Deploying the Scenarios
Updated: March 2, 2005
Applies To: Windows Server 2003 with SP1
This section describes the steps necessary to implement the scenarios. As a prerequisite, it is assumed that you have created a fully operational Active Directory domain and have validated the integrity and operation of the underlying DNS infrastructure. Group Policy is dependent on a well-configured, reliable Active Directory environment.
Note: You can download the CommonScenarios.msi installation package, which includes this document and supporting files, from the Microsoft Download Center.
The following steps are necessary to implement the scenarios:
1. Run the CommonScenarios.msi package to copy the GPOs, scripts, and associated documentation (such as this white paper) to your administrative workstation.
2. Create an appropriate OU environment.
3. Use GPMC to import the scenario GPOs into your environment.
4. Link the GPOs to OUs.
Two options are available to cover steps 2 - 4:
Automatically create an OU hierarchy, GPOs, and GPO links using a script provided with this white paper (CreateCommonScenarios.cmd).
Manually implement each step (create OUs, import GPOs, and so on). This is a more flexible approach but will take a little longer to implement.
On completion of these steps, and regardless of the approach taken (scripted or manual), you will perform the following steps to complete configuration and testing of the scenarios:
Configure specific scenario features (see the “Configuring Specific Features” section)
Create Computer and User accounts for use within the scenarios.
Test and Production Environment Considerations
Before installing the scenarios into your environment (described in the next section), you should understand the options available for testing. There are two primary ways in which you can incorporate the GPOs into your environment for testing: by linking the GPOs to test OUs in your production domain, or by using a separate test domain (either in the same or a different forest).
Using Test OUs in Your Production Environment
Where a separate test domain (the preferred approach) is not feasible, the scenario GPOs can be imported to a production environment and linked to OUs created in that domain specifically for test purposes. These OUs should be well-segmented from those used for regular production purposes. The benefit of this approach is that you need not create infrastructure to support a separate domain (domain controllers, networking, and so on). The disadvantage is that misconfiguration of accounts, GPOs, or GPO links can directly affect the production environment.
Using a Separate Test Domain
With this approach, you use a domain that is separate from that of your production environment (trusts may or may not exist between the test and production environments). This can allow you to run a more realistic test by modeling the test domain on your existing domain, so you can test domain-wide settings and other interactions as needed. A significant benefit of using this approach is that the impact of errors through inappropriately linked or filtered GPOs is significantly less than is evident in a production environment. The primary drawback of this approach is that you need to set up domain controllers and other supporting infrastructure (networking, DNS, and so on) that implements the test domain. If possible, use this approach.
Considerations Across Forests and Domains
The two domains used for test and production purposes might or might not be in the same forest. Further, if they are in separate forests, a forest trust might or might not exist, because a forest trust can only be established between Windows Server 2003 forests.
Where a trust exists between the domains (for example, where the test and production domains are in the same forest and the default transitive trusts exist), an administrator with the appropriate rights in each domain can use GPMC to copy GPOs between domains. This can be as simple as dragging and dropping GPOs between domains using the GPMC graphical user interface. Note that if the GPOs in your test environment include security principals (for example, group names) or UNC paths (for example, when specifying your Folder Redirection parameters), migration tables will help you handle any changes you might need to make across domain boundaries. The Migration Table Editor – part of GPMC – provides a simple interface for editing migration tables. For more information, see the “Migrating GPOs Across Domains with GPMC” white paper at the Microsoft Web site (http://go.microsoft.com/fwlink/?linkid=14321).
Where a trust does not exist, the following options are available:
Create your OU structure and use the GPMC Import function to create new GPOs in the production environment. The backup from which you import GPOs might be that provided with this white paper or – if you have already tailored the GPOs to your needs – from a backup set that you created.
Use the CreateEnvironmentFromXML.wsf script (a sample script installed with GPMC – see GPMC Help for more information) to create the default OU environment in your production domain and, if necessary, rename OUs and GPOs to better reflect naming/structural conventions in your production environment.
Use the Stored User Names and Passwords feature of Windows XP to store credentials for a user in a non-trusted domain.
Test Environment Recommendation
Where adequate resources are available (domain controllers, networking infrastructure, and so on), it is strongly recommended that the GPOs are imported into a test domain. Using a separate domain provides you with a relatively safe environment in which to assess the GPOs and also allows more flexibility in regards to testing domain-wide Group Policy settings.
Installing the Common Scenario Scripts and GPOs
Packaged with this white paper is a series of scripts and GPO backups that form the basis of your deployment of the common scenarios. The CommonScenarios.msi file installs these components – including the white paper itself – into the “%programfiles%\Microsoft\Group Policy Common Scenarios” folder and creates menu options on the Start Menu for some of these components (for example, a link to the white paper and its associated spreadsheet). After running this package, the following directory structure is created:
%programfiles%\Microsoft\Group Policy Common Scenarios
\Documentation (Common Scenarios white paper and spreadsheet)
\GPO-Backups (GPMC-originated backups of the scenario GPOs)
\GPO-Reports (GPMC-originated reports for each GPO in HTML format)
\Environment (XML representation of example OU structure for scenarios)
\Scripts (scripts used to create example environment)
It is assumed that the computer on which this directory is created already has GPMC installed (the supplied scripts include calls to GPMC scripting interfaces). GPMC requires either Windows XP Professional or Windows Server 2003 (see GPMC documentation for further details about requirements). The directory in which the common scenarios files are installed is hereafter referred to as the <installdir>, (typically %programfiles%\Microsoft\Group Policy Common Scenarios).
In addition to installing the files, a Group Policy Common Scenarios menu on the user’s Start/Programs menu is created. This menu provides access to the white paper, the spreadsheet, a shortcut to the Group Policy Reports directory, and a command line configured to start in the %programfiles%\Microsoft\Group Policy Common Scenarios\Scripts directory.
After you run the installer, you must import the GPOs associated with the scenarios into your domain. There are two options to achieve this: a quick method to create an overall common scenarios test environment (a sample OU structure, GPOs, and GPO links), and a more manual process where creation of OUs, GPOs and GPO links are separate steps.
Deployment Option 1: Quick Setup Using CreateCommonScenarios.cmd
A script is included to assist with installing a representative OU structure, GPOs, and GPO links into your environment. This script is named CreateCommonScenarios.cmd and is installed into the <installdir>\Scripts directory. The script calls a sample script installed by GPMC (CreateEnvironmentFromXML.wsf), which is located in the %programfiles%\GPMC\Scripts directory.
CreateCommonScenarios.cmd initiates the following tasks:
Creates an example OU hierarchy, representing locations for computer and user accounts
Creates the scenario GPOs, including default permissions
Links the scenario GPOs to the appropriate OUs
To run the script, do the following:
Click Start, click Programs, click Group Policy Common Scenarios, and then click Common Scenarios Scripts Command Prompt.
From the command prompt, type CreateCommonScenarios, and then press Enter.
Results of Running the Script
By running the script against your domain, you create a self-contained test environment with the appropriate OUs and GPOs linked to those OUs. Note that you might still need to create or edit GPOs linked at the domain level, especially where account policy settings are modified, but this is specific to your domain and outside the scope of the scenario GPOs. To avoid potential conflict with your existing environment, no domain-level policy settings are implemented through the scenarios.
Modifying the Behavior of CreateCommonScenarios.cmd
The CreateCommonScenarios.cmd script is a wrapper for the CreateEnvironmentFromXML.wsf script, which is installed with GPMC. In some cases you might need to change the default behavior of this script, for example to change the domain controller against which the script is run. Any parameters passed directly to the CreateCommonScenarios.cmd script are passed on to the CreateEnvironmentFromXML.wsf script. For more information about the parameters supported by the CreateEnvironmentFromXML.wsf script, see GPMC Help.
Deployment Option 2: Manual Deployment Steps Using the GPMC GUI
This method is more time-consuming but allows you greater control over your OU design and GPO links.
Create an Appropriate OU Test Environment
You need to create OUs for the users and computers you want to manage within your domain. If your environment requires a more complex OU structure than that described in this document, refer to the “Designing the Active Directory Logical Structure” chapter of the Designing and Deploying Directory and Security Services book in the Windows Server 2003 Deployment Kit. For more information, see the Microsoft Web site (http://go.microsoft.com/fwlink/?linkid=18341).
Use GPMC to Import GPOs
The GPOs provided with this white paper can also be imported into your environment manually, using a GPMC sample script, as follows:
cscript %programfiles%\gpmc\scripts\ImportAllGPOs.wsf <installdir>\GPO-Backups
Note: "cscript" can be omitted if you have previously configured cscript as the default script host for your machine. More specifically, if you have previously run:
cscript //H:CScript
this sets cscript as the default host, in which case the following command would work:
%programfiles%\gpmc\scripts\ImportAllGPOs.wsf <installdir>\GPO-Backups
The ImportAllGPOs.wsf script creates in your environment a GPO for every backup in the <installdir>\GPO-Backups directory and imports its settings. On completion of this step you then need to link the GPOs to the OUs you have created.
The same result can be achieved through the GPMC MMC snap-in, as follows:
Create empty GPOs (no policy settings) in your environment by right-clicking the Group Policy object node and selecting New from the context menu. Create one GPO for each of the Common Scenario GPOs, using the names documented in the “How the Scenarios Are Designed” section of this white paper.
In GPMC, right-click each GPO and then click Import. Go to the <installdir>\GPO-Backups directory and import policy settings from the appropriate backed-up GPO.
Link GPOs to OUs
To apply the settings of a GPO to the users and computers of a domain, site, or OU, you need to add a link to that GPO. You can add one or more GPO links to each domain, site, or OU by using GPMC. Keep in mind that creating and linking GPOs is a sensitive privilege that should be delegated only to administrators who are trusted and understand Group Policy.
To link an existing GPO
In GPMC, right-click a domain or OU, and then click Link an Existing GPO here.
In the Select GPO dialog box, click the GPO which you want to link, and then click OK. In the left pane, the GPO is displayed beneath the domain or OU to which it is linked.
You can simultaneously link multiple GPOs to an Active Directory object by holding down the CTRL key while selecting GPOs.
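The three manual steps above (create OUs, import the backed-up GPOs, link them to the OUs) can be driven from a single script so that the result is repeatable and re-runnable. The following is an added example and is not part of the white paper or its CommonScenarios package: it uses the ActiveDirectory and GroupPolicy PowerShell modules (Windows Server 2008 R2 / RSAT or later, which post-date this paper; on Windows Server 2003 the equivalent is the ImportAllGPOs.wsf call shown above). The OU names under CommonScenarios, the GPO display names, and the GPO-to-OU mapping are assumptions for illustration; substitute the names documented in the "How the Scenarios Are Designed" section.

```powershell
# Added example: create a test OU hierarchy, import the scenario GPO backups,
# and link each imported GPO to its OU. Assumes the ActiveDirectory and
# GroupPolicy modules (RSAT); all OU and GPO names below are illustrative.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$InstallDir     = "${env:ProgramFiles}\Microsoft\Group Policy Common Scenarios"
$BackupPath     = Join-Path $InstallDir 'GPO-Backups'
$MigrationTable = $null            # set to a .migtable path when importing across domains
$DomainDN       = (Get-ADDomain).DistinguishedName
$RootOU         = "OU=CommonScenarios,$DomainDN"

# Illustrative mapping: GPO display name -> OU relative to the CommonScenarios OU.
$LinkMap = @{
    'Common Scenarios - TaskStation Computer' = 'OU=TaskStation,OU=Computers'
    'Common Scenarios - TaskStation User'     = 'OU=TaskStation,OU=Users'
}

function Ensure-OU {
    # Create an OU (and its parents) only if it does not already exist.
    # Simple comma split is fine here because the illustrative names contain no escaped commas.
    param([string]$DistinguishedName)
    try { Get-ADOrganizationalUnit -Identity $DistinguishedName -ErrorAction Stop | Out-Null; return } catch { }
    $name, $parent = $DistinguishedName -split ',', 2
    if ($parent -ne $DomainDN) { Ensure-OU $parent }
    # Not protected from deletion: this is a test tree that will be removed later.
    New-ADOrganizationalUnit -Name ($name -replace '^OU=') -Path $parent `
        -ProtectedFromAccidentalDeletion $false | Out-Null
}

# Step 1: OU hierarchy.
Ensure-OU $RootOU
foreach ($rel in $LinkMap.Values) { Ensure-OU "$rel,$RootOU" }

foreach ($gpoName in $LinkMap.Keys) {
    # Step 2: import the backup into a GPO of the same display name.
    # -CreateIfNeeded creates the target GPO if it does not exist yet, so the
    # separate "create empty GPO" step from the GUI procedure is not needed.
    $importArgs = @{
        BackupGpoName  = $gpoName
        Path           = $BackupPath
        TargetName     = $gpoName
        CreateIfNeeded = $true
    }
    if ($MigrationTable) { $importArgs.MigrationTable = $MigrationTable }
    Import-GPO @importArgs | Out-Null

    # Step 3: link to the OU, unless the link already exists (safe to re-run).
    $target   = "$($LinkMap[$gpoName]),$RootOU"
    $existing = (Get-GPInheritance -Target $target).GpoLinks | Where-Object DisplayName -eq $gpoName
    if (-not $existing) { New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes | Out-Null }
}

# Show where each scenario GPO is now linked, from the GPO's own XML report.
foreach ($gpoName in $LinkMap.Keys) {
    $report = [xml](Get-GPOReport -Name $gpoName -ReportType Xml)
    $report.GPO.LinksTo | ForEach-Object { '{0} -> {1}' -f $gpoName, $_.SOMPath }
}
```

Run this under an account that has been delegated GPO creation and link rights on the CommonScenarios OU only, rather than as a domain administrator; as the text above notes, creating and linking GPOs is a sensitive privilege, and a mistyped OU path in $LinkMap should fail rather than link a scenario GPO somewhere else in the domain.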
After you have created an environment in which you wish to host your scenario GPOs – either automatically by using the CreateCommonScenarios.cmd script or manually – you must carry out a number of additional steps to finalize the configuration of certain aspects of your environment. This section describes each of these steps.
Configure Scenario Features
Configuring Roaming User Profiles and Redirected Folders requires you to enter UNC paths specific to your environment (into the user objects within Active Directory and into the appropriate GPOs, respectively). See the “Configuring Specific Features” section for more details.
Create Computer and User Accounts
Using the Active Directory Users and Computers snap-in, create a sufficient number of user accounts to allow you to test each of the scenarios.
It is important to note that any one scenario is implemented through the combination of user and computer accounts, each of which should be affected by GPOs associated with the same scenario. For example, to achieve the TaskStation scenario, a user in the CommonScenarios/Users/TaskStation OU might log on to a computer in the CommonScenarios/Computer/TaskStation OU. Any “cross matching” of user and computer scenarios is untested and might cause unforeseen results.
Migrating the Scenarios to a Production Environment
After testing and potentially customizing the Common Scenario environment, you might wish to move into a production environment. The following approaches can be used:
Manual creation in production environment. With this approach, you create each of the OUs from either GPMC or Active Directory Users and Computers. The GPOs are either copied (if a trust exists between the source and target environments) or created/imported (where file-based GPO backups are used). Then link the GPOs to the OUs and move the users/computers into the OUs as appropriate.
Use the CreateXMLFromEnvironment and CreateEnvironmentFromXML scripts. The CreateXMLFromEnvironment script – included with GPMC as a sample script – allows the administrator to create an XML file representing all the policy-related objects (OUs, GPOs, and GPO links). Optionally, you can specify a starting OU rather than the entire domain. The script creates a representation of the OU and its linked GPOs in the specified XML file. This file can then be used by the CreateEnvironmentFromXML script to create a mirrored OU structure and associated GPOs and links in the target environment. When planned carefully, these two scripts can help create an initial framework in your production environment.
For more information about managing GPOs across domains, see the “Migrating GPOs Across Domains with GPMC” white paper at the Microsoft Web site (http://go.microsoft.com/fwlink/?linkid=14321).
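Where no trust exists between the test and production domains, the file-based approach from the "Considerations Across Forests and Domains" section is the only option, and a migration table is what keeps test-domain UNC paths and group names out of the production GPOs. The following is an added example, not code from the white paper or its package: it uses the GroupPolicy PowerShell module (Windows Server 2008 R2 / RSAT or later, which post-dates this paper). Domain names, server names, share paths, group names and GPO names are constructed for illustration. The migration table XML is written in the format that the Migration Table Editor (mtedit.exe) produces.

```powershell
# Added example: move customized scenario GPOs from a test domain to production
# with no trust between them, using file-based backups and a migration table.
# All domain, server, share, group and GPO names are illustrative assumptions.
Import-Module GroupPolicy

$TestDomain = 'test.contoso.local'
$ProdDomain = 'corp.contoso.com'
$ProdDC     = 'dc01.corp.contoso.com'
$Staging    = 'C:\GPO-Staging'       # copied to a production workstation by hand (no trust)
$MigTable   = Join-Path $Staging 'test-to-prod.migtable'
$GpoNames   = @('Common Scenarios - TaskStation Computer', 'Common Scenarios - TaskStation User')

# Step 1 (run in the test domain): back up the customized scenario GPOs to files.
function Backup-ScenarioGpos {
    New-Item -ItemType Directory -Path $Staging -Force | Out-Null
    foreach ($name in $GpoNames) {
        $b = Backup-GPO -Name $name -Domain $TestDomain -Path $Staging
        '{0} -> backup {1}' -f $b.DisplayName, $b.Id
    }
}

# Step 2: write the migration table. Each Mapping rewrites one UNC path or
# security principal during import; a principal mapped here must already
# exist in the production domain or the import fails.
function Write-MigrationTable {
    $xml = @"
<?xml version="1.0" encoding="utf-16"?>
<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping>
    <Type>UNCPath</Type>
    <Source>\\testfs\profiles</Source>
    <Destination>\\prodfs\profiles</Destination>
  </Mapping>
  <Mapping>
    <Type>GlobalGroup</Type>
    <Source>TEST\TaskStation Users</Source>
    <Destination>CORP\TaskStation Users</Destination>
  </Mapping>
</MigrationTable>
"@
    # The XML declaration says utf-16, so the file must be written as Unicode.
    Set-Content -Path $MigTable -Value $xml -Encoding Unicode
}

# Step 3 (run in the production domain after copying $Staging across): import,
# applying the migration table, and create the target GPOs if they are missing.
function Import-ScenarioGpos {
    foreach ($name in $GpoNames) {
        Import-GPO -BackupGpoName $name -Path $Staging -TargetName $name `
            -Domain $ProdDomain -Server $ProdDC -MigrationTable $MigTable -CreateIfNeeded | Out-Null
    }
}

# Step 4: prove that no test-domain path or principal survived the import by
# searching each production GPO's XML report for the test-side names.
function Test-NoTestReferences {
    $leaks = foreach ($name in $GpoNames) {
        $report = Get-GPOReport -Name $name -Domain $ProdDomain -Server $ProdDC -ReportType Xml
        if ($report -match [regex]::Escape('\\testfs\') -or $report -match '\bTEST\\') { $name }
    }
    if ($leaks) { throw "Test-domain references remain in: $($leaks -join ', ')" }
    'No test-domain references found.'
}

# Test side:        Backup-ScenarioGpos; Write-MigrationTable
# Production side:  Import-ScenarioGpos; Test-NoTestReferences
```

Step 4 is the check a practitioner wants after any cross-domain import: a Folder Redirection or Roaming Profile path that still points at a test-domain server will silently fail, or worse, send production user data to a host under different control. Where a trust does exist, the same migration table can be passed to the GPMC copy operation instead of the backup/import pair.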
Removing the Scenarios from Your Environment
Removing the scenarios from your environment is a relatively simple task. Use the following steps to remove them:
Move computer and user accounts that you need to retain into alternative OUs, as necessary. Reconfigure user objects, as appropriate, to modify Roaming User Profile paths.
Validate that each scenario GPO is linked to the expected SOMs (using the Scope tab within GPMC). This step is important to ensure that no unexpected cross-domain or other links exist.
Delete each scenario GPO.
Validate that the scenario OUs are empty, and then use Active Directory Users and Computers to remove those OUs.
If you added the domain GPO, validate, unlink, and delete that GPO as appropriate.
If you used the CreateCommonScenarios.cmd script to create your sample environment, the CreateEnvironmentFromXML.wsf sample script was called implicitly. This script has an /undo switch that removes the environment described by the XML file passed as an argument. See GPMC online Help for further details on this script.
In addition to these issues, please refer to the section “Switching Between Scenarios” for more factors that might also be relevant when removing scenarios (for example, “tattooing” the registry with security settings).
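The validation step above (confirming each scenario GPO is linked only where expected before deleting it) is the one most often skipped, and it is the one that prevents a scenario GPO that was accidentally linked to a production OU from being deleted along with its settings. The following added example, not part of the white paper or its package, scripts the removal procedure with that check enforced. It uses the ActiveDirectory and GroupPolicy PowerShell modules (Windows Server 2008 R2 / RSAT or later, which post-date this paper); the OU and GPO names are illustrative assumptions. If you created the environment with CreateCommonScenarios.cmd, the /undo switch described above is the matching alternative.

```powershell
# Added example: remove the scenario GPOs and OUs safely. Before deleting a GPO,
# enumerate every SOM it is linked to and stop if any link lies outside the
# CommonScenarios OU tree. Refuse to delete an OU that still holds accounts.
# OU and GPO names are illustrative assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = (Get-ADDomain).DistinguishedName
$RootOU   = "OU=CommonScenarios,$DomainDN"
$GpoNames = @('Common Scenarios - TaskStation Computer', 'Common Scenarios - TaskStation User')

function Get-UnexpectedLinks {
    # Returns the SOM paths (e.g. "corp.contoso.com/Finance") of links to this GPO
    # that are not under the CommonScenarios OU. Domain- and site-level links
    # have no "/CommonScenarios" component and are therefore flagged too.
    param([string]$GpoName)
    $report = [xml](Get-GPOReport -Name $GpoName -ReportType Xml)
    $report.GPO.LinksTo | ForEach-Object { $_.SOMPath } |
        Where-Object { $_ -notmatch '/CommonScenarios(/|$)' }
}

function Remove-ScenarioGpos {
    foreach ($name in $GpoNames) {
        $gpo = Get-GPO -Name $name -ErrorAction SilentlyContinue
        if (-not $gpo) { continue }
        $bad = @(Get-UnexpectedLinks $name)
        if ($bad.Count) { throw "$name is linked outside the scenario OUs: $($bad -join ', ')" }
        # Remove-GPO deletes the GPO and, by default, all links to it in this domain.
        Remove-GPO -Guid $gpo.Id -Confirm:$false
        "Deleted GPO $name"
    }
}

function Remove-ScenarioOus {
    # Deepest OUs first so that each is empty of child OUs when its turn comes.
    $ous = Get-ADOrganizationalUnit -SearchBase $RootOU -Filter * |
        Sort-Object { ($_.DistinguishedName -split ',').Count } -Descending
    foreach ($ou in $ous) {
        # Anything other than a child OU (users, computers, groups) must be moved first.
        $occupants = @(Get-ADObject -SearchBase $ou.DistinguishedName -SearchScope OneLevel -Filter * |
            Where-Object ObjectClass -ne 'organizationalUnit')
        if ($occupants.Count) {
            throw "$($ou.DistinguishedName) still contains $($occupants.Count) object(s); move them first."
        }
        Set-ADOrganizationalUnit -Identity $ou -ProtectedFromAccidentalDeletion $false
        Remove-ADOrganizationalUnit -Identity $ou -Confirm:$false
        "Deleted OU $($ou.DistinguishedName)"
    }
}

Remove-ScenarioGpos
Remove-ScenarioOus
```

Deleting the GPO does not revert settings that were tattooed onto client registries; see "Switching Between Scenarios" for what must be handled on the clients themselves.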