Windows 7 Resource Kit- P12

Shared by: Thanh Cong | Date: | File type: PDF | Pages: 50


Figure 14-2 The folder structure for the central store where ADMX template files are stored for the domain

Note: For a list of ISO language identifiers, see http://msdn.microsoft.com/en-us/library/dd318691.aspx.

After you create this folder structure for the central store on the PDC Emulator, the FRS will replicate this structure to all domain controllers in the domain. You choose the PDC Emulator as the domain controller on which to create this folder structure manually because the PDC Emulator is the default choice for the focus of the GPMC.

Note: Creating a central store is not a requirement for using Group Policy to manage computers running Windows Vista or later. For example, in the absence of a central store, an administrator can use the GPMC on an RSAT administrative workstation running Windows 7 to create GPOs and then use the GPMC to configure these GPOs. The advantage of configuring a central store is that all GPOs created and edited after the store is configured have access to all of the ADMX files within the store, which makes the central store useful for deploying any custom ADMX files that you want to share with other administrators in your domain.

Adding ADMX Templates to the Store

After you configure the central store, you must populate it using ADMX template files. You can copy these ADMX template files from a computer running Windows 7 by following these steps:
1. Log on to an administrative workstation running Windows 7 using a user account that is a member of the Domain Admins built-in group.
2. Open a command prompt and type the following command.

   xcopy %SystemRoot%\PolicyDefinitions\* %LogonServer%\sysvol\%UserDNSDomain%\policies\PolicyDefinitions /s /y

3. Repeat this process from any administrator workstations running Windows 7 that have different languages installed.

After you copy the ADMX template files to the central store, the central store will be replicated to all domain controllers in the domain as the contents of the SYSVOL share are replicated by the FRS. Whenever you want to update the files or copy a custom ADMX file, you must do this manually.

Direct from the Source: Create and Populate the ADMX Central Store in a Single Step
Judith Herman, Group Policy Programming Writer, Windows Enterprise Management Division UA

As long as the ADMX central store directory exists, the Group Policy Management Editor will ignore the local versions of the ADMX files. It is recommended that as soon as the central store is created, the ADMX (and associated ADML files) are used to populate the central store. If there is an empty central store directory when the Group Policy Management Editor in Windows 7 is started, the ADM nodes will not display any policy settings because the Group Policy Management Editor reads ADM policy settings display information only from the empty central store.

Creating and Managing GPOs

After your central store is configured and you have copied ADMX template files to it, you are ready to create GPOs for managing your environment. Beginning with Windows 7, you can create and manage GPOs in two ways:

• From the graphical user interface (GUI) by using the GPMC. This is the only method available for managing Group Policy on earlier versions of Windows.
• From the command line or via script automation by using the new Windows PowerShell Group Policy cmdlets. This method for managing Group Policy is new in Windows 7 and Windows Server 2008 R2 and is described in the section titled “Creating and Managing GPOs Using Windows PowerShell” later in this chapter.
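The central store populated with xcopy earlier in this section can be checked for the empty-store condition the sidebar describes. The script below is an added example, not code from the book; it assumes a domain-joined workstation, read access to SYSVOL, and the same %LogonServer% and %UserDNSDomain% path used in the xcopy step.

```powershell
# Added example (not from the book): compare the local ADMX/ADML files with the
# domain central store and report what the store is missing.
# Assumption: run on a domain-joined Windows 7 workstation by a user who can read SYSVOL.

$local   = Join-Path $env:SystemRoot 'PolicyDefinitions'
$central = "$env:LOGONSERVER\sysvol\$env:USERDNSDOMAIN\policies\PolicyDefinitions"

# Return template files as paths relative to $Root (for example "en-US\Explorer.adml").
function Get-TemplateFile([string]$Root) {
    $base = (Resolve-Path $Root).ProviderPath
    Get-ChildItem -Path $base -Recurse -Include *.admx, *.adml |
        ForEach-Object { $_.FullName.Substring($base.Length).TrimStart('\') }
}

if (-not (Test-Path $central)) {
    # No store: the editors fall back to the local PolicyDefinitions folder.
    Write-Output "No central store found at $central; local ADMX files will be used."
}
else {
    $have = @(Get-TemplateFile $central)
    $want = @(Get-TemplateFile $local)

    if ($have.Count -eq 0) {
        # The failure mode from the sidebar: the store exists, so local files are
        # ignored, but it holds nothing to display.
        Write-Warning "Central store exists but is empty; populate it before editing GPOs."
    }

    # Files this workstation has that the store lacks (-notcontains ignores case).
    $missing = @($want | Where-Object { $have -notcontains $_ })
    # Files only in the store: custom ADMX files or languages not installed here.
    $extra   = @($have | Where-Object { $want -notcontains $_ })

    Write-Output ("Central store files : {0}" -f $have.Count)
    Write-Output ("Missing from store  : {0}" -f $missing.Count)
    $missing | ForEach-Object { Write-Output "  missing: $_" }
    Write-Output ("Only in store       : {0}" -f $extra.Count)
    $extra | ForEach-Object { Write-Output "  store-only: $_" }
}
```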
Obtaining the GPMC

The GPMC is not included in a default Windows 7 install. Instead, you must download and install the RSAT for Windows 7 to use the GPMC on a Windows 7 computer. To do this, follow these steps:

1. Obtain the appropriate RSAT package (x86 or x64) for your Windows 7 administrative workstation from the Microsoft Download Center at http://www.microsoft.com/downloads/ and install the RSAT .msu package on your computer.
2. Open Programs And Features from Control Panel and select Turn Windows Features On Or Off.
3. In the Windows Features dialog box, expand Remote Server Administration Tools, followed by Feature Administration Tools.
4. Select the check box next to Group Policy Management Tools and click OK.

Alternatively, instead of managing Group Policy by installing RSAT on a computer running Windows 7, you can manage it directly from a computer running Windows Server 2008 R2 by installing the RSAT feature using the Add Features Wizard in Server Manager.

Using Starter GPOs

Starter GPOs, introduced in the GPMC for Windows Server 2008 and Windows Vista SP1 with RSAT, are read-only collections of configured Administrative Template (.admx) policy settings that you can use to create a live GPO. Starter GPOs provide baselines of Group Policy settings designed for specific scenarios. By using Starter GPOs as templates for creating domain-based GPOs, you can deploy Group Policy quickly in different kinds of environments. Note that Starter GPOs can contain only policy settings (ADM settings); they cannot include preference items, security settings, or other types of Group Policy settings.

In Windows Vista SP1 and Windows Server 2008, you had to download Starter GPOs before using them. Now, however, a default set of Starter GPOs are included in RSAT for Windows 7 and in the GPMC feature of Windows Server 2008 R2.

RSAT for Windows 7 includes two different categories of Starter GPOs:

• Enterprise Client (EC): Client computers in this type of environment are members of an AD DS domain and need to communicate only with systems running Windows Server 2003. The client computers in this environment may include a mixture of Windows versions, including Windows 7, Windows Vista, and Windows XP.
• Specialized Security Limited Functionality (SSLF): Client computers in this type of environment are members of an AD DS domain and must be running Windows Vista or later. Concern for security in this environment is a higher priority than functionality and manageability, which means that the majority of enterprise organizations do not use this environment. The types of environments that might use SSLF are military and intelligence agency computers.
In addition to these two categories, the default Starter GPOs in RSAT for Windows 7 can also be categorized by whether they do the following:

• Apply only to clients running Windows XP SP2 or later or Windows Vista SP1 or later.
• Apply to users or to computers.

The result of this categorization is the following eight types of Starter GPOs included in RSAT for Windows 7:

• Windows Vista EC Computer
• Windows Vista EC User
• Windows Vista SSLF Computer
• Windows Vista SSLF User
• Windows XP EC Computer
• Windows XP EC User
• Windows XP SSLF Computer
• Windows XP SSLF User

For more information concerning the default configuration of policy settings in Starter GPOs designed for Windows Vista SP1 or later, see the Windows Vista Security Guide at http://go.microsoft.com/?linkID=5744573. For more information concerning the default configuration of policy settings in Starter GPOs designed for Windows XP SP2 or later, see the Windows XP Security Compliance Management Toolkit at http://go.microsoft.com/fwlink/?LinkId=14839. Updated information on Starter GPOs should also be available; search for Windows 7 Security Guide on the Microsoft Download Center.

Before you can use Starter GPOs, you must prepare your environment by creating a separate folder for these GPOs in the SYSVOL share on your domain controllers. If your forest has more than one domain, you must create a separate Starter GPOs folder in each domain of your forest. To create the Starter GPOs folder, perform the following steps:

1. Open the GPMC and select the Starter GPOs node in the console tree for the domain.
2. Click the Create Starter GPOs Folder button in the details pane (see Figure 14-3).
3. Repeat for each domain in your forest.

After you create your Starter GPOs folder, you can use the default Starter GPOs as templates when you create new GPOs, as described in the next section. You can also create and manage your own Starter GPOs by right-clicking the Starter GPOs node in the console tree of the GPMC.
Figure 14-3 Creating the Starter GPOs folder in SYSVOL for the domain

Creating and Managing GPOs Using the GPMC

To create and configure a GPO using the GPMC, follow these steps:

1. Log on to an administrative workstation running Windows 7 with RSAT using a user account that is a member of the Domain Admins built-in group.
2. Right-click Start and then click Properties. On the Start Menu tab, click Customize. Then in the Customize Start Menu dialog box, scroll down to System Administrative Tools, select Display On The All Programs Menu And The Start Menu, and click OK.
3. Click Start, then Administrative Tools, and then Group Policy Management. (Alternatively, you can type gpmc.msc in the Start Search box and then click gpmc.msc when it appears under Programs in your search results.)
4. Expand the console tree to select the domain or OU to which you will link the new GPO when you create it.
5. Right-click this domain or OU and select Create A GPO In This Domain And Link It Here.
6. Type a descriptive name for your new GPO, such as Seattle Computers GPO, and (optionally) select a Starter GPO as a template for it. Then click OK.
7. Expand the domain or OU to display the GPO link for your new GPO beneath it, as shown in the following image.
8. Right-click the GPO link and then select Edit to open the GPO.
9. Configure policy settings and preference items in the GPO as desired for the computers and/or users targeted by the GPO.

Note: If a domain controller is unavailable when a computer running Windows 7 tries to log on to the network, the computer will log on using cached credentials and will use the local copies of the ADMX template files to surface ADM policy settings in the Local Group Policy Editor. Also, if an administrator uses a computer running Windows 7 with RSAT to start GPMC or the Local Group Policy Editor and no central store is found, local copies of the ADMX template files will be used to surface ADM policy settings in the Local Group Policy Editor.

Creating and Managing GPOs Using Windows PowerShell

Beginning with Windows 7 and Windows Server 2008 R2, you can also use 25 new Windows PowerShell cmdlets to create and manage GPOs from the PowerShell command line or by using PowerShell scripts. This new capability builds upon the earlier Component Object Model (COM)–based Group Policy scripting capabilities found in Windows Vista and Windows Server 2008. This feature enables administrators to manage the full life cycle of GPOs, including creating, deleting, copying, configuring, linking, backing up and restoring, generating Resultant Set of Policy (RSoP) reports, configuring permissions, and migrating (importing and exporting) GPOs across domains and forests and from test to production environments.

This new functionality is implemented using the GPMC application programming interfaces (APIs) and is available as a module that you can import from the Windows PowerShell command line. This means that the GPMC must be installed on the computer from which you run your Windows PowerShell commands. These new cmdlets provide functionality both for performing GPMC operations and for reading and writing registry settings to GPOs (including both policy settings and preference items).

You can also use Group Policy to configure policy settings that specify whether Windows PowerShell scripts can run before non-PowerShell scripts during user computer startup and shutdown and during user logon and logoff. By default, Windows PowerShell scripts run after non-PowerShell scripts.

As shown in Table 14-3, the Windows PowerShell cmdlets in Group Policy can be organized into five different categories according to their verb.

Table 14-3 Windows PowerShell cmdlets for Group Policy in Windows 7 and Windows Server 2008 R2

Verb      Cmdlets
Get       Get-GPInheritance, Get-GPO, Get-GPOReport, Get-GPPermissions, Get-GPPrefRegistryValue, Get-GPRegistryValue, Get-GPResultantSetofPolicy, Get-GPStarterGPO
New       New-GPLink, New-GPO, New-GPStarterGPO
Set       Set-GPInheritance, Set-GPLink, Set-GPPermissions, Set-GPPrefRegistryValue, Set-GPRegistryValue
Remove    Remove-GPLink, Remove-GPO, Remove-GPPrefRegistryValue, Remove-GPRegistryValue
Misc      Backup-GPO, Copy-GPO, Import-GPO, Rename-GPO, Restore-GPO
As an example of using these new cmdlets, the procedure described here creates a new Seattle Users GPO and links it to the Seattle Users OU beneath the Seattle OU in the contoso.com domain to complement the Seattle Computers GPO created using the GPMC in the previous section.

1. Log on to your domain controller and click the Administrator: Windows PowerShell icon pinned to the taskbar. This opens the Windows PowerShell command-prompt window.
2. Type Import-Module GroupPolicy to import the Group Policy module into Windows PowerShell. This step is required at the beginning of each Windows PowerShell script or series of PowerShell commands that you execute to manage Group Policy.
3. Type $gpo = New-GPO "Seattle Users GPO" to create a new GPO named Seattle Users GPO and assign the GPO to the Windows PowerShell variable named $gpo.
4. Type Get-GPO $gpo.DisplayName to retrieve the properties of the newly created GPO and verify its creation, as shown here.
5. Type New-GPLink $gpo.DisplayName -Target "ou=Seattle Users,ou=Seattle,dc=contoso,dc=com" -Order 1 to link the new GPO to the Seattle Users OU beneath the Seattle OU in the contoso.com domain and assign the GPO a link order of 1.

If you refresh the GPMC view, you should now see the newly created GPO linked to the OU you specified.

For more examples on how to use these new Group Policy cmdlets to create and manage Group Policy, see the Windows PowerShell section of the Group Policy Team Blog on Microsoft TechNet at http://blogs.technet.com/grouppolicy/archive/tags/PowerShell/default.aspx. For a general introduction to the Windows PowerShell capabilities of Windows 7, see Chapter 13, “Overview of Management Tools.”

Editing GPOs

After you’ve created a GPO, you can edit the settings that it contains using one of two methods:
• From the GUI by using the Group Policy Management Editor, which can be started from the GPMC. This is the only method available for editing GPOs in earlier versions of Windows. Using this method, you can modify any GPO setting, including policy settings, preference items, and security settings.
• From the command line or via script automation by using the Set-GPRegistryValue, Set-GPPrefRegistryValue, Get-GPRegistryValue, Get-GPPrefRegistryValue, Remove-GPRegistryValue, and Remove-GPPrefRegistryValue cmdlets, which are among the new Windows PowerShell Group Policy cmdlets in Windows 7. Using this method, you can modify either policy settings or Group Policy preferences registry-based preference items (you cannot modify other types of preference items using the cmdlets). You cannot use Windows PowerShell to modify security settings, software installation settings, or any other types of GPO settings.

Configuring Policy Settings

To configure a policy setting in a GPO, follow these steps:

1. Right-click the GPO or its associated GPO link in GPMC and select Edit to open the GPO in the Group Policy Management Editor.
2. Expand the Policies node under either Computer Configuration or User Configuration as desired.
3. Expand the Administrative Templates node under Policy and browse to select the policy you want to configure, as shown here.
4. Double-click the policy setting to open its properties, then enable or disable the setting as desired, and (optionally) type a comment to document your action, as shown here.
5. Click OK to apply the change to the GPO.

After Group Policy is updated for the users or computers targeted by the GPO, the policy setting will be applied. This policy setting, which applies only to Windows 7 and later versions, displays a Search The Internet link above the Start menu button whenever a user types something into the Search box on the Start menu.

In addition to using the Group Policy Management Editor to configure policy settings, you can use Windows PowerShell to do this if you have the GPMC installed on a computer running Windows 7 or Windows Server 2008 R2. For example, to edit the Seattle Users GPO and enable the Add Search Internet Link To Start Menu policy setting as was done previously, open a Windows PowerShell command-prompt window and follow these steps:

1. Type Import-Module GroupPolicy to import the GroupPolicy module into Windows PowerShell.
2. Type $key = "HKCU\Software\Policies\Microsoft\Windows\Explorer" to assign the registry path for the Add Search Internet Link To Start Menu policy setting to the variable named $key.
3. Use the Set-GPRegistryValue cmdlet, as shown in Figure 14-4, to create a new DWORD registry value named AddSearchInternetLinkinStartMenu under the registry key and assign a value of 1 to this registry value.
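The Seattle Users GPO walkthrough and the three steps above, combined into one re-runnable script with a read-back check, as an added example that is not code from the book. It assumes the GroupPolicy module is installed, that the contoso.com OU from the walkthrough exists, and that the report path and GPO comment text (both chosen here) are acceptable.

```powershell
# Added example (not from the book). Names and the OU path mirror the chapter's
# Seattle Users walkthrough; the report location is an assumption.
Import-Module GroupPolicy

$gpoName   = 'Seattle Users GPO'
$targetOu  = 'ou=Seattle Users,ou=Seattle,dc=contoso,dc=com'
$key       = 'HKCU\Software\Policies\Microsoft\Windows\Explorer'
$valueName = 'AddSearchInternetLinkinStartMenu'
$report    = Join-Path $env:TEMP 'SeattleUsersGPO.html'

# 1. Create the GPO only if it does not exist yet, so the script can be re-run.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Created by script (added example)'
}

# 2. Link it to the OU with link order 1 unless a link is already present.
$links = @((Get-GPInheritance -Target $targetOu).GpoLinks)
if (-not ($links | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $targetOu -Order 1 | Out-Null
}

# 3. Write the registry-based policy setting into the GPO.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName $valueName `
    -Type DWord -Value 1 | Out-Null

# 4. Read the setting back from the GPO and fail loudly if it is not what was asked for.
$setting = Get-GPRegistryValue -Name $gpoName -Key $key -ValueName $valueName
if ($setting.Value -ne 1 -or $setting.Type -ne 'DWord') {
    throw "Unexpected value in '$gpoName': $($setting.ValueName) = $($setting.Value) ($($setting.Type))"
}
Write-Output "Verified: $($setting.ValueName) = $($setting.Value) in '$gpoName'"

# 5. List who can edit this GPO; anyone here can change what the setting enforces.
#    (Get-GPPermissions is the Windows 7 / Server 2008 R2 cmdlet name from Table 14-3.)
Get-GPPermissions -Name $gpoName -All |
    Where-Object { $_.Permission -like 'GpoEdit*' } |
    Select-Object @{ Name = 'Trustee'; Expression = { $_.Trustee.Name } }, Permission

# 6. Save an HTML settings report as a record of the configured state.
Get-GPOReport -Name $gpoName -ReportType Html -Path $report
Write-Output "Report written to $report"
```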
Figure 14-4 Configuring a policy setting in a GPO using Windows PowerShell

To verify that the policy setting has been modified as desired in the GPO, open the GPO in the Group Policy Management Editor and double-click the policy setting to display its properties. You can also select the GPO under the Group Policy Objects node in the GPMC and then select the Settings tab in the details pane to view details concerning all configured policy settings within the GPO.

Note: To modify a policy setting using the Set-GPRegistryValue cmdlet, you need to know the registry setting associated with the policy setting. A simple way to obtain this information is to download the Group Policy Settings Reference spreadsheet for Windows Server 2008 R2 and Windows 7 from the Microsoft Download Center, open it in Microsoft Office Excel, select the Administrative Templates worksheet, find the row that has the name of the policy setting under the Policy Setting Name column, and then find the registry key and value name for the policy under the Registry Information column for the selected row. Note that this spreadsheet doesn’t state the value type or range of possible values of the registry value—to determine this (if it’s not obvious), you can enable, disable, or otherwise configure the policy setting on a test computer and then open the registry value for the policy using Registry Editor to view the results.

Configuring Preference Items

To configure a preference item in a GPO, follow these steps:

1. Right-click the GPO or its associated GPO link in GPMC and select Edit to open the GPO in the Group Policy Management Editor.
2. Expand the Preferences node under either Computer Configuration or User Configuration as desired.
3. Right-click a preference setting node and select the appropriate menu option to create, replace, update, or remove a preference setting, as shown here.

You can also use the Set-GPPrefRegistryValue cmdlet to configure registry-based preference items using Windows PowerShell. For more examples on how to use the Group Policy cmdlets, see the Windows PowerShell section of the Group Policy Team Blog on Microsoft TechNet at http://blogs.technet.com/grouppolicy/archive/tags/PowerShell/default.aspx.

Direct from the Source: Group Policy Settings vs. Group Policy Preferences*
William R. Stanek, Author

One way to think of Group Policy is as a set of rules that you can apply throughout the enterprise. Although you can use Group Policy to manage servers and workstations running Windows 2000 or later, Group Policy has changed since it was first implemented with Windows 2000. For Windows Vista with SP1 or later and Windows Server 2008, Group Policy includes both managed settings, referred to as policy settings, and unmanaged settings, referred to as policy preferences. When you deploy the Group Policy CSEs to Windows XP with SP2 or later, Windows Vista, or Windows Server 2003 with SP1 or later, these older operating systems can use Group Policy preferences as well.
• Group Policy settings enable you to control the configuration of the operating system and its features. You can also use policy settings to configure computer and user scripts, folder redirection, computer security, software installation, and more.
• Group Policy preferences enable you to configure, deploy, and manage operating system and application settings that you were not able to manage using earlier implementations of Group Policy, including data sources, mapped drives, environment variables, network shares, folder options, shortcuts, and more. In many cases, you’ll find that using Group Policy preferences is a better approach than configuring these settings in Windows images or using logon scripts.
• The key difference between preferences and policy settings is enforcement. Group Policy strictly enforces policy settings. You use policy settings to control the configuration of the operating system and its features. You also use policy settings to disable the user interface for settings that Group Policy is managing, which prevents users from changing those settings. Most policy settings are stored in policy-related branches of the registry. The operating system and compliant applications check the policy-related branches of the registry to determine whether and how various aspects of the operating system are controlled. Group Policy refreshes policy settings at a regular interval, which is every 90 to 120 minutes by default.
• In contrast, Group Policy does not strictly enforce policy preferences. Group Policy does not store preferences in the policy-related branches of the registry. Instead, it writes preferences to the same locations in the registry that an application or operating system feature uses to store the setting. This allows Group Policy preferences to support applications and operating system features that aren’t Group Policy–aware and also does not disable application or operating system features in the user interface to prevent their use. Because of this behavior, users can change settings that were configured using policy preferences. Finally, although Group Policy by default refreshes preferences using the same interval as Group Policy settings, you can prevent Group Policy from refreshing individual preferences by choosing to apply them only once.

When working with policy settings, keep the following in mind:

• Most policy settings are stored in policy-based areas of the registry.
• Settings are enforced.
• User interface options might be disabled.
• Settings are refreshed automatically.
• Settings require Group Policy–aware applications.
• Original settings are not changed.
• Removing the policy setting restores the original settings.
When working with policy preferences, keep the following in mind:

• Preferences are stored in the same registry locations as those used by the operating system and applications.
• Preferences are not enforced.
• User interface options are not disabled.
• Settings can be refreshed automatically or applied once.
• Preferences support non-Group Policy–aware applications.
• Original settings are overwritten.
• Removing the preference item does not restore the original setting.

In the real world, the way you use policy settings or policy preferences depends on whether you want to enforce the item. To configure an item without enforcing it, use policy preferences and then disable automatic refresh. To configure an item and enforce the specified configuration, use policy settings or configure preferences and then enable automatic refresh.

*Excerpted with permission from the Windows Group Policy Administrator’s Pocket Consultant (Microsoft Press, 2009).

Managing MLGPOs

To edit different MLGPOs on a computer running Windows 7, follow these steps:

1. Log on to an administrative workstation running Windows 7 using a user account that is a member of the local Administrators built-in group.
2. Type mmc in the Start menu and then click mmc.exe when it appears under Programs in your search results.
3. Select File and then select Add/Remove Snap-in.
4. Select Group Policy Management Editor from the list of available snap-ins and then click Add.
5. Do one of the following:
   • To create a custom Microsoft Management Console (MMC) for editing the Local Computer Policy, click Finish.
   • To create a custom MMC for editing the Administrators Local Group Policy, click Browse, click the Users tab, select Administrators, click OK, and then click Finish.
   • To create a custom MMC for editing the Non-Administrators Local Group Policy, click Browse, click the Users tab, select Non-Administrators, click OK, and then click Finish.
   • To create a custom MMC for editing the Local Group Policy for a specific local user account, click Browse, click the Users tab, select that user account, click OK, and then click Finish.
6. Alternatively, instead of creating multiple different custom MMCs, you can add multiple instances of the Group Policy Management Editor snap-in to a single custom MMC console with each snap-in having a different MLGPO as its focus, as shown in Figure 14-5.

Figure 14-5 Editing Local Computer Policy, Administrators Local Group Policy, and Non-Administrators Local Group Policy, all from a single MMC console

MLGPOs do not exist until you actually configure their settings using the Local Group Policy Editor. You can delete MLGPOs that you no longer need by following these steps:

1. Log on to an administrative workstation running Windows 7 using a user account that is a member of the local Administrators built-in group.
2. Click the Start button, type mmc in the Start menu Search box, and then click mmc.exe when it appears under Programs in your search results.
3. Respond to the User Account Control (UAC) prompt by clicking Continue.
4. Select File and then select Add/Remove Snap-in.
5. Select Group Policy Management Editor from the list of available snap-ins and then click Add.
6. Click Browse and then click the Users tab, as shown here.
7. Right-click the user or group (Administrators or Non-Administrators) for which you want to delete the associated MLGPO, select Remove Group Policy Object, click Yes, and then click OK.
Note: You can also disable an MLGPO temporarily by right-clicking its associated user or group, selecting Properties, and then selecting the check boxes to disable the user and machine (if available) portions of the MLGPO.

You can also choose to edit only the Local Computer Policy on a computer running Windows 7 (similar to the way it is done in earlier versions of Windows) by following these steps:

1. Log on to an administrative workstation running Windows 7 using a user account that is a member of the Administrators built-in group.
2. Type gpedit.msc in the Start menu and then click gpedit.msc when it appears under Programs in your search results.
3. Respond to the UAC prompt by clicking Continue.
4. Configure policy settings as desired.

Migrating ADM Templates to ADMX Format

ADMX Migrator is an MMC snap-in developed and supported by FullArmor Corporation (http://www.fullarmor.com) that simplifies the task of converting existing Group Policy ADM template files to ADMX template files so that your enterprise can take advantage of the additional capabilities of this new format. ADMX Migrator is available from the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=103774 and can be installed on Windows 7, Windows Server 2008 R2, Windows Vista, Windows Server 2008, Windows Server 2003 SP1 or later, and Windows XP SP2 or later, provided that MMC 3.0 and the Microsoft .NET Framework 2.0 are installed.

Important: ADMX Migrator was developed by and is supported by FullArmor Corporation. For support issues involving ADMX Migrator, go to http://www.fullarmor.com/admx-migrator-issue-report.htm.

With ADMX Migrator, administrators can do any of the following:

• Use a GUI called ADMX Editor to convert ADM files to ADMX format and to create and edit custom ADMX template files.
• Use a command-line tool called ADMX Migrator Command Window to control template migration settings granularly.
• Choose multiple ADM template files for conversion to ADMX format.
• Detect collisions resulting from duplicate names.

During the conversion process, any items that cannot be validated against the ADMX schema are preserved in an Unsupported section instead of being deleted.
Note: Annotations within ADM template files are removed during the conversion process.

Converting ADM Template Files to ADMX Format

To convert a custom ADM file into ADMX format, install ADMX Migrator and then follow these steps:

1. Click Start, click All Programs, click FullArmor, expand FullArmor ADMX Migrator, and then click ADMX Editor.
2. Respond to the UAC prompt as required to open ADMX Migrator.
3. Right-click the root node in the console tree and then select Generate ADMX From ADM.
4. Browse to locate and select your custom ADM file and then click Open.
5. Click Yes when the message appears stating that the ADM file was successfully converted to ADMX format. This will load the new ADMX file into the ADMX Migrator, as shown here.

The converted ADMX template file is saved in the %UserProfile%\AppData\Local\Temp folder using the same name as the .adm file but with the .admx extension. Copy this .admx file to the central store for your domain and you’ll be able to configure the policy settings defined by it when you create and edit domain-based GPOs.

Creating and Editing Custom ADMX Template Files

You can create new ADMX template files and modify existing ones by using ADMX Migrator. Follow these steps:

1. Click Start, click All Programs, click FullArmor, expand FullArmor ADMX Migrator, and then click ADMX Editor.
2. Respond to the UAC prompt as required to open ADMX Migrator.
3. Right-click the ADMX Templates node under the root node and select one of the following:
   • Select New Template to create a new ADMX template file. After you create this file, you can right-click this template and select New Category to add categories of policy settings. After you add categories, you can right-click these categories and select New Policy Setting to define new registry-based policy settings. Type a descriptive name, a full path to the registry key, and a default value (optional) for the key.
   • Select Load Template to open an existing ADMX template file for editing. After you open the file, you can add or delete categories and policy settings as desired.

Warning: Do not modify the default ADMX template files included with Windows 7.

Configuring Group Policy Processing

Beginning with Windows Vista, there are two policy settings you can configure that affect how Group Policy processing is performed:

• Turn Off Local Group Policy Objects Processing. This policy setting is found under Computer Configuration\Policies\Administrative Templates\System\Group Policy. Enabling this policy setting prevents LGPOs from being applied when Group Policy is processed on the computer.

  Warning: Do not enable this policy setting within LGPOs on a stand-alone computer; the Group Policy service does not honor this policy setting from an LGPO when in a workgroup. Enable this policy only on domain-based GPOs if you want to disable application of LGPOs completely during Group Policy processing.

• Startup Policy Processing Wait Time. This policy setting is found under Computer Configuration\Policies\Administrative Templates\System\Group Policy. Enabling and configuring this policy setting determines how long Group Policy must wait for network availability notifications during startup policy processing. The default value for this policy setting when it is enabled is 120 seconds, and configuring this policy setting overrides any system-determined wait times. (The default wait time for computers running Windows 7 is 30 seconds.)
If you are using synchronous startup policy processing, the computer is blocked until the network becomes available or the configured wait time is reached. If you are using asynchronous startup policy processing, the computer is not blocked and policy processing takes place in the background. In either case, configuring this policy setting overrides any system-computed wait times.
Using Advanced Group Policy Management

Microsoft Advanced Group Policy Management (AGPM) 4.0, which supports Windows 7 and Windows Server 2008 R2, will be part of the R2 release of the Microsoft Desktop Optimization Pack (MDOP) 2009, a dynamic desktop solution available to Software Assurance (SA) customers that helps reduce application deployment costs, supports delivery of applications as services, and allows for easier management and control of enterprise desktop environments. AGPM was originally based on GPOVault Enterprise Edition, a software solution developed by DesktopStandard and acquired by Microsoft. AGPM integrates seamlessly with the GPMC and provides the following benefits relating to Group Policy management in enterprise environments:

• More granular administrative control through role-based administration, a robust delegation model, and change-request approval
• Reduced risk of Group Policy failures by supporting offline editing of GPOs, recovery of deleted GPOs, repair of live GPOs, difference reporting, and audit logging
• More effective Group Policy change management through the creation of GPO template libraries, version tracking, history capture, quick rollback of deployed changes, and subscription to policy change e-mail notifications

More Info: For more information about AGPM and other MDOP technologies, see http://www.microsoft.com/windows/enterprise/default.aspx. For detailed task-oriented help on using AGPM to manage Group Policy in enterprise environments, see the Windows Group Policy Administrator's Pocket Consultant by William R. Stanek (Microsoft Press, 2009).

Troubleshooting Group Policy

Beginning with Windows Vista SP1, the Group Policy engine no longer records information in the Userenv.log.
Instead, you can find detailed logging of information concerning Group Policy issues by using the following methods:

• Use Event Viewer to view events in the Group Policy operational log for resolving issues relating to Group Policy processing on the computer.
• Enable debug logging for the Group Policy Management Editor to generate a GpEdit.log for resolving issues relating to malformed ADMX files.

More Info: For additional information on how to troubleshoot Group Policy application issues for Windows 7 and Windows Vista SP1, see "Troubleshooting Group Policy Using Event Logs" at http://technet2.microsoft.com/WindowsVista/en/library/7e940882-33b7-43db-b097-f3752c84f67f1033.mspx?mfr=true.
Direct from the Source

An Ordered Approach to Troubleshooting Group Policy

Mark Lawrence, Senior Program Manager*
Windows Enterprise Management Division (WEMD)

To successfully troubleshoot Group Policy issues on Windows Vista and later versions, we recommend performing the following sequence of steps:

1. Start with Administrative Events under Custom Views in Event Viewer. Identify any policy failures that occurred and then examine their descriptions, the Details tab, and the More Information link for these events.
2. Open the Group Policy Operational log and obtain the activity ID from a failure event. Then use GPLogView.exe with the -a option to filter events for this activity ID and export the results as either HTML or XML for analysis and archiving.
3. Analyze the GPLogView.exe output to review step-by-step policy-processing scenario events to identify any failure point and error codes for possible future troubleshooting.

*With the help of information provided by Dilip Radhakrishnan of the Group Policy Program Managers Team.

Using Event Viewer

The operational log for Group Policy processing on the computer can be found in Event Viewer under Applications And Service Logs\Microsoft\Windows\Group Policy\Operational, as shown in Figure 14-6.

Figure 14-6 Operational log for Group Policy in Event Viewer
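The activity-ID correlation in step 2 of the ordered approach above can also be scripted in Windows PowerShell. The following is an added example, not part of the original book: it uses Get-WinEvent instead of GPLogView.exe, assumes the channel name Microsoft-Windows-GroupPolicy/Operational for the operational log, and writes to a hypothetical output location under %TEMP%.

```powershell
# Added example (not from the book): triage Group Policy failures by activity ID.
# Assumption: this channel name corresponds to the Group Policy Operational log
# that the text locates in Event Viewer.
$LogName = 'Microsoft-Windows-GroupPolicy/Operational'
$OutBase = Join-Path $env:TEMP 'gp-activity'      # hypothetical output location

# Step 1: list the most recent error (Level 2) and warning (Level 3) events.
$failures = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Level = 2, 3 } `
                         -MaxEvents 20 -ErrorAction SilentlyContinue
if (-not $failures) {
    Write-Output "No error or warning events found in $LogName."
    return
}
$failures | Format-Table TimeCreated, Id, LevelDisplayName, ActivityId -AutoSize | Out-String

# Step 2: take the activity ID from the newest failure that carries one.
$newest = $failures | Where-Object { $_.ActivityId } | Select-Object -First 1
if (-not $newest) {
    Write-Output 'The failure events carry no activity ID; nothing to correlate.'
    return
}
$activityId = $newest.ActivityId

# Collect every event from the same processing pass, oldest first, so the
# sequence reads in the order in which policy processing ran. The filter runs
# client-side to avoid depending on how the GUID is formatted in a query.
$trace = @(Get-WinEvent -LogName $LogName -Oldest |
           Where-Object { $_.ActivityId -eq $activityId } |
           Select-Object TimeCreated, Id, LevelDisplayName, Message)

# Input for step 3: export the pass as HTML for reading and XML for archiving.
$trace | ConvertTo-Html -Title "Group Policy activity $activityId" |
         Set-Content -Path "$OutBase.html" -Encoding UTF8
$trace | Export-Clixml -Path "$OutBase.xml"

Write-Output "Activity $activityId : $($trace.Count) events written to $OutBase.html and $OutBase.xml"
```

The exported sequence shows each processing step for one policy-processing pass, which is where the failure point that step 3 looks for appears.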