Before tasks are assigned to workstations what must be known? (select all that apply)

Letting That One Client Through: Configuring GPOs in Mixed Environments

Many organizations still use multiple operating systems on client machines. It should be noted that Microsoft's WMI features have only begun to mature, and client support for WMI only exists on Windows XP. Therefore, note that when configuring WMI filters for GPOs, Windows 2000 and earlier clients will ignore the WMI filter and the GPO will always apply regardless.

What Happens to My Distributed File System When I Rename My Domain?

First, those of you who are not using DFS should think seriously about it. DFS allows you to redirect specific folders like My Documents out to a high-availability network location where each user’s files can be backed up and protected. Folder redirection is a Group Policy extension that allows you to identify a connection between network servers or DFS roots and the local folders that you want to redirect.

What happens to DFS when you rename a domain ail depends on how you have it configured. Think about it, If you use a domain-based DFS path like \\domainName\DFSRoot, then when the domainName goes away, what happens to the path?

It goes dead, and everyone’s documents disappear, or become inaccessible. As far as the users know, all of their data is gone. Your telephone will ring by 5 a.m. the next day—guaranteed. What does it depend on, and how can you keep your telephone from ringing? If your Folder Redirection policy specifies the NetBIOS name of the domain in your domain-based DFS path, and you keep the NetBIOS name of your domain the same instead of changing it along with the DNS name, then you’re okay.

What if you want to change your NetBIOS name along with your DNS name? You could push out a new group policy and move the files to another location. Temporarily, you could point your folder redirection to a stand-alone DFS path, or even to a simple server-based share. You should do that a couple of days before the rename just to be sure it works before shaking things up again—you’ll be too busy renaming to worry about DFS at that point. Since \\hostName\DFSRoot stays rock solid through a domain rename, your documents should still be available the next morning. When things settle down, restore the user files back to your domain- based DFS root and push out the old DFS policy again. That isn’t without risk, but it keeps things working.

What about home directories and roaming profiles? Same thing. Look at the pathname you specify in your policy to determine whether they’ll break when you rename the domain. Make sure to fix those beforehand.

Overview of Group Policy

Group Policy was first introduced in Windows Server 2000 AD and was widely adopted as the standard method to manage user and computer configurations for Windows networks. Group Policy allows administrators to set and enforce settings on users and computers within the domain. These settings include security settings, restricting access to specific parts of the OS, and deploying software. At the core of the Group Policy is GPOs. GPOs contain the settings you wish to apply to computers or users and are applied locally or to sites, domains, or OUs within AD.

Group Policy links and security filtering

GPOs can be linked to AD sites, domains, or OUs. They can also be set up locally on individual computers. As you develop your GPOs, you will need to understand what objects you wish to apply the settings to. For example, if you want to prevent access to the Windows control panel for all users in the HR department, you could apply a GPO with those settings to the OU containing all the users in HR. Maybe you want to configure a specific Internet Explorer homepage for every user in the New York location. You could create a GPO with the IE settings defined and apply it to the New York AD site.

In addition to linking GPOs, you can also filter them based upon security. A user or computer must have read and apply permissions to a GPO before it applies to him. You can limit which users or computers can apply a specific GPO by adding or removing them to the GPO permissions as seen in Figure 4.40.

Figure 4.40. GPO permissions.

Notes from the field

GPOs apply to users and computers only

GPOs apply to users and computers only. They do not apply to groups. Groups can be used to security-filter GPOs but you cannot apply a GPO to an AD group.

Creating and managing Group Policy Objects

GPOs are created using the Group Policy Management console in Server Manager. To create a new GPO, perform the following tasks:

Log on to a DC and open Server Manager.

Expand the nodes Features | Group Policy Management | <your forest name> | Domains | <your domain name>.

Right-click an OU where you want to create a new GPO and select the option Create a GPO in this domain and link it here. Optionally, you could right-click on the Domain itself if you wanted to assign the GPO to the entire domain.

Enter a name that describes the use of this policy. For example, HR Computer Policy. The new policy will appear under the OU you selected to apply it to (see Figure 4.41).

Right-click on the newly created policy and select Edit.

The GPO management editor window will open. Here, you can configure specific settings for users and computers. In our example, we will configure the HR GPO to turn on branch cache as seen in Figure 4.42. After editing the setting, close the GPO management editor window.

The new GPO will now apply to all computers in the HR OU as seen in Figure 4.43.

We will now assume that we have a VPs OU that we want to be sure they do not get the new settings. To prevent them from having the GPO applied, we need to block inheritance. By blocking inheritance, we tell the OU to not apply any parent GPOs. To block inheritance to the VPs child OU, right-click the OU and select the option Block Inheritance. You should now notice that a blue exclamation appears over the OU as seen in Figure 4.44.

Troubleshooting Group Policy

Group Policy can be one of the toughest technologies to troubleshoot in an AD deployment. Luckily, Microsoft has provided some good tools to assist with troubleshooting issues.

Using the RSoP Wizard

You can use the RSoP Wizard to create an RSoP query on your Windows Server 2003 server. You begin by adding the RSoP snap-in to an empty MMC console. You can also access RSoP through the Active Directory Users and Computers console and the Active Directory Sites and Services console.

To access RSoP planning through the Active Directory Users and Computers MMC and start the RSoP Wizard, do the following:

Select Start | Programs | Administrative Tools | Active Directory Users and Computers.

Right-click the name of the domain or OU and select All Tasks.

Choose Resultant Set of Policy (Planning).

To access RSoP planning through the Active Directory Sites and Services MMC and start the RSoP Wizard, do the following:

Click Start | Programs | Administrative Tools | Active Directory Sites and Services.

Expand the Sites node in the left pane.

Right-click the name of a site and select All Tasks.

Select Resultant Set of Policy (Planning).

To start the RSoP Wizard from a stand-alone RSoP MMC, right-click Resultant Set of Policy in the left pane and select Generate RSoP Data (or select it from the Action menu). The Wizard will display the query results in the RSoP snap-in. You can save, change, or refresh your RSoP queries. You can create more than one query by adding the RSoP snap-in to your console. The information that RSoP gathers comes from the CIMOM database through Windows Management Instrumentation (WMI).

NOTE

The RSoP Wizard differs depending on which method you use to open RSoP. When you open the RSoP Wizard through the Active Directory Users and Computers or Active Directory Sites and Services console (under Administrative Tools), you can use only planning mode. When you open the Wizard from the RSoP MMC, the first selection you make is whether to use logging or planning mode.

Selecting the RSoP Mode for IPSec-related Queries

As mentioned earlier, RSoP can be run in either of two modes: logging or planning. In the following sections, we will take a closer look at the differences between these two modes and help you determine when to use each for queries related to IPSec.

Understanding Group Policy Software Installation Terminology and Concepts

1.

As a network administrator, you need to deploy software to your user's workstations. What must you create on the network so the workstations will be able to locate, read, and execute the .msi file associated with an application?

A distribution point

An Admin C$ Share

A share named "SFDeployment"

Nothing has to be created; everything necessary for software deployment is created by default when you select to deploy a package.

When you assign an application to a user, which of the following actions on the part of the user will cause the software to be installed? (Choose all that apply.)

Clicking on the shortcut that represents the application in the Start menu or Desktop.

Opening Add/Remove Programs in Control Panel and selecting the application. from the list.

Double-clicking a file that has an extension that is associated with the application.

Contacting an administrator to request pre-staging of the user's workstation.

What term describes what happens when a user double-clicks on a file with an associated extension that launches the installation of a package configured in Group Policy?

Folder redirection

Document invocation

Blocking inheritance

No override

You have configured Group Policy Software Installation to deploy several assigned and published applications. Which of the following is created automatically for each deployed application and stored in the GPO in Active Directory to contain advertisement information about the application configuration?

Microsoft Installer Package

Logon Script

Application Assignment Script

Microsoft Software Transform

Using Group Policy Software Installation to Deploy Applications

5.

You want to add a new package to deploy to users in the Marketing OU. What are the steps required to complete this task?

Open Active Directory Users and Computers. Navigate to the Marketing OU, right-click, and select Properties. Click the Group Policy tab and select Edit. In the GPO Editor window, expand the User Configuration node, select Software Installation, right-click, choose New, and then choose Package.

Open Active Directory Users and Computers. Navigate to the Marketing OU, right-click, and select Properties. Select Edit. In the GPO Editor window, expand the User Configuration node, select Software Installation, right-click, choose New, and then choose Package.

Open Active Directory Users and Computers. Navigate to the domain node, right-click, and select Properties. Click the Group Policy tab and select Edit, In the GPO Editor window, expand the User Configuration node, select Software Installation, right-click, choose New, and then choose Package.

Open Active Directory Users and Computers. Navigate to the Marketing OU, right-click, and select Properties. Click the Group Policy tab and select Edit. In the GPO Editor window, expand the Computer Configuration node, select Software Installation, right-click, choose New, and then choose Package.

What steps should you take to set up a new category for software distribution?

Right-click Software Installation in the GPO Editor and select Properties. Go to the Categories tab, Click Add.

Right-click Software Installation in the GPO Editor and select Properties. Go to the General tab. Click Add.

Right-click the package in the right pane of the GPO Editor, select Properties, and then click the Categories tab. Click New.

Right-click the package in the right pane of the GPO Editor, select Properties, and then click the General tab. Click New.

Which of the following tabs and options are used to force applications to update when deploying upgrades, regardless of whether the user wants to upgrade the application?

"Required upgrade for existing package" on the Upgrades tab

"Mandatory upgrade" on the Upgrades tab

"Required upgrade" on the Modifications tab

"Mandatory upgrade" on the Modifications tab

You are a network administrator and you have a number of legacy applications that need to be repackaged. You will be using WinINSTALL LE 2003 to create .msi packages for these applications. You have decided to set up a workstation that will be dedicated to creating these application packages. Which of the following is the best type of machine to use for this purpose?

An existing computer configured with an optimized operating system that has been in service for at least two years.

A newly installed computer with a clean Registry and default operating system configuration.

An existing computer that has all of your organization's applications installed.

A new computer running only the critical applications but the original Registry settings.

You need to deploy an older application to users on your network, and you want to use Group Policy Software Installation to make the deployment easier. However, you are undecided as to whether you should use a program such as WinINSTALL to repackage the application or use a .zap file to install it. In making this decision, you consider the limitations of using .zap files and whether these limitations will affect your deployment. Which of the following are limitations of using .zap files that should be factored into your decision? (Choose all that apply.)

Applications deployed with .zap files cannot be installed by double-clicking a shortcut.

Automatic repair and removal doesn't work for applications deployed with .zap files.

Creating .zap files requires more programming expertise than repackaging applications does.

.Zap files install applications with elevated user privileges.

You are the network administrator for a medium-sized financial services company. The users in the Accounts Receivable department all use a popular spreadsheet application that was deployed via Group Policy Software Installation. A new version of the spreadsheet program has been released and includes features that will be useful for some of your users; however, these new features are not required by all users. You want users who are comfortable with the old version and don't need the new features to be able to continue using their current version, but there are several new employees coming on board and you want them to start out with the latest version of the application. How can you disable new installations of an application but not remove the old application from users' workstations?

Right-click Software Installation in the left pane of the GPO Editor and click Removal.

Right-click the application in the right pane of the GPO Editor and select Remove.

Right-click the application in the right pane of the GPO Editor and select Uninstall.

Right-click Software Installation in the left pane of the GPO Editor and select Delete.

You are the network administrator for a company that manufactures housewares. You need to deploy a particular software application to all members of the Sales department. All members of this department are already members of the Sales group in Active Directory. Now that you are setting up distribution of software to this same group of people, you would like to use their membership in this security group to define to whom the software will be deployed, if possible. How can you ensure that only the members of the Sales group will receive the software?

You can move all their accounts to a newly created OU for deployment purposes.

You can use the Security tab on the GPO to configure the appropriate permissions for the Sales group only.

You can associate the GPO used to deploy the software with the domain so that new users will also receive the application.

You can remove the existing policy and create a new one that is applied to the group in question.

You are the network administrator for a medical billing company. You want to deploy a new billing program to all the users in your organization. It is mandatory that every user have this new software installed. You decided to deploy the application via Group Policy Software Installation, but when you initially added the new package, you mistakenly configured the application to be published. You realize this will not accomplish your purpose because users can choose not to install the application You want to change the application to assigned status."What is the best way to accomplish this?

Right-click the application in the right pane of the GPO Editor, select Properties, and edit the General tab.

Right-click the application in the right pane of the GPO Editor, select Properties, and edit the Deployment tab.

Right-click Software Installation in the left pane of the GPO Editor, and click Assigned.

You will have to remove the package and add it again to change the status from published to assigned.