
Automating Administrative Tasks, Policies, and Procedures

from Chapter 4, Microsoft Windows 2000 Administrator's Pocket Consultant by William R. Stanek.

Performing routine tasks day after day, running around policing systems, and walking users through the basics aren't efficient uses of your time. You'd be much more effective if you could automate these chores and focus on more important issues. Well, increasing productivity and allowing you to focus less on mundane matters and more on important ones is what automation is all about.

Microsoft Windows 2000 provides many resources that help you automate administrative tasks, policies, and procedures. This chapter concentrates on three areas:

  • Group policy management

  • User and computer script management

  • Scheduling Tasks

Group Policy Management

Group policies simplify administration by giving administrators central control over privileges, permissions, and capabilities of both users and computers. Through group policies you can

  • Create centrally managed directories for special folders, such as Desktop. This is covered in this chapter in the section entitled "Centrally Managing Special Folders."

  • Control access to Windows components, system resources, network resources, control panel utilities, the desktop, and the Start menu. This is covered in this chapter in the section entitled "Using Administrative Templates to Set Policies."

  • Define user and computer scripts to run at specified times. This is covered in this chapter in the section entitled "User and Computer Script Management."

  • Configure policies for account lockout and passwords, auditing, user rights assignment, and security. This is covered in Part II of this book, "Microsoft Windows 2000 Directory Services Administration."

The sections that follow explain how you can work with group policies. The focus is on understanding and applying group policies.

Understanding Group Policies

You can think of a group policy as a set of rules that helps you manage users and computers. Group policies can be applied to multiple domains, to individual domains, to subgroups within a domain, or to individual systems. Policies that apply to individual systems are referred to as local group policies and are stored on the local system only. Other group policies are linked as objects in the Active Directory service.

To understand group policies, you need to know a bit about the structure of Active Directory directory service. In Active Directory, logical groupings of domains are called sites and subgroups within a domain are called organizational units. Thus, your network could have sites called NewYorkMain, CaliforniaMain, and WashingtonMain. Within the WashingtonMain site, you could have domains called SeattleEast, SeattleWest, SeattleNorth, and SeattleSouth. Within the SeattleEast domain, you could have organizational units called Information Services (IS), Engineering, and Sales.

Group policies only apply to systems running Windows 2000. You set policies for Microsoft Windows NT 4.0 systems with the System Policy Editor (poledit.exe). For Microsoft Windows 95 and Microsoft Windows 98, you need to use the System Policy Editor provided with Windows 95 or Windows 98, respectively, and then copy the policy file to the SYSVOL share on a domain controller.

In What Order Are Multiple Policies Applied?

When multiple policies are in place, policies are applied in the following order:

  1. Windows NT 4.0 policies (NTConfig.pol)

  2. Local group policies

  3. Site group policies

  4. Domain group policies

  5. Organizational unit group policies

  6. Child organizational unit group policies

If there are conflicts among the policy settings, the policy settings applied later have precedence and overwrite previously set policy settings. For example, organizational unit policies have precedence over domain group policies. As you might expect, there are exceptions to the precedence rule. These exceptions are discussed later in the section of this chapter entitled "Blocking, Overriding, and Disabling Policies."

When Are Group Policies Applied?

As you'll discover when you start working with group policies, policy settings are divided into two broad categories:

  • Those that apply to computers

  • Those that apply to users

While computer policies are normally applied during system startup, user policies are normally applied during logon.

The exact sequence of events is often important in troubleshooting system behavior. The events that take place during startup and logon are as follows:

  1. The network starts and then Windows 2000 applies computer policies. By default, the computer policies are applied one at a time in the previously specified order. No user interface is displayed while computer policies are being processed.

  2. Windows 2000 runs startup scripts. By default, startup scripts are executed one at a time, with each completing or timing out before the next starts. Script execution isn't displayed to the user unless specified.

  3. A user presses Ctrl+Alt+Del to log on. After the user is validated, Windows 2000 loads the user profile.

  4. Windows 2000 applies user policies. By default, the policies are applied one at a time in the previously specified order. The user interface is displayed while user policies are being processed.

  5. Windows 2000 runs logon scripts. Group policy logon scripts are executed simultaneously by default. Script execution isn't displayed to the user unless specified. Scripts in the Netlogon share are run last in a normal command-shell window as in Windows NT 4.0.

  6. Windows 2000 displays the start shell interface configured in Group Policy.

Managing Local Group Policies

Each computer running Windows 2000 has one local group policy. You manage local policies on a computer by completing the following steps:

  1. Open the Run dialog box by clicking Start and then clicking Run.

  2. Type mmc in the Open field and then click OK. This opens the Microsoft Management Console (MMC).

  3. In MMC, click Console, then click Add/Remove Snap-In. This opens the Add/Remove Snap-In dialog box.

  4. On the Standalone tab, click Add.

  5. In the Add Snap-In dialog box, click Group Policy, and then click Add. This opens the Select Group Policy Object dialog box.

  6. Click Local Computer to edit the local policy on your computer or browse to find the local policy on another computer.

  7. Click Finish, and then click Close.

  8. Click OK. You can now manage the local policy on the selected computer. For details, see the section of this chapter entitled "Working with Group Policies."

Local group policies are stored in the %SystemRoot%\system32\GroupPolicy folder on each Windows 2000 computer. In this folder you'll find the following subfolders:

  • Adm: Stores administrative template files currently being used. These files end with the .adm file extension. The Adm folder is only on domain controllers.

  • Machine: Stores computer scripts in the Script folder and registry-based policy information for HKEY_LOCAL_MACHINE (HKLM) in the Registry.pol file.

  • User: Stores user scripts in the Script folder and registry-based policy information for HKEY_CURRENT_USER (HKCU) in the Registry.pol file.

Caution: You shouldn't edit these folders and files directly. Instead, you should use the appropriate features of the Group Policy console.

Managing Site, Domain, and Unit Policies

Each site, domain, and organizational unit can have one or more group policies. Group policies listed higher in the Group Policy list have a higher precedence than policies listed lower in the list. As stated earlier, group policies set at this level are associated with Active Directory. This ensures that site policies get applied appropriately throughout the related domains and organizational units.

Creating and Editing Site, Domain, and Unit Policies

You create and edit site, domain, and unit policies by completing the following steps:

  1. For sites, you start the Group Policy snap-in from the Active Directory Sites And Services console. Open the Active Directory Sites And Services console.

  2. For domains and organizational units, you start the Group Policy snap-in from the Active Directory Users And Computers console. Open the Active Directory Users And Computers console.

  3. In the console root, right-click the site, domain, or unit on which you want to create or manage a group policy. Then select Properties on the shortcut menu. This opens a properties dialog box.

  4. In the properties dialog box, select the Group Policy tab. As Figure 4-1 shows, existing policies are listed in the Group Policy Object Links list.

    Figure 4-1: Use the Group Policy tab to create and edit policies.

  5. To create a new policy or edit an existing policy, click New. You can now configure the policy as explained in the section of this chapter entitled "Working with Group Policies."

  6. To edit an existing policy, select the policy and then click Edit. You can now edit the policy as explained in the section of this chapter entitled "Working with Group Policies."

  7. To change the priority of a policy, use the Up or Down buttons to change its position in the Group Policy Object Links list.

Site, domain, and unit group policies are stored in the %SystemRoot%\SYSVOL\domain\policies folder on domain controllers. In this folder you'll find one subfolder for each policy you've defined on the domain controller. Within these individual policy folders, you'll find

  • Adm: Stores administrative template files currently being used. These files end with the .adm file extension. The Adm folder is only on domain controllers.

  • Machine: Stores computer scripts in the Script folder and registry-based policy information for HKEY_LOCAL_MACHINE (HKLM) in the Registry.pol file.

  • User: Stores user scripts in the Script folder and registry-based policy information for HKEY_CURRENT_USER (HKCU) in the Registry.pol file.

Caution: You shouldn't edit these folders and files directly. Instead, you should use the appropriate features of the Group Policy console.

Blocking, Overriding, and Disabling Policies

You can block policy inheritance at the site, domain, and organizational unit level. This means that you could block policies that would otherwise be applied. At the site and domain level, you can also enforce policies that would otherwise be contradicted or blocked. This gives top-level administrators the ability to enforce policies and prevent them from being blocked. Another available option is to disable policies. You can disable a policy partially or entirely without deleting its definition.

You configure these policy options by completing the following steps:

  1. Access the Group Policy tab for the site, domain, or organizational unit you want to work with as specified in steps 1–4 of the "Creating and Editing Site, Domain, and Unit Policies" section of this chapter.

  2. Select Block Policy Inheritance to prevent the inheritance of higher-level policies (unless those policies have the No Override option set).

  3. Use the No Override option to prevent lower-level policies from blocking the policy settings. Set or clear the No Override option by double-clicking in the appropriate column to the right of the group policy entry. A check mark indicates the option is selected.

  4. Use the Disabled option to prevent the policy from being used. Set or clear the Disabled option by double-clicking in the appropriate column to the right of the group policy entry. A check mark indicates the option is selected.

Tip: Another way to disable a policy is to block Computer Configuration or User Configuration settings, or both. To do this, click Properties in the Group Policy tab, then set or clear Disable Computer Configuration Settings and Disable User Configuration Settings.
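
The application order from "In What Order Are Multiple Policies Applied?" combined with the Block Policy Inheritance, No Override, and Disabled options described above can be modeled as a small resolver. This is an added example, not code from the book or from Windows: it covers only Active Directory-linked policies, the policy and setting names are hypothetical, the container names are the chapter's own, and it assumes that when two No Override policies conflict the higher-level one wins.

```python
from dataclasses import dataclass

LEVELS = ["site", "domain", "ou", "child_ou"]  # order in which policies are applied

@dataclass
class Link:
    name: str
    settings: dict
    no_override: bool = False
    disabled: bool = False

@dataclass
class Container:
    level: str
    links: list                      # top of the Group Policy Object Links list first
    block_inheritance: bool = False

def resolve(containers):
    """Return {setting: (value, winning policy)} for the lowest container given."""
    chain = sorted(containers, key=lambda c: LEVELS.index(c.level))
    # Ordinary links above the lowest blocking container are not inherited.
    first_kept = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    result = {}
    def apply(link):
        for key, value in link.settings.items():
            result[key] = (value, link.name)
    # Pass 1: ordinary links, later application wins. Within one container the
    # list is walked bottom-up so the link listed highest is applied last.
    for c in chain[first_kept:]:
        for link in reversed(c.links):
            if not link.disabled and not link.no_override:
                apply(link)
    # Pass 2: No Override links ignore blocking and beat every ordinary link.
    # Walking child-to-parent lets the highest-level link win (assumption).
    for c in reversed(chain):
        for link in reversed(c.links):
            if link.no_override and not link.disabled:
                apply(link)
    return result

def sample_chain(block):
    """Constructed sample: WashingtonMain site, SeattleEast domain, Engineering OU."""
    site = Container("site", [Link("SiteBaseline", {"screensaver_lock": "on", "run_menu": "shown"})])
    domain = Container("domain", [
        Link("DomainSecurity", {"screensaver_lock": "on", "control_panel": "hidden"}, no_override=True),
        Link("DomainDesktop", {"run_menu": "hidden", "wallpaper": "corp"}),
        Link("OldPilot", {"wallpaper": "pilot"}, disabled=True),
    ])
    ou = Container("ou", [Link("EngWorkstations", {"control_panel": "shown", "screensaver_lock": "off"})],
                   block_inheritance=block)
    return [site, domain, ou]
```

With blocking enabled on the Engineering unit, only the unit's own settings and the domain's No Override policy survive, which is why an audit of effective settings has to account for all three options rather than the link order alone.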

Applying an Existing Policy to a New Location

Any group policy that you've created can be associated with another computer, unit, domain, or site. By associating the policy with another object, you can use the policy settings without having to recreate them.

You apply an existing policy to a new location by completing the following steps:

  1. Access the Group Policy tab for the site, domain, or organizational unit you want to work with.

  2. In the Group Policy tab, click Add. As shown in Figure 4-2, this opens the Add A Group Policy Object Link dialog box.

  3. Use the tabs and fields provided to find the group policy you want to apply to the current location. When you find the policy, click OK.

    Figure 4-2: Use the Add A Group Policy Object Link dialog box to link existing policies to new locations without having to recreate the policy definition.

  4. Active Directory creates a link between the group policy object and the site, domain, or unit container you're working with. Now when you edit the policy in any location, you edit the master copy of the object and the changes are reflected globally.

Deleting a Group Policy

You can disable or delete group policies that you don't use. To disable a policy, see the section of this chapter entitled "Blocking, Overriding, and Disabling Policies." To delete a policy, follow these steps:

  1. Access the Group Policy tab for the site, domain, or organizational unit you want to work with as specified in steps 1–4 of the section of this chapter entitled "Creating and Editing Site, Domain, and Unit Policies."

  2. Select the policy you want to delete and then click Delete.

  3. If the policy is linked, you have the option of deleting the link without affecting other containers that use the policy. To do this, in the Delete dialog box select Remove The Link From The List.

  4. If the policy is linked, you can also delete the link and the related policy object, which permanently deletes the policy. To do this, select Remove The Link And Delete The Group Policy Object Permanently.

from Microsoft Windows 2000 Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.
