MCITP 70-640: Group Policy Software Install Demonstration

Description

This video looks at how to install, upgrade and remove software using Group Policy. The video also looks at how to set up a software share to store the install files and how software can be assigned and published.

Download the PDF handout for this video from http://ITFreeTraining.com/handouts/70-640/part3/gpsoftwaredeployment.pdf

GP Software Deployment
Before software is installed using Group Policy, a test is done to see how fast the connection is. By default, if the connection is slower than 500 Kbps it is considered slow. Group Policy will not install software over a slow link because of the time it would take to transfer the install files over the network. If you want to change the speed at which Group Policy considers a link slow, this can be done at the following location.
Computer Configuration\Policies\Administrative Templates\System\Group Policy\Group Policy Slow Link Detection

Demonstration
In order to install software using Group Policy, the install files must be readable by the computer applying the Group Policy. The install files can be on the local computer, but it is generally easier to put them on a file share. To share a folder, open the properties for that folder and select the Sharing tab. For installing software, you only need to ensure that read access is configured.

The settings for software installation in Group Policy are found in both user and computer configuration. They are found under Policies\Software Settings\Software Installation.
To set up a new software deployment, right-click Software Installation and select "New Package".

A dialog will appear giving you the following options: Published, Assigned or Advanced. Published will be greyed out for computer configuration. If you choose Published, some options may not be changeable later on, so it is recommended to choose Advanced so all options can be changed later.

There are many options that can be configured in the properties for the software install; some are listed below.

Uninstall the application when it falls out of the scope of management: If this option is ticked, the software will be uninstalled automatically when the Group Policy is no longer being applied to that user or computer.
Modifications tab: This tab allows you to assign an MST file to the package. An MST file can be created to configure options in the MSI package. The manufacturer of the software may have released an application that will create an MST file. An example can be found for Acrobat Reader at the following address: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4950
Upgrades tab: On this tab you can upgrade existing packages.

If software has been published, it can be installed by opening Programs and Features in the Control Panel and then selecting the option "Install a program from the network".

If you want to redeploy an application, this can be done by right-clicking the application, selecting All Tasks and then selecting the option "Redeploy application". You can also remove the application from the All Tasks menu if you want to. If you remove the application, you will get the option to allow the users to continue using the package or to remove the package straight away.
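The share described in the demonstration only needs to grant read access, and that restriction matters: the MSI files on that share are executed with SYSTEM rights on every client that applies the GPO, so anyone who can write to the share can replace the package. The following PowerShell script is an added example (not from the ITFreeTraining video or handout) that creates such a share with read-only permissions for domain computers and users, audits the folder for unintended write access, and reads back the current slow-link threshold from the policy location mentioned above. The folder path, share name and the use of the built-in Domain Computers and Domain Admins groups are assumptions; the registry value used for the slow-link check is, to my knowledge, the one behind the Group Policy Slow Link Detection setting and is only read, never changed.

```powershell
# Added example: build a read-only software deployment share and audit it.
# Assumes: run elevated on the file server (Windows Server 2012 or later for
# the SmbShare module), server is domain-joined, folder path/share name are
# placeholders.
param(
    [string]$Path      = 'D:\SoftwareShare',   # placeholder folder (assumed)
    [string]$ShareName = 'Software$',          # placeholder hidden share name (assumed)
    [string]$Domain    = $env:USERDOMAIN
)

# 1. Create the folder and replace its NTFS ACL: administrators and SYSTEM get
#    Full Control; computers (per-computer assignment) and authenticated users
#    (per-user assignment/publishing) get Read & Execute only.
New-Item -ItemType Directory -Path $Path -Force | Out-Null

$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited ACEs
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($principal in @('BUILTIN\Administrators', "$Domain\Domain Admins", 'NT AUTHORITY\SYSTEM')) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', $inherit, $prop, $allow)))
}
foreach ($principal in @("$Domain\Domain Computers", 'NT AUTHORITY\Authenticated Users')) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'ReadAndExecute', $inherit, $prop, $allow)))
}
Set-Acl -Path $Path -AclObject $acl

# 2. Share the folder. Share permissions are read-only for clients; the NTFS
#    ACL above remains the effective control.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path `
        -ReadAccess "$Domain\Domain Computers", 'NT AUTHORITY\Authenticated Users' `
        -FullAccess 'BUILTIN\Administrators' | Out-Null
}

# 3. Audit: list any Allow ACE that grants a write-type right to a principal
#    other than the administrative accounts we expect.
function Test-SoftwareShareAcl {
    param([string]$FolderPath)
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'
    $trusted   = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', "$Domain\Domain Admins", 'CREATOR OWNER')
    (Get-Acl -Path $FolderPath).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $writeBits) -ne 0) -and
            $trusted -notcontains $_.IdentityReference.Value
        } |
        Select-Object IdentityReference, FileSystemRights
}

$offenders = Test-SoftwareShareAcl -FolderPath $Path
if ($offenders) {
    Write-Warning "Non-administrative write access found on ${Path}:"
    $offenders | Format-Table -AutoSize
} else {
    Write-Output "OK: only administrators can write to $Path"
}

# 4. Read the slow-link threshold (Kbps). The value is absent when the policy
#    is Not Configured, which means the 500 Kbps default described in the video.
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$rate = (Get-ItemProperty -Path $key -Name GroupPolicyMinTransferRate -ErrorAction SilentlyContinue).GroupPolicyMinTransferRate
if ($null -eq $rate) { Write-Output 'Slow link threshold: 500 Kbps (default, policy not configured)' }
else                 { Write-Output "Slow link threshold: $rate Kbps (set by policy)" }
```

Run the audit function on its own against an existing share folder (Test-SoftwareShareAcl -FolderPath '\\server\share') whenever packages are added; an empty result is the expected state for a deployment share.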

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second Edition" pp. 353-361
"Upgrade an application" http://technet.microsoft.com/en-us/library/cc783421(v=ws.10).aspx
"Specifying Group Policy for Slow Link Detection" http://technet.microsoft.com/en-us/library/cc781031(v=ws.10).aspx


Related videos

MCITP 70-640: AppLocker

AppLocker allows the administrator to control which applications are run on the computers in your domain. Check out http://itfreetraining.com for more of our always free training videos. The rules AppLocker uses allow the scope of an application to be defined, like particular versions or newer versions, or can be narrowed down to a single application.

AppLocker
AppLocker was first added in Windows 7 and Windows Server 2008 R2 as a replacement for Software Restriction Policies. Software Restriction Policies did not have any wizards and thus are hard to configure. AppLocker adds a wizard and is much easier to configure than Software Restriction Policies. Since it is aimed towards business, it only works on Windows operating systems that were targeted for business. For the client operating systems these are Windows 7 Enterprise/Ultimate and Windows 8 Enterprise. For server operating systems these are Windows Server 2008 R2 Standard/Enterprise/Datacenter and Windows Server 2012 Standard/Datacenter.

AppLocker Features
AppLocker can be used to monitor and control software. When AppLocker is in audit mode it will only report which software is run. If you put AppLocker in enforce mode, this will allow the administrator to control which software is run. This allows a company to standardize which software is run and can be a tool used for software conformance.

AppLocker Rules
In order for AppLocker to work out which software is allowed to run and which software should be blocked, AppLocker supports 3 different types of rules.
Publisher: This rule relies on the executable being digitally signed. This allows Windows to determine the vendor, software title and version of the software. Publisher rules allow you to create a rule that can work with new software that was not released when the rule was created.
Hash: A hash rule puts the file through a mathematical formula to determine a value. Each file should create a different hash value, kind of like a fingerprint. This rule type can only match that executable and thus does not account for new versions of the software.
Path: This checks the location the file was run from. For example, if the executable is located in the Program Files directory.

Demonstration
AppLocker requires the Application Identity service to be running on the client. If this is not running or is stopped, AppLocker will stop working. This service can be configured in Group Policy at the following location to start automatically.
Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Application Identity
AppLocker is configured in Group Policy at the following location.
Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\AppLocker
To configure the default properties for AppLocker, select the option "Configure rule enforcement". Rules can be applied to executables, Windows Installer files and scripts. Once you enable the ones you want, you can select AppLocker to run in Audit mode or Enforce mode.
AppLocker has the option to automatically create rules. This will examine the computer and create rules based on the executables found on it. This step can be run on any computer; this includes a computer that cannot run AppLocker. You are best to run this on a computer that has the software installed on it that you use in your company, so AppLocker can create the correct rules.
You can also create default rules which will be used if no other rule matches. Without any default rules, if no match is found with the existing rules the software will not be allowed to run. This can prevent software in the operating system from running.

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second Edition" pp. 361-362
"AppLocker" http://technet.microsoft.com/en-us/library/dd723678
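To see the three rule types from the description applied to real files, the AppLocker PowerShell module can extract the publisher, hash and path information for a file and test it against the effective policy. The script below is an added example, not from the video; it assumes the AppLocker module is present (Windows 7 / Windows Server 2008 R2 or later), that the effective policy can be read on the machine it runs on, and the two sample paths are constructed placeholders.

```powershell
# Added example: evaluate files against the effective AppLocker policy.
# Assumes the AppLocker module; the file paths are constructed placeholders.
Import-Module AppLocker

# Effective policy as XML (local + domain policy as the computer sees it).
$policyXml = Get-AppLockerPolicy -Effective -Xml

$samplePaths = @(
    "$env:SystemRoot\System32\notepad.exe",      # typically covered by a default rule
    "$env:USERPROFILE\Downloads\installer.exe"   # placeholder path for a downloaded file
)

# For each file, show the attributes each rule type would match on:
# Publisher (signature), Hash (file hash) and Path (location).
$fileInfo = $samplePaths |
    Where-Object { Test-Path $_ } |
    Get-AppLockerFileInformation

$fileInfo | Select-Object Path, Publisher, Hash | Format-List

# Ask the policy what it would decide for a member of Everyone. In audit mode
# the same decisions appear as audit events rather than blocked launches.
$fileInfo |
    Test-AppLockerPolicy -XmlPolicy $policyXml -User 'Everyone' |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize
```

A file with no Publisher value is unsigned, so only a hash or path rule can ever allow it; running this over the folders your default rules cover is a quick way to check that operating-system binaries still receive an Allowed decision before switching from audit to enforce mode.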

6 years ago
MCITP 70-640: Group Policy Software Installation Introduction

This video will provide an introduction and explain the concepts of what can be achieved using Group Policy for installing and managing software. The next video will go through how to configure Group Policy to install and manage software in your organization.

Deployment Solutions
A deployment solution should manage software throughout the software cycle. The software cycle includes the install, maintenance and retirement of the software. Group Policy is a free software solution. Other solutions like Microsoft System Center Configuration Manager offer more features; however, they also cost money.

GPSI
Group Policy Software Installation (GPSI) is the system that Group Policy uses to install software. Software can be deployed per user or per computer. No additional software is required other than a domain infrastructure.

Assigning and Publishing
Software can be deployed by assigning or publishing. Publishing is available only to user configuration. Assigning is available for both user and computer configuration.
Publishing user: Software that is published needs to be installed by the user using the Control Panel. If the software supports it, the software can also be installed automatically if the user opens a file that is supported by that application. Publishing to the user also supports the ZAP file discussed later on.
Assigning computer: Software assigned to the computer is automatically installed on the computer before the user logs in.
Assigning user: Software that is assigned to the user is installed when the user launches the shortcut for that application.

MSI
Microsoft Software Installer (MSI) is a package format used by Windows Installer. It is essentially a database that defines how to install the software. It also includes information like what features and options are available when the software is installed. It is the primary format used to install software using Group Policy.

MST
Windows Installer transform (MST) is essentially a modification and answer file for an MSI package. Using an MST file, any changes to the MSI package can be applied. The advantage of this is that MST files are very small. By using an MST file, it is possible to make a completely automated software install and perform actions like adding additional shortcuts and deciding which features should be installed. The manufacturer of your software may provide an application to create these MST files.

MSP
This is a patch file that only contains updates. It requires the original MSI package to be installed on the computer in order for it to be used. For this reason, the MSP file is usually smaller than the original MSI file.

ZAP
A ZAP file is a text file that contains instructions on how to install the software. An example of a ZAP file is shown below. ZAP files do not support elevation and Windows will only attempt to run the install script once. Software can only be installed by a ZAP file by publishing it to the user. Lastly, ZAP files do not support removing the software via Group Policy.

ZAP file example
[Application]
FriendlyName = "Program"
SetupCommand = "\\FileServer\Share\setup.exe" /q

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second Edition" pp. 353-360
"Windows Installer" http://en.wikipedia.org/wiki/Windows_Installer
"ZAP File" http://en.wikipedia.org/wiki/ZAP_File

6 years ago
20 Self-Made Teenage Millionaires

From a 14 year old boy selling homemade jam to a university student that came up with a popular computer game you may have heard of called RuneScape, We count 20 Self-Made Teenage Millionaires. Click Here To Subscribe! http://bit.ly/xWackyWednesday ------------------------------------------------------------------------------------------------ Legal stuff Background music copyright Jason Shaw (audionautix.com) This work is licensed under a Creative Commons Attribution 3.0 Unported License. http://creativecommons.org/licenses/b... ------------------------------------------------------------------------------------------------ If you enjoyed watching subscribe for a new video every 2 days. Subscribe HERE: http://bit.ly/xWackyWednesday Thanks for watching! Wacky Wednesday

5 years ago
RAID and Storage Solutions

This video will look at a number of different storage solutions. Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos. These include software and hardware based systems. A storage solution is a system that allows more drives to be combined together for performance or redundancy reasons. Download the PDF handout http://ITFreeTraining.com/handouts/se...

What's in this video
The following storage solutions will be looked at in this video.
Software vs Hardware: The advantages of using hardware over a software solution.
JBOD: Just a Bunch of Disks. Allows different sized drives to be combined together to form one drive.
Spanning: Allows multiple drives of different sizes to be combined.
RAID: Redundant Array of Inexpensive Disks is a system that allows multiple drives to be combined to form one drive.
Windows Storage Spaces: This is a new system implemented in Windows Server 2012 that allows multiple drives to be combined together.
Logical Volume Manager: An alternative storage system used by operating systems like Linux.

Software vs Hardware
Hardware based systems typically cost more than a software solution, as software solutions usually come with the operating system free of charge. A lot of motherboards now come with free hardware based solutions. You will find that if you purchase a server this may come with some hardware based solutions. Some servers may require additional hardware in the server, or a higher model may need to be purchased, to gain access to some hardware based solutions. The biggest advantage of a hardware solution is that the operating system sees the drive as a single physical drive. This means the operating system can be booted from this drive. Some software based solutions do not support booting the operating system. Software solutions may also support some additional features not supported by hardware. For example, a software based solution may allow multiple files containing the same data to use the same physical space on the drive. Enterprise hardware solutions will often offer additional features as well but do cost more. For example, enterprise hardware solutions will have a web interface allowing access to additional features.

JBOD
Just a Bunch of Disks allows multiple drives to be combined together. This includes different sized drives and different types. For example, you could combine solid state drives and mechanical drives together. JBOD does not offer any performance increase, and if one of the drives were to fail you would lose all the data on all the drives.

Spanning
Spanning is similar to JBOD; however, it combines free space on multiple drives together into one drive. The advantage of spanning is that it allows space that may otherwise have been lost to be used. Spanning does not provide any speed advantages and also does not offer any redundancy. If a drive that is used in spanning were lost, then all the data in the spanned set would be lost.

RAID
Redundant Array of Inexpensive Disks is a system which allows multiple drives to be combined together to form one drive. The drives need to be the same size in order to be used. If one drive is larger than the others, typically it can still be used; however, the extra space will be left unused. Which RAID solution is used determines whether there are any redundancy or speed advantages. The more expensive RAID solutions may allow drives to be added to the RAID, increasing the amount of space in the RAID. A lot of RAID solutions do not offer this feature, and thus if you want to change the size of the RAID you need to destroy the RAID and recreate it.

Description too long for YouTube. Please see the following link for the rest of the description. http://itfreetraining.com/server#stor...

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"Installing and Configuring Windows Server 2012 Exam Ref 70-410" pp. 49-55
"RAID" http://en.wikipedia.org/wiki/RAID
"Nested RAID levels" http://en.wikipedia.org/wiki/Nested_R...
"Step-by-step for Storage Spaces Tiering in Windows Server 2012 R2" http://blogs.technet.com/b/josebda/ar...
"Logical Volume Manager (Linux)" http://en.wikipedia.org/wiki/Logical_...

5 years ago
Server 2008: Block hardware via group policy objects

How to block USB with a GPO in a Windows Server 2008 Active Directory domain controller. http://www.technoblogical.com/windows-server-2008/ Providing training videos since last Tuesday http://www.technoblogical.com Thanks for watching!

7 years ago
MCITP 70-640: Troubleshooting Group Policy

Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos. This video will look at how to troubleshoot which settings in Group Policy are applied by using the internal modeling tools and Resultant Set of Policy (RSOP). RSOP is the actual set of settings that are applied to the computer, taking into account factors like WMI filters and groups. Download the PDF handout for this video from http://ITFreeTraining.com/handouts/70-640/part3/gptroubleshooting.pdf

Group Policy Results
The actual settings that are applied to a computer using Group Policy can be affected by many different things, for example security, groups and WMI filters. The actual settings that are applied to a computer are known as the Resultant Set of Policy (RSOP). Windows has a number of tools that can read the RSOP data stored on a computer to help you troubleshoot Group Policy.

Requirements
In order to use the tools in this video you need to be logged in as an administrator and running Windows XP or above. If you plan on using the RSOP tools remotely, the remote computer will need ports 135 and 445 open. Also, the computer will need the WMI service to be running. To get results for a particular user, the user will need to have logged on to that computer once. They do not need to be logged on to the computer when the tools are being run.

Demonstration
Group Policy Results
When you open Group Policy Management there is a section called Group Policy Results. To start the wizard, right-click on Group Policy Results and select the option Group Policy Results Wizard. The wizard can be run on the local computer or a remote computer. If the user that you want to run the wizard on does not appear in the wizard, you will need to log in to that computer using that user. The user must have logged into that computer at least once. Once the wizard is complete, it will show you all the Group Policy settings that have been applied to that computer for that user and also any Group Policy related events from the event logs.
To connect to a remote computer, make sure the service WMI Performance Adapter is running and the firewall is configured. To configure the firewall, open Windows Firewall with Advanced Security and make sure the following settings are enabled in the inbound rules.

Firewall settings that need to be enabled
Remote Event Log Management (NP-In)
Remote Event Log Management (RPC)
Remote Event Log Management (RPC-EPMAP)
Windows Management Instrumentation (WMI-In)

Group Policy Modeling
The modeling wizard allows you to simulate changes in Group Policy and Active Directory without making any changes. For example, if you want to test the effect that moving a user to a different part of Active Directory will have on their Group Policy settings, you can do this without having to move the user account. Other options you can choose include slow network connection, loopback processing, security groups and which site to use. Group Policy Modeling is available in the GPMC. All you need to do to use it is right-click on Group Policy Modeling and select Group Policy Modeling Wizard.

GPResult
When run, this gives you information about which settings were applied to the computer. The command supports the following parameters.
/r: Use the RSOP data on the computer to generate results.
/v: Verbose mode, which provides more information.
/Scope User | Computer: Limit the results to user or computer settings.
/x: Output the results to XML.
/h: Output the results to HTML.

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second Edition" pp. 303-307
"Configure Firewall Port Requirements for Group Policy" http://technet.microsoft.com/en-us/library/jj572986.aspx
"Use Resultant Set of Policy to Manage Group Policy" http://technet.microsoft.com/en-us/library/cc754269.aspx
Keywords: Group Policy, RSOP, Active Directory, 70-640, MCITP, MCTS, ITFreeTraining

6 years ago
MCITP 70-640: Active Directory Under The Hood

Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos. Active Directory utilizes two main standards. These are the X.500 standard and LDAP. This video looks at how the X.500 standard is used to store the Active Directory objects in the database. It also looks at how LDAP is used to access this data and the formatting LDAP uses.

NTDS.DIT
The Active Directory database by default is stored in c:\windows\NTDS\ntds.dit. This file is based on the X.500 standard. Originally Active Directory was called NT Directory Services, and this is where the file got its name. Each domain in Active Directory will have a separate database. Domain Controllers hold the copy of the database in the ntds.dit file and replicate changes to each other. If you have more than one domain, then each separate domain will have its own copy of the ntds.dit file.

Organization Units
In order to organize objects in Active Directory more easily, objects in Active Directory can be organized into Organization Units, also known as OUs. These OUs are like folders on your hard disk.

LDAP Syntax
LDAP uses a syntax that refers to the most significant part first, followed by less significant or more precise parts afterwards. This is the opposite of other systems, like filenames or paths. The main syntax of any LDAP command is like this example: CN=Joe, OU=Users, DC=ITFreeTraining, DC=Com. When an object can be defined uniquely, like in this example, it is called the distinguished name.
Canonical Name (CN): This is the name of the object in Active Directory that you want to access. For example, if you wanted to access a user called Joe, you would use CN=Joe.
Organization Unit (OU): Organization units in Active Directory are used to sort objects into different areas or folders. If you have multiple OUs, then start with the lowest in the tree and expand downwards. For example, if a user was in Users\Accounts\Payable you would use OU=Users, OU=Accounts, OU=Payable.
Domain Component (DC): This is the domain in which the object is located. For example, DC=ITFreeTraining, DC=com.

8 years ago
Deploying Microsoft LAPS (Local Administrator Password Solution)

http://www.petenetlive.com/KB/Article/0001059.htm Deploying Microsoft LAPS (Local Administrator Password Solution)

4 years ago
What is Active Directory?

Learn how to build your own IT lab: https://www.instructorpaul.com/webinar/ Please like, comment and subscribe =) In this video you are going to learn what Active Directory is...

1 year ago
How To: deploy MSI Packages Using Group Policy

In this tutorial we are going to learn how to deploy MSI packages to be installed across a network using Group Policy. If you liked this video, be sure to give it a thumbs up, and maybe even favorite it! And while you're at it, why not subscribe to our channel for more videos just like this one! Music used: Remember The Dreams by Machinimasound.com

5 years ago
MCITP 70-640: Active Directory Replication

This video looks at how Domain Controllers in Active Directory replicate data between each other. Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos. Domain Controllers can either replicate at the site level or between sites. A different approach is used for each because at the site level you want changes to happen quickly. Between sites, replication may be reduced and may even be configured to happen only outside business hours. Demonstration 12:35

Intrasite replication
This is replication that happens inside one site between the Domain Controllers in that site. Active Directory will automatically connect all the Domain Controllers together to form a ring. Each Domain Controller will have two incoming connections and two outgoing connections. This ensures some redundancy in the site if a Domain Controller were to become unavailable. Intrasite replication happens 15 seconds after a change is made to the Active Directory database. If there are more than 3 hops between Domain Controllers in the one site, then more connections will be made between the Domain Controllers until the hop count is less than 3 between all Domain Controllers. This ensures that a change will reach all Domain Controllers in the one site in less than a minute.

Intersite replication
Intersite replication is replication that happens between different sites in Active Directory. These connections are not made automatically and need to be made by an administrator.

Bridgehead Server
In each site, a Domain Controller is selected to replicate changes from that site to another site. This Domain Controller is called a Bridgehead Server. The Bridgehead Server is selected automatically, but you can also manually select a Domain Controller or Domain Controllers to be a Bridgehead Server in a site. If you do manually select the Bridgehead Server(s) and all the Bridgehead Servers are down, replication will not occur from that site.

Site Links
A site link is created by an administrator to link sites together. Site links can have a replication schedule applied to them to determine when replication occurs.

Site Link Cost
Each site link can have a cost associated with it. This is a numeric value that weights the site link. The site links with the lowest cost between two sites will be used. This allows you to configure Active Directory to use backup site links when the primary site link goes down.

Site Transports
Site links support two different transport protocols. These are RPC over IP and SMTP. SMTP does not support file replication, and thus on most networks only RPC over IP will be used. SMTP could be used between domains in the forest, as this kind of replication does not require file replication. RPC over IP is often referred to as just IP.

Knowledge Consistency Checker (KCC)
The KCC is responsible for creating connections between different Domain Controllers inside a site and between sites. It does this with information from the Active Directory database so, given the same data, it should always make the same decisions about which connections to create. The KCC runs every 15 minutes.

Demonstration
To create site links in Active Directory, open Active Directory Sites and Services from Administrative Tools under the Start menu. Site links are under Inter-Site Transports. Under here are the two folders for IP and SMTP transports. Under IP there may be a site link called DEFAULTIPSITELINK. This is created automatically when Active Directory is installed. You can use this site link or create a new site link. If you do use this site link, it is recommended that you rename the site link to a more meaningful name. To create a new site link, right-click IP or SMTP and select New Site Link. From the wizard you need to select which sites will use that site link. Microsoft recommends that you should not put more than 3 sites in the one site link.
In the properties of the site link you can configure the schedule for the site link, how often replication will occur and also the cost that will be used with the site link. If you want to see the connections that have been created automatically or manually between different Domain Controllers, expand down until you reach NTDS Settings. In here you will see all the incoming connections for that Domain Controller. To see the outgoing connections, you can open the properties for NTDS Settings and select the Connections tab. If you want to force the KCC to run, right-click NTDS Settings, select All Tasks and then Check Replication Topology. To force a replication, right-click a connection and select Replicate Now. Even though the connection is incoming only, this will replicate data in both directions.

Command line
To force the Knowledge Consistency Checker to run, enter the following (without the site parameter this will only run on that Domain Controller):
RepAdmin /KCC site:(Site name)
To force a replication, run the following:
RepAdmin /SyncAll

7 years ago
Microsoft MCSA 2012 (70-410) - Overview of Group Policy

http://www.howtonetwork.com/courses/microsoft/microsoft-mcsa-windows-server-2012/ - taster lesson from our MCSA course.

5 years ago
Windows Server 2008: Assigning and distributing software via GPO

In this tutorial we assign software to our users via a GPO and also distribute a package for self-service installation.

7 years ago
MCITP 70-640: Active Directory Windows Auditing

This video will look at the concepts you need to understand in order to use Auditing in Windows. Once you understand the concepts of Auditing, the next two videos will look at Auditing for the file system and objects in Active Directory.

Where to audit?
Before you start setting up your network for auditing, it is important to locate the best place to audit. For example, if a user accesses the network via a VPN and the VPN server is a Read Only Domain Controller, the logon event will be stored in the Read Only Domain Controller's event log. Likewise, if the user accesses a file server, a logon event will not be stored on the file server; however, an event will be stored on the file server indicating that a connection was made to that file server. So when auditing the network it is important to make sure that you are auditing the correct locations to get the right information. You may also need to audit multiple servers in order to obtain the information that you are after.

Demonstration
There are 7 auditing settings in Group Policy, found under the following location.
Computer Configuration\Policies\Windows Settings\Local Policies\Audit Policy
To configure a setting, it is just a matter of opening the setting, ticking "Define these policy settings", enabling it and then selecting which events you want to audit, that is, success and failure.

Audit Policy Settings
By default, some auditing settings are configured to audit success events, and thus you will have some audit events in the event log even if you do not configure auditing.
Audit account logon events: Audits an event when authentication occurs. For a domain account, this will happen on a Domain Controller. For a local account, this will happen on the computer that the local account is stored on.
Audit Account Management: Audits when a user performs account management using tools like Active Directory Users and Computers to perform actions like resetting passwords.
Audit Directory Service Audit: Audits any changes to Active Directory accounts. This includes changes not made with management tools.
Audit Logon Events: This records when a user connects to or disconnects from a server. For example, when connecting a mapped drive to a file server, the user needs to log on to the server before the file share can be accessed. This event also records access being denied due to the account being locked. In contrast to Audit Account Logon Events, an event is only recorded when the user is authenticated.
Audit Object Access: This will audit non Active Directory objects; this includes files and folders.
Audit Policy Change: Audits changes to settings like user rights assignment, auditing and trust policies. For example, if you changed a setting and gave a user the "take ownership" right, this setting would record the user rights assignment change in the event log.
Audit Privilege Use: This setting records when privileges are used. An example of a privilege is changing the system time.
Audit Process Tracking: This setting tracks the start and termination of processes in Windows. This setting generates a lot of events, so it should only be enabled in special circumstances.
Audit System Events: This records events like system start up, shutdown and changes to the system time.

Windows Server 2008 Auditing Change
Before Windows Server 2008, auditing could only track that a value had changed. It would not tell you what the value was before the change. Windows Server 2008 allows the value of an object before the change to be recorded in the event viewer. This means you can effectively know that the value was changed and what the value was before the change. Due to compatibility reasons the option is not enabled by default; in order to enable it, run the following command.
auditpol /set /subcategory:"Directory service changes" /success:enable

Demonstration
Before auditing can occur in Windows Server 2008 to record changes to Active Directory objects, the following command needs to be run. This only needs to be run once for all Windows Server 2008 installs, as it makes a change in Active Directory.
auditpol /set /subcategory:"Directory service changes" /success:enable
When an object is changed, different events are recorded, so it is important to find all the events that are related to the change. For example, changing an object will often log an event for deleting the previous value and then one for adding the new value. When trying to understand what has been changed, look at a few events around the event that you are interested in, in case multiple events were generated for that value change.

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second edition" pg 367-375
"Access Control Lists (Windows)" http://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx
"AD DS Auditing Step-by-Step Guide" http://technet.microsoft.com/en-us/library/cc731607(WS.10).aspx

6 years ago
How To Map Network Drives With Group Policy Preferences

WEBSITE: http://ITSA.Cloud

7 years ago
MCITP 70-640: Group Policy New Features

This video looks at the new features in Group Policy that are available in Windows Server 2008 and Windows Server 2008 R2.
Download the PDF handout for this video from http://ITFreeTraining.com/Handouts/70-640/Part3/GPNewFeatures.pdf
Download subtitles (can also be enabled in the video): http://ITFreeTraining.com/Handouts/70-640/GPNewFeatures.srt

New Features
Windows Server 2008 adds the following features: comments, Starter Group Policy Objects, integration with Network Location Awareness, Preferences, and the new ADMX format. Windows Server 2008 R2 adds the ability for Group Policy to be administered from PowerShell.

Group Policy Comments
All Group Policy settings allow comments to be added. Comments let an administrator leave a note on any Group Policy setting, which helps other administrators understand why the Group Policy was configured the way it was.

Starter Group Policy Objects
A Starter Group Policy Object is essentially a template. Once you create a Starter Group Policy Object you can copy it to a new Group Policy. Since part of Group Policy is called Administrative Templates, this is probably why Microsoft uses the name Starter Group Policy Objects rather than calling it a template. The limitation with Starter Group Policy Objects is that they can only be used to configure Administrative Templates.

Network Location Awareness
Group Policy now integrates with the Network Location Awareness service. This means that when a network becomes available, for example a VPN connection is established, a wireless network becomes available, or simply a network cable is plugged in, Group Policy will check for updates on the network. Previously Group Policy would only check at certain intervals, and if the network was not available when it checked, Group Policy might never be updated.

Preferences
Preferences was a 3rd party product that was integrated into Windows Server 2008 just before release. It adds a lot of flexibility to Group Policy, allowing an administrator to configure settings like printers and drive mappings. Unlike Group Policy, the user is free to overwrite or delete what has been configured; however, Preferences will attempt to reapply the settings at the next Group Policy refresh. This means the user can remove settings like a mapped drive and replace it with another mapped drive if they wish. The major feature of Preferences is that it allows targeting to particular groups, computer types, software, and hardware, just to name a few.

PowerShell
If you are running Windows Server 2008 R2 or Windows 7, you can perform Group Policy administration from PowerShell. Many functions are included, like managing Group Policy settings and creating starter GPOs.

ADM File
The ADM file was used with Group Policy before Windows Server 2008 was released. The ADM file contains all the settings that are found under Administrative Templates. Each time a new Group Policy is created, the settings for the Group Policy are stored in the SysVol share. The ADM file is also stored with the Group Policy settings. This means that Group Policy using ADM files does not scale well, as it makes the SysVol share very large. Also, once a Group Policy is created it is linked to the one ADM file. The ADM file only supports one language, so if multiple administrators were working on the same Group Policy, one language would need to be agreed on between all administrators.

ADMX File
The ADMX file replaces the old ADM file. It was first introduced in Windows Server 2008; however, if you download the latest Group Policy Management software you can use ADMX files with earlier Windows Servers. ADMX is an XML based format, making it easy to edit. ADM is an in-house format, so it is not as easy to work with as XML files are. The format is made up of two parts. The ADMX file defines the Group Policy settings. The ADML file contains the language to be used with the file. This means the ADMX file can easily be used with any language, assuming an ADML file for that language exists. Both ADM and ADMX output the same files, so regardless of which format is used, they will be compatible with old and new clients.
Please see http://itfreetraining.com/70-640/group-policy-new-features for the rest of the description.

References
"Administrative Templates (ADMX) for Windows Server 2008 R2 and Windows 7" http://www.microsoft.com/en-au/download/details.aspx?id=6243
"What is an ADMX File?" http://pcsupport.about.com/od/fileextensions/f/admxfile.htm
"How to Write a Simple .Adm File for Registry-based Group Policy" http://en.wikipedia.org/wiki/Administrative_Template
"Group Policy" http://technet.microsoft.com/en-us/library/cc725828(v=ws.10).aspx
"What's New in Group Policy" http://technet.microsoft.com/en-us/library/dd367853(v=ws.10).aspx

6 years ago
How to Create a Group Policy Object to Restrict Access? - Beginner

Using Windows Server 2008, I create a simple group policy object (GPO) to restrict access to removable media. http://www.danscourses.com/Windows-Server-2008/create-a-group-policy-475.html

8 years ago
MCITP 70-640: Installing Group Policy Tools

This video looks at installing Remote Server Administration Tools in order to administer Group Policy from a Windows 7 client. The video also looks at how to centralize the ADMX files. ADMX files define Group Policy, and having them in a centralized store makes them easy to support when changes are made.
Download the PDF handout for this video from http://ITFreeTraining.com/Handouts/70-640/Part3/GPInstalling.pdf
Download subtitles (can also be enabled in the video): http://ITFreeTraining.com/Handouts/70-640/Part3/GPInstalling.srt

Group Policy Management Console (GPMC)
Group Policy management is performed using the Group Policy Management Console, or GPMC. This is included in Windows Server 2008; however, you do not need to have a single Windows Server 2008 server on the network to utilize the new features. If you are using an older client operating system, the GPMC can be downloaded from the Microsoft website. As long as you have an up to date version of the GPMC, you will have access to the features. If you are running Windows Server 2008, GPMC can be added as a feature in Server Manager.

ADMX
In order to define a Group Policy setting (what it does, what the interface looks like, etc.) a configuration file is required. Previously an ADM file was used to define Group Policy settings. The ADM file was limited to one language and was in a Microsoft proprietary format, making it difficult for a user to create their own. The new ADMX format is based on XML, making it easy to change. It is paired with an ADML file. The ADML provides the language-specific text, and a single ADMX file can support multiple languages.

ADMX Locations
Each Group Policy created with ADM had to have the ADM files stored with the Group Policy, which is stored in the SysVol folder. This caused the SysVol folder to get quite large. ADMX files are stored on the local computer under C:\Windows\PolicyDefinitions. They do not need to be stored in the SysVol. If you want to centralize them, all you need to do is copy the files to SysVol\Domain\Policies\PolicyDefinitions. The GPMC will check this location automatically and use whatever ADMX files are located there. Unlike ADM files, the ADMX file only needs to be stored once, as it is shared between all Group Policies. To find out where the ADMX files are currently being read from, open GPMC and hover the mouse pointer over Administrative Templates. This will tell you if the ADMX files are being read from the local computer or the central store.

Demonstration
The GPMC console can be downloaded as a standalone install or as part of the Remote Server Administration Tools (RSAT). The links for the downloads are below. If you install RSAT, the GPMC will not appear in the start menu after the install. To have it added, open Control Panel, select "Programs" and then select "Turn Windows features on or off" from under Programs and Features. The GPMC is found under Remote Server Administration Tools, Feature Administration Tools, Group Policy Management Tools. The latest version of the ADMX templates is available from the Microsoft web site. The link for this is below. Once installed, copy the directory PolicyDefinitions located in C:\Program files (x86)\Microsoft Group Policy\win72008r2 to SysVol\Domain\Policies. The directory will include all the available languages as well, so if you do not need additional languages, it is worth going through the PolicyDefinitions folder and deleting any extra languages.

GPMC Downloads
http://www.microsoft.com/en-us/download/details.aspx?id=21895
RSAT Downloads
"Windows 8" http://www.microsoft.com/en-au/download/details.aspx?id=28972
"Windows 7" http://www.microsoft.com/en-us/download/details.aspx?id=7887
"Vista" http://www.microsoft.com/en-us/download/details.aspx?id=21090
ADMX Downloads
"Windows Server 2008 R2 and Windows 7" http://www.microsoft.com/en-au/download/details.aspx?id=6243

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second edition" pg 268-270
"Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1)" http://www.microsoft.com/en-us/download/details.aspx?id=7887
"Administrative Templates (ADMX) for Windows Server 2008 R2 and Windows 7" http://www.microsoft.com/en-au/download/details.aspx?id=6243
"How to create a Central Store for Group Policy Administrative Templates in Windows Vista" http://support.microsoft.com/kb/929841

6 years ago
Windows Server 2008: install software through Active Directory's group policy

This is a video about how to install software through Group Policy. I install Firefox 3.0 through an MSI (Microsoft Installer package) that is accessible through a local share. To do this, a GPO (Group Policy Object) must be applied on the domain (server with Active Directory). You may assign the program to specific users or computers so that it will be installed. You can also publish the software so that the user may decide whether to install it. You can do this on a Server 2008 domain controller and Windows 7, but it is also available for 2003, 2000, XP, or Vista. Providing training videos since last Tuesday. http://www.technoblogical.com Thanks for watching.

9 years ago
MCITP 70-640: Global Catalog Server

Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos.
Global Catalog Servers contain a partial replica of every object in Active Directory. A Global Catalog Server is used to find objects in any domain in the forest. Any Domain Controller can be made into a Global Catalog Server. This video looks at how to make a Domain Controller into a Global Catalog Server or remove that role, and also the reasons why and where you should put Global Catalog Servers. Global Catalog Servers are used to find objects in any domain in the forest, but it should be remembered that this does not give the user access to that object. Unless the user has the correct permissions they will not be able to access resources in other domains. Global Catalog Servers also contain information about groups that span across domains and services that work at the forest level.

How to change a Domain Controller to a Global Catalog Server 04:18
Use the admin tool Active Directory Users and Computers to navigate to the computer account for your Domain Controller. By default this will be located in the Domain Controllers OU. Open the properties for the Domain Controller and select the NTDS Settings button. Select or deselect the Global Catalog tickbox. Windows will do the rest.

Reasons to deploy Global Catalog Servers
Reason 1
Domain Controllers generate a security token for a user when they first log in. If the user is in a group that spans multiple domains, that Domain Controller will need to contact a Global Catalog to get information about that group.
Reason 2
If a user logs in using a User Principal Name (UPN), that is, they log in using a user name in the form username@domainname, a Domain Controller will need to access a Global Catalog Server before the log in is completed.
Reason 3
Global Catalog Servers work as an index to the forest. If you perform any searches on the forest you will need to contact a Global Catalog Server.
Reason 4
Microsoft recommends that any network that is separated by a Wide Area Network have a Global Catalog Server deployed at that location. This will ensure that users can log on if the Wide Area Network is down. In order for a computer to contact a Global Catalog Server, ports 389 (LDAP) and 3267 (Global Catalog) need to be open. If these ports are not open then the user will not be able to use the remote Global Catalog Server.
Reason 5
Some software requires a Global Catalog Server in order to run. Exchange is a big user of the Global Catalog Server. If you have a decent number of Exchange users on your network, you should consider deploying a Global Catalog Server close to these users.

Reasons not to deploy a Global Catalog Server
Global Catalog Servers put more load on the server in the form of searches and lookups from clients. Global Catalogs need to keep their index up to date, which requires more network bandwidth. In order to store the Global Catalog, you are required to have additional hard disk space on your server.

8 years ago
MCITP 70-640: Group Policy Processing Order

In your domain you are more than likely going to have multiple Group Policies applied at different levels throughout your domain. This video looks at which order the Group Policies will be applied in when multiple Group Policies are in use.
Download the PDF handout for this video from http://ITFreeTraining.com/handouts/70-640/part3/gpprocessingorder.pdf

Processing Order
The order that Group Policy is applied in is: Local, Site, Domain, and OU. A Group Policy has the ability to overwrite any settings that were applied before it. For this reason, the local Group Policy is the weakest of the Group Policies, since all Group Policies at the site, domain and OU level are free to overwrite any settings configured by the local Group Policy. You could also say that the OU's Group Policy is the highest priority or strongest Group Policy, as it can overwrite local, site and domain Group Policy settings. Sub-OUs are applied after the parent OU, so the child OU has priority over the parent OU.

Demonstration
To edit the local Group Policy on a computer, run "Edit Group Policy" from the start menu. To edit Group Policy at the domain level, run "Group Policy Management". If you are using a client operating system, the GPMC will need to be downloaded and installed. It is available from the Microsoft web site. Using the GPMC you can configure a Group Policy by right clicking on an OU and selecting "Create a GPO in this domain, and Link it here". A Group Policy Object can also be created under Group Policy Objects; however, it will be essentially inactive until it is linked to an OU. If you want to link a Group Policy Object at the site level, the Group Policy first needs to be created under Group Policy Objects. Once it is created, right click "Sites" and select the option "Show Sites". This will allow you to choose which sites will be visible in the GPMC. Once the site is visible, right click it and select the option "Link an Existing GPO".

Settings used in this video
User Configuration\Policies\Administrative Templates\Desktop\Desktop\Desktop Wallpaper
User Configuration\Policies\Administrative Templates\Desktop\Remove Recycle Bin icon from desktop
Computer Configuration\Policies\Windows Settings\Internet Explorer Maintenance\Connection\Proxy Settings
User Configuration\Policies\Administrative Templates\Control Panel\Prohibit access to the Control Panel

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second edition" pg 280-282
"Group Policy Management Console with Service Pack 1" http://www.microsoft.com/en-us/download/details.aspx?id=21895

6 years ago
MCITP 70-640: Enforcing and Blocking Group Policy

This video will look at using the Group Policy options Block Inheritance and Enforced. These options allow you to change the way Group Policy is processed in your domain; however, this does make things more complex. This video also looks at ways that Group Policy can be deployed to minimize the need for enforcing and blocking Group Policy.
Download the PDF handout for this video from http://ITFreeTraining.com/handouts/70-640/part3/gp-enforce-block.pdf

Group Policy Processing
Group Policy is processed in the following order: local, site, domain, OU. If there are multiple Group Policies linked to the same OU, a link order is used to determine which Group Policy will have preference over the others. A Group Policy with a lower link order number takes priority over a Group Policy with a higher link order number. For this reason, the Group Policies are applied from the highest link order number to the lowest, so the lowest number is applied last and wins. Blocking Group Policy is useful when you have multiple Group Policies and you do not want settings to be inherited. Without the blocking option, you need to reverse any Group Policy settings applied previously. The problem when blocking is not used is that settings can be added later on. The administrator would need to reverse the new Group Policy settings later on if they did not want them.

Block Inheritance
Block Inheritance is configured at the OU level. Once configured, it blocks all the settings configured by Group Policy above it. This allows the administrator to start again without having to worry about what settings have already been configured.

Enforced
Individual Group Policies can be configured with the Enforced option. This will ensure that the settings in the Group Policy are applied even if an OU is configured to block inheritance. To achieve this, the Group Policy with the Enforced option is moved to the end of the processing order. In other words, the processing order goes like this: local, site, domain, OUs, and then the enforced Group Policies in the order of OUs, domain and then site. That is, the enforced Group Policies are moved to the end and applied in the reverse of the order they would normally be applied in.

Group Policy Processing
The computer side of Group Policy is applied when the computer starts up. The user side of Group Policy is applied when the user logs in. This means that the user side of Group Policy will overwrite the computer side of Group Policy if there is a conflict. There are very few Group Policy settings that have the same name on the computer and user sides of Group Policy. For this reason it is rare to have conflicts.

Demonstration
To block inheritance on an OU, right click the OU in Group Policy Management and select the option Block Inheritance. To enforce a Group Policy, right click on the Group Policy link and select the option Enforced. It is recommended that you use the block and enforce options only when required. In a lot of cases you can avoid using these options by careful planning of your Group Policies.

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second Edition" pg 292-294
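The processing order described above (local, site, domain, OU, link order, Block Inheritance and Enforced), as an added example that is not part of the ITFreeTraining handouts: a small Python model that predicts which GPO wins a setting, so you can check a design before reproducing it in a lab. The GPO names and settings are a constructed scenario, and the model assumes the local GPO is not discarded by Block Inheritance, since it is not a link from a parent container.

```python
"""Model of the Group Policy processing order (added example, not the
handout's own code).  Rules modelled, all taken from the description:
  - order Local, Site, Domain, OU (parent OU before child OU); a later
    GPO overwrites settings applied earlier
  - within one container a lower link order number has higher priority,
    so links are applied from the highest number to the lowest
  - Block Inheritance on an OU discards the non-enforced GPOs linked above it
  - Enforced GPOs are applied last, in the reverse of the normal container
    order (OUs, then domain, then site), so they can neither be blocked
    nor overwritten by a lower container
Assumption: the local GPO is not a link from a parent container, so Block
Inheritance does not discard it.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict          # setting name -> value
    enforced: bool = False


@dataclass
class Container:
    name: str               # "Local", "Site", "Domain" or an OU name
    links: list = field(default_factory=list)  # (link_order, GPO); 1 = highest priority
    block_inheritance: bool = False
    is_local: bool = False


def apply_order(chain):
    """chain: containers from Local down to the OU the object lives in.
    Returns the GPOs in the order their settings are applied."""
    local = []
    inherited = []              # non-enforced GPOs from site/domain/OUs
    enforced_per_container = []
    for c in chain:
        if c.block_inheritance and not c.is_local:
            inherited = []      # drop everything non-enforced linked above this OU
        enforced_here = []
        # lower link order number wins, so apply the highest number first
        for _, gpo in sorted(c.links, key=lambda link: link[0], reverse=True):
            if gpo.enforced:
                enforced_here.append(gpo)
            elif c.is_local:
                local.append(gpo)
            else:
                inherited.append(gpo)
        enforced_per_container.append(enforced_here)
    # enforced GPOs come last: deepest container first, site last, so site wins
    enforced = [g for group in reversed(enforced_per_container) for g in group]
    return local + inherited + enforced


def effective_settings(chain):
    """Resolve the final value of each setting: the last applied GPO wins."""
    result = {}
    for gpo in apply_order(chain):
        result.update(gpo.settings)
    return result


def build_example(block):
    """Constructed lab scenario: the site sets a wallpaper and a screensaver
    timeout, the domain enforces a proxy, and the Sales OU has two links and
    optionally blocks inheritance."""
    return [
        Container("Local", [(1, GPO("LocalGPO", {"wallpaper": "local"}))], is_local=True),
        Container("Site", [(1, GPO("SiteGPO", {"wallpaper": "site", "screensaver_timeout": 600}))]),
        Container("Domain", [(1, GPO("DomainProxy", {"proxy": "proxy.corp:8080"}, enforced=True))]),
        Container("OU:Sales", [
            (1, GPO("SalesA", {"wallpaper": "salesA"})),
            (2, GPO("SalesB", {"wallpaper": "salesB", "proxy": "none"})),
        ], block_inheritance=block),
    ]


if __name__ == "__main__":
    for block in (False, True):
        chain = build_example(block)
        print("Block Inheritance on OU:Sales:", block)
        print("  applied :", [g.name for g in apply_order(chain)])
        print("  result  :", effective_settings(chain))
```

With Block Inheritance on, SiteGPO's screensaver setting disappears while the enforced domain proxy still overrides SalesB's "none", which is exactly the behaviour the description warns you to plan around.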

6 years ago
MCITP 70-640: Group Policy Preferences

Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos.
Group Policy Preferences is a technology that was added with Windows Server 2008 which greatly expands what can be achieved with Group Policy. Group Policy Preferences allows the administrator to configure options that would normally be configured using login scripts. This video looks at how to configure and use Group Policy Preferences.
Download the PDF handout for this video from http://ITFreeTraining.com/handouts/70-640/part3/grouppolicypreferences.pdf

Group Policy Preferences
Group Policy Preferences was originally a 3rd party product called PolicyMaker. Microsoft purchased this technology and added it to Windows Server 2008. Preferences can be used to configure settings like mapped network drives, installed printers and file updates. A lot of this functionality was previously done with login scripts. Unlike Group Policy, the user can change the preferences after they have been applied. For example, if a network share is connected they can disconnect it and connect to a different share. Preferences are included in the operating system in Windows Server 2008, Windows 7 and newer operating systems. In older operating systems like Windows Vista and Windows XP, the Client Side Extension (CSE) needs to be added to the operating system in order to use Group Policy Preferences. This can be added to the operating system using Windows Update.

Demonstration
Group Policy Preferences are part of any Group Policy Object. Thus, to configure Group Policy Preferences in the domain, open Group Policy Management Editor and edit a Group Policy Object. Preferences are found in their own folder under Computer Configuration and User Configuration. Even though Group Policy Preferences was introduced in Windows Server 2008, you do not require a Windows Server 2008 Domain Controller on your network in order to use Group Policy Preferences. In order to configure Group Policy Preferences you only require an up to date copy of Group Policy Management Editor. There are a large number of settings that can be configured in Preferences. All the settings have a Common tab with a number of options. If you only want a setting to be applied once, you can tick the option "Apply once and do not reapply." For example, if you configure a mapped drive to a server and the user removes the mapped drive, the mapped drive would be re-established when the next Group Policy refresh is performed. Using this option means that the user can delete the mapped drive and not have it connected again. There is also an option called "Item-level targeting". This option gives the administrator a lot of control over how the settings are applied. Options like which OS, hardware and IP address can be selected, just to mention a small number of the available settings.

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second Edition" pg 253

6 years ago
Windows Server 2008 R2 Group Policy Management Push out a Task

There are a lot of times we want the computers on our network to run a certain task, or maybe even a program, at a given time. Instead of walking to each computer it is better to use your GPM and a GPO to push the task to each machine. To sign up for my online Windows Server 2008 R2 class visit: http://www.jackstechcorner.com and click on Online Classes. See you there!

6 years ago
MCITP 70-640: Active Directory Domain Functional Levels

Active Directory has functional levels at the domain and forest levels which determine which Active Directory features are available. The higher the functional level, the more features are available. This video looks at which domain functional levels are available and how to raise the domain functional level to get access to these features. The next video in this free series looks at the forest functional levels.
Raising the domain functional level demo 17:46

The different domain functional levels and the features you get from each functional level are listed below.

Windows 2000 native
* Gives basic Active Directory functionality.

Windows Server 2003
* Allows the computer name of a domain controller to be changed.
* Adds a last login time stamp to each user account.
* Adds UserPassword to the iNetOrgPerson object. This is used when migrating from a 3rd party directory service. It allows the 3rd party password to be stored in Active Directory.
* Constrained delegation. Delegation is when credentials are passed from one system to another; e.g., an administrator connects to a computer and then attempts to have that computer connect to a file share on another computer using the administrator's credentials. Delegation is disabled by default in Active Directory. The Windows Server 2003 domain functional level allows you to determine which services are delegated and which are not, and to which computers. You could, for example, trust delegation only for file sharing and only to a particular server. Before this domain functional level, delegation was all or nothing.
* Selected authentication for forests. When using multiple forests, this feature allows the administrator to configure which users from the trusted forest can have access to which services in the forest that they would normally have access to by default. A user from another forest needs to be granted access to resources in either forest like any other user, through permissions like NTFS, so selected authentication does not change that. The difference with selected authentication is that you can configure which services they can use that would normally be available to everyone. For example, a domain controller will by default authenticate any user from either forest. With selected authentication you can configure which domain controllers will be allowed to authenticate users from the other forest.
* Adds support to store authorization policies in Active Directory.

Windows Server 2008
* DFS for replication of the SysVol share.
* Advanced Encryption Standard (AES) for Kerberos.
* Additional last login details. Adds attributes like the number of failed login attempts.
* Fine-grained password policies. Allows multiple password policies to be defined in the same domain.

Windows Server 2008 R2
* Authentication Mechanism Assurance. Adds details to the Kerberos ticket about how the user was authenticated, e.g., if a SmartCard was used to authenticate the user.
* Automatic SPN (Service Principal Name) management. Allows service account passwords to be managed by Active Directory.

Mixed or Interim
Domain functional levels that are mixed or interim have been upgraded from an NT4 domain and may have some domain controllers that are still NT4. Once you have removed all of the NT4 domain controllers, raise the domain functional level to one of the domain functional levels listed above.

Raising the Domain Functional Level
In order to raise the domain functional level, you need to ensure that all of the domain controllers in your domain are at that domain functional level or higher. For example, if you had 3 Windows Server 2008 DCs, 4 Windows Server 2003 DCs and 1 Windows 2000 DC, the highest domain functional level that you could go to would be Windows 2000 native. If you upgrade the Windows 2000 domain controller to Windows Server 2003, you could raise the domain functional level to Windows Server 2003. Remember also that once you raise your domain functional level you will not be able to add any down-level domain controllers to the domain. For example, if you raise the domain functional level to Windows Server 2008, you would not be able to add any Windows 2000 or Windows Server 2003 domain controllers. Regardless of the domain functional level, you can add any Windows client or server operating system to the domain. Raising the domain functional level is a one way process and can't be reversed once complete.

Raising the domain functional level
To raise the functional level, open Active Directory Users and Computers, right click on your domain and select Raise domain functional level. Select the domain functional level that you want and select Raise.

See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.
Keywords: "Domain Functional Levels" "Active Directory" 70-640 MCITP MCTS ITFreeTraining

7 years ago
Microsoft Windows Server 2008 R2 Sp1 Disk Quota Management

RE-UPLOADED: Windows Server 2008 R2 SP1 Disk Quota Management. This video demonstrates a basic walkthrough of three types of disk quota management: NTFS Disk Quota, FSRM Disk Quota and quotas set through Group Policy Management.

8 years ago
MCITP 70-640: Group Policy Filtering

Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos. There are a number of different options in Group Policy that allow you to target Group Policy at particular users and computers. This video looks at WMI filters and security filtering that can be applied to target the Group Policy settings you configure. The video also looks at how you can disable parts of a Group Policy Object to speed up processing on your clients.

Sorting by OUs
One way of applying Group Policy is to sort the users and computers into different OUs. A typical way of doing this is to separate the users and computers by physical location, department and operating system. The problem with this approach is that an administrator needs to sort these objects initially and again whenever changes occur, for example when users change job titles or operating systems are upgraded. By using filters in Group Policy you can automate this process.

Demonstration
All the Group Policy filtering options are available from the Group Policy Management Console. Once you select a Group Policy Object you can configure additional filtering options for it.

User/Computer Configuration Enabling/Disabling
If you select the Details tab, the GPO Status option allows you to enable or disable the GPO as well as enable only the user or only the computer configuration. If you are only using one part of the configuration in the GPO, it is worthwhile disabling the other part. Disabling configuration like this speeds up the processing of the GPO on the client.

Security Filtering
On the Scope tab you can configure which groups are allowed to apply the Group Policy Object. Adding groups here changes the permissions of the Group Policy Object, giving that group the Read and Apply Group Policy permissions.
The same effect can be achieved by editing the security of the Group Policy Object directly; however, Security Filtering provides an easier interface if all you want to do is see who has the ability to apply the Group Policy, or add or remove access. One caveat: since the MS16-072 update (June 2016) a client retrieves user-configuration GPOs in the computer's security context, so the computer account must keep Read access to the GPO. If you remove Authenticated Users from the filter, grant Read to Domain Computers (or Authenticated Users) on the Delegation tab, otherwise the user settings silently stop applying.

WMI Filter
Windows Management Instrumentation (WMI) allows software to retrieve information about the client, for example about the operating system, hardware and installed software. Using WMI filters, you can target a Group Policy Object at particular characteristics of a computer. You can only assign one WMI filter per Group Policy Object, however that filter can contain as many queries as you wish and all of them must be true. WMI filters are evaluated on every client at every refresh, so complex filters can slow down the time Group Policy takes to apply. To create a WMI filter, select WMI Filters in the left panel of Group Policy Management under your domain and paste in your WMI query. An example of a WMI query is listed below.
Select * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows XP Professional" AND CSDVersion="Service Pack 3"
Once you have a WMI filter configured, you can assign it to the Group Policy Object on the Scope tab. A free WMI explorer: http://www.ks-soft.net/hostmon.eng/wmi/index.htm

Delegation
The Delegation tab shows some of the permissions of the Group Policy Object. In order for the Group Policy to be applied to a client it requires the Read and Apply Group Policy permissions. To access the full security properties, press the Advanced button. If you want to prevent the Group Policy from being applied to a group, select Deny for Apply Group Policy. Deny permissions should only be used when necessary; in most cases there is another solution, such as security or WMI filtering, that does not require Deny.

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second Edition" pg 285-291
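The three filtering mechanisms above done from the GroupPolicy module, as an added example that is not part of the video or the book it references. The GPO name "Desktop Settings", the group "Helpdesk" and the use of Get-WmiObject (available on Windows 7 / Server 2008 R2 where Get-CimInstance is not) are assumptions.

```powershell
# Added example, not from the ITFreeTraining video. Assumes the GroupPolicy module
# (GPMC / RSAT on Windows Server 2008 R2), a GPO named "Desktop Settings" and a
# domain group named "Helpdesk"; both names are assumed.
Import-Module GroupPolicy
$gpoName = 'Desktop Settings'

# 1. WMI filter: test the WQL on a client before attaching it to the GPO. This
#    query matches Windows 7 workstations by kernel version and product type
#    (1 = workstation) rather than by Caption, which changes with edition and
#    language. The same string is what you paste into the WMI Filters node.
$wql   = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = 1'
$match = Get-WmiObject -Query $wql
if ($match) { 'WMI filter would evaluate TRUE on this computer' }
else        { 'WMI filter would evaluate FALSE on this computer' }

# 2. GPO Status (Details tab): disable the half you are not using so the client
#    skips it. Other values: ComputerSettingsDisabled, AllSettingsEnabled.
$gpo = Get-GPO -Name $gpoName
$gpo.GpoStatus = 'UserSettingsDisabled'

# 3. Security filtering (Scope tab): give Helpdesk Read + Apply Group Policy, and
#    reduce Authenticated Users to Read only. Read is kept deliberately: after
#    MS16-072 the computer account must be able to read user-side GPOs.
Set-GPPermission -Name $gpoName -TargetName 'Helpdesk' -TargetType Group `
    -PermissionLevel GpoApply
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# 4. Delegation tab equivalent: list who can read, apply or edit the GPO.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission, Denied |
    Format-Table -AutoSize
```

Step 1 is the part worth keeping in your toolbox: a WMI filter that returns no rows on the test machine is the most common reason a GPO "mysteriously" does not apply, and running the query locally shows it in seconds without waiting for a refresh or reading gpresult output.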

6 years ago
MCITP 70-640: Group Policy Restricted Groups

Restricted Groups allows the administrator to configure local groups on client computers. For example, you could add a helpdesk support group to the local Administrators group on every desktop. This video looks at how to configure local groups on your client computers using Group Policy rather than visiting each computer to make the changes.
Download the PDF handout for this video from http://ITFreeTraining.com/handouts/70-640/part3/gprestrictedgroups.pdf

A Common Problem
Many companies want to give technicians administrator access to the clients they support. The easiest way to do this is to add the technicians to the Domain Admins group, however this would give the technicians far more access than they require, including control of Active Directory and every domain controller. The better way to grant the technicians access to the client computers is to add a group containing them to the local Administrators group on each client computer. This way the technicians have only the access they require. This can be achieved manually or using scripts, however in a large environment you will want to use Group Policy to manage local groups, as once it is set up new computers are configured automatically.

Demonstration
To configure Restricted Groups, go to the following setting, right click it and select Add Group.
Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
There are two different procedures depending on whether you want to reset the entire membership of a local group or add users or groups to what is already configured in the group.

Resetting local group members
Right click Restricted Groups and select Add Group. In this case, enter the local group that you want to reset, for example Administrators. In the next dialog, the top section says "Members of this group". Add whichever groups or users you want to be members of the group. Anyone not on this list is removed at every security policy refresh, including accounts added locally by hand, which is what makes this mode useful for keeping local administrator membership under control. If you are resetting groups like the Administrators group, these groups may already have members such as Domain Admins; make sure you add these groups back in if you want to keep them, otherwise you will lock domain administrators out of the client.
Note: The built-in local Administrator account will always remain a member of Administrators; you cannot remove it with this setting.

Adding to a local group
Right click Restricted Groups and select Add Group. When asked for a group, enter the domain group that you want to add to the local group, for example ITFreeTraining\Helpdesk Administrators. In the next dialog, add the local group to the bottom part titled "This group is a member of". For example, to add the group to the local Administrators group, enter Administrators in the bottom part. Existing members of the local group are left untouched in this mode.
See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second Edition" pg 319-324
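A way to verify on a client that the Restricted Groups policy produced the membership you intended, as an added example that is not part of the video or its handout. It uses the WinNT ADSI provider so it runs on Windows 7 / Server 2008 R2 (PowerShell 2.0, no Get-LocalGroupMember); the expected membership list and the domain name ITFREETRAINING are constructed for the example.

```powershell
# Added example, not from the ITFreeTraining video. Run on a client after
# "gpupdate /force" to compare the local Administrators group with what the
# Restricted Groups setting should have enforced. Domain and group names below
# are assumptions; substitute your own.

function Get-LocalGroupMembership {
    # Returns members as DOMAIN\Name or COMPUTER\Name strings.
    param(
        [string]$GroupName    = 'Administrators',
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        # Each member is a COM object; ADsPath looks like WinNT://DOMAIN/Name.
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Compare-RestrictedGroup {
    # Lists principals the policy should have added but did not (Missing) and
    # principals still present that the "Members of this group" list would
    # have removed (Unexpected). Comparison is case-insensitive.
    param(
        [string[]]$Expected,
        [string]$GroupName = 'Administrators'
    )
    $actual = @(Get-LocalGroupMembership -GroupName $GroupName)
    New-Object PSObject -Property @{
        Group      = $GroupName
        Actual     = $actual
        Missing    = @($Expected | Where-Object { $actual   -notcontains $_ })
        Unexpected = @($actual   | Where-Object { $Expected -notcontains $_ })
    }
}

# Constructed expectation matching the video's "reset" scenario: the built-in
# Administrator (cannot be removed), Domain Admins (re-added, as the video
# warns) and the helpdesk group.
$expected = @(
    "$env:COMPUTERNAME\Administrator",
    'ITFREETRAINING\Domain Admins',
    'ITFREETRAINING\Helpdesk Administrators'
)

Compare-RestrictedGroup -Expected $expected | Format-List Group, Actual, Missing, Unexpected
```

If Unexpected is not empty a few minutes after gpupdate, either the GPO did not apply to this computer (check gpresult /h report.html for the winning GPO and any WMI or security filter that excluded it) or a second GPO with its own Restricted Groups entry for Administrators is overriding yours; only one GPO's "Members of this group" list wins for a given local group.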

6 years ago
MCITP 70-640: Managed Service Accounts

This video looks at one of the new features in Windows Server 2008 R2 and Windows 7 that automates the management of service accounts. If your application supports it, using Managed Service Accounts means that the password of the service account is changed automatically and periodically without any interaction from the administrator.

What is a service account
A service account is a user account that is created to run a particular service or piece of software. For good security, a separate service account should be created for each service/application on your network, so that compromising one service does not hand over the credentials used by another. On large networks this means a lot of service accounts, and managing them, in particular rotating their passwords, becomes difficult; this is where Managed Service Accounts help.

Computer Accounts
A computer account is like a user account in that it has a password. The difference is that the password for a computer account is updated automatically by Windows with no interaction from the user. Managed Service Accounts use the same process to manage their passwords. Refer here for information about computer accounts http://itfreetraining.com/70-640/computer-accounts

Managed Service Account Passwords
The password associated with a Managed Service Account (MSA) is changed automatically every 30 days. It is a random string of 120 characters, so it offers better security than a standard password, even one that mixes upper and lower case letters with non-alphanumeric characters. An administrator could set a 120-character password by hand, but it would be difficult to work with and would not rotate itself. Like a computer account, a Managed Service Account is bound to one computer and cannot be used on a computer it was not installed on. This provides additional security: the credential is only useful on that one host.

Requirements
In order to start using Managed Service Accounts you need to meet a few requirements.
Domain Functional Level: Windows Server 2008 R2 or above. (Managed Service Accounts can be created at lower levels once the schema is updated, but automatic SPN management requires the Windows Server 2008 R2 level.)
Forest Functional Level: No particular forest level is required.
Schema changes: The schema needs to be up to date. Run ADPrep /ForestPrep from a Windows Server 2008 R2 (or later) DVD to update the schema.
Client: A Managed Service Account can only be used on Windows Server 2008 R2 or Windows 7.
Software components: .NET Framework 3.5 and the Active Directory module for Windows PowerShell are required to create and install Managed Service Accounts.

Supported Software
Not all software will work with Managed Service Accounts. A Managed Service Account does not allow the software to interact with the desktop, so it cannot be used to log on interactively and cannot display GUI windows. Listed below is common software and whether it can use a Managed Service Account.
Exchange: Yes, but the Managed Service Account cannot be used for sending e-mail.
IIS: Yes, it can be used as an application pool identity.
SQL Server: Some people have got Managed Service Accounts to work with SQL Server, but Microsoft does not support it.
Task Scheduler: No.
AD LDS: Yes, Active Directory Lightweight Directory Services works with a Managed Service Account, however a special procedure needs to be followed to get it to work.
Description too long for YouTube. For the rest please see http://itfreetraining.com/70-640/managed-service-accounts
See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

References
"Service accounts step-by-step guide" http://technet.microsoft.com/en-us/library/dd548356.aspx
"Managed Service Accounts Frequently Asked Questions (FAQ)" http://technet.microsoft.com/en-us/library/ff641729(v=ws.10).aspx
Keywords: "Managed Service Accounts" "MSA" "Active Directory" 70-640 MCITP MCTS ITFreeTraining
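The create, bind, install and verify steps for a Managed Service Account, as an added example that is not part of the video or the TechNet guides it references. The domain ITFREETRAINING, the target server WEB01, the account name svc-web and the service name MyAppService are all assumptions.

```powershell
# Added example, not from the ITFreeTraining video. Assumes the ActiveDirectory
# module on a Windows Server 2008 R2 domain, a target server WEB01, an MSA named
# svc-web and a service named MyAppService (all names assumed).
# Steps 1-2 run on a DC or admin workstation; steps 3-4 run on WEB01 itself.
Import-Module ActiveDirectory
$msaName  = 'svc-web'   # created as svc-web$ in the Managed Service Accounts container
$hostName = 'WEB01'

# 1. Create the MSA. On Windows Server 2008 R2 this creates a standalone MSA;
#    on Windows Server 2012 and later the same cmdlet creates a group MSA unless
#    -RestrictToSingleComputer is added.
New-ADServiceAccount -Name $msaName -Enabled $true

# 2. Bind the account to the single computer allowed to use it. This binding is
#    what makes the credential worthless if it is copied to another host.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# 3. On WEB01: install the account locally. From now on Windows rotates the
#    120-character password every 30 days, exactly like a computer account.
Install-ADServiceAccount -Identity $msaName
Test-ADServiceAccount -Identity $msaName      # True when this host can use the MSA

# 4. On WEB01: run the service as DOMAIN\name$ with an empty password; the
#    computer supplies the real one. Doing this in services.msc is equivalent.
sc.exe config 'MyAppService' obj= 'ITFREETRAINING\svc-web$' password= ''

# 5. Back on the DC: confirm the host binding and see when the password last
#    rotated; PasswordLastSet should advance roughly every 30 days on its own.
Get-ADServiceAccount -Identity $msaName -Properties HostComputers, PasswordLastSet |
    Format-List Name, SamAccountName, HostComputers, PasswordLastSet
```

If Test-ADServiceAccount returns False on the target, the usual causes are that step 2 was run against a different computer object than the one the server actually is, or that Install-ADServiceAccount was run on a machine other than the one named in step 2; the account can never be installed on a second host, which is the security property the video describes.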

7 years ago
Creating a new Group Policy in Windows Server 2008 R2

8 years ago