Understanding and Using the Scenarios

Applies To: Windows Server 2003 with SP1

The scenarios are implemented through the use of GPOs provided in the .MSI package with this white paper. By linking appropriate combinations of GPOs to OUs for computer and user settings, you can implement each of the scenarios in your environment. This section describes the general characteristics of the GPOs and how they can be linked to OUs.

How the Scenarios Are Designed

Separate GPOs for Computer and User Policy Settings

Most scenarios are directly associated with two GPOs – one for computer configuration and another for user configuration. For example, the Lightly Managed scenario is directly associated with the Lightly Managed (Machine) GPO for computer configuration and the Lightly Managed (User) GPO for user configuration. This approach simplifies troubleshooting, makes the application of GPOs somewhat more intuitive, and is a Group Policy best practice.

“Base GPOs” for Common Settings

Many of the scenarios share a considerable number of policy settings and associated values. This version of the Common Scenarios white paper introduces the concept of the “base GPO,” which is more relevant in a real-world, production environment than the monolithic GPOs packaged with previous versions.

The base GPOs (two each for Lightly Managed and Highly Managed) contain Group Policy settings common to other “child” scenarios (see the next section). The GPOs for these child scenarios extend these base GPOs by enabling, disabling, or changing the values of a relatively small number of settings tailored to their specific requirements.

Scenario/GPO Relationships

To implement any of the scenarios, the GPOs must be linked to Scope of Management (SOM) containers - a site, domain or OU. Most of the GPOs packaged with the white paper are designed to be linked to OUs, rather than sites or domains.

Note

The GPOs provided are intended to assemble common policy settings and their relationships are technically independent of any OU hierarchy you might implement. For scenarios that require more than one GPO you might either link separate GPOs in a chain of OUs (Group Policy inheritance) or link multiple GPOs to a single OU (Group Policy precedence) – these options are covered in more detail later in this white paper.

The following list illustrates the relationships between GPOs.

Machine Policy GPOs

  • Lightly Managed
      • Mobile – No differences from Lightly Managed GPO, so no machine GPO exists for Mobile
  • Highly Managed
      • AppStation – No differences from Highly Managed GPO, so no machine GPO exists for AppStation
      • Multi-User – GPO provided
      • TaskStation – GPO provided
      • Kiosk – GPO provided

User Policy GPOs

  • Lightly Managed
      • Mobile – GPO provided
  • Highly Managed
      • AppStation – GPO provided
      • Multi-User – GPO provided
      • TaskStation – GPO provided
      • Kiosk – GPO provided

For example, the AppStation scenario shares many of its Group Policy settings with the Highly Managed GPOs, as follows:

  • On the machine side of policy for the AppStation scenario, the settings are identical in all regards to that of the Highly Managed scenario and, as such, there is no AppStation-specific GPO for machine policy settings. To implement machine settings appropriate to the AppStation scenario, it is only necessary to ensure that the Highly Managed (Machine) GPO is linked to a SOM containing the target machines.

  • By comparison, some differences exist for user policy settings between Highly Managed and AppStation. For this reason, a GPO is provided for the user policy settings in the AppStation scenario, which contains differences from the Highly Managed user GPO. To implement user settings for the AppStation scenario, it is necessary that both the Highly Managed (User) and AppStation (User) GPOs are linked – directly or otherwise – to a SOM containing the target users. This can be achieved through either Group Policy inheritance or precedence when GPOs are linked to the same container.

Most scenarios are implemented through two GPOs – one for computer configuration and another for user configuration; the AppStation scenario is an exception because it uses only a user configuration GPO. In addition, most are associated with the base scenarios, Lightly Managed and Highly Managed, through Group Policy inheritance and/or precedence. With these issues in mind, the GPOs listed in Table 1 are effective for each scenario.

Table 1.    Scenario GPOs

Scenario Name      Configuration   Base GPO Name                Scenario-Specific GPO Name
Lightly Managed    Computer        Lightly Managed (Machine)    N/A (no changes from base)
                   User            Lightly Managed (User)       N/A (no changes from base)
Mobile             Computer        Lightly Managed (Machine)    N/A (no changes from base)
                   User            Lightly Managed (User)       Mobile (User)
AppStation         Computer        Highly Managed (Machine)     N/A (no changes from base)
                   User            Highly Managed (User)        AppStation (User)
Multi-User         Computer        Highly Managed (Machine)     Multi-User (Machine)
                   User            Highly Managed (User)        Multi-User (User)
TaskStation        Computer        Highly Managed (Machine)     TaskStation (Machine)
                   User            Highly Managed (User)        TaskStation (User)
Kiosk              Computer        Highly Managed (Machine)     Kiosk (Machine)
                   User            Highly Managed (User)        Kiosk (User)

Purpose of the Highly Managed GPOs

The Highly Managed scenario is a virtual scenario – its purpose is to provide a set of settings common to other scenarios (specifically, the Multi-User, AppStation, TaskStation, and Kiosk scenarios). As such, the Highly Managed GPOs are not intended (or tested) to operate in their own context. Instead, the other scenarios are enabled by ensuring that the Highly Managed GPOs affect accounts through Group Policy inheritance or precedence. In short, no computer or user account should exist in OUs designed specifically for a Highly Managed scenario.

Creating a Test Environment

In previous versions of this white paper, a considerable number of scripts were necessary to create and configure the GPOs provided with the white paper. With the advent of GPMC – and specifically its Import functionality – these scripts are no longer necessary. The GPOs have been backed up and provided with this white paper, which allows you to import them directly into your environment.

To assist in creation of this environment, a script included with GPMC, CreateEnvironmentFromXML.wsf, is used to create a hierarchy of OUs, create GPOs, and link the GPOs to the OUs appropriately. A script called CreateCommonScenarios.cmd is provided with this white paper to call this script with the appropriate parameters.

After successfully running the script, you will have OUs and linked GPOs configured similar to those shown in Figure 1.


Figure 1.    GPMC Screenshot of Scenario GPOs

Linking GPOs to OUs to Create Scenarios

There are two broad approaches available for using the GPOs to create scenarios in your environment. To illustrate these options, the AppStation scenario is used, which is an extension of the Highly Managed scenario (many of the AppStation settings are defined by the Highly Managed GPOs).

Linking GPOs to a Hierarchy of OUs (Group Policy Inheritance)

With this option, create an OU hierarchy where the AppStation OUs (one each for Computer and User accounts) are children to the Highly Managed OUs. Figure 2 illustrates how the GPOs would be linked.


Figure 2.    Linking Scenario GPOs Using Inheritance

Note that because the machine policy for the AppStation scenario does not differ from that of the Highly Managed scenario, no AppStation (Machine) GPO exists. Technically, it is not necessary to place AppStation affected computers in the AppStation OU because they might reside in the Highly Managed OU and be affected by the same settings. However, for clarity and to easily accommodate the potential for future differences between Highly Managed and AppStation GPOs (on the machine side), there might be value in retaining the AppStation OU. After the appropriate GPOs are linked to these OUs, the computer and user accounts would be moved into the appropriate AppStation OUs.

Linking GPOs Directly to OUs (Group Policy Precedence)

In this approach, you only create two OUs (one each for Computer and User accounts). For each, both the Highly Managed and AppStation GPOs are linked directly to the OU. This is illustrated by Figure 3.


Figure 3.    Linking Scenario GPOs Using Precedence

After linking the GPOs, it is important to ensure that the precedence of the GPOs is such that the AppStation GPOs take priority over Highly Managed GPOs. GPMC provides a simple and intuitive interface for enforcing this precedence. This is achieved by selecting a container, such as an OU, in the GPMC tree view and using the Linked Group Policy Objects tab in the right pane to adjust ordering of GPOs linked to that container.

After creating the OUs and GPO links, move the computer and user accounts into the appropriate AppStation OUs.
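The following model, added here as an illustration and not part of the white paper or its scripts, shows why both linking approaches above give the AppStation (User) GPO the final say, and what goes wrong in the precedence approach if the link order is reversed. The setting names and values in SETTINGS are hypothetical; the OU names are assumptions for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical setting names; not the actual contents of the white paper's GPOs.
SETTINGS: Dict[str, Dict[str, object]] = {
    "Highly Managed (User)": {"RemoveRunMenu": True, "HideDesktopIcons": False},
    "AppStation (User)": {"HideDesktopIcons": True},
}

@dataclass
class OU:
    name: str
    links: List[str] = field(default_factory=list)  # GPMC link order: index 0 = link order 1
    parent: Optional[OU] = None

def processing_order(ou: OU) -> List[str]:
    """GPO names in the order Group Policy applies them to accounts in `ou`.
    Parent OUs are processed before children (inheritance), and within one container
    the GPO with link order 1 is processed last, so it wins on conflicts (precedence).
    Block Inheritance and Enforced links are not modelled here."""
    chain: List[OU] = []
    node: Optional[OU] = ou
    while node is not None:
        chain.append(node)
        node = node.parent
    order: List[str] = []
    for container in reversed(chain):            # top of the OU hierarchy first
        order.extend(reversed(container.links))  # highest link-order number first
    return order

def effective_settings(ou: OU) -> Dict[str, object]:
    """Last writer wins: a GPO applied later overwrites the same setting from an earlier one."""
    result: Dict[str, object] = {}
    for gpo in processing_order(ou):
        result.update(SETTINGS.get(gpo, {}))
    return result

def inheritance_layout() -> Dict[str, object]:
    """Figure 2: the AppStation OU is a child of the Highly Managed OU."""
    highly_managed = OU("Highly Managed Users", ["Highly Managed (User)"])
    appstation = OU("AppStation Users", ["AppStation (User)"], parent=highly_managed)
    return effective_settings(appstation)

def precedence_layout(appstation_link_order_1: bool) -> Dict[str, object]:
    """Figure 3: both GPOs linked to one OU; the link order decides which one wins."""
    links = ["AppStation (User)", "Highly Managed (User)"]
    if not appstation_link_order_1:
        links.reverse()  # misordered: Highly Managed would overwrite AppStation's changes
    return effective_settings(OU("AppStation Users", links))
```

Running precedence_layout(False) reproduces the misconfiguration the paragraph above warns about: the base GPO silently overrides the scenario-specific value, which is worth checking with a Resultant Set of Policy report after adjusting link order in GPMC.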

Differences with Earlier Versions of the Common Scenarios

An earlier version of this white paper focused on Windows 2000 domains. Since that time, a number of Group Policy enhancements have become available, most notably GPMC. The following areas differ between the Windows 2000 and Windows Server 2003 common scenarios.

Base GPOs

As described earlier, the base GPOs (Lightly Managed and Highly Managed) are a new concept in this version of the white paper.

GPMC-Based GPO Deployment

GPMC provides a significant number of features – Backup, Import, Copy and so on – that significantly simplify managing GPOs. This white paper takes full advantage of these new capabilities by providing backed-up copies of GPOs which can easily be imported into your test environment.

Environment Creation Script (CreateCommonScenarios.cmd)

GPMC includes a series of example scripts which illustrate the automation of common Group Policy operations. One such script is CreateEnvironmentFromXML.wsf which uses an XML file to recreate an environment (typically OUs, GPOs, and GPO links) in your domain. An XML file (CommonScenarios.xml) is included with this white paper to facilitate the use of the script to largely automate the creation of your environment.

A command file – CreateCommonScenarios.cmd – is packaged with this white paper to streamline the installation of a sample environment.

It is important to note that while the script must be run from either a Windows XP or Windows Server 2003 computer, the domain in which it creates the sample environment can be either a Windows 2000 or Windows Server 2003 domain.

Group Policy Reports Documentation

GPMC provides a new way to report the contents of GPOs – Group Policy Reports. These are HTML reports that document all aspects of each GPO. Reports for each of the GPOs are provided with this CommonScenarios.msi as a documentation tool. When you make changes to the GPOs, GPMC can help you document the changes by using Group Policy Reports.

New Group Policy Settings

Windows Server 2003 delivers a number of new settings not just for that operating system but also for Windows XP Professional. Many of these settings are used in the updated scenario GPOs.

Consolidated Spreadsheet of Group Policy Settings

The Windows 2000 and Windows XP versions of the scenarios installed one spreadsheet for each scenario. This revised version includes a consolidated spreadsheet – CommonScenarios.xls – and each scenario is listed in a separate column. Using Microsoft Excel column filtering, this can be a helpful way to quickly compare GPO settings.