6. You have been asked by your supervisor to duplicate the group policy settings of the Sales department for the Marketing department. A coworker suggests that instead of creating a new GPO for the Marketing OU, you can just link the existing Sales GPO to the Marketing OU.What are the guidelines for linking GPOs to a container? A. Each GPO can be linked to only one container. B. Each GPO must be linked to a container within the same domain. C. Only one GPO can be linked to the root domain container. D. Each GPO should be linked to a single container only one time. 7. You are the administrator for the corporate Active Directory network.There are four business units that are separated into individual domains that are rather large. How should you approach managing group policy for the corporation? A. Limit each business unit to one Default Domain Policy object in the root of each domain, and apply all policy settings for the domain in that object. B. Identify one or more users in each domain and delegate control to them to create and manage group policy for the domain while retaining the ability to manage policy for each domain. C. Give all users rights to manage group policy for themselves. D. Only allow the administrator to manage group policy for the company. Implementing Group Policy 8. You just took over as network administrator for a company.Your network consists of a single domain.The previous administrator had set up a group policy for the domain that allowed six unsuccessful logon attempts before an account would be locked out. A series of new computers has been purchased and deployed in the environment, and the local policy on these systems is set to allow three unsuccessful logon attempts before locking an account.You decide that you want to enforce account lockout to occur after three unsuccessful logon attempts across the company. How would you achieve this? A. Set the local policy on each PC to lock out accounts after three attempts, and set No Override on the local policy. B. Set group policy in a domain GPO to lock out accounts after three unsuccessful logon attempts. C. Set the Block Policy Inheritance on the group policy. D. Remove the local policies from each PC. www.syngress.com Working with Group Policy in an Active Directory Environment • Chapter 9 635 256_70-294_09.qxd 9/4/03 4:43 PM Page 635 9. You need to create a new GPO to enable settings for a particular OU.You open Active Directory Users and Computers and select the OU in the tree.What is the next step in the process of creating a GPO for this OU? A. From the Actions menu, select Create New GPO. B. Right-click on the OU and select Create New GPO. C. Right-click on the OU and select Properties. D. From the Actions menu, select Group Policy Object Editor. Performing Group Policy Administrative Tasks 10. You want to enforce minimum password lengths for all users in a particular domain. What is the best approach to doing this? A. Set the minimum password length policy in Computer Configuration | Windows Settings | Security Settings | Account Policies in the Default Domain Policies GPO. B. Set the minimum password length policy in User Configuration | Windows Settings | Security Settings | Account Policies in the Default Domain Policies GPO. C. Set the minimum password length policy in User Configuration | Windows Settings | Security Settings | Account Policies in the local policy for each com- puter on the network. D. Set the minimum password length policy in User Configuration | Windows Settings | Security Settings | Account Policies for each OU in the network. 11. You have been asked to set up folder redirection for a particular set of users. Upper management wants these particular users to have a consistent interface on their com- puters, specifically the appearance of the Desktop and Start menu.These users will not be contained in a separate OU, and management does not want a separate policy cre- ated for this function. How will you accomplish this task? A. Set up Basic folder redirection settings in an existing GPO for the Desktop and Start Menu folders, and filter access to the redirection settings based on security group. B. Set up Basic folder redirection settings for the Start Menu, and Advanced folder redirection settings for the Desktop folder. C. Set up Advanced folder redirection settings for the Start Menu, and Basic folder redirection settings for the Desktop folder. D. Set up Advanced folder redirection settings for both the Desktop and Start Menu folders, specifying the specific security groups that should have the folder redirections. www.syngress.com 636 Chapter 9 • Working with Group Policy in an Active Directory Environment 256_70-294_09.qxd 9/4/03 4:43 PM Page 636 Applying Group Policy Best Practices 12. You have been asked by your project team to draft a policy document for managing group policy within your Active Directory environment.This policy document needs to include a summary of the best practices for implementing group policy.Which of the following statements would you include in your policy document? (Choose all that apply.) A. Keep the number of GPOs being processed to a minimum. B. Change Registry settings through Group Policy wherever possible. C. Assign security permissions on GPOs to individual users. D. Maintain standard processing order whenever possible. 13. One of the best practices for redirecting the My Documents folder is to let group policy create a folder for each user in a common path.Why should you avoid redi- recting the My Documents folder to the user’s home folder on the network? (Choose all that apply.) A. You cannot set exclusive rights on the user’s home folder through group policy. B. After you redirect the My Documents folder to the user’s home folder, you will not be able to change the folder redirection settings. C. You cannot redirect the user’s My Pictures folder to the home folder. D. Users must belong to the Redirected Folder Users security group, a setting that is often overlooked by system administrators. Troubleshooting Group Policy 14. You have been asked to create a special policy environment for testing.You have been given the following requirements: Create a GPO called Test Settings in the root domain container.The settings of the Test Settings GPO should not apply to any users in Active Directory.You should be able to apply and remove the settings to/from an OU with minimal effort.Which of the following options meets these requirements? (Choose all that apply.) A. Set No Override at the domain level. B. Rename the Test Settings GPO to break the link to other containers. C. Set Block Policy Inheritance at the domain level. D. Remove the link to the Test Settings GPO from the domain container. www.syngress.com Working with Group Policy in an Active Directory Environment • Chapter 9 637 256_70-294_09.qxd 9/4/03 4:43 PM Page 637 15. A user complains that when he tries to save files to his My Documents folder, he keeps getting an error that he does not have permissions to write to the folder. He also tells you that when he looks at the files in his My Documents folder, he doesn’t see any files that he recognizes.The domain policy you created redirects the My Documents folder to a secured share on the network.You suspect that someone has made a change to group policy elsewhere in the domain. How can you find the policy that is impacting folder redirection? (Choose all that apply.) A. Run an RSoP logging query for the user with his computer and look in the results for the policy objects applied to the computer. B. Run an RSoP logging query for the user’s OU and look in the results for the policy objects applied to the user. C. Run an RSoP logging query for the user and his computer and look in the results for the policies applied to the user. D. Run an RSoP planning query for the computer, ignoring the user settings, and look in the results for the policy objects applied. www.syngress.com 638 Chapter 9 • Working with Group Policy in an Active Directory Environment 256_70-294_09.qxd 9/4/03 4:43 PM Page 638 www.syngress.com Working with Group Policy in an Active Directory Environment • Chapter 9 639 Self Test Quick Answer Key For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix. 1. B 2. C 3. B 4. A 5. B, D 6. D 7. B 8. B 9. C 10. A 11. D 12. A, D 13. A 14. D 15. C 256_70-294_09.qxd 9/4/03 4:43 PM Page 639 256_70-294_09.qxd 9/4/03 4:43 PM Page 640 641 Deploying Software via Group Policy Exam Objectives in This Chapter: 4.2.1 Distribute software by using Group Policy. 4.3.1 Distribute software by using Group Policy. 5.2 Maintain installed software by using Group Policy. 5.2.1 Distribute updates to software distributed by Group Policy. 5.2.2 Configure automatic updates for network clients by using Group Policy. Chapter 10 MCSA/MCSE 70-294  Summary of Exam Objectives  Exam Objectives Fast Track  Exam Objectives Frequently Asked Questions  Self Test  Self Test Quick Answer Key EXAM 70-294 OBJECTIVE 4.2.1 4.3.1 256_70-294_10.qxd 9/4/03 4:45 PM Page 641 Introduction In the preceding chapter, you learned what Group Policy is and how to work with Group Policy Objects (GPOs). One of the most important functions of Group Policy in an enter- prise-level network is the ability to automate software deployment throughout the organi- zation, saving network administrators and users a great deal of time and trouble. In this chapter, you will learn about Group Policy’s software installation feature.We’ll provide an understanding of the terminology and concepts behind software installation, and we’ll show you how to use the components of software installation:Windows installer pack- ages, transforms, patches, and application assignment scripts.You’ll find out how to deploy software to users and to computers by assigning or publishing applications. After covering the concepts, we walk you through the steps of preparing for Group Policy software installation, working with the GPO Editor and setting installation options. You’ll find out how to upgrade applications, configure automatic updates, and remove man- aged applications.We’ll also cover how to troubleshoot problems that can occur with Group Policy software deployment. Understanding Group Policy Software Installation Terminology and Concepts When Active Directory was first introduced in Windows 2000, one of its heralded features was the ability to distribute software via Group Policy. Although this was a welcome fea- ture, there were many skeptics. However, experience has shown that IntelliMirror tech- nology (of which Group Policy software installation is a part) makes an administrator’s job much easier when it comes to managing a large pool of users and workstations. Maintaining the correct applications, service packs, and so forth on users’ workstations can be a daunting task, but with Group Policy, software can be distributed, configured, and maintained in a centralized fashion. From the applications users need to complete their work, to patches and updates that fix bugs or enhance security, software deployment is a very powerful feature. To take full advantage of the software deployment component of Group Policy, you need an understanding of how it works “under the hood.”The first step in understanding is to review some of the basic terminology. Some of the terms associated with Group Policy software deployment may be unfa- miliar if you haven’t used this feature before. For example, we’ll be talking about two types of deployed applications: published and assigned. A published application is made available to users through the Add/Remove Programs applet in Control Panel. Each user has the option to install the application, or not, when it is published.An assigned application is “pulled” down to the user’s computer or the computer itself. During startup or logon, Group Policy assignments are checked. If software is part of a group policy linked to the organizational unit (OU), domain, or site, then the software is “advertised” to the user or to the computer. Advertising refers to making the application ready for installation when a www.syngress.com 642 Chapter 10 • Deploying Software via Group Policy 256_70-294_10.qxd 9/4/03 4:45 PM Page 642 www.syngress.com triggering action occurs (the user clicks the application shortcut, the user attempts to open a document associated with the application, or the computer starts up). Another term with which you’ll need to be familiar is software package or Windows Installer package. A package is a file with the .msi extension that contains a database with all the instructions and information necessary to install the application.We’ll talk about trans- forms, which are files with the .mst extension that make modifications to the database con- tained in the .msi file. If you don’t know the basic concepts, you can easily misconfigure software installation policies, and that can create problems on your network. Before implementing a new feature such as software installation, you should first ensure that you understand both the concepts and the procedures involved.Then, you can start to develop a software deployment plan. When you have a viable plan in place, you can begin to put the software installation feature to work for you on your network. In the next section, we will provide more detailed infor- mation about Group Policy software installation concepts. Deploying Software via Group Policy • Chapter 10 643 Planning for Software Deployment You should plan your software deployment strategy carefully before configuring software installation in Group Policy. This will save time and allow you to target the specific users and computers that need the software you are deploying. Best prac- tices include the following: ■ You can deploy software at the site, domain, or OU level. Microsoft rec- ommends that you deploy the software as high in the Active Directory hierarchy as possible, because this will prevent you from having to create numerous GPOs deploying the same software, for individual domains or OUs. ■ Rather than use separate GPOs to deploy multiple applications, it is easier to administer multiple applications from the same GPO. This also speeds up logon, since fewer GPOs have to be processed. ■ If your organizational needs dictate that there are a number of dif- ferent groups of users or computers that need different software deployed, you can create OUs for software management and place the appropriate users or computers in them, and then apply a different GPO to each OU. If you have several GPOs that apply to the same user or computer, remember that Group Policy is applied in the following sequence: at the site level, then at the domain level, and then at the OU level. Head of the Class… 256_70-294_10.qxd 9/4/03 4:45 PM Page 643 Group Policy Software Installation Concepts You can use Group Policy to deploy software within a domain environment by editing an existing GPO or creating a new one.The GPO must be applied to a domain, OU, or site in Active Directory.When you open a GPO that is applied to one of these units, you’ll see two nodes labeled Software Installation in the left pane of the Group Policy Editor con- sole: one that is under the Computer Configuration node and one that is under the User Configuration node. NOTE If you open the Local Group Policy object on a Windows XP or Windows Server 2003 computer that is a stand-alone computer or member of a workgroup, you will see that there are no Software Installation nodes under the Software Settings folder in either Computer Configuration or User Configuration. That’s because Group Policy software installation is supported only in a Windows 2000 or Server 2003 domain environment. You can use Group Policy to deploy software to computers running the following operating systems only: Windows 2000 Professional or Server, Windows XP Professional, and Windows 2003 Server. The computers must be members of an Active Directory domain. As mentioned earlier, Group Policy software installation deals with two basic types of software deployment: assigning and publishing.Which of these you choose determines when the software will actually be installed on the user’s workstation. In the following sections, we will look at exactly how each of these options works, and help you determine which is most appropriate for a given situation. Assigning Applications The first option is to assign an application.You should assign applications if you want selected users to have the applications available regardless of which computer they are logged on to. An assigned application will “follow” the user from computer to computer within the domain environment. Applications can be assigned to a user or to a computer by using the appropriate Software Installation node in Group Policy, as shown in Figure 10.1. Using the Software Installation node under Computer Configuration | Software Settings in the left pane of the Group Policy Editor console will allow you to assign the application to a com- puter. Using the Software Installation node under User Configuration | Software Settings in the same console tree will allow you to assign the application to a user. www.syngress.com 644 Chapter 10 • Deploying Software via Group Policy 256_70-294_10.qxd 9/4/03 4:45 PM Page 644 [...]... packages.With natively authored packages, there can be a declared upgrade relationship between a package that is an upgrade and other packages.This is part of the database information that makes up a package.The package will know what previous versions it can upgrade and how to handle issues such as files that need to be deleted or kept The one catch is that a declared upgrade relationship only works with natively... executables, DLLs, and knowledge of the Registry entries and shortcuts used by the program Veritas WinINSTALL LE, InstallShield, and other repackaging tools are available from Microsoft and third parties to help you create Installer packages and repackage existing packages The database design of the Installer package makes it fast to query and provides for smaller file sizes.The information in the tables... 669 256 _70-294 _10.qxd 670 9/4/03 4:45 PM Page 670 Chapter 10 • Deploying Software via Group Policy TEST DAY TIP Make sure you understand how zap files differ in terms of features and available options from Windows Installer packages, and know which options are available with msi packages that are not available with zap files Managing Application Properties After packages are configured, you generally will... author of the original package Such changes are better made via a transform NOTE An important advantage of using msi packages to install software is that Windows Installer uses elevated privileges This means that a user can install an application that is published or assigned to him or her without having to have the user rights that are normally required to install applications Using zap Setup Files It... install the application However, the published application will be installed via document invocation if file associations were set up within the package, which can result in the same problem of a user not realizing an installation is taking place and thinking there is a problem with the computer EXAM WARNING Be sure to have a good understanding of packages, transforms, patches, and application assignment... there is no need for that application in other departments For example, the Financial department may need accounting software that is not used elsewhere In other cases, an application is required for all those in a particular job function For example, all project managers may need a particular project management application, regardless of department.There are also times when an application must be distributed... original package file that allows you to customize the installation by including or excluding particular features A transform is applicable to a specific Windows Installer package Transforms are especially important when you are doing silent or unattended installations.The ability to add or remove certain features or make Registry changes in applying your package makes configuration easier for the administrator... means that if a software program was installed with Group Policy and later the account was moved to a different OU, the software could be uninstalled automatically You can also choose to have Object Linking and Embedding (OLE) information stored in Active Directory OLE can be a key part of user interaction and collaboration The File Extensions Tab The File Extensions tab is where you can associate documents... WinINSTALL LE interface Before you begin to create your own packages, you should configure a freshly installed workstation to use for this purpose.This will ensure that you have a clean Registry and standard configuration of the operating system Using a workstation that has had software installed and removed and other changes made to it can cause problems with package deployment If you cannot dedicate a workstation... names with application upgrades to keep things easy to administer Generally, when software is deployed as an upgrade, the user is prompted to install the upgrade or the user can select to wait until later if he or she is busy and wants to delay the installation As we saw earlier, most software installation packages will come from the software manufacturer.These are known as natively authored packages.With . be familiar is software package or Windows Installer package. A package is a file with the .msi extension that contains a database with all the instructions and information necessary to install. install and configure the software. It is essentially a relational database containing a number of tables that holds information about the application. The package can be configured to handle upgrades. automatically.This is also called on-demand installation. What happens if more than one application is associated with the same file extension? Normally, the associated application that was most