Managing and
Maintaining a
Microsoft Windows Server 2003 Environment
Microsoft Exam 70-290
Group Policy in Windows 2003
Configuring Account Policies
Configuring Password Policy
Password Policy allows you to improve system security by controlling how
passwords are created and managed. You can, for example, specify the
maximum length of time a password can be used before the user has to
change it. Requiring users to change their passwords regularly decreases
the chances of an unauthorized person breaking into your computer. You can
also specify a minimum password length and maintain a history of the
passwords that a user has used. The latter prevents a user from having two
passwords and alternating between them. Table 6.6 lists the password
policy options that you can configure.
Enforce Password History - Prevents the user from specifying a password
that they have used previously. Windows Server 2003 can track up to 24
previously used passwords for each user. By default, this option is not
enabled.
Maximum Password Age - Specifies the number of days a user can log on with
a particular password before he or she is required to change the
password. The default value is 42 days and it can be set to as much as
999 days.
Minimum Password Age - Specifies the number of days a user must keep a
password before he or she can change it. The default is 0, which
indicates that the password can be changed immediately. The minimum
password age must, however, be less than the maximum password age.
Minimum Password Length - Specifies the minimum number of characters
required in a password. This value can range from 0 up to 14 characters
inclusive. A value of 0, the default, indicates that no password is
required.
Passwords Must Meet Complexity Requirements - Specifies that all passwords
must meet the specified minimum password length; comply with the password
history settings; contain capitals, numerals or punctuation; and cannot
contain the user's account name or full name.
Store Password Using Reversible Encryption For All Users In The Domain -
Enables Windows Server 2003 to store a reversibly encrypted password for
all users in the domain.
You can configure Password Policy on a computer running Windows Server
2003 by using Group Policy or Local Security Policy.
Configuring Account Lockout Policy
The Account Lockout Policy settings also allow you to improve the
security on your computer. If you do not have an account lockout
policy in place, an unauthorized user can repeatedly attempt to gain
access to your computer. If, however, you have set an account lockout
policy, the system will lock out the user account under the conditions
you specify in Account Lockout Policy. These conditions are listed in
Table 6.7.
Account Lockout Duration - Specifies the number of minutes that the
account is locked out for. A value of 0 indicates that the user account
is locked out indefinitely, until the Administrator unlocks the user
account.
Account Lockout Threshold - Specifies the number of invalid logon
attempts it takes before the user account is locked out from logging on
to the computer. A value of 0 indicates that the account will never be
locked out.
Reset Account Lockout Counter After - Specifies the number of minutes to
wait before resetting the account lockout counter.
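The three Table 6.7 settings interact, and the two zero values mean different things, so here is a small simulator, added as an example and not taken from the guide or from Windows. The classes, the minute-based timeline and the replayed attempt sequences are constructed for illustration.

```python
"""Model of the Account Lockout Policy settings in Table 6.7. Constructed example:
the classes and the timelines are assumptions for illustration, not Windows code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    lockout_threshold: int = 0        # invalid attempts before lockout; 0 = never lock out
    lockout_duration: int = 30        # minutes; 0 = locked until an administrator unlocks
    reset_counter_after: int = 30     # minutes of quiet after which the bad-attempt counter resets


@dataclass
class AccountState:
    bad_attempts: int = 0
    last_bad_attempt: Optional[int] = None  # minute of the most recent invalid attempt
    locked_at: Optional[int] = None          # minute the lockout began, or None


def is_locked(policy: LockoutPolicy, state: AccountState, now: int) -> bool:
    if state.locked_at is None:
        return False
    if policy.lockout_duration == 0:
        return True                          # indefinite: only admin_unlock() clears it
    return now < state.locked_at + policy.lockout_duration


def attempt_logon(policy: LockoutPolicy, state: AccountState, now: int, password_ok: bool) -> str:
    """Process one logon attempt at minute `now`; returns 'success', 'failure' or 'locked'.
    A correct password is still refused while the account is locked out."""
    if is_locked(policy, state, now):
        return "locked"
    if state.locked_at is not None:          # lockout duration has elapsed: automatic unlock
        state.locked_at = None
        state.bad_attempts = 0
    if (state.last_bad_attempt is not None
            and now - state.last_bad_attempt >= policy.reset_counter_after):
        state.bad_attempts = 0               # Reset Account Lockout Counter After
    if password_ok:
        state.bad_attempts = 0               # a successful logon clears the counter
        return "success"
    state.bad_attempts += 1
    state.last_bad_attempt = now
    if policy.lockout_threshold and state.bad_attempts >= policy.lockout_threshold:
        state.locked_at = now                # threshold reached: lock the account
        return "locked"
    return "failure"


def admin_unlock(state: AccountState) -> None:
    """What the Administrator does for a duration-0 lockout."""
    state.locked_at = None
    state.bad_attempts = 0
    state.last_bad_attempt = None


def replay(policy: LockoutPolicy, attempts: List[Tuple[int, bool]]) -> List[str]:
    """Run a constructed timeline of (minute, password_ok) attempts against a fresh account."""
    state = AccountState()
    return [attempt_logon(policy, state, minute, ok) for minute, ok in attempts]


if __name__ == "__main__":
    policy = LockoutPolicy(lockout_threshold=3, lockout_duration=30, reset_counter_after=30)
    # Three bad guesses lock the account; the correct password at minute 3 is refused,
    # and the lockout has expired by minute 40.
    print(replay(policy, [(0, False), (1, False), (2, False), (3, True), (40, True)]))
```

The replay makes the edge cases visible: a threshold of 0 never locks, a duration of 0 stays locked across any amount of time until `admin_unlock()`, and a reset window shorter than the spacing of bad attempts means the counter never accumulates.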
Managing User Data
In addition to the My Documents folder, Windows Server 2003 allows you
to create home folders for users to store their personal
documents. You can locate all users' home folders on a client
computer, or in a shared folder on a file server, or in a central
location on a network server. Storing all home folders on a file
server provides the following advantages:
• Users can gain access to their home folders from any client computer on
the network.
• The backing up and administration of user documents is centralized.
• The home folders are accessible from a client computer running any
Microsoft operating system.
Using User Profiles
A user profile is used to store the user's desktop environment,
application settings, and personal data. User profiles maintain
consistency for users in their desktop environments by providing users
with the same desktop environment they had the last time they logged on
to the computer. Windows Server 2003 supports four types of user
profiles:
• Default User Profile, which serves as the base for all user profiles;
• Local User Profile, which is created the first time that a user logs on
at a computer and is specific to the local computer, as it is stored on
that computer;
• Roaming User Profile; and
• Mandatory User Profile.
Roaming User Profiles
An administrator can set up roaming user profiles to support users who
work at different computers. This profile is stored on a network server
so that the profile is available to the user regardless of where the
user logs on in the domain. When a user logs on, Windows Server 2003
copies the roaming user profile from the network server to the client
computer at which the user logs on; consequently, the user always
receives the appropriate desktop settings and connections.
When a user logs on, Windows Server 2003 applies the roaming user
profile settings to that computer. The first time that a user logs on
at a computer, Windows Server 2003 copies all documents to the local
computer. Thereafter, when the user logs on to the computer, Windows
Server 2003 compares the locally stored user profile files and the
roaming user profile files. It copies only the files that have changed
since the last time the user logged on at the computer. This shortens
the logon process.
When a user logs off from the network, Windows Server 2003 copies
changes that were made to the local copy of the roaming user profile
back to the server where it is stored.
Mandatory User Profiles
A mandatory profile is similar to a roaming user profile except that it
does not save any changes a user made to the profile when the user logs
off from the network. It is thus a read-only roaming user profile.
Windows Server 2003 allows an administrator to assign one mandatory user
profile to multiple users who require the same desktop settings. This
means that when the administrator changes one profile, he or she changes
the desktop environment for several users.
The Ntuser.dat file, which is a hidden file located in
the folder that contains the profile, contains that section of the
Windows Server 2003 system settings that applies to the individual
user account, and the user environment settings. By renaming the file
to Ntuser.man the administrator makes the file read-only
and thus mandatory.
Group Policy Objects
Group Policy provides you with administrative control over
users and computers in your network. You can use Group Policy to
configure a user’s desktop environment and let Windows Server 2003
enforce the Group Policy settings that you have configured. You can
apply Group Policy settings across a network, or to a specific group
of users and computers.
You can use Group Policy to:
• Centralize policies by applying the Group Policy for an entire
organization at the site or domain level.
• Decentralize policies by applying the Group Policy for departments at
the organizational unit level.
• Ensure that users have the desktop environment and software
applications that they require. You can also prevent users from
installing applications that they do not require.
• Control where users store their data folders.
• Control user and computer environments, to reduce the level of
technical support that users might require.
• Enforce a company's policies, including business rules, goals, and
security needs.
Note: Group Policy applies only to Windows 2000, Windows Server 2003 and
Windows XP Professional, but not to earlier versions of the Windows
operating system.
The types of Group Policy settings that you can configure are:
• Administrative Templates, which allow you to configure registry
settings. These allow you to configure application settings and user
desktop environments, including the operating system components and
applications to which users can gain access, the degree of access to
Control Panel options, and control of users' offline files.
• Security, which allows you to configure local computer, domain, and
network security settings. These include controlling user access to the
network, setting account and audit policies, and controlling user
rights.
• Software Installation, which allows you to centralize the management
of software installations, updates, and removals. You can install
applications automatically on client computers, upgrade applications
automatically, or automatically remove applications. You can also make
applications available in Add/Remove Programs in Control Panel, which
provides users with a central location to obtain applications for
installation.
• Scripts, which allow you to specify when Windows Server 2003 runs
specific scripts. You can specify scripts to run when a computer starts
and shuts down, and when a user logs on and logs off. You can specify
scripts to perform batch operations, control multiple scripts, and
determine the order in which the scripts run.
• Remote Installation Services, which allows you to control which
options of the Client Installation Wizard used by Remote Installation
Services (RIS) are available to users.
• Internet Explorer Maintenance, which allows you to administer and
customize Microsoft Internet Explorer on Windows Server 2003 computers.
• Folder Redirection, which allows you to specify where specific user
profile folders are stored on the network.
Windows Server 2003 applies the Group Policy settings that are contained
in the user and computer sections of the GPO. GPOs can be associated with
sites, domains, or organizational units. The content of a GPO is stored
in the Group Policy container and in the Group Policy template (GPT).
The Group Policy container is an Active Directory object that contains
GPO attributes and version information. It allows computers to locate
the Group Policy template, and domain controllers to obtain version
information. The Group Policy template is a folder in the SYSVOL
directory on domain controllers; SYSVOL is a shared directory that
stores the server copy of the domain's public files, and these files are
replicated among all domain controllers in the domain. When you create a
GPO, Windows Server 2003 automatically creates the corresponding Group
Policy template folder.
Group Policy Settings for Computers and Users
You can create a Group Policy object that contains configuration
settings for computers or for users and apply them to computers and
users respectively. Group Policy settings for computers can specify
operating system settings, desktop settings, security settings, computer
startup and shutdown scripts, computer-assigned application options, and
application settings. Computer-related Group Policy is applied when the
operating system initializes and during the periodic refresh cycle. In
general, computer Group Policy takes precedence over conflicting user
Group Policy. Group Policy settings for users can specify operating
system settings, desktop settings, security settings, assigned and
published application options, application settings, folder redirection
options, and logon and logoff scripts. User-related Group Policy is
applied when users log on to the computer and during the periodic
refresh cycle.
When a Windows 2000, Windows XP Professional or Windows Server 2003
client computer starts, it retrieves the list of GPOs that contain
computer configuration settings and determines the order in which they
should be applied. The computer then connects to the SYSVOL folder on
the authenticating domain controller and locates the Registry.pol files
that apply to the client computer in the Machine folder of the GPT for
each GPO. The client computer writes the registry settings to the
appropriate registry sub-tree. The computer then continues to initialize
the operating system and enforces the registry settings. When the
registry settings have been enforced, the Logon dialog box appears.
After the user has initiated the logon process, the client computer
retrieves the list of GPOs that contain user configuration settings and
determines the order in which they should be applied. The client
computer then connects to the SYSVOL folder on the authenticating domain
controller and locates the Registry.pol files that contain the Group
Policy settings that apply to the user in the User folder of the GPT for
each GPO. These settings are written to the appropriate registry
subtree, the logon process continues, and the registry settings are
enforced. When the registry settings have been enforced, the client
computer displays the user's desktop.
Linking Group Policy Objects
You apply a GPO by linking it to sites, domains, and
organizational units. This allows you to set centralized policies that
affect the entire organization and decentralized policies that are set
by department.
The linking of a GPO to a site, domain, or organizational unit causes
the Group Policy settings to affect user and computer objects in that
site, domain, or organizational unit.
• You can link one GPO to multiple sites, domains, or organizational
units in your network. This allows you to configure Group Policy
settings that apply to users and computers in different sites, domains,
or organizational units.
• You can create several GPOs for different types of Group Policy
settings and then link them to the appropriate sites, domains, or
organizational units, or link all of these GPOs to one site, domain, or
organizational unit. These multiple GPOs can also be linked to other
organizational units.
You can create a GPO for a site by using Active Directory Sites and
Services.
Note: You must be a member of the Enterprise Admins group to create GPOs
that are linked to sites.
You can apply existing Group Policy settings to additional Active
Directory containers by linking the GPO that contains the required
settings to those containers.
Note: To link a GPO to a site, domain, or organizational unit, you must
have Read and Write permissions on the gPLink and gPOptions attributes
for that site, domain, or organizational unit.
Group Policy Inheritance
Group Policy inheritance refers to the order in which Windows Server
2003 applies GPOs. This order determines which settings ultimately
affect users and computers.
You can modify Group Policy inheritance and control how Group Policy
settings are applied to specific computers and users. This allows you
to block, force, or filter the inheritance of Group Policy settings.
You can thus prevent a child container from inheriting any GPOs from
parent containers by enabling Block Policy Inheritance on the
child container. However, you cannot choose which GPOs are blocked as
Block Inheritance affects all GPOs from all parent containers.
If a link is configured with the No Override setting then
Block Policy Inheritance cannot stop the inheritance of a GPO
linked to a parent container as the No Override setting takes
precedence over the Block Policy Inheritance setting. The No Override
setting causes all Group Policy settings to apply, even if they
conflict with settings in a GPO that is linked to a child container.
You can also modify Group Policy inheritance by using filtering.
This allows you to prevent a GPO and its settings from applying to
specific computers, users, and security groups in a container. This
method is preferred over Block Policy Inheritance and No Override. For
Group Policy to apply to a user or computer account, the account must
have Allow Read and Allow Apply Group Policy permissions for the GPO.
Order of Application
The order in which Windows Server 2003 applies GPOs is based on the
Active Directory container to which the GPOs are linked. Windows
Server 2003 applies GPOs that are linked to sites first, then
GPOs that are linked to domains, and then GPOs that are linked
to Organizational Units. Thus, the Group Policy settings of the
organizational unit of which a user or computer is a member are
the final Group Policy settings that are
applied.
Note: Local policies are always applied first. They should not be used
in a domain environment because they will be overwritten by the Group
Policies applied at the site, domain, or organizational unit levels. The
exception is a member server running unique services, such as Internet
Information Services (IIS).
Controlling the Processing of Group Policy
You can control the processing of Group Policy by specifying the
refresh interval and configuring the client-side extensions to
process unchanged Group Policy settings.
Refreshing Group Policy at Established Intervals
Computers running Windows Server 2003 and Windows 2000 refresh, or
reapply, Group Policy settings at established intervals. This ensures
that the settings are applied to computers and users, even if users
never restart their computers or log off. By default, domain controllers
refresh every five minutes, so critical new Group Policy settings, such
as security settings, are applied after no more than five minutes. By
default, Windows 2000 Professional or Windows XP Professional computers,
and Windows Server 2003 and Windows 2000 member servers, refresh every
90 minutes at a randomized offset time, which ensures that multiple
computers do not contact a domain controller at the same time. You can
change the default refresh values by modifying the Administrative
Template settings for the user or computer configuration. However, Group
Policy cannot be scheduled to refresh at a specific time. The processing
of software installation and folder redirection settings in a GPO occurs
only when a computer starts or when the user logs on, not at a specified
time.
Resolving Conflicts between Group Policy Settings
Group Policy settings in all of the GPOs that affect a user or
computer account are applied, unless two or more settings conflict. If
settings from a parent container GPO conflict with settings from a
child container GPO, the settings in the child container are applied
last and take effect. If settings from GPOs that are linked to the
same container conflict, the settings in the GPO at the top of the
list of GPOs on the Group Policy tab of the Properties
dialog box for the container are applied last and take effect.
When computer and user settings conflict, in most instances, the
computer setting overrides the user settings and applies, even though
the user setting was processed last. This override is not
enforced by the Group Policy infrastructure but is a convention that
is followed by the operating system and by applications that use Group
Policy.
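The inheritance rules (Block Policy Inheritance, No Override, security filtering), the site-domain-OU order of application, and the conflict rules just described combine in ways that are easy to get wrong, so here is a resolver for them, added as an example; it is not code from the guide or from Windows. The GPO, Link and Container classes, the sample site "HQ-Site", domain "contoso.local" and Finance OU, and all setting names and values are constructed for illustration. Local policy, which is always applied first, is left out of the chain.

```python
"""Model of GPO inheritance, No Override, Block Policy Inheritance, link order and
conflict resolution as described above. Constructed example: the classes and the
sample containers are assumptions for illustration, not Windows' own code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class GPO:
    name: str
    settings: Dict[str, object]
    # Security filtering: groups granted Allow Read + Allow Apply Group Policy.
    # None models the default of applying to all authenticated users.
    apply_to_groups: Optional[Set[str]] = None

    def applies_to(self, groups: Set[str]) -> bool:
        return self.apply_to_groups is None or bool(self.apply_to_groups & groups)


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False  # the "No Override" option on this link


@dataclass
class Container:
    """A site, domain or OU. `links` is in Group Policy tab order: top entry first."""
    name: str
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False


def application_order(chain: List[Container], groups: Set[str]) -> List[str]:
    """Return GPO names in the order they are applied; the last applied setting wins.
    `chain` runs from the site down through the domain to the OU holding the account."""
    normal: List[str] = []                   # links without No Override, site -> domain -> OU
    enforced_per_level: List[List[str]] = []
    for container in chain:
        if container.block_inheritance:
            # Block Policy Inheritance discards every GPO inherited from parent
            # containers except those linked with No Override, which cannot be blocked.
            normal = []
        level_enforced: List[str] = []
        # The top entry on the Group Policy tab has the highest priority, i.e. it is
        # applied last, so walk the tab from the bottom up.
        for link in reversed(container.links):
            if not link.gpo.applies_to(groups):
                continue                     # filtered out: no Apply Group Policy permission
            (level_enforced if link.no_override else normal).append(link.gpo.name)
        enforced_per_level.append(level_enforced)
    # No Override links are applied after all others, and a parent's No Override link
    # beats a child's, so the parent's are applied last of all.
    order = list(normal)
    for level in reversed(enforced_per_level):
        order.extend(level)
    return order


def effective_settings(chain: List[Container], groups: Set[str]) -> Dict[str, object]:
    gpos = {link.gpo.name: link.gpo for container in chain for link in container.links}
    effective: Dict[str, object] = {}
    for name in application_order(chain, groups):
        effective.update(gpos[name].settings)  # a later GPO overwrites on conflict
    return effective


def merge_computer_and_user(computer: Dict[str, object], user: Dict[str, object]) -> Dict[str, object]:
    """Convention noted above: on conflict the computer setting wins, even though
    user policy is processed last."""
    merged = dict(user)
    merged.update(computer)
    return merged


def sample_chain(block_finance: bool) -> List[Container]:
    """Constructed sample: a site, a domain and a Finance OU."""
    site = Container("HQ-Site", [
        Link(GPO("SiteBaseline", {"Wallpaper": "corp", "MinimumPasswordLength": 8})),
    ])
    domain = Container("contoso.local", [
        Link(GPO("DomainSecurity", {"MinimumPasswordLength": 10}), no_override=True),
        Link(GPO("DomainDesktop", {"Wallpaper": "blue", "Screensaver": "on"})),
    ])
    finance = Container("Finance", [
        Link(GPO("FinanceTop", {"Screensaver": "locked"}, apply_to_groups={"Finance-Users"})),
        Link(GPO("FinanceBottom", {"Screensaver": "off", "Wallpaper": "green"})),
    ], block_inheritance=block_finance)
    return [site, domain, finance]


if __name__ == "__main__":
    chain = sample_chain(block_finance=True)
    print(application_order(chain, {"Finance-Users"}))
    print(effective_settings(chain, {"Finance-Users"}))
```

With Block Policy Inheritance on the Finance OU, SiteBaseline and DomainDesktop drop out, DomainSecurity survives because of No Override and is applied last, and FinanceTop beats FinanceBottom because it sits higher on the Group Policy tab. Removing the block restores the site and domain GPOs in front of the OU's own.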
Managing the User Environment
You can use Group Policy to control user environments such as their
desktop settings, network connections, and user interfaces. Windows
Server 2003 includes Group Policy settings that give administrators
extensive control over users' computer configurations. It allows you to
manage desktop configurations for groups of computers and users,
including registry settings, security settings, Administrative Template
settings, script settings, and folder redirection. You can also use
Group Policy in conjunction with Windows Installer to deploy and manage
software applications with a minimal amount of administrative effort.
Administrative Templates
Windows Server 2003 has Administrative Template settings, which use the
.adm file extension, for both computers and user accounts. You can use
the Administrative Templates for users to control the user's environment
by restricting access to user desktops, network resources, and
administrative tools and applications, while the Administrative Template
settings that you can apply to computers allow you to manage Windows.
There are seven types of Administrative Template settings.
Windows Components - Controls the Windows components to which a user can
gain access. This includes access to Microsoft Management Console (MMC).
System - Controls logon and logoff procedures and can be applied to both
computers and users.
Network - Controls the properties of network connections and dial-in
connections, which include shared network access. This can be applied to
both computers and users.
Printers - Controls printer settings that can force printers to be
automatically published in Active Directory and can disable Web-based
printing. This can only be applied to computers.
Start Menu and Taskbar - Controls which features users can access from
the Start menu. It also allows you to make the Start menu read-only and
disable users' ability to make changes. This can only be applied to
users.
Desktop - Controls the Active Desktop and allows you to control a user's
ability to gain access to the network and the Internet by hiding the
appropriate desktop icons and controlling what users can do with their
My Documents folder. This can only be applied to users.
Control Panel - Allows you to restrict a user's access to several
applications in Control Panel. This includes restricting the use of
Add/Remove Programs, Display, and Printers. This can only be applied to
users.
Desktop Security Settings
Windows Server 2003 allows you to secure a user’s desktop by allowing
you to set up a computer so that it can only perform a limited number
of functions that users cannot modify.
Group Policy Script Settings
You can use Group Policy script settings to centrally configure
scripts to run automatically at startup and shutdown or when users log
on and log off. These include batch files, executable programs, and
Windows Script Host–supported scripts.
• You can run pre-defined scripts to manage user environments until you
configure Group Policy to replace the tasks that these scripts perform.
• You can run scripts that perform tasks that cannot be configured
through Group Policy settings.
• You can use scripts to remove connections that you added with logon or
startup scripts when users log off and shut down computers, so that the
computer is returned to the same state it was in when the user started
the computer.
Note: You can assign logon scripts to individual user accounts in the
Properties dialog box for each user account. However, Group Policy is
the preferred method of running scripts because you can manage these
scripts centrally, along with startup, shutdown, and logoff scripts.
Windows Server 2003 executes scripts in the order that they are listed
on the Script tab of the Script Properties dialog box. The scripts that
are applied last are ultimately applied; thus, if there is a conflict
between different scripts, the script that is processed last prevails.
You should also run scripts that are dependent on the successful
execution of another script in the correct order.
When a user starts a computer, the startup scripts are run
synchronously. Each of these scripts must complete or time out before
the next one starts. Then, when the user logs on, logon scripts are run.
These are also run synchronously. Non-Group Policy logon scripts that
are associated with a specific user account run after the Group Policy
logon scripts for the user account. When a user logs off and shuts down
a computer, logoff scripts and shutdown scripts are run.
Note: The default timeout value for processing scripts is 10 minutes.
Therefore, if a script requires more than 10 minutes to process, you
must adjust the timeout value by configuring the wait time for Group
Policy scripts, in:
Computer Configuration\Administrative Templates\System\Logon\Maximum
wait time.
This setting affects all scripts that run.
Folder Redirection
You can use Windows Server 2003 to redirect folders, which are part of
the user profile, from users' local hard disks to a central location on
a server. By redirecting these folders, you can ensure that users' data
is in a central location, which makes it easier to manage and back up.
Also, you can ensure that users' data is available to them. The folders
that you can redirect are My Documents, Start Menu, Desktop, and
Application Data. Windows Server 2003 automatically creates these
folders and makes them part of the user profile for each user account.
When you redirect folders, you change the storage location of folders
from the local hard disk on the user's computer to a shared folder on a
network file server. Once you have redirected a folder to a file server,
a user will be able to access the folder regardless of the computer to
which they log on. This also ensures that the data in the folders is
stored centrally, so that the files contained in the folders can easily
be managed and backed up. You can use the Folder Redirection extension
in Group Policy to store the My Documents, Application Data, Desktop,
and Start Menu folders on a server.
Software Deployment
In Windows Server 2003 there are two mechanisms that you can use to
deploy and manage software applications. These are Windows Installer
and the software installation and maintenance technology. The Windows
Installer package is an .msi file that contains explicit
instructions about installing and removing specific applications. The
software installation and maintenance technology assists you in
managing the installation, configuration, repair, and removal of
software, including applications, operating system service packs, or
software upgrades. In addition, the Windows Server 2003 software
installation and maintenance technology is designed to facilitate
policy-based management of software through the entire software life
cycle.
Windows Installer uses an .msi file extension that replaces the
Setup.exe file. This .msi file is the Windows Installer
package and has a number of administrative advantages. The software
installation and maintenance technology uses Group Policy to deploy
and manage software that is in the Windows Installer package. The most
important advantage of using software installation and maintenance
technology is that you can manage and deploy software from a central
location. By working with Windows Installer package files, you can
manage most software deployment and management tasks through the use
of Group Policy. After an organization obtains a Windows Installer
package file, you can create GPOs and associate them with the package
file. These GPOs can:
• Install applications on user computers. Installation can occur
automatically when a user logs on or when a computer starts up, or you
can make these applications available for users to install when they
need them.
• Upgrade a previous version of the application, or automatically apply
software patches or service packs.
• Remove applications.
Software installation and maintenance technology operates by using Group
Policy.