Microsoft Press Windows Vista Administrator's Pocket Consultant ebook
Page 28
Note
You upgrade GPOs using a computer running Windows Vista or a later version of the Windows operating system. Once you've performed the update and made any necessary changes, you can perform basic management, such as policy linking or blocking, using any computer. However, it is recommended that the actual policy editing be done on a computer running Windows Vista or later.
You update the domain GPO by following these steps:
1. Using an account with domain administrator privileges, log on to a computer running Windows Vista or a later release of Windows.
2. Click Start, type mmc, and then press Enter. Alternatively, you can type mmc at a command prompt. This starts the Microsoft Management Console (MMC).
3. On the File menu, click Add/Remove Snap-In. This opens the Add Or Remove Snap-Ins dialog box.
4. In the Add Or Remove Snap-Ins dialog box, click Group Policy Management Console. Click Add and then click OK.
5. In MMC, when you expand the Group Policy Management node, you'll see a Forest node representing the current forest to which you are connected. When you expand the Forest node, you'll then see Domains and Sites nodes. Use these nodes to work your way to the Group Policy Object (GPO) you want to work with.
6. When you find the GPO you want to work with, right-click it and then select Edit to open the Group Policy Object Editor.
7. In the Group Policy Object Editor, select the Computer Configuration node by clicking it, and then select the User Configuration node by clicking it. When you select these nodes, the current administrative templates are read in and applied to the GPO you've selected. Once Group Policy is refreshed, you can modify policy settings as necessary, and the changes will be updated as appropriate in the selected site, domain, or OU.
8. Repeat this procedure to update the GPO for other sites, domains, or OUs.
Configuring Policies
To manage users and computers, you'll want to configure the administrative template policies. These policies provide easy access to registry-based policy settings that control the operating system, Windows components, and programs. Although earlier versions of Windows that support Group Policy use Administrative Template (.ADM) files with a proprietary markup language to store registry-based policy settings, Windows Vista uses a standards-based Extensible Markup Language (XML) file format called ADMX. Unlike .ADM files, which are stored in the GPO to which they relate, .ADMX files are stored in a central repository. In domains, central storage of .ADMX files makes them easier to work with and manage.
Viewing Policies and Templates
As shown in Figure 8-2, you can view the currently configured templates in the Group Policy Object Editor's Administrative Templates node, which contains policies that can be configured for local systems, OUs, domains, and sites. Different sets of templates are found under Computer Configuration and User Configuration. You can add templates containing new policies, both manually in the Group Policy console and when you install new Windows components.
Figure 8-2: Set user and computer policies through administrative templates.
Any changes you make to policies available through the administrative templates are saved in the registry. Computer configurations are saved in HKEY_LOCAL_MACHINE, and user configurations are saved in HKEY_USER. Browsing the Administrative Templates node in the Group Policy Object Editor is the best way to become familiar with available administrative template policies. As you browse the templates, you'll find that policies are in one of three states:
Not Configured The policy isn't used, and its settings do not impact the existing configuration on the computer.
Enabled The policy is active, and its settings are saved in the registry.
Disabled The policy's enabled behavior is turned off. The policy may have a specific disabled behavior that is contrary to its enabled setting. This setting is saved in the registry.
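The following PowerShell is an added example, not code from the book: it reads a constructed ADMX fragment (the element names follow the ADMX schema; the policy names, registry key, and value names are invented for illustration) and reports, for each policy it defines, which of the three states the corresponding registry value on the local computer reflects.

```powershell
# Added example, not from the book: parse an ADMX fragment and report the state
# (Not Configured, Enabled, Disabled) of each policy it defines on this computer.
# The policy names, key, and value names below are constructed for illustration;
# the element names (policyDefinitions, policy, enabledValue, disabledValue)
# follow the ADMX schema used by real templates.
[xml]$admx = @'
<policyDefinitions revision="1.0" schemaVersion="1.0">
  <policies>
    <policy name="Sample_AllowFeature" class="Machine" displayName="$(string.Sample_AllowFeature)"
            key="Software\Policies\Example\Sample" valueName="AllowFeature">
      <enabledValue><decimal value="1"/></enabledValue>
      <disabledValue><decimal value="0"/></disabledValue>
    </policy>
    <policy name="Sample_ShowBanner" class="User" displayName="$(string.Sample_ShowBanner)"
            key="Software\Policies\Example\Sample" valueName="ShowBanner">
      <enabledValue><decimal value="1"/></enabledValue>
      <disabledValue><decimal value="0"/></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@

function Get-PolicyState {
    param([System.Xml.XmlElement]$Policy)
    # Machine-class policies are written under HKLM, user-class policies under
    # the current user's hive, matching the split the text describes.
    $hive = if ($Policy.class -eq 'User') { 'HKCU:' } else { 'HKLM:' }
    $path = Join-Path $hive $Policy.key
    $item = Get-ItemProperty -Path $path -Name $Policy.valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not Configured' }   # nothing was written to the registry
    $actual = $item.($Policy.valueName)
    # A policy without an enabledValue element stores its settings in child
    # elements instead; any value present then means the policy was enabled.
    if (-not $Policy.enabledValue) { return 'Enabled' }
    if ("$actual" -eq $Policy.enabledValue.decimal.value)  { return 'Enabled' }
    if ("$actual" -eq $Policy.disabledValue.decimal.value) { return 'Disabled' }
    return "Unrecognized value ($actual)"
}

$admx.policyDefinitions.policies.policy | ForEach-Object {
    [pscustomobject]@{
        Policy   = $_.name
        Class    = $_.class
        Registry = "$(if ($_.class -eq 'User') { 'HKCU' } else { 'HKLM' })\$($_.key)\$($_.valueName)"
        State    = Get-PolicyState -Policy $_
    }
} | Format-Table -AutoSize
```

Point the same function at a real template from the central store to see which of its policies a given computer has actually received.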
Enabling, Disabling, and Configuring Policies
In the Group Policy Object Editor, you'll find administrative templates in two nodes: Computer Configuration and User Configuration. In most cases, the policies in these areas don't overlap or conflict with each other. If there is a conflict, however, computer policies have precedence, which means that the computer policy is the one that is enforced. Later in this chapter, you'll find details on commonly used policies and how to employ them.
You can enable, disable, and configure policies by completing the following steps:
1. Access the Group Policy Object Editor for the resource you want to work with. Then in the Computer Configuration or User Configuration node, whichever is appropriate for the type of policy you want to set, access the Administrative Templates folder.
2. In the left pane, click the subfolder containing the policies you want to work with. The related policies are displayed in the right pane.
3. Double-click or right-click a policy and select Properties to display its Properties dialog box.
4. Click the Explain tab to see a description of the policy, if one is available.
5. To set the policy's state, click the Setting tab and then use the following buttons to change the state of the policy:
   - Not Configured The policy is not configured.
   - Enabled The policy is enabled.
   - Disabled The policy is disabled.
6. If you enabled the policy, set any additional parameters specified on the Setting tab and then click Apply.
7. Use the Previous Setting and Next Setting buttons to manage other policies in the current folder. Then configure them as discussed in steps 4–6.
8. Click OK when you're finished managing policies.
Adding or Removing Templates
You can add or remove template folders in the Group Policy Object Editor. To do this, complete the following steps:
1. Access the Group Policy Object Editor for the site, domain, or OU you want to work with.
2. In the Computer Configuration or User Configuration node, whichever is appropriate for the type of template you want to add or remove, right-click the Administrative Templates folder and select Add/Remove Templates. This displays the Add/Remove Templates dialog box, shown in Figure 8-3.
Figure 8-3: Use the Add/Remove Templates dialog box to add more templates or remove existing ones.
3. To add new templates, click Add. Then, in the Policy Templates dialog box, select the template you want to add and click Open.
4. To remove an existing template, select the template to remove and then click Remove.
5. When you're finished adding and removing templates, click Close.
Working with File and Data Management Policies
Every system administrator should be familiar with file and data management policies, which affect the amount of data a user can store on systems, how offline files are used, and whether the System Restore feature is enabled.
Configuring Disk Quota Policies
Policies that control disk quotas are applied at the system level. You access these policies through Computer Configuration\Administrative Templates\System\Disk Quotas. The available policies are summarized in Table 8-1.
Table 8-1: Disk Quota Policies
| Policy Name | Description |
|---|---|
| Apply Policy To Removable Media | Determines whether to extend quota policies to NTFS volumes on removable media. If you do not enable this policy, quota limits only apply to fixed media drives. |
| Default Quota Limit And Warning Level | Sets a default quota limit and warning level for all users. This setting overrides other settings and only affects new users of a volume. |
| Enable Disk Quotas | Turns disk quotas on or off for all NTFS volumes of the computer and prevents users from changing the setting. |
| Enforce Disk Quota Limit | Specifies whether quota limits are enforced. If quotas are enforced, users are denied disk space if they exceed the quota. This overrides settings on the Quota tab on the NTFS volume. |
| Log Event When Quota Limit Exceeded | Determines whether an event is logged when users reach their limit and prevents users from changing their logging options. |
| Log Event When Quota Warning Level Exceeded | Determines whether an event is logged when users reach the warning level. |
Whenever you work with quota limits, you'll want to use a standard set of policies on all systems. Typically, you won't want to enable all the policies. Instead, selectively enable policies and then use the standard NTFS features to control quotas on various volumes. If you want to enable quota limits, use the following technique:
1. Access Group Policy for the system, site, domain, or OU you want to work with. Next, access the Disk Quotas node through Computer Configuration\Administrative Templates\System\Disk Quotas.
2. Double-click Enable Disk Quotas. On the Setting tab, select Enabled and then click Next Setting. This displays the Enforce Disk Quota Limit Properties dialog box.
3. If you want to enforce disk quotas on all NTFS volumes residing on this computer, select Enabled. Otherwise, select Disabled and then set specific limits on a per volume basis, as discussed in Chapter 11, "Configuring Advanced Windows Explorer Options, Offline Files, and Disk Quotas." Click OK.
4. Double-click Default Quota Limit And Warning Level. The Default Quota Limit And Warning Level Properties dialog box, shown in Figure 8-4, appears. Select Enabled.
Figure 8-4: Use the Default Quota Limit And Warning Level Properties dialog box to establish disk quota values.
5. Under Default Quota Limit, set a default limit that is applied to new users when they first write to the quota-enabled volume. The limit does not apply to current users and doesn't affect current limits. On a corporate share, such as a share used by all members of a team, a good limit is between 1 gigabyte (GB) and 3 GB. Of course, this depends on the size of the data files the users routinely work with. Graphic designers and data engineers, for example, might need much more disk space.
6. Scroll down in the subwindow provided on the Setting tab to set a warning limit as well. A good warning limit is about 90 percent of the default quota limit, meaning that if you set the default quota limit to 1 GB, you'd set the warning limit to 900 MB. Click OK.
7. Double-click Log Event When Quota Limit Exceeded. The Log Event When Quota Limit Exceeded Properties dialog box appears. Select Enabled so that limit events are recorded in the application log. Click OK.
8. Double-click Log Event When Quota Warning Level Exceeded. The Log Event When Quota Warning Level Exceeded Properties dialog box appears. Select Enabled so that warning events are recorded in the application log. Click OK.
9. Double-click Apply Policy To Removable Media. The Apply Policy To Removable Media Properties dialog box appears. Select Disabled so that the quota limits only apply to fixed media volumes on the computer. Click OK.
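An added example, not from the book, that checks whether a computer has actually received the quota baseline the steps above establish. It assumes the registry value names the DiskQuota ADMX template writes under Software\Policies\Microsoft\Windows NT\DiskQuota (Enable, Enforce, LogEventOverLimit, LogEventOverThreshold, ApplyToRemovableMedia, and Limit/LimitUnits with Threshold/ThresholdUnits); run it on a target computer after a gpupdate.

```powershell
# Added example, not from the book: compare the disk quota policy values applied
# to this computer with the baseline set by the procedure above.
# Value names are assumed from the DiskQuota ADMX template; the key is under
# HKLM because these are Computer Configuration policies.
$QuotaKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DiskQuota'

# Baseline from the steps: quotas on and enforced, both events logged,
# removable media excluded (1 = Enabled, 0 = Disabled).
$Baseline = [ordered]@{
    Enable                = 1   # Enable Disk Quotas
    Enforce               = 1   # Enforce Disk Quota Limit
    LogEventOverLimit     = 1   # Log Event When Quota Limit Exceeded
    LogEventOverThreshold = 1   # Log Event When Quota Warning Level Exceeded
    ApplyToRemovableMedia = 0   # Apply Policy To Removable Media
}

function Test-DiskQuotaPolicy {
    param(
        [string]$Path = $QuotaKey,
        [System.Collections.IDictionary]$Expected = $Baseline
    )
    # A missing key or value means that policy is Not Configured on this computer.
    $current = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $results = foreach ($name in $Expected.Keys) {
        $actual = if ($null -ne $current) { $current.$name } else { $null }
        $shown  = if ($null -eq $actual) { 'Not Configured' } else { $actual }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $shown
            Compliant = ($actual -eq $Expected[$name])
        }
    }
    # The warning level should sit at about 90 percent of the default limit;
    # the ratio is only meaningful when both values carry the same unit code.
    if ($current -and $current.Limit -and $current.Threshold) {
        $percent = if ($current.LimitUnits -eq $current.ThresholdUnits) {
            [math]::Round($current.Threshold / $current.Limit * 100)
        } else { 'units differ' }
        $results += [pscustomobject]@{
            Setting = 'Warning level as % of limit'; Expected = 90
            Actual  = $percent;                      Compliant = ($percent -eq 90)
        }
    }
    return $results
}

Test-DiskQuotaPolicy | Format-Table -AutoSize
```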
Configuring System Restore Policies
System Restore is designed to save the state of system volumes and enable users to restore a system in the event of a problem. It is a helpful feature for the average user, but it can use a tremendous amount of disk space. As you learned in Chapter 2, "Managing Windows Vista Systems," you can turn System Restore off for individual drives or for all drives on a computer.
In the Group Policy console, you'll find the System Restore policies under Computer Configuration\Administrative Templates\System\System Restore. Through System Restore policies, you can override and disable management of this feature. The following policies are available:
Turn Off System Restore If you enable this policy, System Restore is turned off and can't be managed using the System utility or the System Restore Wizard. If you disable this policy, System Restore is enforced and cannot be turned off.
Turn Off Configuration If you enable this policy, you prevent configuration of the System Restore feature. Users can't access the Settings dialog box but can still turn off System Restore. If you disable this policy, users can access the Settings dialog box but can't manipulate it, and they can still turn off System Restore.
To configure System Restore policies, follow these steps:
1. Access Group Policy for the system, site, domain, or OU you want to work with. Next, access the System Restore node by expanding Computer Configuration\Administrative Templates\System\System Restore.
2. To enable or disable System Restore, double-click Turn Off System Restore. On the Setting tab, select either Enabled or Disabled as appropriate. Click OK.
3. To enable or disable configuration of System Restore, double-click Turn Off Configuration. On the Setting tab, select either Enabled or Disabled as appropriate. Click OK.
Configuring Offline File Policies
Offline file policies are set at both the computer and the user level, and there are identically named policies at each level. If you work with identically named policies at both levels, keep in mind that computer policies override user policies and that these policies may be applied at different times.
The primary policies you'll want to use are summarized in Table 8-2. As the table shows, most offline policies affect access, synchronization, caching, and encryption. You'll find Offline File policies under Computer Configuration\Administrative Templates\Network\Offline Files and User Configuration\Administrative Templates\Network\Offline Files.
Table 8-2: Offline File Policies
| Policy Type | Policy Name | Description |
|---|---|---|
| Computer | Allow Or Disallow Use Of The Offline Files Feature | Forces enabling or disabling of the Offline Files feature and prevents overriding by users. Enables administrative control of Offline File settings for a system. |
| Computer | At Logoff, Delete Local Copy Of User's Offline Files | At logoff, cleans up the offline file cache on the local computer. |
| Computer | Configure Slow-Link Mode | Controls how slow links are used. Enabled: slow link values for each shared folder used with Offline Files are configured. Disabled: offline files will not use slow link mode. |
| Computer | Default Cache Size | Limits size of automatically cached offline files and prevents users from changing related options. Enabled: you can set a cache size. Disabled: the limit is 10 percent of drive space. |
| Computer | Encrypt The Offline Files Cache | Determines whether offline files are encrypted to improve security. |
| Computer | Files Not Cached | Lists types of files, by file extension, that cannot be used offline. |
| Computer | Subfolders Always Available Offline | Makes subfolders available offline when a parent folder is available offline. |
| Computer | Turn On Economical Application Of Administratively Assigned Offline Files | Determines how administratively assigned files and folders are synced at logon. Enabled: only new files and folders are synced at logon. Disabled: all files and folders are synced at logon. |
| Computer/User | Action On Server Disconnect | Specifies how the system responds when a server becomes unavailable. The Work Offline action ensures offline files are available. |
| Computer/User | Administratively Assigned Offline Files | Using Universal Naming Convention (UNC) paths, specifies files and folders that are always available offline. |
| Computer/User | Event Logging Level | Ensures offline file events are logged in the application log. |
| Computer/User | Prevent Use Of Offline Files Folder | Prevents users from accessing the Offline Files folder. Users can't view their copies of cached files, but they can still work offline. |
| Computer/User | Prohibit "Make Available Offline" For These Files And Folders | Prohibits users from making specific files and folders available offline. Enter UNC paths to resources. |
| Computer/User | Prohibit User Configuration Of Offline Files | Prevents users from enabling, disabling, and configuring Offline Files. This locks down the default settings for Offline Files. |
| Computer/User | Remove "Make Available Offline" | Prevents users from making files available offline. |
| Computer/User | Synchronize All Offline Files Before Logging Off | Forces full synchronization before users log off and prevents them from changing synchronization timing. |
| Computer/User | Synchronize All Offline Files When Logging On | Forces full synchronization when users log on and prevents them from changing synchronization timing. |
| Computer/User | Synchronize Offline Files Before Suspend | Forces synchronization before a computer goes into standby or hibernate mode. You can specify quick or full synchronization. |
| User | Do Not Automatically Make Redirected Folders Available Offline | By default, if Folder Redirection is configured, these folders are available offline automatically. Enabled: automatic redirection turned off. Users can, however, enable offline use of the redirected folders. |
Setting Offline File Configuration Policies
Offline file configuration can be easily controlled through policy. You can allow users to specify which files and folders should be available offline, prevent them from configuring offline file features on their own, and allow them to work offline but not access other cached resources. Follow these steps to set offline file configuration policies:
1. Access Group Policy for the system, site, domain, or OU you want to work with. Most offline file policies can be configured in either computer or user policy (with user policies having precedence by default) by using the Offline Files node. You can access the policies for offline files either by expanding Computer Configuration\Administrative Templates\Network\Offline Files or User Configuration\Administrative Templates\Network\Offline Files unless specifically noted otherwise.