of the administrator during client installation. By using the Remote Installation Services Extension node in the Group Policy Object Editor to configure RIS policy settings, the administrator can predetermine the options presented to users during installation. This saves the administrator time, and ensures consistent deployment of client computers across the organization.

Remote Installation Services Extension Dependencies
You can edit Remote Installation Group Policy settings on any computer that has the Group Policy Object Editor with the Remote Installation Services node (rigpsnap.dll). However, note the following about Remote Installation Services:
1. The Microsoft version of Active Directory is required.
2. The client computer using RIS to install an operating system must have a network card that supports Pre-boot Execution Environment (PXE), or is supported by the RIS remote boot floppy disk.
3. Windows XP Professional must have the Windows Server 2003 Administration Tools Pack installed to show RIS settings in Group Policy Object Editor.
4. RIS Help is not available by default in the Group Policy Management Console (GPMC) running on Windows XP Professional. Install Windows Help from the Windows Server 2003 CD onto the computer running Windows XP Professional.
5. RIS is not included in the Windows Server 2003, Web Edition operating system.
6. RIS installation image files must be located on a Windows NT File System (NTFS) partition not containing the system or boot files.