
Implementing Active Directory – 11/9/2009

Monday, November 9, 2009 Ben

We had a big day today, covering 3 chapters, and finishing up our discussion on Group Policy.  Next week, we’ll finish up the remaining two chapters in the book and work the remaining time on our “Show Me the Money” network implementation!!

Anyway, chapter 8 covered the user and computer environments when configured by Group Policy.  The first area of focus was security policies.  As you know from previous discussion (earlier today!?), we can configure security policies on our machines to allow or disallow (or block, even) certain kinds of behavior, or limit that behavior to certain individuals.  The nice thing is that, using Group Policy, we can configure those settings once in a GPO and then assign them to a large number of computers by linking that GPO to an object associated with the computers we wish to control (the Sales OU, for example).

We also looked at a concept called Folder Redirection.  With Folder Redirection, we are able to control where user files end up during backup or in day-to-day use.  A common use of Folder Redirection is to configure a GPO that makes the client computers store files on a network location instead of on the local computer when a user saves in the “Documents” folder.  To the end user, nothing is too different from their home machine, but the files are actually saved to the server without the user having to know to save their documents to the \\srv-01\files\ directory.  It’s just easier that way.  Especially if we ever have to move those files! :)   Oh, and also, the .zap files only work on software assigned to user groups — not computers.  Very important!

Disk Quotas, which we’ve looked at before, are a way of keeping your users from gobbling up a bunch of server space.  Especially in this day of digital media, it’s not uncommon for users to rip a bunch of CDs to their computers thinking they’re storing them on their local HDD, when in fact they are being stored on the server (aha! Folder Redirection!).  Disk Quotas ensure that your server doesn’t get filled up with a bunch of 320 kbps Menudo .mp3 files.

Chapter 9 talked about the installation of software titles via Group Policy.  This is perhaps one of the most useful things you can do with GP — imagine having to install something like MS Office onto 200 computers (especially if you only had 1 disc) — it would be a nightmare!

By copying the disc to a network share and then configuring a GPO to put that software onto the computers that fell within its scope, you could install that software automatically, with no walking around and mindlessly configuring.

There is a downside, however.  In order for GP to install software programs, the program installation file must be a Windows Installer file (.msi extension).  .EXEs won’t work, unfortunately, unless you want to configure a .zap file.  .zap files work like old .ini files and are simply directions for GP to run .EXEs in its deployments.  The downside is that these installations often need user intervention and in many cases need someone with local administrator rights present.

Finally, Chapter 10 covered GP management, and here’s where things can get fun.  Or hairy.  Or both, if that’s your thing.

Group Policy is an object just like anything else, and can therefore have an ACL attached to it.  This lets us keep certain users within an OU from having a GPO applied to them.  For example, if I wanted a particular user in an OU to *not* have their taskbar locked, I could place a deny read on that particular GPO for that particular user.

In addition, I can use something called WMI filters.  WMI stands for Windows Management Instrumentation, and is used in Windows 2003 to filter GPO application down to machines that meet particular requirements.  For example, if I want to apply a certain GPO only to Windows XP machines, I could attach a WMI filter that selects only Windows XP machines.  How, you ask?  Well, WMI uses a query mechanism that is very similar to the SQL database language, and a query is written in very much the same way.  So to apply a particular GPO only to Windows XP machines, I would attach a WMI filter that looks like this:

SELECT * from Win32_operatingsystem WHERE caption = "Microsoft Windows XP Professional"

The downside here, of course, is that I can only apply 1 WMI filter to a GPO.  (I can use the same WMI filter attached to several GPOs though).
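Before linking a filter, it helps to confirm that a given machine would actually pass it.  The PowerShell below is an added example (not from the original post or the course book) that runs a WQL query the way the Group Policy engine does: the filter passes when the query returns at least one instance.  The function name Test-WmiFilterQuery and the version-based variant of the query are my additions.

```powershell
# Added example: evaluate a WMI filter's WQL query against a machine.
# A GPO's WMI filter "passes" when the query returns at least one instance;
# if it returns nothing, the GPO is skipped on that machine.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory = $true)][string]$Query,
        [string]$ComputerName = $env:COMPUTERNAME,   # assumption: local machine by default
        [string]$Namespace = 'root\CIMV2'            # namespace GPO WMI filters use by default
    )
    # On PowerShell 7 (where Get-WmiObject is gone) use Get-CimInstance -Query instead.
    $results = @(Get-WmiObject -Query $Query -Namespace $Namespace `
                   -ComputerName $ComputerName -ErrorAction Stop)
    return ($results.Count -gt 0)
}

# First look at what this machine actually reports, because the WHERE clause
# has to match the Caption string exactly (down to "Professional").
Get-WmiObject -Class Win32_OperatingSystem | Select-Object Caption, Version

# The filter from the post: true only when Caption is exactly this string.
$xpByCaption = 'SELECT * FROM Win32_OperatingSystem WHERE Caption = "Microsoft Windows XP Professional"'

# Version-based variant: XP reports Version 5.1.x, so this matches any XP
# edition no matter how the Caption is worded (WQL LIKE uses % as a wildcard).
$xpByVersion = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.1%"'

foreach ($q in $xpByCaption, $xpByVersion) {
    $passes = Test-WmiFilterQuery -Query $q
    '{0,-5} <- {1}' -f $passes, $q
}
```

Run it on a test workstation in the scope of the GPO; a False next to the query you intend to link means the GPO would silently not apply there.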

Homework:
