Overview
Introduction to Managing User Environments
Control What Users Can Do in Their Environments
Use Group Policy Settings to Control User Environments
Apply Group Policy to a Container to Immediately Define a User Environment for a New User or Computer
Configure and Centrally Manage User Environments
Enforce standard configurations
Limit user access to portions of the operating system
Ensure that users always have their data
Restrict the use of Windows 2012 tools and components
Populate user desktops
Secure the user environment
Introduction to Administrative Templates
What Are Administrative Templates?
How Computers Apply Administrative Template Settings
Administrative Template Settings Modify Registry Settings That Control User Environments
Settings Modify Registry Settings in the Registry Subtrees
HKEY_LOCAL_MACHINE for computer settings
HKEY_CURRENT_USER for user settings
If a GPO No Longer Applies, Policy Settings Are Removed
Windows 2012 Applies Both Group Policy and Local Default-Registry Settings Unless There Is a Conflict
Group Policy Objects and Active Directory Containers
Registry.pol Files Contain the Template Settings and Values
Client computer starts, retrieves a list of GPOs that apply, and user logs on
Client computer connects to SYSVOL and locates the Registry.pol files
Client computer writes to the registry subtrees (HKLM and HKCU)
Logon dialog box (for computer) or the desktop (for user) appears
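The Registry.pol step above, as an added example that is not part of the original course material: a small Python parser that lists the registry values a Registry.pol file would write, so a GPO can be audited offline. The layout used (a `PReg` signature, version 1, then UTF-16LE `[key;value;type;size;data]` records) is the documented Registry.pol format rather than something stated on this page. The `hive` argument is an assumption supplied by the caller, and the sample file is constructed, using the registry values behind "Remove Run menu from Start menu" and "Disable Task Manager".

```python
import struct

def _expect(blob, pos, ch):
    if blob[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _read_sz(blob, pos):
    end = pos
    while blob[end:end + 2] != b"\x00\x00":
        if end + 2 > len(blob):
            raise ValueError("unterminated string")
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 2

def parse_registry_pol(blob, hive):
    """Return (hive, key, value, data) per UTF-16LE [key;value;type;size;data] record."""
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("missing PReg signature or unsupported version")
    pos, out = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _read_sz(blob, pos)          # NUL-terminated key path
        pos = _expect(blob, pos, ";")
        value, pos = _read_sz(blob, pos)        # NUL-terminated value name
        pos = _expect(blob, pos, ";")
        reg_type = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        data = blob[pos:pos + size]
        pos = _expect(blob, pos + size, "]")    # also fails if data is truncated
        if reg_type == 4 and size == 4:         # REG_DWORD
            data = struct.unpack("<I", data)[0]
        elif reg_type in (1, 2):                # REG_SZ / REG_EXPAND_SZ
            data = data.decode("utf-16-le").rstrip("\x00")
        out.append((hive, key, value, data))
    return out

def _record(key, value, dword):
    # Constructed sample data: serialise one REG_DWORD record.
    u = lambda s: s.encode("utf-16-le")
    return (u("[" + key + "\0;" + value + "\0;") + struct.pack("<I", 4) + u(";")
            + struct.pack("<I", 4) + u(";") + struct.pack("<I", dword) + u("]"))

EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
SAMPLE = (b"PReg" + struct.pack("<I", 1)   # constructed two-record file
          + _record(EXPLORER, "NoRun", 1) + _record(SYSTEM, "DisableTaskMgr", 1))
```

Pass `"HKLM"` for a file taken from a GPO's Machine folder and `"HKCU"` for one from its User folder; `parse_registry_pol(SAMPLE, "HKCU")` returns the two constructed settings.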
Using Administrative Templates in Group Policy
Types of Administrative Template Settings
Setting types | Controls
Windows Component | The parts of Windows 2012 and its tools and components to which users can gain access, including MMC
System | Logon and logoff, Group Policy, disk quotas, and loopback policy
Network | The properties of network connections and dial-in connections
Printers | Printer settings that can force printers to be published in Active Directory and disable Web-based printing
Start Menu & Taskbar | What users can gain access to from the Start menu and what makes the Start menu read-only
Desktop | The Active Desktop, including what appears on desktops, and what users can do with the My Documents folder
Control Panel | The use of Add/Remove Programs, Printers, and Display in Control Panel
Settings for Locking Down the Desktop
Group Policy Settings to Lock Down the Desktop
Hide all icons on desktop
Don’t save settings at exit
Hide these specified drives in My Computer
Remove Run menu from Start menu
Prohibit user from running Display control panel
Disable and remove links to Windows Update
Disable changes to Taskbar and Start Menu settings
Disable/Remove the Shut Down command
Settings for Locking Down User Access to Network Resources
Group Policy Settings to Lock Down User Access to Network Resources
Hide My Network Places icon on desktop
Remove the “Map Network Drive” and “Disconnect Network Drive”
Tools menu: Disable Internet Options… menu option
Settings for Locking Down User Access to Administrative Tools and Applications
Group Policy Settings to Lock Down User Access to Administrative Tools and Applications
Remove Search menu from Start menu
Remove Run menu from Start menu
Disable Task Manager
Run only allowed Windows applications
Remove the Documents menu from the Start menu
Disable changes to Taskbar and Start Menu settings
Hide common program groups in Start menu
The Loopback Processing Mode Setting in Group Policy
The Loopback Processing Mode Setting:
Applies Configuration Settings to Computers
Is Used for Computers Dedicated to Specific Tasks
Can Be Set to Either Replace Mode or Merge Mode
Implementing Administrative Templates
Selecting One of the Three States Configures a Setting
Configuring the Same Setting Differently in Different GPOs Creates Conflicts
Assigning Scripts with Group Policy
What Are Group Policy Script Settings?
Group Policy Script Settings Allow You to:
Centrally Configure Scripts to Run Automatically at Startup and Shutdown, and When Users Log On and Log Off
Manage and Configure User Environments
The Process of Applying Script Settings with Group Policy
Processing Order
Windows 2012 Processes Multiple Scripts From Top to Bottom
When a user starts a computer and logs on:
a. Startup scripts run
b. Logon scripts run
When a user logs off and shuts down a computer:
a. Logoff scripts run
b. Shutdown scripts run
Assigning Group Policy Script Settings
Using Group Policy to Redirect Folders
What Is Folder Redirection?
Advantages of Folder Redirection
=> Data Is Always Available to Users Regardless of the Computer Logged on to
=> Data Is Centrally Stored for Ease of Management and Backup
=> Network Traffic Is Generated Only When Users Gain Access to Files
=> Files Are Not Saved on the Client Computer
Selecting the Folders to Redirect
Folder | Contains | Redirect to a server so that
My Documents | A user’s personal data | Users can access their data from any computer, and this data can be backed up and managed centrally
Start Menu | Folders and shortcuts on the Start menu | Users’ Start menus are standardized
Desktop | All files and folders that a user places on the desktop | Users have the same desktop regardless of the computer to which they log on
Application Data | User-specific data stored by applications | Applications use the same user-specific data for a user regardless of the computer to which the user logs on
Redirecting Folders to a Server Location
Using Group Policy to Secure the User Environment
Enable a User to Manage Group Policy Links for a Site, Domain, or OU by:
Assigning the user read and write permissions to the gPLink and gPOptions attributes of the site, domain, or OU
Using the Delegation of Control wizard
Enable a User or Group to Create GPOs by:
Adding the user or group to the Group Policy Creator Owners group
Enable a User to Edit GPOs by:
Assigning the user read and write permissions to the GPO
Making the user a member of the Domain Admins, Enterprise Admins, or Group Policy Creator Owners group
Granting the user access to the GPO by using the Security tab in the GPO Properties dialog box
Troubleshooting User Environment Management
Monitoring Group Policy
Enabling Diagnostic Logging to the Event Log
Causes Group Policy to generate detailed events in the Event Log
Enabling Verbose Logging
Tracks all changes and settings applied to the local computer and the users who log on to the computer
Involves the addition of the registry keys for verbose logging
Group Policy Troubleshooting Tools
Windows 2012 Support Tools for Group Policy Troubleshooting:
Netdiag.exe
Replmon.exe
Windows 2012 Resource Kit Tools for Group Policy Troubleshooting:
Gpotool.exe
Gpresult.exe
Troubleshooting Group Policy
Cannot Access or Open the Group Policy Object
Group Policy Settings Not Taking Effect as Expected
Best Practices
Limit the Use of Blocking, No Override, and Filtering of GPOs