Administering Group Policy Chapter Eleven

Exam Objectives in this Chapter  Plan a Group Policy strategy using Resultant Set of Policy Planning mode  Troubleshoot Group Policy application deployment issues  Troubleshoot the application of Group Policy security settings  Redirect folders using Group Policy

In this Chapter:  Managing Group Policy with RSoP  Managing Special Folders with Group Policy  Troubleshooting Group Policy

To Complete this Chapter:  As outlined on pate 11-2

Understanding RSoP  Resultant Set of Policy (RSoP)  RSoP is the sum of the group policies applied to a user or computer.  RSoP is the sum of the policies applied to a user or computer, including the application of filters, such as through security groups and Windows Management Instrumentation (WMI), and exceptions, such as No Override and Block Policy Inheritance.

Generating RSoP Queries  The Resultant Set Of Policy Wizard uses existing GPO settings to report the effects of GPOs on users and computers.  Resultant Set Of Policy Wizard uses two modes : Logging mode Planning mode

Logging Mode  RSoP Logging mode enables you to review existing GPO settings, software installation applications, and security for a computer account or a user account Use Logging mode to  Find failed or overwritten policy settings  See how security groups affect policy settings  Find out how local policy is affecting group policies

Planning Mode  Using RSoP Planning mode, you can poll existing GPOs for policy settings, software installation applications, and security, and you can use WMI filter queries to read hardware and software properties.

Planning mode  Use Planning mode in the following situations: You want to test policy precedence in cases where…  The user and the computer are in different security groups  The user and the computer are in different OUs  The user or the computer is moving to a new location. You want to simulate a slow link You want to simulate loopback.

RSoP Planning Mode Options  Slow-network connection This option simulates a slow connection.  Loopback processing This option simulates enabling of the GPO setting User Group Policy Loopback Processing Mode, located in Computer Configuration, Administrative Templates, System, Group Policy.  can be set to Merge or Replace

RSoP Planning Mode Options  Site name This option simulates the application of alternate subnets for startup or logging on, enabling you to predict the RSoP if the subnet is changed.  Alternate user and computer locations This option simulates the application of alternate locations for both users and computers, enabling you to predict the RSoP if the user and/or computer is moved.

RSoP Planning Mode Options  Alternate user and computer security groups This option simulates the application of alternate security groups to both computer and user configurations, enabling you to predict the RSoP using security groups to filter GPO scope.

RSoP Planning Mode Options  WMI filters for users and computers This option simulates the use of WMI filters to help define the policy settings that are applied, enabling you to predict the RSoP using WMI queries to filter GPO scope.

Exam Tip  Make sure you understand the differences between using RSoP in Logging mode and in Planning mode.

Creating RSoP Queries  Mode Selection: Logging mode Planning mode

Creating RSoP Queries  Computer Selection: This computer Another computer

Creating RSoP Queries  User Selection: Current user Select a specific user

Creating RSoP Queries  Summary of Selections

RSoP Wizard  User and Computer Selection:

RSoP Wizard  Advanced Simulations Options:

RSoP Wizard  Alternate Active Directory Paths:

RSoP Wizard  User Security Groups:  Computer Security:

RSoP Wizard  WMI Filters for Users: All linked filters Only these filters

RSoP Wizard  Summary of Selections

Saving and Viewing RSoP Queries  Steps on pages 14 – 15.

Administrative Templates Results  Computer Configuration Properties filtering status  Displaying filtering status

Administrative Templates Results  Computer Configuration Properties Scope management  Displaying Scope management

Administrative Templates Results  Computer Configuration Properties Revision information  Displaying Revision information

Gpresult Command-Line Tool  Gpresult provides general information about the operating system, user, and computer.

Gpresult Command-Line Tool  Gpresult provides the following information about Group Policy: The last time Group Policy was applied and the domain controller that applied policy—for the user and for the computer The complete list of applied GPOs and their details, including a summary of the extensions that each GPO contains Registry settings that are applied and their details Folders that are redirected and their details Software management information, including details about assigned and published applications Disk quota information Internet Protocol (IP) security settings Scripts

Gpresult Command Parameters  Gpresult has the following syntax: gpresult [/s computer [/u domain\user /p password]] [/user username] [/scope {user|computer}] [/v] [/z]  Note table 11-4  Examples on page 11-21

Advanced System Information–Policy Tool  The Advanced System Information–Policy tool enables you to create an RSoP query and view the results in an HTML report that appears in the Help And Support Center window.  This report can be printed, and it can be saved to an.htm file.

Advanced System Information–Policy Tool  The report generated displays policy-related information for the following categories: Computer name, associated domain, and current site User name and associated domain Applied GPOs for the computer and user Security group memberships for the computer and user Microsoft Internet Explorer settings Scripts: logon, logoff, startup, shutdown Security settings Programs installed Folder redirection Registry settings

Advance System Information

Delegating Control of RSoP  Permission for generating an RSoP query is set for the domain or OU by selecting one of the Generate Resultant Set Of Policy Planning options in the Delegation Of Authority Wizard.  You must be a member of the Enterprise Administrators group to delegate RSoP control at the domain and site level

Practice:  Generating RSoP Queries Exercise 1: Creating an RSoP Query with the Resultant Set Of Policy Wizard Logging Mode  Page Exercise 2: Creating an RSoP Query with the Gpresult Command-Line Tool Exercise 3: Creating an RSoP Query with the Advanced System Information– Policy Tool  Page 11-25

Managing Special Folders with Group Policy  Two ways to set up folder redirection: 1. One location for everyone in the site, domain, or OU 2. A location according to security group membership  Folder Redirection  Offline Folder

Folder Redirection  You redirect users’ folders to provide a centralized location for key Microsoft Windows XP Professional folders on a server or servers.

Special Folders To Be Redirected:  Application Data  Desktop  My Documents  My Pictures  Start Menu

Advantages of Redirecting Folders  Documents are always available  When roaming user profiles are used, only the network path to the My Documents folder is part of the roaming user profile, not the My Documents folder itself.  Offline File technology provides users with access to My Documents even when they are not connected to the network

Advantages of Redirecting Folders  Data stored on a shared network server can be backed up as part of routine system administration  The system administrator can use Group Policy to set disk quotas, limiting the amount of space taken up by users’ special folders  Data specific to a user can be redirected to a different hard disk on the user’s local computer from the hard disk holding the operating system files.

Redirecting My Documents to Home Folders  When you redirect My Documents to a user’s home folder, the system assumes that the administrator has set the following items correctly: Security Ownership Home directory property on the user object

Default Special Folder Locations  Note table 11-5

Setting Up Folder Redirection  Two ways to set up folder redirection: Redirect special folders to one location for everyone in the site, domain, or OU. Redirect special folders to a location according to security group membership. Follow the steps on pages 30 – 37

Exam Tip  Be sure you know the two ways to set up folder redirection.

Policy Removal Considerations  Note table 11-6 page 11-38

Folder Redirection and Offline Files  The Offline Files feature provides users with access to redirected folders even when they are not connected to the network.  Offline Files caches files accessed through folder redirection onto the hard drive of the local computer.  When a user accesses a file in a redirected folder, the file is accessed and modified locally.  When a user has finished working with the file and has logged off, only then does the file traverse the network for storage on the server.

Folder Redirection Best Practices Allow the system to create the folders Use fully qualified UNC paths, for example: \\servername\sharename Accept defaults Place the My Pictures folder in the My Documents folder Consider what will happen if the policy is removed Do not redirect My Documents to the home folder unless you have already deployed home directories in your organization Enable Offline Files

Practice:  Managing Special Folders Exercise 1: Setting Up Folder Redirection Exercise 2: Setting Up Offline Files  Page 11-47

Troubleshooting Group Policy  Troubleshooting Group Policy involves using the Resultant Set Of Policy Wizard, the Gpresult and Gpupdate command-line tools, the Event Viewer, and log files to solve policy-related problems.

Tools include:  Resultant Set Of Policy Wizard and Gpresult  Gpupdate  Event Viewer To enable verbose logging for the event log, complete the steps on page  Log Files

Group Policy Troubleshooting Scenarios  Pages

Summary  Case Scenario Exercise Pages 59 – 60.  Troubleshooting Lab Pages  Exam Highlights Key points Key terms  Page 65