Module 5: Using Group Policy to Manage User Environments

Contents

Overview
Introduction to Managing User Environments
Using Administrative Templates
Lab A: Using Administrative Templates to Assign Registry-Based Policies
Using Scripts
Lab B: Assigning Script Policies to Users and Computers
Best Practices
Review

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 1999 Microsoft Corporation. All rights reserved.

Microsoft, Active Desktop, Active Directory, PowerPoint, Visual Basic, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective owners.

Project Lead and Instructional Designer: Mark Johnson
Instructional Designers: Aneetinder Chowdhry (NIIT Inc.), Kathryn Yusi (Independent Contractor)
Lead Program Manager: Ryan Calafato
Program Manager: Joern Wettern (Wettern Network Solutions)
Graphic Artist: Julie Stone (Independent Contractor)
Editing Manager: Tina Tsiakalis
Substantive Editor: Kelly Baker (Write Stuff)
Copy Editor: Wendy Cleary (S&T OnSite)
Online Program Manager: Nikki McCormick
Online Support: Arlo Emerson (MacTemps)
Compact Disc Testing: Data Dimensions, Inc.
Production Support: Arlene Rubin (S&T OnSite)
Manufacturing Manager: Bo Galford
Manufacturing Support: Mimi Dukes (S&T OnSite)
Lead Product Manager, Development Services: Elaine Nuerenberg
Lead Product Manager: Sandy Alto
Group Product Manager: Robert Stewart

Introduction

Presentation: 60 Minutes
Lab: 75 Minutes

This module provides students with the knowledge and skills to manage user environments by using Group Policy. Students will learn to manage user environments by configuring the administrative template settings in Group Policy. Students will also learn how to use Group Policy to run scripts at designated times.

In the two hands-on labs in this module, students will have a chance to configure, apply, and test the settings in Group Policy. In the first lab, students will configure settings in both of the Administrative Templates extensions in Group Policy, and then test the settings that they configured. In the second lab, students will implement the running of logon and logoff scripts by using the Scripts extension in Group Policy.

Materials and Preparation

This section provides you with the materials and preparation needed to teach this module.

Materials

To teach this module, you need the following materials:

- Microsoft® PowerPoint® file 1558a_05.ppt

Preparation

To prepare for this module, you should:

- Read all the materials for this module.
- Complete the labs.
- Study the review questions and prepare alternative answers to discuss.
- Anticipate questions that students may ask. Write out the questions and provide the answers.
- Read the white papers, Introduction to IntelliMirror and Introduction to Windows 2000 Change and Configuration Management, on the Student Materials compact disc.
- Look at the Web site on Windows Script Host at: http://msdn.microsoft.com/scripting/

Instructor Setup for a Lab

This section provides setup instructions required to prepare the instructor computer or classroom configuration for a lab.

Lab A: Using Administrative Templates to Assign Registry-Based Policies

No setup required for the instructor computer.

Lab B: Assigning Script Policies to Users and Computers

To prepare for the lab:

- Ensure that students can access the \\london\scripts shared folder and that this folder contains the contents of the Student\Labfiles\Lab05\Scripts folder. This folder should have been created during classroom setup.

Module Strategy

Use the following strategy to present this module:
- Introduction to Managing User Environments
  In this topic, you will introduce managing user environments by configuring the Administrative Templates and Scripts Group Policy extensions. Emphasize that configuring user environments by using Group Policy allows you to immediately apply the environments to users or computers by adding the user or computer to the organizational unit (OU) affected by the settings. Briefly mention the task for managing user environments.

- Using Administrative Templates
  In this topic, you will explain how to use administrative template settings to manage user environments. First, present administrative templates. Emphasize that although they are registry-based settings, they do not permanently change the registry. Then present how computers apply Group Policy registry settings. Use the animated slide. Emphasize that settings and values are located in the Registry.pol file. Next, present information on the loopback Group Policy settings. Show students the loopback settings in Administrative Templates. Next, present the different types of settings in Administrative Templates. Then present the type of settings to use if an administrator wants to lock down user environments. Emphasize that this is only an example and not a recommendation. Finally, present information on implementing administrative template settings while demonstrating the process.

- Lab A: Using Administrative Templates to Assign Registry-Based Policies
  Prepare students for the lab in which they will configure administrative template settings for users and computers and then test the configuration. Make sure that students run the command file for the lab and tell them that they will have to initiate replications between their domain controllers and their partner's domain controllers. After students have completed the lab, ask them if they have any questions.

- Using Scripts
  In this topic, you will explain how to use Group Policy to run scripts. First, present how Group Policy handles scripts. Emphasize that script settings allow an administrator to automate the running of scripts at specific times (startup, shutdown, and when a user logs on or logs off). Then present the order in which Microsoft® Windows® 2000 processes scripts. Emphasize that startup scripts run synchronously, and define the term if needed. Finally, present information on how to implement scripts. Demonstrate the process.

- Lab B: Assigning Script Policies to Users and Computers
  Prepare students for the lab in which they will configure script settings for logon and logoff scripts and then test the configuration. After students have completed the lab, ask them if they have any questions.

- Best Practices
  Present best practices for using Group Policy to manage user environments.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

Important: The labs in this module are also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for course 1558A, Advanced Administration for Microsoft Windows 2000.

Lab Setup

The following list describes the setup requirements for the labs in this module.

Setup Requirement

The labs in this module require a regular user account for the student. To prepare student computers to meet this requirement, create the user account manually.

Setup Requirement

The labs in this module require the Log on locally right for domain controllers to be assigned to the Everyone group. To prepare student computers to meet this requirement, perform one of the following actions:
- Run C:\MOC\Win1558A\Labfiles\Lab05\Setup\Lab05.cmd
- Assign the right manually.

Setup Requirement

The labs in this module require that a shortcut for Active Directory Domains and Trusts, Active Directory Users and Computers, and Active Directory Sites and Services exists on the desktop of the regular user account. To prepare student computers to meet this requirement, perform one of the following actions:

- Log on to the domain by using the regular user account and run C:\MOC\Win1558a\Labfiles\Lab05\Setup\Lab05.cmd
- Create the shortcuts manually and place them in C:\Winnt\Profiles\All Users\Desktop

Setup Requirement

The labs in this module require the following OUs and users in the student's domain. A number (1 or 2) assigned by you is to be substituted for the variable x in the labs. One student in each pair uses number 1, the other student uses number 2.

This OU                 In this organizational unit
East                    Domain Controllers
West                    Domain Controllers
Sales x                 Top Level OU in the domain
Telemarketing           Sales x
Retail                  Sales x

This user account       In this organizational unit
Sales User x            Sales x
Telemarketing User x    Telemarketing
Retail User x           Retail

To prepare student computers to meet this requirement, perform one of the following actions:

- Run C:\MOC\Win1558A\Labfiles\Lab05\Setup\Lab05.cmd
- Create the OUs and user accounts manually.

Lab Results

Performing the labs in this module introduces the following configuration changes:

- Students move their domain controllers to the East OU or West OU if they have not been moved already.
- Students create a Group Policy object (GPO) linked to the East OU or West OU in their domains that contains security template and Audit policy settings.
- Students remove GPOs linked to the East OU or West OU in their domains.

Important: You can run C:\MOC\Win1558A\Labfiles\Lab05\Setup\Lab05rm.cmd to remove most configuration changes introduced during the labs in the module. Remove the Log on locally right from the Everyone group manually. Manually delete the GPOs created by students.

Overview

Slide Objective: To provide an overview of the module topics and objectives.

Slide:
- Introduction to Managing User Environments
- Using Administrative Templates
- Using Scripts
- Best Practices

Lead-in: In this module, you will learn about using Group Policy to manage user environments. The Group Policy settings that you use most frequently to manage user environments are administrative templates and scripts.

Briefly present the course objectives. Do not go into detail on this topic.

To manage user environments effectively, you need to ensure that users have access to the resources that they require to do their jobs—and only those resources. Microsoft® Windows® 2000 allows you to reduce the complexity of user environments and remove the possibility of users corrupting their environments or spending time on unnecessary applications, software, or files. This can lower your total cost of ownership (TCO) by ensuring that users are always able to perform their job responsibilities and are not distracted by unnecessary software or configuration options.

By using the Administrative Templates and Script extensions in Group Policy, you can set up the environments for multiple users once, and then rely on Windows 2000 to continually implement and apply the settings that you specify to computers and users.

At the end of this module, you will be able to:

- Identify the benefits of controlling user environment settings by using Group Policy.
- Use the administrative template settings in Group Policy to control and configure user environments.
- Use script settings in Group Policy to run scripts that help control user environments.
- Apply best practices for managing user environments.

Introduction to Managing User Environments

Slide Objective: To explain how managing user environments by using Group Policy settings simplifies network administration.

Slide:
- Control What Users Can Do in Their User Environments
- Provide Users with Only the Resources That They Need to Do Their Jobs
- Use Group Policy Settings to Manage User Environments
- Use Group Policy to Immediately Define a User Environment for a New User or Computer
- Perform the Tasks to Manage User Environments

[Slide diagram: Administrative Templates (Registry-Based) Settings and Scripts Settings control user environments]

Lead-in: Managing user environments means controlling what users can do when logged on to the network, as well as what appears on their desktops.

Describe the tasks involved in managing user environments with Group Policy. Do not go into too much detail, because this is an introductory topic.

Managing user environments means controlling what users can do when logged on to the network. You do this by controlling their desktops, network connections, and user interfaces. You want to ensure that users have what they need to perform their jobs, but you do not want to give them the ability to accidentally corrupt their environments by incorrectly configuring the environments.

Remind students that they can set up Group Policy once, and then Windows 2000 will continually enforce it.

The types of Group Policy settings that you typically use to manage user environments are administrative template settings (registry-based settings) and script settings. You configure these settings in Group Policy in the Administrative Templates and Script extensions.

Key Points: If you have used Group Policy to set up user environments for an Active Directory™ directory service container, such as an organizational unit (OU), any computer or user that you add to that OU has the Group Policy applied to him or her automatically.

If Group Policy settings that control user environments are set up for an OU, when an administrator adds a new user or computer to that OU, the Group Policy settings immediately apply. This means that the user environment is immediately set up for that user or computer.

Administrators can use Group Policy to provide users with what they need to do their jobs while curtailing user actions that could accidentally corrupt the user environments.

To manage user environments, perform the following tasks:

- Enforce standard desktops. Group Policy settings provide a quick and easy way to enforce standards, ranging from logon and password settings to mandating the use of a particular wallpaper or screen saver. In this way, you prevent users from making changes to their desktops that could make them more complex than necessary.
- Limit user access to selected portions of the operating system. You can remove users' ability to open Control Panel and prevent users from shutting down their computers. By preventing users from gaining access to critical operating system components and configuration options, you reduce the possibility of users corrupting their systems and the number of technical support calls required. For example, you can remove users' ability to open Control Panel or prevent users from shutting down their computers.

Task / Detail

No    Does the My Network Places icon appear on the desktop?
No    Can users map network drives by right-clicking My Computer or using the Tools menu in Windows Explorer?
No    Does the Control Panel icon appear on the Settings menu?
No    Does the Printer icon appear on the Settings menu?
No    Do the Taskbar and Start menu icons appear on the Settings menu?
No    Does the Control Panel icon appear in the My Computer window?
No    Does the Windows Update icon appear on the Start menu?
No    Can users create new scheduled tasks by clicking the Start button, pointing to Programs, pointing to Accessories, pointing to System Tools, and then clicking Scheduled Tasks?

Are all of the restrictions and capabilities enforced for the user? Why?

No. Because the user in the Telemarketing OU is logging on to a domain controller in the East or West OU. The GPO linked to that OU contains a computer policy setting that disables the Add Scheduled Task wizard. Because computer policy settings override user settings, the user in the Telemarketing OU cannot create a new task.

Task: Log off Windows 2000
a) Log off Windows 2000.

Using Scripts

Slide Objective: To introduce running scripts by using Group Policy.

Lead-in: Group Policy allows you to automate the running of scripts.

Slide:
- What Are Group Policy Script Settings?
- Processing Order of Group Policy Scripts
- Using Group Policy to Implement Scripts

Group Policy script settings allow you to automate the running of scripts. There are script settings under both Computer Configuration and User Configuration in Group Policy. You can use Group Policy to run scripts when a computer starts and shuts down, and when a user logs on and logs off. As with all Group Policy settings, you configure a setting once, and Windows 2000 continually implements and enforces it throughout your network.

What Are Group Policy Script Settings?

Slide Objective: To explain Group Policy script settings.

Lead-in: Using Group Policy script settings, you can set up scripts to run automatically at specific times.

[Slide diagram: Group Policy runs scripts at Startup, User Logs On, User Logs Off, and Shutdown]

Slide: Script Settings:
- Automate When Scripts Run
- Can Include Batch Files, Executable Programs, and Windows Script Host Scripts
- Can Be Used to:
  - Perform tasks not possible through other Group Policy settings
  - Run pre-existing scripts

Point students to the Web site for Windows Script Host at: http://msdn.microsoft.com/scripting/

Group Policy script settings allow you to centrally configure scripts to run automatically at startup and shutdown, and when users log on and log off. You can specify any script that runs in Windows 2000, including batch files, executable programs, and Windows Script Host supported scripts. For more information about Windows Script Host, see the Web site at: http://msdn.microsoft.com/scripting/

Key Points: Administrators can use the Scripts extension in Group Policy to run batch files, executable programs, and Windows Script Host supported scripts. If an administrator needs a Group Policy that cannot be implemented by any existing Group Policy setting, that administrator can set up a script to accomplish the wanted result and then run the script through Group Policy.

To help you manage and configure user environments, you can:

- Run scripts that perform tasks that you cannot configure through other Group Policy settings. For example, you can populate user environments with network connections, printer connections, shortcuts to applications, and corporate documents. You can also use scripts to clean up desktops when users log off and shut down computers. You can remove connections that you added with logon or startup scripts so that the computer is left in the same state as when the user started the computer.
- Run pre-existing scripts already set up to manage user environments until you have set up other Group Policy settings to replace the tasks that these scripts perform.

Note: Windows 2000 enables you to assign logon scripts individually to user accounts in the Properties dialog box for each user account. However, Group Policy is the preferred method of running scripts because you can manage these scripts centrally, along with startup, shutdown, and logon scripts.

Processing Order of Group Policy Scripts

Slide Objective: To explain how Windows 2000 processes script settings in Group Policy.

Slide: Processing Order
- When a user starts a computer and logs on:
  a. Startup scripts run
  b. Logon scripts run
- When a user logs off and shuts down a computer:
  a. Logoff scripts run
  b. Shutdown scripts run

Lead-in: Windows 2000 processes Group Policy scripts in a particular order.
Delivery Tip: On the Script tab of the Startup Properties dialog box, demonstrate the order in which startup scripts run. To open the dialog box, double-click Startup in Computer Configuration\Windows Settings\Scripts.

Key Points: By default, startup scripts run hidden and synchronously. Running synchronously means that each script must complete or time out before the next script starts to run. By default, logon scripts run hidden and asynchronously. Running asynchronously means that the scripts can run simultaneously. Windows 2000 processes startup scripts in a specific order.

How Windows 2000 processes and applies Group Policy script settings affects when scripts run. If there is a conflict between different scripts, the script processed last prevails. Windows 2000 processes and runs Group Policy scripts in the following order:

1. When a user starts a computer and logs on, the following occurs:
   a. Startup scripts are hidden (not visible to the user) and run synchronously by default. When scripts run synchronously, each script must complete or time out before the next one starts.
   b. Logon scripts are hidden and run asynchronously by default. When scripts run asynchronously, a script does not have to complete before another script runs. Multiple scripts can run at the same time. If there are non-Group Policy logon scripts associated with a specific user account, these scripts run after the Group Policy logon scripts run for the user account.
2. When a user logs off and shuts down a computer, the following occurs:
   a. Logoff scripts run.
   b. Shutdown scripts run.

When you assign multiple startup scripts to run, Windows 2000 executes the scripts in a specific sequence. This sequence is from top to bottom as listed on the Script tab of the Startup Properties dialog box.

Note: The default timeout value for processing scripts is 10 minutes. If a script requires more than 10 minutes to process, you must adjust the timeout value by configuring the wait time in Computer Configuration\Administrative Templates\System\Logon\Maximum wait time for Group Policy scripts. This setting affects all scripts that run, not just logon scripts.

Using Group Policy to Implement Scripts

Slide Objective: To explain how to set up Group Policy scripts.

[Slide: Logon Properties dialog box listing the logon scripts Development.vbs and Information Services.vbs, with the callouts "Copy the script to the appropriate GPT" and "Add the script to the appropriate GPO"]

Lead-in: To implement scripts by using Group Policy, you add the script to the appropriate script setting.

Mention the secondary logon Note in the student text for this topic.

Implementing a script means adding that script to the GPT. You use Group Policy to add the script. This also designates when the script runs, because you add it to the appropriate setting (startup, shutdown, logon, or logoff).

Delivery Tip: Demonstrate adding a startup script by using Group Policy. Then show students where the script resides in the GPT. The path to the location in the GPT is systemroot\SYSVOL\sysvol\domain_name\policies\GPO_GUID_identifier\machine\scripts\Startup

Key Point: A script must reside in the GPT to run as a Group Policy script. By adding a script to one of the Group Policy script settings, you can determine when it runs.

To add a script to a GPT, perform the following tasks:

1. Copy an existing script to the appropriate folder in the GPT in the Sysvol folder (startup, shutdown, logon, and logoff). The script must reside in the GPT so that the computers that run the script can locate it.
2. Add the script to a GPO that is linked to an Active Directory container. If necessary, provide any command-line parameters required for the script. Parameters are arguments used by command-line scripts that modify the way that the command performs tasks.

Note: You cannot add a script to a GPT if you used a secondary logon to open Group Policy. When you attempt to copy the script, Group Policy starts Windows Explorer as a second application under your primary logon credentials. Unless your primary logon has administrative privileges, you will not have permission to copy files into the GPT.

To copy an existing script into the appropriate GPT, perform the following steps:

1. Locate the script on your hard disk by using Windows Explorer.
2. Open the appropriate GPO in Group Policy, and under either Computer Configuration (for startup and shutdown scripts) or User Configuration (for logon and logoff scripts), expand Windows Settings, and then expand Scripts.
3. Double-click the appropriate script type (Startup, Shutdown, Logon, or Logoff), and then click Show Files.
4. Copy the script file from Windows Explorer to the window that appears, and then close the window.

To add a script to a GPO, perform the following steps:

1. In the Properties dialog box for the script type, click Add, click Browse, select a script, and then click Open.
2. Add any necessary script parameters, and then click OK.

Note: For information about creating a script in the Microsoft Visual Basic®, Scripting Edition (VBScript) language, see course 1080, Essentials of Microsoft® Visual Basic® Scripting Edition 3.0. To view the course, open the Student Materials Web page on the Student Materials compact disc.

Lab B: Assigning Script Policies to Users and Computers

Slide Objective: To introduce the lab.

Lead-in: In this lab, you will set up scripts to run automatically at designated times.

Explain the lab objectives. Ensure that students run the cmd file before they start the lab.

Objectives

After completing this lab, you will be able to configure, apply, and test script policies.
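
One way to review what the GPT script folders described under Using Group Policy to Implement Scripts contain, as an added example that is not part of the courseware: the PowerShell function below (the name Get-GpoScriptInventory is hypothetical) lists every script assigned in a GPT and every file that sits in a script folder without being assigned. It assumes that assignments are recorded in each GPT's scripts.ini file, which the module does not describe, and it runs here against a constructed sample tree.

```powershell
# Added example (not part of the courseware): read-only inventory of the
# script folders inside every Group Policy template (GPT) under a Policies path.
# Assumption: assignments are recorded in Machine\Scripts\scripts.ini and
# User\Scripts\scripts.ini as "<n>CmdLine=" / "<n>Parameters=" entries.

function Get-GpoScriptInventory {
    param([Parameter(Mandatory = $true)][string]$PoliciesPath)

    # Script type -> folder that holds it, relative to the GPT root.
    $layout = [ordered]@{
        Startup  = 'Machine\Scripts'
        Shutdown = 'Machine\Scripts'
        Logon    = 'User\Scripts'
        Logoff   = 'User\Scripts'
    }

    foreach ($gpt in Get-ChildItem -LiteralPath $PoliciesPath -Directory) {
        foreach ($type in $layout.Keys) {
            $base   = Join-Path $gpt.FullName $layout[$type]
            $folder = Join-Path $base $type
            $ini    = Join-Path $base 'scripts.ini'

            # Collect the CmdLine entries found in the [<type>] section.
            $assigned = @()
            $section  = ''
            if (Test-Path -LiteralPath $ini) {
                foreach ($line in Get-Content -LiteralPath $ini -Force) {
                    if ($line -match '^\s*\[(.+)\]\s*$') {
                        $section = $Matches[1]
                    } elseif ($section -eq $type -and $line -match '^\s*(\d+)CmdLine=(.*)$') {
                        $assigned += [pscustomobject]@{
                            Order   = [int]$Matches[1]
                            CmdLine = $Matches[2].Trim()
                        }
                    }
                }
            }

            # Assigned scripts, in the order Group Policy lists them.
            foreach ($a in ($assigned | Sort-Object Order)) {
                $hash = $null
                if ([System.IO.Path]::IsPathRooted($a.CmdLine)) {
                    $status = 'Assigned, path outside GPT folder'
                } else {
                    $path = Join-Path $folder $a.CmdLine
                    if (Test-Path -LiteralPath $path -PathType Leaf) {
                        $status = 'Assigned'
                        $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                    } else {
                        $status = 'Assigned, not found in GPT folder'
                    }
                }
                [pscustomobject]@{
                    Gpo = $gpt.Name; Type = $type; Order = $a.Order
                    Script = $a.CmdLine; Status = $status; Sha256 = $hash
                }
            }

            # Files present in the folder that no assignment refers to.
            if (Test-Path -LiteralPath $folder) {
                foreach ($f in Get-ChildItem -LiteralPath $folder -File -Force) {
                    if ($assigned.CmdLine -notcontains $f.Name) {
                        [pscustomobject]@{
                            Gpo = $gpt.Name; Type = $type; Order = $null
                            Script = $f.Name; Status = 'In GPT folder, not assigned'
                            Sha256 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
                        }
                    }
                }
            }
        }
    }
}

# Constructed sample tree (not real GPO data) so the function can be run offline.
$root  = Join-Path ([System.IO.Path]::GetTempPath()) ('gpt-demo-' + [guid]::NewGuid())
$gpt   = Join-Path $root '{00000000-0000-0000-0000-000000000001}'
$logon = Join-Path $gpt 'User\Scripts\Logon'
New-Item -ItemType Directory -Path $logon -Force | Out-Null
Set-Content -LiteralPath (Join-Path $logon 'Sales Logon.vbs') -Value "' constructed placeholder"
Set-Content -LiteralPath (Join-Path $logon 'Leftover.bat') -Value 'rem constructed placeholder'
$iniText = @'
[Logon]
0CmdLine=Sales Logon.vbs
0Parameters=
1CmdLine=\\fileserver.example\share\Extra.vbs
1Parameters=
'@
Set-Content -LiteralPath (Join-Path $gpt 'User\Scripts\scripts.ini') -Value $iniText -Encoding Unicode

Get-GpoScriptInventory -PoliciesPath $root | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

On a domain controller, point -PoliciesPath at the policies folder under systemroot\SYSVOL\sysvol\domain_name and compare the hashes between runs to see which script files changed.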
Prerequisites Before working on this lab, you should have a working knowledge of: ?? Active Directory Users and Computers ?? Using Run as to run applications as another user Lab Setup To complete this lab, you need the following: ?? A computer running Microsoft® Windows® 2000 Server configured as a domain controller in a child domain of nwtraders.msft ?? A folder on the London computer shared as Scripts that contains the contents of the Student\Labfiles\Lab05 folder on the Trainer Materials compact disc ?? A number (1 or 2) assigned by your instructor to be substituted for the x variable in this lab One student in each pair uses number 1, the other student uses number Write your assigned number here _ ?? To log on as Administrator@domain.nwtraders.msft (where domain is your domain name) with a password of password and run C:\MOC\Win1558a\Labfiles\Lab05\Setup\Lab05.cmd ?? To create a regular user account for yourself while logged on as Administrator, if you have not created such an account in a previous lab Make a note of the logon name and the password of the user account here _ Estimated time to complete this lab: 30 minutes Module 5: Using Group Policy to Manage User Environments 29 Exercise 1: Implementing Script Policies Scenario: All Sales users in your organization need to run scripts to configure their desktop environments at logon and perform cleanup tasks at logoff Retail users must run additional scripts to configure their computers to use proprietary software You need to assign the following script policy for users in the Sales organizational unit (OU) and its child OUs: ?? All users in the Sales OU and the child OUs must run the Sales Logon.vbs script at logon ?? All users in the Sales OU and the child OUs must run the Sales Logoff.vbs script at logoff ?? 
All users in the Retail OU must run the Retail Logon.vbs script and the Retail Config.vbs script at logon.

Your Tasks:
Create a GPO called Sales x Script Policy linked to the Sales x OU. After the GPO is configured, replicate the changes that you made to the other domain controller in your domain, then restart your computer to ensure that the policy settings have been applied.

Task: Create a GPO called Sales x Script Policy linked to the Sales x OU
  a) Log on as Administrator@domain.nwtraders.msft with a password of password.
     Note: You are logging on as Administrator because later in this exercise, you will be adding new logon scripts to Group Policy objects (GPOs). While you can use Run as to configure existing scripts in a GPO, in this prerelease version of Windows 2000 you must be logged on as Administrator to add them.
  b) In the console tree, expand your domain, right-click Sales x (where x is your assigned number), and then click Properties.
  c) On the Group Policy tab, click New, type Sales x Script Policy and then press ENTER.

Task: Copy the Sales Logon.vbs script to the Logon folder in the Sales x Script Policy Group Policy template (GPT)
  a) With Sales x Script Policy selected, click Edit.
  b) In the Group Policy console tree, expand User Configuration, expand Windows Settings, and then click Scripts (Logon/Logoff).
  c) In the details pane, double-click Logon, and in the Properties dialog box for Logon, click Show Files.
     A window appears, showing the contents of the Logon folder in the GPT for this GPO, which is currently empty. Before you can assign a logon script by using this GPO, you must copy the script file to the GPT.
  d) Click Start, click Run, type \\london\scripts and then click OK.
  e) Copy the Sales Logon script from the Scripts folder to the Logon folder.
  f) Minimize the Scripts window, and close the Logon window. Leave the Properties dialog box for Logon open.

Task: Assign the Sales Logon script in the GPO
  a) In the Properties dialog box for Logon, click Add.
  b) In the Add a Script dialog box, click Browse, select the Sales Logon script, click Open, and then click OK.
  c) Click OK to close the Properties dialog box for Logon. Leave Group Policy open.

Task: Copy the Sales Logoff script to the Logoff folder in the Sales x Script Policy GPT
  a) In the details pane, double-click Logoff.
  b) In the Properties dialog box for Logoff, click Show Files.
  c) Restore the Scripts window and copy the Sales Logoff script to the Logoff folder.
  d) Minimize the Scripts window, and close the Logoff window. Leave the Properties dialog box for Logoff open.

Task: Assign the Sales Logoff script in the GPO
  a) In the Properties dialog box for Logoff, click Add.
  b) In the Add a Script dialog box, click Browse, select Sales Logoff, click Open, and then click OK.
  c) Click OK to close the Properties dialog box for Logoff, and then close Group Policy.
  d) Click Close to close the Properties dialog box for Sales x, and then return to Active Directory Users and Computers.

Task: Create a GPO called Retail x Script Policy linked to the Retail OU
  a) In the console tree, expand your domain, expand Sales x, right-click Retail, and then click Properties.
  b) On the Group Policy tab, click New, type Retail x Script Policy and then press ENTER.

Task: Copy the Retail Logon.vbs and Retail Config.vbs scripts to the Logon folder in the Retail x GPO
  a) With Retail x Script Policy selected, click Edit.
  b) In the Group Policy console tree, expand User Configuration, expand Windows Settings, and then click Scripts (Logon/Logoff).
  c) In the details pane, double-click Logon, and in the Properties dialog box for Logon, click Show Files.
  d) Restore the Scripts window and copy the Retail Logon and Retail Config scripts from the Scripts folder to the Logon folder.
  e) Minimize the Scripts window and close the Logon window. Leave the Properties dialog box for Logon open.

Task: Assign the Retail logon scripts in the GPO
  a) In the Properties dialog box for Logon, click Add.
  b) In the Add a Script dialog box, click Browse, select Retail Logon script, click Open, and then click OK.
  c) In the Properties dialog box for Logon, click Add.
  d) In the Add a Script dialog box, click Browse, select Retail Config script, click Open, and then click OK.
  e) Click OK to close the Properties dialog box for Logoff, and then close Group Policy.
  f) Click Close to close the Properties dialog box for Retail, and then close Active Directory Users and Computers.

Task: Replicate Active Directory™ directory service changes to other domain controllers
  a) Start Windows Explorer, expand the MOC\Win1558a\Labfiles folder on drive C, and then double-click Replicate.
  b) Log off Windows 2000.

Exercise 2: Testing Script Policies

Scenario: You need to ensure that the correct logon and logoff scripts execute when users in the Sales x and Retail OUs log on and log off Windows 2000.

Your Tasks:
Verify that the correct logon and logoff scripts execute for users in the Sales and Retail OUs.

Task: Log on to your domain as SalesUserx and verify that the Sales Logon.vbs script executes
  a) Log on as SalesUserx@domain.nwtraders.msft with a password of password.
  b) Answer the following question: Did the logon script execute? Why or why not?
     Yes. The logon script setting assigned to the Sales x OU will execute for users in the Sales x OU and all three child OUs.

Task: Log off Windows 2000 to verify that the Sales Logoff.vbs script executes
  a) Log off Windows 2000.
  b) Answer the following question: Did the logoff script execute? Why or why not?
     Yes. The logoff script setting assigned to the Sales x OU will execute for users in the Sales x OU and all three child OUs.

Task: Log on to your domain as RetailUserx to verify that the Sales Logon.vbs, the Retail Logon.vbs, and the Retail Config.vbs scripts execute
  a) Log on as RetailUserx@domain.nwtraders.msft with a password of password.
  b) Answer the following question: What logon scripts executed? Why?
     The Sales Logon, Retail Logon, and Retail Config scripts executed. The logon script setting assigned to the Sales x OU will execute for users in the Sales x OU and all three child OUs. The logon script setting assigned to the Retail OU executes for users in the Retail OU.

Task: Log off Windows 2000 to verify that the Sales Logoff.vbs script executes
  a) Log off Windows 2000.
  b) Answer the following question: Did the logoff script execute? Why or why not?
     Yes. The logoff script setting assigned to the Sales x OU will execute for users in the Sales x OU and all three child OUs, including Retail.

Exercise 3: Removing Group Policies

Scenario: To prevent the logon and logoff scripts from executing so that you can continue to use these OUs and accounts for test purposes, you need to remove the GPOs that you created in the lab.

Your Tasks:
Delete the Sales x Script Policy and Retail x Script Policy GPOs. After the GPOs are deleted, replicate the changes that you made to the other domain controller in your domain.

Task: Remove the Sales x Script Policy GPO
  a) Log on as user@domain.nwtraders.msft (where user is the account that you created for yourself).
  b) Right-click the shortcut on your desktop to Active Directory Users and Computers, and then click Run as.
  c) In the Run As Other User dialog box, type administrator@domain.nwtraders.msft in the User name box, type password in the Password box, delete the contents of the Domain box, and then click OK.
  d) In the console tree, expand your domain, right-click Sales x, and then click Properties.
  e) On the Group Policy tab, click Sales x Script Policy if necessary, and then click Delete.
  f) In the Delete dialog box, click Remove the link and delete the Group Policy Object permanently, and then click OK.
  g) When prompted to confirm the action, click Yes.

Task: Remove the Retail x Script Policy GPO
  a) In the console tree, expand your domain, expand Sales x, right-click Retail, and then click Properties.
  b) On the Group Policy tab, click Retail x Script Policy, and then click Delete.
  c) In the Delete dialog box, click Remove the link and delete the Group Policy Object permanently, and then click OK.
  d) When prompted to confirm the action, click Yes.

Task: Replicate Active Directory changes to other domain controllers
  a) Start Windows Explorer, expand the C:\MOC\Win1558a\Labfiles folder, and then double-click Replicate.
  b) Log off Windows 2000.

Best Practices

Slide Objective: To present the best practices for managing user environments.
Lead-in: Review this checklist before you use Group Policy to manage user environments.

Slide:
- Create the Minimal Number of GPOs Required
- Place All Computers Affected by Loopback in the Same OU
- Configure User Settings to Control Desktops
- Always Test the Effects of Administrative Template Settings
- Make Sure That Scripts Run in the Preferred Order

Briefly, go over best practices with students.

The following list provides best practices for managing user environments:

- Create a minimal number of GPOs containing administrative template settings. Because there are so many of these settings, it can be difficult to manage user environments properly if you create too many GPOs containing these settings.
- You should place all computers to which you want to apply the loopback setting in their own OU. There should not be any user accounts in that OU. Then you can create and link a GPO with configured settings that specifically set up the user environment on these computers.
- Except for special situations (such as kiosk computers), configure user settings, rather than computer settings, to control user desktops. In this way, you can control what users can do regardless of the computer to which they log on.
- Always test the effects of administrative template settings. Create a test environment that is parallel to your production environment. Give selected users an additional user account that resides in a test OU and have them perform their normal tasks to ensure that there are no problems. If you are going to lock down user desktops, you want to ensure that you have the correct settings configured so that you do not inadvertently disrupt users’ work.
- Make sure that scripts run in the preferred order so that you get the proper results. Windows 2000 processes Group Policy settings in a particular order. This process determines the order in which scripts run and the effects they have on computers and users.

Review

Slide Objective: To reinforce module objectives by reviewing key points.
Lead-in: The review questions cover some of the key concepts taught in the module.

Slide:
- Introduction to Managing User Environments
- Using Administrative Templates
- Using Scripts
- Best Practices

Please take a few minutes to answer the questions, and then we will discuss them as a class.

Have the students go over the review questions on their own for to 10 minutes, and then go over the answers as a group.

Employees of the Production department do not need access to the Internet to perform their jobs. The department manager wants to deny access to the Internet so that she does not have to monitor employees. What can you do to accomplish this?
     By using Windows 2000 Group Policy administrative template settings, you can control what users can gain access to from their computers, including the Internet.

You do not want users to be able to open Control Panel and gain access to Display or any of the other applications. What do you do?
     Configure an administrative template setting (Start Menu & Taskbar\Disable Changes to Control Panel) that prevents users from modifying the Start menu and taskbar. Control Panel will not appear on the Start menu, and users will not be able to gain access to it.

Your network no longer needs a user administrative template setting that you configured. What do you do to change the registry back to the way it was before you configured the settings?
     You select the not configured state for the setting. Then the setting is not present in the Registry.pol file. The next time that the user starts the computer and logs on, the Registry.pol file does not contain this setting or its value, and it is not applied.

The Research department employees need a shortcut on their desktops to a special third-party application that resides on a network server. There are no existing Group Policy settings that can provide this shortcut. There is a Research Department OU. What can you do?
     Write a script to create shortcuts on users’ desktops that connect to the applications and documents. Use Group Policy script settings to automate the running of the script at logon and link the GPO containing the settings to the Research department OU.
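The last review answer calls for a logon script that creates desktop shortcuts. The following VBScript is an added example, not part of the course materials; the UNC path and the shortcut name are hypothetical placeholders.

```vbscript
' Added example (not from the course materials): logon script that places a
' shortcut to a network-hosted application on the user's desktop.
' ASSUMPTION: APP_TARGET and SHORTCUT_NAME are hypothetical placeholders.
Option Explicit

Const APP_TARGET    = "\\server\share\ResearchApp\ResearchApp.exe"
Const SHORTCUT_NAME = "Research Application.lnk"
Const EVENT_WARNING = 2   ' WshShell.LogEvent type for a warning entry

Dim shell, fso, desktopPath, linkPath, link

Set shell = CreateObject("WScript.Shell")
Set fso   = CreateObject("Scripting.FileSystemObject")

' Logon scripts run in the context of the user who is logging on, so
' SpecialFolders("Desktop") resolves to that user's own desktop folder.
desktopPath = shell.SpecialFolders("Desktop")
linkPath    = fso.BuildPath(desktopPath, SHORTCUT_NAME)

' Do not leave a dangling shortcut if the server or share is unreachable
' at logon; record a warning in the Application event log instead.
If Not fso.FileExists(APP_TARGET) Then
    shell.LogEvent EVENT_WARNING, "Logon script: " & APP_TARGET & _
        " is not reachable; desktop shortcut was not created."
    WScript.Quit 1
End If

' CreateShortcut opens the .lnk file if it already exists, so the target is
' rewritten at every logon and a user-modified or stale target is reset.
Set link = shell.CreateShortcut(linkPath)
link.TargetPath       = APP_TARGET
link.WorkingDirectory = fso.GetParentFolderName(APP_TARGET)
link.Description      = "Research department application"
link.WindowStyle      = 1   ' open in a normal window
link.Save

WScript.Quit 0
```

Copy the script into the GPO's Logon folder with Show Files and assign it with Add, as in Exercise 1, then link the GPO to the Research Department OU.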